diff --git a/Solutions/Recorded Future/Data/Solution_RecordedFuture.json b/Solutions/Recorded Future/Data/Solution_RecordedFuture.json index a7ed631dc4..765fc26546 100644 --- a/Solutions/Recorded Future/Data/Solution_RecordedFuture.json +++ b/Solutions/Recorded Future/Data/Solution_RecordedFuture.json @@ -41,8 +41,8 @@ "Workbooks/RecordedFutureThreatActorHunting.json", "Workbooks/RecordedFutureMalwareThreatHunting.json" ], - "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Recorded Future", - "Version": "3.2.8", + "BasePath": "Users\\emangsten\\git\\github\\Azure-Sentinel\\Solutions\\Recorded Future", + "Version": "3.2.9", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/Recorded Future/Package/3.2.9.zip b/Solutions/Recorded Future/Package/3.2.9.zip new file mode 100644 index 0000000000..cdce02b6cc Binary files /dev/null and b/Solutions/Recorded Future/Package/3.2.9.zip differ diff --git a/Solutions/Recorded Future/Package/createUiDefinition.json b/Solutions/Recorded Future/Package/createUiDefinition.json index 0fce911f17..1a2801a3f0 100644 --- a/Solutions/Recorded Future/Package/createUiDefinition.json +++ b/Solutions/Recorded Future/Package/createUiDefinition.json @@ -1,397 +1,397 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nUnderlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n* [Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design)\n* [Logic apps](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing)\n* [Threat Indicators](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api)\n\n\n**Workbooks:** 8, **Analytic Rules:** 10, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": "Workspace", - "placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "workbooks", - "label": "Workbooks", - "subLabel": { - "preValidation": "Configure the workbooks", - "postValidation": "Done" - }, - "bladeTitle": "Workbooks", - "elements": [ - { - "name": "workbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." - } - }, - { - "name": "workbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" - } - } - }, - { - "name": "workbook1", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Playbook Alerts Overview", - "elements": [ - { - "name": "workbook1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." - } - } - ] - }, - { - "name": "workbook2", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Alerts Overview", - "elements": [ - { - "name": "workbook2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." - } - } - ] - }, - { - "name": "workbook3", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Domain Correlation", - "elements": [ - { - "name": "workbook3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - } - } - ] - }, - { - "name": "workbook4", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Hash Correlation", - "elements": [ - { - "name": "workbook4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - } - } - ] - }, - { - "name": "workbook5", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - IP Correlation", - "elements": [ - { - "name": "workbook5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - } - } - ] - }, - { - "name": "workbook6", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - URL Correlation", - "elements": [ - { - "name": "workbook6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - } - } - ] - }, - { - "name": "workbook7", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Threat Actor Hunting", - "elements": [ - { - "name": "workbook7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel." - } - } - ] - }, - { - "name": "workbook8", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Malware Threat Hunting", - "elements": [ - { - "name": "workbook8-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Malware Threat Hunting Workbook. This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel." - } - } - ] - } - ] - }, - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." - } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "Detection of Malware C2 Domains in DNS Events", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist." - } - } - ] - }, - { - "name": "analytic2", - "type": "Microsoft.Common.Section", - "label": "Detection of Malware C2 Domains in Syslog Events", - "elements": [ - { - "name": "analytic2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist." - } - } - ] - }, - { - "name": "analytic3", - "type": "Microsoft.Common.Section", - "label": "Detection of Specific Hashes in CommonSecurityLog", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList." - } - } - ] - }, - { - "name": "analytic4", - "type": "Microsoft.Common.Section", - "label": "Detection of Malware C2 IPs in Azure Act. Events", - "elements": [ - { - "name": "analytic4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in Azure Activity Events from Recorded Future Actively Communicating C&C Server Risklist." - } - } - ] - }, - { - "name": "analytic5", - "type": "Microsoft.Common.Section", - "label": "Detection of Malware C2 IPs in DNS Events", - "elements": [ - { - "name": "analytic5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in DnsEvents from Recorded Future Actively Communicating C&C Server Risklist." - } - } - ] - }, - { - "name": "analytic6", - "type": "Microsoft.Common.Section", - "label": "Detection of Malicious URLs in Syslog Events", - "elements": [ - { - "name": "analytic6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group." - } - } - ] - }, - { - "name": "analytic7", - "type": "Microsoft.Common.Section", - "label": "RecordedFuture Threat Hunting Hash All Actors", - "elements": [ - { - "name": "analytic7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Hunting hash correlation for all actors." - } - } - ] - }, - { - "name": "analytic8", - "type": "Microsoft.Common.Section", - "label": "RecordedFuture Threat Hunting IP All Actors", - "elements": [ - { - "name": "analytic8-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Hunting IP correlation for all actors." - } - } - ] - }, - { - "name": "analytic9", - "type": "Microsoft.Common.Section", - "label": "RecordedFuture Threat Hunting Domain All Actors", - "elements": [ - { - "name": "analytic9-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Hunting domain correlation for all actors." - } - } - ] - }, - { - "name": "analytic10", - "type": "Microsoft.Common.Section", - "label": "RecordedFuture Threat Hunting Url All Actors", - "elements": [ - { - "name": "analytic10-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Hunting Url correlation for all actors." - } - } - ] - } - ] - }, - { - "name": "playbooks", - "label": "Playbooks", - "subLabel": { - "preValidation": "Configure the playbooks", - "postValidation": "Done" - }, - "bladeTitle": "Playbooks", - "elements": [ - { - "name": "playbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." - } - }, - { - "name": "playbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]" - } - } -} +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nUnderlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n* [Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design)\n* [Logic apps](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing)\n* [Threat Indicators](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api)\n\n\n**Workbooks:** 8, **Analytic Rules:** 10, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Playbook Alerts Overview", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." + } + } + ] + }, + { + "name": "workbook2", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Alerts Overview", + "elements": [ + { + "name": "workbook2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." + } + } + ] + }, + { + "name": "workbook3", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Domain Correlation", + "elements": [ + { + "name": "workbook3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + } + } + ] + }, + { + "name": "workbook4", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Hash Correlation", + "elements": [ + { + "name": "workbook4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + } + } + ] + }, + { + "name": "workbook5", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - IP Correlation", + "elements": [ + { + "name": "workbook5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + } + } + ] + }, + { + "name": "workbook6", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - URL Correlation", + "elements": [ + { + "name": "workbook6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + } + } + ] + }, + { + "name": "workbook7", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Threat Actor Hunting", + "elements": [ + { + "name": "workbook7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel." + } + } + ] + }, + { + "name": "workbook8", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Malware Threat Hunting", + "elements": [ + { + "name": "workbook8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Malware Threat Hunting Workbook. This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Detection of Malware C2 Domains in DNS Events", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Detection of Malware C2 Domains in Syslog Events", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Detection of Specific Hashes in CommonSecurityLog", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList." + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "Detection of Malware C2 IPs in Azure Act. Events", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in Azure Activity Events from Recorded Future Actively Communicating C&C Server Risklist." + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "Detection of Malware C2 IPs in DNS Events", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in DnsEvents from Recorded Future Actively Communicating C&C Server Risklist." + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "Detection of Malicious URLs in Syslog Events", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group." + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "RecordedFuture Threat Hunting Hash All Actors", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Hunting hash correlation for all actors." + } + } + ] + }, + { + "name": "analytic8", + "type": "Microsoft.Common.Section", + "label": "RecordedFuture Threat Hunting IP All Actors", + "elements": [ + { + "name": "analytic8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Hunting IP correlation for all actors." + } + } + ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "RecordedFuture Threat Hunting Domain All Actors", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Hunting domain correlation for all actors." + } + } + ] + }, + { + "name": "analytic10", + "type": "Microsoft.Common.Section", + "label": "RecordedFuture Threat Hunting Url All Actors", + "elements": [ + { + "name": "analytic10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Hunting Url correlation for all actors." + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Recorded Future/Package/mainTemplate.json b/Solutions/Recorded Future/Package/mainTemplate.json index 8d44f8cbec..229649d34e 100644 --- a/Solutions/Recorded Future/Package/mainTemplate.json +++ b/Solutions/Recorded Future/Package/mainTemplate.json @@ -1,9829 +1,9656 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Recorded Future Premier Integrations - support@recordedfuture.com", - "comments": "Solution template for Recorded Future" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "workbook1-name": { - "type": "string", - "defaultValue": "Recorded Future - Playbook Alerts Overview", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook2-name": { - "type": "string", - "defaultValue": "Recorded Future - Alerts Overview", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook3-name": { - "type": "string", - "defaultValue": "Recorded Future - Domain Correlation", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook4-name": { - "type": "string", - "defaultValue": "Recorded Future - Hash Correlation", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook5-name": { - "type": "string", - "defaultValue": "Recorded Future - IP Correlation", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook6-name": { - "type": "string", - "defaultValue": "Recorded Future - URL Correlation", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook7-name": { - "type": "string", - "defaultValue": "Recorded Future - Threat Actor Hunting", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook8-name": { - "type": "string", - "defaultValue": "Recorded Future - Malware Threat Hunting", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - } - }, - "variables": { - "email": "support@recordedfuture.com", - "_email": "[variables('email')]", - "_solutionName": "Recorded Future", - "_solutionVersion": "3.2.8", - "solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution", - "_solutionId": "[variables('solutionId')]", - "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.4", - "_analyticRulecontentId1": "a1c02815-4248-4728-a9ae-dac73c67db23", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a1c02815-4248-4728-a9ae-dac73c67db23')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a1c02815-4248-4728-a9ae-dac73c67db23')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1c02815-4248-4728-a9ae-dac73c67db23','-', '1.0.4')))]" - }, - "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.3", - "_analyticRulecontentId2": "dffd068f-fdab-440e-bbc0-34c14b623c89", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dffd068f-fdab-440e-bbc0-34c14b623c89')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dffd068f-fdab-440e-bbc0-34c14b623c89')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dffd068f-fdab-440e-bbc0-34c14b623c89','-', '1.0.3')))]" - }, - "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", - "_analyticRulecontentId3": "388e197d-ec9e-46b6-addb-947d74d2a5c4", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '388e197d-ec9e-46b6-addb-947d74d2a5c4')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('388e197d-ec9e-46b6-addb-947d74d2a5c4')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','388e197d-ec9e-46b6-addb-947d74d2a5c4','-', '1.0.2')))]" - }, - "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.2", - "_analyticRulecontentId4": "588dc717-7583-452c-a743-dee96705898e", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '588dc717-7583-452c-a743-dee96705898e')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('588dc717-7583-452c-a743-dee96705898e')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','588dc717-7583-452c-a743-dee96705898e','-', '1.0.2')))]" - }, - "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.3", - "_analyticRulecontentId5": "22cc1dff-14ad-481d-97e1-0602895e429e", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '22cc1dff-14ad-481d-97e1-0602895e429e')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('22cc1dff-14ad-481d-97e1-0602895e429e')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','22cc1dff-14ad-481d-97e1-0602895e429e','-', '1.0.3')))]" - }, - "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.2", - "_analyticRulecontentId6": "9acb3664-72c4-4676-80fa-9f81912e347e", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9acb3664-72c4-4676-80fa-9f81912e347e')]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9acb3664-72c4-4676-80fa-9f81912e347e')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9acb3664-72c4-4676-80fa-9f81912e347e','-', '1.0.2')))]" - }, - "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.4", - "_analyticRulecontentId7": "6db6a8e6-2959-440b-ba57-a505875fcb37", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6db6a8e6-2959-440b-ba57-a505875fcb37')]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6db6a8e6-2959-440b-ba57-a505875fcb37')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6db6a8e6-2959-440b-ba57-a505875fcb37','-', '1.0.4')))]" - }, - "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.3", - "_analyticRulecontentId8": "e31bc14e-2b4c-42a4-af34-5bfd7d768aea", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e31bc14e-2b4c-42a4-af34-5bfd7d768aea')]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e31bc14e-2b4c-42a4-af34-5bfd7d768aea')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e31bc14e-2b4c-42a4-af34-5bfd7d768aea','-', '1.0.3')))]" - }, - "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.4", - "_analyticRulecontentId9": "acbf7ef6-f964-44c3-9031-7834ec68175f", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acbf7ef6-f964-44c3-9031-7834ec68175f')]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acbf7ef6-f964-44c3-9031-7834ec68175f')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acbf7ef6-f964-44c3-9031-7834ec68175f','-', '1.0.4')))]" - }, - "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.4", - "_analyticRulecontentId10": "3f6f0d1a-f2f9-4e01-881a-c55a4a71905b", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3f6f0d1a-f2f9-4e01-881a-c55a4a71905b','-', '1.0.4')))]" - }, - "RecordedFuture-IOC_Enrichment": "RecordedFuture-IOC_Enrichment", - "_RecordedFuture-IOC_Enrichment": "[variables('RecordedFuture-IOC_Enrichment')]", - "playbookVersion1": "2.7", - "playbookContentId1": "RecordedFuture-IOC_Enrichment", - "_playbookContentId1": "[variables('playbookContentId1')]", - "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", - "RecordedFuture-Playbook-Alert-Importer": "RecordedFuture-Playbook-Alert-Importer", - "_RecordedFuture-Playbook-Alert-Importer": "[variables('RecordedFuture-Playbook-Alert-Importer')]", - "TemplateEmptyArray": "[json('[]')]", - "playbookVersion2": "1.3", - "playbookContentId2": "RecordedFuture-Playbook-Alert-Importer", - "_playbookContentId2": "[variables('playbookContentId2')]", - "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", - "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", - "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", - "RecordedFuture-Alert-Importer": "RecordedFuture-Alert-Importer", - "_RecordedFuture-Alert-Importer": "[variables('RecordedFuture-Alert-Importer')]", - "playbookVersion3": "1.3", - "playbookContentId3": "RecordedFuture-Alert-Importer", - "_playbookContentId3": "[variables('playbookContentId3')]", - "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", - "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", - "RecordedFuture-ThreatIntelligenceImport": "RecordedFuture-ThreatIntelligenceImport", - "_RecordedFuture-ThreatIntelligenceImport": "[variables('RecordedFuture-ThreatIntelligenceImport')]", - "playbookVersion4": "1.0", - "playbookContentId4": "RecordedFuture-ThreatIntelligenceImport", - "_playbookContentId4": "[variables('playbookContentId4')]", - "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", - "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", - "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", - "RecordedFuture-Domain-IndicatorImport": "RecordedFuture-Domain-IndicatorImport", - "_RecordedFuture-Domain-IndicatorImport": "[variables('RecordedFuture-Domain-IndicatorImport')]", - "playbookVersion5": "1.0", - "playbookContentId5": "RecordedFuture-Domain-IndicatorImport", - "_playbookContentId5": "[variables('playbookContentId5')]", - "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", - "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", - "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", - "RecordedFuture-Hash-IndicatorImport": "RecordedFuture-Hash-IndicatorImport", - "_RecordedFuture-Hash-IndicatorImport": "[variables('RecordedFuture-Hash-IndicatorImport')]", - "playbookVersion6": "1.0", - "playbookContentId6": "RecordedFuture-Hash-IndicatorImport", - "_playbookContentId6": "[variables('playbookContentId6')]", - "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", - "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", - "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", - "RecordedFuture-IP-IndicatorImport": "RecordedFuture-IP-IndicatorImport", - "_RecordedFuture-IP-IndicatorImport": "[variables('RecordedFuture-IP-IndicatorImport')]", - "playbookVersion7": "1.0", - "playbookContentId7": "RecordedFuture-IP-IndicatorImport", - "_playbookContentId7": "[variables('playbookContentId7')]", - "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", - "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", - "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", - "RecordedFuture-URL-IndicatorImport": "RecordedFuture-URL-IndicatorImport", - "_RecordedFuture-URL-IndicatorImport": "[variables('RecordedFuture-URL-IndicatorImport')]", - "playbookVersion8": "1.0", - "playbookContentId8": "RecordedFuture-URL-IndicatorImport", - "_playbookContentId8": "[variables('playbookContentId8')]", - "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", - "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", - "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", - "RecordedFuture-Sandbox_Enrichment-Url": "RecordedFuture-Sandbox_Enrichment-Url", - "_RecordedFuture-Sandbox_Enrichment-Url": "[variables('RecordedFuture-Sandbox_Enrichment-Url')]", - "playbookVersion9": "1.0", - "playbookContentId9": "RecordedFuture-Sandbox_Enrichment-Url", - "_playbookContentId9": "[variables('playbookContentId9')]", - "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", - "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", - "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", - "RecordedFuture-CustomConnector": "RecordedFuture-CustomConnector", - "_RecordedFuture-CustomConnector": "[variables('RecordedFuture-CustomConnector')]", - "playbookVersion10": "1.0", - "playbookContentId10": "RecordedFuture-CustomConnector", - "_playbookContentId10": "[variables('playbookContentId10')]", - "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId10'))))]", - "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", - "RecordedFuture-ThreatMap-Importer": "RecordedFuture-ThreatMap-Importer", - "_RecordedFuture-ThreatMap-Importer": "[variables('RecordedFuture-ThreatMap-Importer')]", - "playbookVersion11": "1.2", - "playbookContentId11": "RecordedFuture-ThreatMap-Importer", - "_playbookContentId11": "[variables('playbookContentId11')]", - "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", - "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", - "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", - "RecordedFuture-ThreatMapMalware-Importer": "RecordedFuture-ThreatMapMalware-Importer", - "_RecordedFuture-ThreatMapMalware-Importer": "[variables('RecordedFuture-ThreatMapMalware-Importer')]", - "playbookVersion12": "1.0", - "playbookContentId12": "RecordedFuture-ThreatMapMalware-Importer", - "_playbookContentId12": "[variables('playbookContentId12')]", - "playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]", - "playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]", - "_playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]", - "RecordedFuture-ActorThreatHunt-IndicatorImport": "RecordedFuture-ActorThreatHunt-IndicatorImport", - "_RecordedFuture-ActorThreatHunt-IndicatorImport": "[variables('RecordedFuture-ActorThreatHunt-IndicatorImport')]", - "playbookVersion13": "1.0", - "playbookContentId13": "RecordedFuture-ActorThreatHunt-IndicatorImport", - "_playbookContentId13": "[variables('playbookContentId13')]", - "playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]", - "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]", - "_playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]", - "RecordedFuture-MalwareThreatHunt-IndicatorImport": "RecordedFuture-MalwareThreatHunt-IndicatorImport", - "_RecordedFuture-MalwareThreatHunt-IndicatorImport": "[variables('RecordedFuture-MalwareThreatHunt-IndicatorImport')]", - "playbookVersion14": "1.0", - "playbookContentId14": "RecordedFuture-MalwareThreatHunt-IndicatorImport", - "_playbookContentId14": "[variables('playbookContentId14')]", - "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]", - "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]", - "_playbookcontentProductId14": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', variables('playbookVersion14'))))]", - "workbookVersion1": "1.0.1", - "workbookContentId1": "RecordedFuturePlaybookAlertOverviewWorkbook", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", - "_workbookContentId1": "[variables('workbookContentId1')]", - "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "workbookVersion2": "1.0.1", - "workbookContentId2": "RecordedFutureAlertOverviewWorkbook", - "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", - "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", - "_workbookContentId2": "[variables('workbookContentId2')]", - "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", - "workbookVersion3": "1.0.1", - "workbookContentId3": "RecordedFutureDomainCorrelationWorkbook", - "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]", - "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", - "_workbookContentId3": "[variables('workbookContentId3')]", - "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", - "workbookVersion4": "1.0.1", - "workbookContentId4": "RecordedFutureHashCorrelationWorkbook", - "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]", - "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]", - "_workbookContentId4": "[variables('workbookContentId4')]", - "_workbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]", - "workbookVersion5": "1.0.1", - "workbookContentId5": "RecordedFutureIPCorrelationWorkbook", - "workbookId5": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId5'))]", - "workbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId5'))))]", - "_workbookContentId5": "[variables('workbookContentId5')]", - "_workbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId5'),'-', variables('workbookVersion5'))))]", - "workbookVersion6": "1.0.1", - "workbookContentId6": "RecordedFutureURLCorrelationWorkbook", - "workbookId6": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId6'))]", - "workbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId6'))))]", - "_workbookContentId6": "[variables('workbookContentId6')]", - "_workbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId6'),'-', variables('workbookVersion6'))))]", - "workbookVersion7": "1.0.1", - "workbookContentId7": "RecordedFutureThreatActorHuntingWorkbook", - "workbookId7": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId7'))]", - "workbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId7'))))]", - "_workbookContentId7": "[variables('workbookContentId7')]", - "_workbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId7'),'-', variables('workbookVersion7'))))]", - "workbookVersion8": "1.0.0", - "workbookContentId8": "RecordedFutureMalwareThreatHuntingWorkbook", - "workbookId8": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId8'))]", - "workbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId8'))))]", - "_workbookContentId8": "[variables('workbookContentId8')]", - "_workbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId8'),'-', variables('workbookVersion8'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist.", - "displayName": "Detection of Malware C2 Domains in DNS Events", - "enabled": false, - "query": "// Identifies a match in DnsEvent from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract Domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.Name\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, DomainName, Description, ConfidenceScore, AdditionalInformation, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "ASimDnsActivityLogs", - "dataTypes": [ - "DnsEvents" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "subTechniques": [ - "T1071.004" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Computer", - "identifier": "FullName" - }, - { - "columnName": "HostName", - "identifier": "HostName" - }, - { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIP", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "DomainName", - "identifier": "DomainName" - } - ], - "entityType": "DNS" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malware C2 Domains in DNS Events", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist.", - "displayName": "Detection of Malware C2 Domains in Syslog Events", - "enabled": false, - "query": "// Identifies a match in Syslog from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.domain\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Syslog", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "SyslogAma", - "dataTypes": [ - "Syslog" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "subTechniques": [ - "T1071.004" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "HostCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "URLCustomEntity", - "identifier": "Url" - } - ], - "entityType": "URL" - }, - { - "fieldMappings": [ - { - "columnName": "domain", - "identifier": "DomainName" - } - ], - "entityType": "DNS" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malware C2 Domains in Syslog Events", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.", - "displayName": "Detection of Specific Hashes in CommonSecurityLog", - "enabled": false, - "query": "// Identifies a match in CommonSecurityLog from the Recorded Future Hashes Observed in Underground Virus Testing Sites\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n// Picking up only Recorded Future IOC's that have been observed in undersground testing sites\n| where Description == \"Recorded Future - HASH - Observed in Underground Virus Testing Sites\"\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n| join (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation\n| extend AccountName = tostring(split(SourceUserName, \"@\")[0]), AccountUPNSuffix = tostring(split(SourceUserName, \"@\")[1])\n| extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CefAma", - "dataTypes": [ - "CommonSecurityLog" - ] - } - ], - "tactics": [ - "ResourceDevelopment" - ], - "subTechniques": [ - "T1587.001" - ], - "techniques": [ - "T1587" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "SourceUserName", - "identifier": "FullName" - }, - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "DeviceName", - "identifier": "FullName" - }, - { - "columnName": "HostName", - "identifier": "HostName" - }, - { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "SourceIP", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Specific Hashes in CommonSecurityLog", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in Azure Activity Events from Recorded Future Actively Communicating C&C Server Risklist.", - "displayName": "Detection of Malware C2 IPs in Azure Act. Events", - "enabled": false, - "query": "// Identifies a match in AzureActivity from the Recorded Future C2 Malware Detection IPs (Actively Communicating C&C Server RiskList)\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == \"Recorded Future - IP - Actively Communicating C&C Server\"\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| extend TI_ipEntity = NetworkIP\n| join (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n )\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated >= TimeGenerated and AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, Description, AdditionalInformation\n| extend AccountName = tostring(split(Caller, \"@\")[0]), AccountUPNSuffix = tostring(split(Caller, \"@\")[1])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActivity", - "dataTypes": [ - "AzureActivity" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Caller", - "identifier": "FullName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CallerIpAddress", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - }, - { - "fieldMappings": [ - { - "columnName": "TI_ipEntity", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 4", - "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malware C2 IPs in Azure Act. Events", - "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in DnsEvents from Recorded Future Actively Communicating C&C Server Risklist.", - "displayName": "Detection of Malware C2 IPs in DNS Events", - "enabled": false, - "query": "// Identifies a match in DnsEvent from the Recorded Future C2 Malware Detection IPs (Actively Communicating C&C Server RiskList)\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == \"Recorded Future - IP - Actively Communicating C&C Server\"\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| join (\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend SingleIP = tostring(SingleIP)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n )\non $left.NetworkIP == $right.SingleIP\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, Description, AdditionalInformation\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "ASimDnsActivityLogs", - "dataTypes": [ - "DnsEvents" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Computer", - "identifier": "FullName" - }, - { - "columnName": "HostName", - "identifier": "HostName" - }, - { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIP", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - }, - { - "fieldMappings": [ - { - "columnName": "NetworkIP", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 5", - "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malware C2 IPs in DNS Events", - "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group.", - "displayName": "Detection of Malicious URLs in Syslog Events", - "enabled": false, - "query": "// Identifies a match in Syslog from the Recorded Future URLs Recently Reported by Insikt Group\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that have been recently reported as malicious by Insikt Group\n| where Description == 'Recorded Future - URL - Recently Reported by Insikt Group'\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| join (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non Url\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Syslog", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "SyslogAma", - "dataTypes": [ - "Syslog" - ] - } - ], - "tactics": [ - "LateralMovement", - "Execution" - ], - "techniques": [ - "T1072" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "HostCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "URLCustomEntity", - "identifier": "Url" - } - ], - "entityType": "URL" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 6", - "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malicious URLs in Syslog Events", - "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Recorded Future Threat Hunting hash correlation for all actors.", - "displayName": "RecordedFuture Threat Hunting Hash All Actors", - "enabled": false, - "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing Hash data.\n// The following workbook: Recorded Future - Hash Correlation will help researching available data and selecting tables and columns \nimFileEvent\n| where isnotempty(Hash)\n| extend lowerHash=tolower(Hash)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(FileHashValue)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerHash=tolower(FileHashValue)\n) on lowerHash\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Hash\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Hash=FileHashValue, HashType, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "ThreatIntelligenceUploadIndicatorsAPI", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - } - ], - "tactics": [ - "InitialAccess", - "Execution", - "Persistence" - ], - "techniques": [ - "T1189", - "T1059", - "T1554" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Hash", - "identifier": "Value" - }, - { - "columnName": "HashType", - "identifier": "Algorithm" - } - ], - "entityType": "FileHash" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "ActorInformation": "RecordedFuturePortalLink" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n", - "alertDynamicProperties": [ - { - "alertProperty": "AlertLink", - "value": "RecordedFuturePortalLink" - } - ], - "alertDisplayNameFormat": "{{Description}}" - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "enabled": true, - "lookbackDuration": "1h" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 7", - "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "contentKind": "AnalyticsRule", - "displayName": "RecordedFuture Threat Hunting Hash All Actors", - "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Recorded Future Threat Hunting IP correlation for all actors.", - "displayName": "RecordedFuture Threat Hunting IP All Actors", - "enabled": false, - "query": "let ioc_lookBack = 1d;\n// The source table (ASimNetworkSessionLogs) can be replaced by any infrastructure table containing ip data.\n// The following workbook: Recorded Future - IP Correlation will help researching available data and selecting tables and columns \nimNetworkSession\n| where isnotempty(DstIpAddr)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(NetworkIP)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n) on $left.DstIpAddr == $right.NetworkIP\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.DstIpAddr\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project NetworkIP, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "ThreatIntelligenceUploadIndicatorsAPI", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - } - ], - "tactics": [ - "Exfiltration", - "CommandAndControl" - ], - "techniques": [ - "T1041", - "T1568" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "NetworkIP", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "ActorInformation": "RecordedFuturePortalLink" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n", - "alertDynamicProperties": [ - { - "alertProperty": "AlertLink", - "value": "RecordedFuturePortalLink" - } - ], - "alertDisplayNameFormat": "{{Description}}" - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "enabled": true, - "lookbackDuration": "1h" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 8", - "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "contentKind": "AnalyticsRule", - "displayName": "RecordedFuture Threat Hunting IP All Actors", - "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Recorded Future Threat Hunting domain correlation for all actors.", - "displayName": "RecordedFuture Threat Hunting Domain All Actors", - "enabled": false, - "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing domain/dns data.\n// The following workbook: Recorded Future - Domain Correlation will help researching available data and selecting tables and columns \nimDns\n| where isnotempty(Domain)\n| extend lowerDomain=tolower(Domain)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look at Domain IOCs\n| where isnotempty(DomainName)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerDomain=tolower(DomainName)\n) on lowerDomain \n// select column from the source table to match with Recorded Future $left.Domain\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project DomainName, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "ThreatIntelligenceUploadIndicatorsAPI", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - } - ], - "tactics": [ - "InitialAccess", - "CommandAndControl" - ], - "techniques": [ - "T1566", - "T1568" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Domain", - "identifier": "DomainName" - } - ], - "entityType": "DNS" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "ActorInformation": "RecordedFuturePortalLink" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n", - "alertDynamicProperties": [ - { - "alertProperty": "AlertLink", - "value": "RecordedFuturePortalLink" - } - ], - "alertDisplayNameFormat": "{{Description}}" - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "enabled": true, - "lookbackDuration": "1h" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 9", - "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "contentKind": "AnalyticsRule", - "displayName": "RecordedFuture Threat Hunting Domain All Actors", - "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Recorded Future Threat Hunting Url correlation for all actors.", - "displayName": "RecordedFuture Threat Hunting Url All Actors", - "enabled": false, - "query": "let ioc_lookBack = 1d;\n// The source table (imWebSession) can be replaced by any infrastructure table containing Url data.\n// The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns \nimWebSession\n| where isnotempty(Url)\n| extend lowerUrl=tolower(Url)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(Url)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerUrl=tolower(Url)\n) on lowerUrl\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Url\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Url, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "ThreatIntelligenceUploadIndicatorsAPI", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - } - ], - "tactics": [ - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion" - ], - "techniques": [ - "T1098", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - } - ], - "customDetails": { - "ActorInformation": "RecordedFuturePortalLink" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n", - "alertDynamicProperties": [ - { - "alertProperty": "AlertLink", - "value": "RecordedFuturePortalLink" - } - ], - "alertDisplayNameFormat": "{{Description}}" - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "enabled": true, - "lookbackDuration": "1h" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 10", - "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "contentKind": "AnalyticsRule", - "displayName": "RecordedFuture Threat Hunting Url All Actors", - "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-IOC_Enrichment", - "type": "string" - } - }, - "variables": { - "RecordedFutureConnectionName": "RecordedFuture-ConnectorV2", - "AzureSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "connection-2": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateVersion": "2.7", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" - ], - "properties": { - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "For_each": { - "actions": { - "Parse_JSON_2": { - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "id": { - "type": "string" - }, - "kind": { - "type": "string" - }, - "properties": { - "type": "object" - }, - "type": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - }, - "Switch": { - "cases": { - "Case": { - "actions": { - "Add_comment_to_incident_(V3)_-_Domain": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Domain_Enrichment')?['data']?['html_response']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Domain_Enrichment": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_4": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_DNS_Resolution')?['domainName']}
\nRequest Data Collection In The Recorded Future Portal

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_-_Domain": [ - "Skipped" - ] - }, - "type": "ApiConnection" - }, - "Domain_Enrichment": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/lookup/domain/@{encodeURIComponent(body('Parse_JSON_-_DNS_Resolution')?['domainName'])}", - "queries": { - "IntelligenceCloud": "@parameters('IntelligenceCloud')", - "RFIncidentId": "@variables('RFIncidentId')", - "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", - "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links", - "htmlresponse": "True" - } - }, - "runAfter": { - "Parse_JSON_-_DNS_Resolution": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Parse_JSON_-_DNS_Resolution": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "domainName": { - "type": "string" - }, - "friendlyName": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "case": "DnsResolution" - }, - "Case_2": { - "actions": { - "Add_comment_to_incident_(V3)_-_Hash": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Hash_Enrichment')?['data']?['html_response']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Hash_Enrichment": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_3": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_File_Hash')?['hashValue']}
\nRequest Data Collection In The Recorded Future Portal

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_-_Hash": [ - "Skipped" - ] - }, - "type": "ApiConnection" - }, - "Hash_Enrichment": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/lookup/hash/@{encodeURIComponent(body('Parse_JSON_-_File_Hash')?['hashValue'])}", - "queries": { - "IntelligenceCloud": "@parameters('IntelligenceCloud')", - "RFIncidentId": "@variables('RFIncidentId')", - "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", - "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links", - "htmlresponse": "True" - } - }, - "runAfter": { - "Parse_JSON_-_File_Hash": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Parse_JSON_-_File_Hash": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "algorithm": { - "type": "string" - }, - "friendlyName": { - "type": "string" - }, - "hashValue": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "case": "FileHash" - }, - "Case_3": { - "actions": { - "Add_comment_to_incident_(V3)_-_URL": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('URL_Enrichment')?['data']?['html_response']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "URL_Enrichment": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_2": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Url')?['url']}
\nRequest Data Collection In The Recorded Future Portal

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_-_URL": [ - "Skipped" - ] - }, - "type": "ApiConnection" - }, - "Parse_JSON_-_Url": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "friendlyName": { - "type": "string" - }, - "url": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - }, - "URL_Enrichment": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/lookup/url/@{encodeURIComponent(body('Parse_JSON_-_Url')?['url'])}", - "queries": { - "IntelligenceCloud": "@parameters('IntelligenceCloud')", - "RFIncidentId": "@variables('RFIncidentId')", - "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", - "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links", - "htmlresponse": "True" - } - }, - "runAfter": { - "Parse_JSON_-_Url": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "case": "Url" - }, - "Case_4": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Ip')?['address']}
\nRequest Data Collection In The Recorded Future Portal

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_-_IP": [ - "Skipped" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_-_IP": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('IP_Enrichment')?['data']?['html_response']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "IP_Enrichment": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "IP_Enrichment": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/lookup/ip/@{encodeURIComponent(body('Parse_JSON_-_Ip')?['address'])}", - "queries": { - "IntelligenceCloud": "@parameters('IntelligenceCloud')", - "RFIncidentId": "@variables('RFIncidentId')", - "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", - "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links", - "htmlresponse": "True" - } - }, - "runAfter": { - "Parse_JSON_-_Ip": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Parse_JSON_-_Ip": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "address": { - "type": "string" - }, - "friendlyName": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "case": "Ip" - } - }, - "expression": "@body('Parse_JSON_2')?['kind']", - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "Switch" - } - }, - "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "runAfter": { - "RFIncidentId": [ - "Succeeded" - ] - }, - "runtimeConfiguration": { - "concurrency": { - "repetitions": 1 - } - }, - "type": "Foreach" - }, - "RFIncidentId": { - "inputs": { - "variables": [ - { - "name": "RFIncidentId", - "type": "string", - "value": "@{guid()}" - } - ] - }, - "type": "InitializeVariable" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "IntelligenceCloud": { - "defaultValue": true, - "type": "Bool" - }, - "$connections": { - "type": "Object" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - }, - "type": "ApiConnectionWebhook" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "recordedfuture": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", - "connectionName": "[[variables('RecordedFutureConnectionName')]" - } - } - } - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-IOC_Enrichment", - "description": "This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Microsoft Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. The enrichment content will be posted as a comment in the Microsoft Sentinel incident \"Microsoft.", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment open the playbook in edit mode and configure/authorize all connections and press save.\"Logic" - ], - "lastUpdateTime": "2024-07-09T00:00:00Z", - "entities": [ - "ip", - "url", - "dnsresolution", - "filehash" - ], - "tags": [ - "Enrichment" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Improved layout and added Recorded Future Collective Insights." - ] - }, - { - "version": "1.2", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Fixed risk rule severity and correct image url." - ] - }, - { - "version": "2.3", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Updated readme and improved layout." - ] - }, - { - "version": "2.4", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Handle 404 result from enrichment." - ] - }, - { - "version": "2.5", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Backend rendered markdown/html to increse performance and reduce cost of enrichment." - ] - }, - { - "version": "2.6", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Shorten name from RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash. Renamed API connections" - ] - }, - { - "version": "2.7", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Reduce concurrency to 1." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-IOC_Enrichment", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-Playbook-Alert-Importer", - "type": "string" - }, - "create_incident": { - "type": "String", - "defaultValue": "false", - "metadata": { - "description": "Create Microsoft Sentinel incidents (possible values true/false)" - } - } - }, - "variables": { - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "RecordedFutureConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "create_incident": { - "type": "String", - "defaultValue": "[[parameters('create_incident')]" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 1 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 1 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Search_Playbook_Alerts')", - "actions": { - "Get_Playbook_Alert_by_ID": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" - } - }, - "method": "get", - "path": "/playbook-alert/@{encodeURIComponent(items('For_each')?['playbook_alert_id'])}" - } - }, - "Create_incident_if_parameter_is_set-copy": { - "actions": { - "Add_comment_to_incident_(V3)": { - "runAfter": { - "Create_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@body('Create_incident')?['id']", - "message": "

**Recorded Future Alert** @{body('Get_Playbook_Alert_by_ID')?['title']}

Playbook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}

Playbook Alert Type: @{items('For_each')?['category']}

Playbook Alert Priority: @{items('For_each')?['priority']}

Playbook Alert Status: @{item()?['status']}

Playbook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}

[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})


Evidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}


created_date: @{items('For_each')?['created']}

updated_date: @{items('For_each')?['updated']}

" - }, - "path": "/Incidents/Comment" - } - }, - "Create_incident": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "body": { - "title": "@body('Get_Playbook_Alert_by_ID')?['title']", - "severity": "Medium", - "status": "New", - "description": "**Recorded Future Alert**\n@{body('Get_Playbook_Alert_by_ID')?['title']}\nPlaybook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}\nPlaybook Alert Type: @{items('For_each')?['category']}\nPlaybook Alert Priority: @{items('For_each')?['priority']}\nPlaybook Alert Status: @{item()?['status']}\nPlaybook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}\n[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})\n\nEvidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\n\ncreated_date: @{items('For_each')?['created']}\nupdated_date: @{items('For_each')?['updated']}\n\n", - "tagsToAdd": { - "TagsToAdd": [ - { - "Tag": "Recorded Future Playbook Alert" - }, - { - "Tag": "RFPAID:@{item()?['playbook_alert_id']}" - } - ] - } - }, - "path": "/Incidents/subscriptions/5129b3ff-c0c6-4e86-bd1c-70e5fcd579cf/resourceGroups/RF-SaaS-V3.2.2/workspaces/RF-SaaS-V3-2-2" - } - } - }, - "runAfter": { - "Send_Data": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "equals": [ - "@parameters('create_incident')", - "true" - ] - } - ] - }, - "type": "If" - }, - "Send_Data": { - "runAfter": { - "Get_Playbook_Alert_by_ID": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "{\n\"title\": \" @{items('For_each')?['title']}\",\n\"id\": \"@{body('Get_Playbook_Alert_by_ID')?['id']}\",\n\"category\":\"@{items('For_each')?['category']}\",\n\"rule_label\":\"@{coalesce(body('Get_Playbook_Alert_by_ID')?['rule_label'],items('For_each')?['category'])}\",\n\"status\": \"@{items('For_each')?['status']}\", \n\"priority\": \"@{items('For_each')?['priority']}\",\n\"created_date\": \"@{items('For_each')?['created']}\",\n\"updated_date\": \"@{items('For_each')?['updated']}\",\n\"targets\":\"@{body('Get_Playbook_Alert_by_ID')?['targets']}\",\n\"evidence_summary\": \"@{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\",\n\"link\": \"@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])}\"\n}", - "headers": { - "Log-Type": "RecordedFuturePlaybookAlerts" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - "path": "/api/logs" - } - } - }, - "runAfter": { - "Search_Playbook_Alerts": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Search_Playbook_Alerts": { - "type": "ApiConnection", - "inputs": { - "body": { - "updated_from_relative": "-1", - "categories": "[variables('TemplateEmptyArray')]" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" - } - }, - "method": "post", - "path": "/playbook-alert/search" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azureloganalyticsdatacollector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" - }, - "recordedfuturev2": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", - "connectionName": "[[variables('RecordedFutureConnectionName')]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "PlaybookAlert-Import", - "hidden-SentinelTemplateVersion": "1.3", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-4')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", - "kind": "Playbook", - "version": "[variables('playbookVersion2')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-Playbook-Alert-Importer", - "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace.", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-07-09T00:00:00Z", - "tags": [ - "Alert" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Playbook-Alert-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "RecordedFuture-Playbook-Alert-Importer", - "notes": [ - "Changed default search parameters for playbook alert serach." - ] - }, - { - "version": "1.2", - "title": "RecordedFuture-Playbook-Alert-Importer", - "notes": [ - "API connector renaming." - ] - }, - { - "version": "1.3", - "title": "RecordedFuture-Playbook-Alert-Importer", - "notes": [ - "Added Incident creation." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId2')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-Playbook-Alert-Importer", - "contentProductId": "[variables('_playbookcontentProductId2')]", - "id": "[variables('_playbookcontentProductId2')]", - "version": "[variables('playbookVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-AlertImporter Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-AlertImporter", - "type": "string" - }, - "create_incident": { - "type": "string", - "metadata": { - "description": "Create Microsoft Sentinel incidents (possible values true/false)" - } - }, - "workspace_name": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Microsoft Sentinel Workspace name" - } - } - }, - "variables": { - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "Recordedfuturev2ConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-4": "[[variables('connection-4')]", - "connection-5": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-5": "[[variables('connection-5')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "create_incident": { - "type": "string", - "defaultValue": "[[parameters('create_incident')]" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 1 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 1 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each_triggered_alert": { - "foreach": "@body('Search_Triggered_Alerts')?['data']", - "actions": { - "Create_incident_if_parameter_is_set": { - "actions": { - "Add_comment_to_incident_(V3)": { - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Create_incident')?['id']", - "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Create_incident": { - "type": "ApiConnection", - "inputs": { - "body": { - "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", - "severity": "Medium", - "status": "New", - "tagsToAdd": { - "TagsToAdd": [ - { - "Tag": "Recorded Future Alert" - } - ] - }, - "title": "@items('For_each_triggered_alert')?['title']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "[[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]" - } - }, - "Parse_JSON_2": { - "runAfter": { - "Create_incident": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_triggered_alert')?['hits']", - "schema": { - "items": { - "properties": { - "document": { - "properties": { - "authors": { - "type": "array" - }, - "source": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": [ - "object", - "null" - ] - }, - "title": { - "type": [ - "string", - "null" - ] - } - }, - "type": "object" - }, - "entities": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "fragment": { - "type": "string" - }, - "id": { - "type": "string" - }, - "language": { - "type": "string" - } - }, - "required": [ - "entities", - "document", - "fragment", - "id", - "language", - "primary_entity", - "analyst_note" - ], - "type": "object" - }, - "type": "array" - } - } - } - }, - "runAfter": { - "For_each_hit": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "equals": [ - "@parameters('create_incident')", - "true" - ] - } - ] - }, - "type": "If" - }, - "For_each_hit": { - "foreach": "@items('For_each_triggered_alert')['hits']", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_hit')", - "schema": { - "properties": { - "document": { - "properties": { - "authors": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "source": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": [ - "object", - "null" - ] - }, - "title": { - "type": [ - "string", - "null" - ] - } - }, - "type": "object" - }, - "entities": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "fragment": { - "type": "string" - }, - "id": { - "type": "string" - }, - "language": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Send_Data_2": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(replace(items('For_each_triggered_alert')?['title'], '\\', '\\\\'), '\"', '\\\"')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}", - "headers": { - "Log-Type": "RecordedFuturePortalAlerts" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - "path": "/api/logs" - } - } - }, - "type": "Foreach" - } - }, - "runAfter": { - "Search_Triggered_Alerts": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "latest_event_date", - "type": "string", - "value": "@{addHours(utcNow(), -24)}" - } - ] - } - }, - "Run_query_and_list_results": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))", - "host": { - "connection": { - "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" - } - }, - "method": "post", - "path": "/queryData", - "queries": { - "resourcegroups": "[[resourceGroup().name]", - "resourcename": "[[parameters('workspace_name')]", - "resourcetype": "Log Analytics Workspace", - "subscriptions": "[[subscription().subscriptionId]", - "timerange": "Last 7 days" - } - } - }, - "Search_Triggered_Alerts": { - "runAfter": { - "Set_variable": [ - "Succeeded", - "Skipped" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" - } - }, - "method": "get", - "path": "/v2/alerts", - "queries": { - "triggered": "[[[@{addSeconds(variables('latest_event_date'),1)},@{utcNow()}]" - } - } - }, - "Set_variable": { - "runAfter": { - "Run_query_and_list_results": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "latest_event_date", - "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azureloganalyticsdatacollector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" - }, - "azuremonitorlogs": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", - "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "recordedfuturev2": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]", - "connectionName": "[[variables('Recordedfuturev2ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-AlertImporter", - "hidden-SentinelTemplateVersion": "1.3", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzuremonitorlogsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzuremonitorlogsConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-4')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Recordedfuturev2ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Recordedfuturev2ConnectionName')]", - "api": { - "id": "[[variables('_connection-5')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", - "kind": "Playbook", - "version": "[variables('playbookVersion3')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-Alert-Importer", - "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident. ", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-08-23T00:00:00Z", - "tags": [ - "Alert" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Alert-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "RecordedFuture-Alert-Importer", - "notes": [ - "Fixed ARM encoding" - ] - }, - { - "version": "1.2", - "title": "RecordedFuture-Alert-Importer", - "notes": [ - "API connector renaming." - ] - }, - { - "version": "1.3", - "title": "RecordedFuture-Alert-Importer", - "notes": [ - "Encoding and latest_event_date fix." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId3')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-AlertImporter", - "contentProductId": "[variables('_playbookcontentProductId3')]", - "id": "[variables('_playbookcontentProductId3')]", - "version": "[variables('playbookVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion4')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "string" - }, - "WorkspaceID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Microsoft Sentinel WorkspaceID, guid format (example:75a5bccc-7a5c-4e3f-ad57-36be224c4d2e). WorkspaceID can be found under Log Analytics Workspaces blade. " - } - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Batch_messages": { - "type": "Batch", - "inputs": { - "configurations": { - "RFImportToSentinel": { - "releaseCriteria": { - "messageCount": 100, - "recurrence": { - "frequency": "Minute", - "interval": 2 - } - } - } - }, - "mode": "Inline" - } - } - }, - "actions": { - "Select": { - "type": "Select", - "inputs": { - "from": "@triggerBody()['items']", - "select": "@item()['content']" - } - }, - "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": { - "runAfter": { - "Select": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "indicators": "@body('Select')", - "sourcesystem": "Recorded Future" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" - } - }, - "method": "post", - "path": "[[concat( '/V2/ThreatIntelligence/',parameters('WorkspaceID'),'/UploadIndicators/')]", - "retryPolicy": { - "count": 10, - "interval": "PT20S", - "maximumInterval": "PT1H", - "minimumInterval": "PT10S", - "type": "exponential" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel_1": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-ThreatIntelligenceImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId4')]", - "contentId": "[variables('_playbookContentId4')]", - "kind": "Playbook", - "version": "[variables('playbookVersion4')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-ThreatIntelligenceImport", - "description": "This playbook will write indicators in batch to ThreatIntelligenceIndicator log analytics table.", - "prerequisites": [ - "Microsoft Sentinel Threat Intelligence active" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-ThreatIntelligenceImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "RecordedFuture-ThreatIntelligenceImport", - "notes": [ - "Fixed Api connection" - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId4')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-ThreatIntelligenceImport", - "contentProductId": "[variables('_playbookcontentProductId4')]", - "id": "[variables('_playbookcontentProductId4')]", - "version": "[variables('playbookVersion4')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion5')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-Domain-IndicatorImport", - "type": "string" - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String" - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 2 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "RecordedFuture-ImportToSentinel": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "created": "@{utcNow()}", - "description": "Recorded Future - Domains - Command and Control Activity", - "id": "indicator--@{guid()}", - "indicator_types": [ - "malicious-activity" - ], - "labels": [ - "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" - ], - "modified": "@{utcNow()}", - "name": "@{body('Parse_JSON')?['Name']}", - "pattern": "[[[domain-name:value = '@{body('Parse_JSON')?['Name']}']", - "pattern_type": "stix", - "spec_version": "2.1", - "type": "indicator", - "valid_from": "@{utcNow()}", - "valid_until": "@{addHours(utcNow(),2)}" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/domain_c2_dns.json" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - "connectionName": "[[variables('RecordedfutureConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-Domain-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId5')]", - "contentId": "[variables('_playbookContentId5')]", - "kind": "Playbook", - "version": "[variables('playbookVersion5')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-Domain-IndicatorImport", - "description": "This playbook imports Domain risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", - "prerequisites": [ - "First install the RecordedFuture-ThreatIntelligenceImport playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Domain-IndicatorImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId5')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-Domain-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId5')]", - "id": "[variables('_playbookcontentProductId5')]", - "version": "[variables('playbookVersion5')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion6')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-Hash-IndicatorImport", - "type": "string" - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String" - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "RecordedFuture-ImportToSentinel": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "created": "@{utcNow()}", - "description": "Recorded Future - HASH - Observed in Underground Virus Testing Sites", - "id": "indicator--@{guid()}", - "indicator_types": [ - "malicious-activity" - ], - "labels": [ - "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" - ], - "modified": "@{utcNow()}", - "name": "@{body('Parse_JSON')?['Name']}", - "pattern": "[[[file:hashes.'@{body('Parse_JSON')?['Algorithm']}' = '@{body('Parse_JSON')?['Name']}']", - "pattern_type": "stix", - "spec_version": "2.1", - "type": "indicator", - "valid_from": "@{utcNow()}", - "valid_until": "@{addHours(utcNow(),24)}" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/hash_observed_testing.json" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - "connectionName": "[[variables('RecordedfutureConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-Hash-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId6')]", - "contentId": "[variables('_playbookContentId6')]", - "kind": "Playbook", - "version": "[variables('playbookVersion6')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-Hash-IndicatorImport", - "description": "This playbook imports Hash risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", - "prerequisites": [ - "First install the RecordedFuture-ThreatIntelligenceImport playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Hash-IndicatorImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId6')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-Hash-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId6')]", - "id": "[variables('_playbookcontentProductId6')]", - "version": "[variables('playbookVersion6')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion7')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-IP-IndicatorImport", - "type": "string" - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String" - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "RecordedFutureThreatIntelligenceImport": "[[parameters('PlaybookNameBatching')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 1 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "RecordedFuture-ThreatIntelligenceImport": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "created": "@{utcNow()}", - "description": "Recorded Future - IP - Actively Communicating C&C Server", - "id": "indicator--@{guid()}", - "indicator_types": [ - "malicious-activity" - ], - "labels": [ - "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" - ], - "modified": "@{utcNow()}", - "name": "@{body('Parse_JSON')?['Name']}", - "pattern": "[[[ipv4-addr:value = '@{body('Parse_JSON')?['Name']}']", - "pattern_type": "stix", - "spec_version": "2.1", - "type": "indicator", - "valid_from": "@{utcNow()}", - "valid_until": "@{addHours(utcNow(),1)}" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/ip_active_c2.json" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - "connectionName": "[[variables('RecordedfutureConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-IP-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId7')]", - "contentId": "[variables('_playbookContentId7')]", - "kind": "Playbook", - "version": "[variables('playbookVersion7')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-IP-IndicatorImport", - "description": "This playbook imports IP risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", - "prerequisites": [ - "First install the RecordedFuture-ThreatIntelligenceImport playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", - "Refer to [Recorded Future Logic App - Threat Intelligence Import](../readme.md) documentation for deployment instructions." - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T17:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-IP-IndicatorImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId7')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-IP-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId7')]", - "id": "[variables('_playbookcontentProductId7')]", - "version": "[variables('playbookVersion7')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion8')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-URL-IndicatorImport", - "type": "string" - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String" - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 2 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "RecordedFuture-ImportToSentinel": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "created": "@{utcNow()}", - "description": "Recorded Future - URL - Recently Reported by Insikt Group", - "id": "indicator--@{guid()}", - "indicator_types": [ - "malicious-activity" - ], - "labels": [ - "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" - ], - "modified": "@{utcNow()}", - "name": "@{body('Parse_JSON')?['Name']}", - "pattern": "[[[url:value = '@{body('Parse_JSON')?['Name']}']", - "pattern_type": "stix", - "spec_version": "2.1", - "type": "indicator", - "valid_from": "@{utcNow()}", - "valid_until": "@{addHours(utcNow(),2)}" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/url_insikt.json" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - "connectionName": "[[variables('RecordedfutureConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-URL-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId8')]", - "contentId": "[variables('_playbookContentId8')]", - "kind": "Playbook", - "version": "[variables('playbookVersion8')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-URL-IndicatorImport", - "description": "This playbook imports URL risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", - "prerequisites": [ - "First install the RecordedFuture-ThreatIntelligenceImport playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-URL-IndicatorImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId8')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-URL-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId8')]", - "id": "[variables('_playbookcontentProductId8')]", - "version": "[variables('playbookVersion8')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion9')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-Sandbox_Enrichment-Url", - "type": "string" - }, - "Sandbox API Key": { - "type": "string", - "metadata": { - "description": "Enter value for Sandbox API Key. Retrive API Key from [Recorded Future Portal](https://sandbox.recordedfuture.com/account)" - } - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "Sandbox API Key": { - "defaultValue": "[[parameters('Sandbox API Key')]", - "type": "string" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Entities_-_Get_URLs": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/url" - } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_URLs')?['URLs']", - "actions": { - "Add_comment_to_incident_(V3)": { - "runAfter": { - "Get_the_full_report": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Get_the_full_report')?['html_report']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Get_the_full_report": { - "runAfter": { - "Wait_for_sandbox_report": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "headers": { - "SandboxToken": "@parameters('Sandbox API Key')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" - } - }, - "method": "get", - "path": "/samples/@{encodeURIComponent(body('Get_the_full_summary')?['id'])}/overview.json" - } - }, - "Initialize_Sandbox_status": { - "runAfter": { - "Submit_url_samples": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "sandbox_status", - "value": "@body('Submit_url_samples')?['status']" - } - }, - "Submit_url_samples": { - "type": "ApiConnection", - "inputs": { - "body": { - "url": "@items('For_each')?['Url']" - }, - "headers": { - "Content-Type": "application/json", - "SandboxToken": "@parameters('Sandbox API Key')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" - } - }, - "method": "post", - "path": "/samples/url" - } - }, - "Wait_for_sandbox_report": { - "actions": { - "Delay": { - "runAfter": { - "Set_sandbox_status": [ - "Succeeded" - ] - }, - "type": "Wait", - "inputs": { - "interval": { - "count": 2, - "unit": "Minute" - } - } - }, - "Get_the_full_summary": { - "type": "ApiConnection", - "inputs": { - "headers": { - "SandboxToken": "@parameters('Sandbox API Key')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" - } - }, - "method": "get", - "path": "/samples/@{encodeURIComponent(body('Submit_url_samples')?['id'])}" - } - }, - "Set_sandbox_status": { - "runAfter": { - "Get_the_full_summary": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "sandbox_status", - "value": "@body('Get_the_full_summary')?['status']" - } - } - }, - "runAfter": { - "Initialize_Sandbox_status": [ - "Succeeded" - ] - }, - "expression": "@equals(variables('sandbox_status'), 'reported')", - "limit": { - "count": 60, - "timeout": "PT1H" - }, - "type": "Until" - } - }, - "runAfter": { - "Define_sandbox_status": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Define_sandbox_status": { - "runAfter": { - "Entities_-_Get_URLs": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "sandbox_status", - "type": "string" - } - ] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "recordedfuturesandbo": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - "connectionName": "recordedfuturesandbo", - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId9')]", - "contentId": "[variables('_playbookContentId9')]", - "kind": "Playbook", - "version": "[variables('playbookVersion9')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-Sandbox_Enrichment-Url", - "description": "This playbook will enrich url entities in an incident and send them to Recorded Future Sandbox. The result will be written as a incident comment.", - "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", - "postDeployment": [ - "After deployment you have to open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "entities": [ - "url" - ], - "tags": [ - "Enrichment" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Sandbox_Enrichment-Url", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId9')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-Sandbox_Enrichment-Url", - "contentProductId": "[variables('_playbookcontentProductId9')]", - "id": "[variables('_playbookcontentProductId9')]", - "version": "[variables('playbookVersion9')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-CustomConnector Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion10')]", - "parameters": { - "ConnectorName": { - "defaultValue": "RecordedFuture-CustomConnector", - "type": "String", - "metadata": { - "description": "Recorded Future Custom Connector" - } - }, - "ServiceEndpoint": { - "defaultValue": "https://api.recordedfuture.com/gw/azure", - "type": "String", - "metadata": { - "description": "Recorded Future API" - } - } - }, - "variables": { - "operationId-IP_Enrichment": "IP_Enrichment", - "_operationId-IP_Enrichment": "[[variables('operationId-IP_Enrichment')]", - "operationId-Threat_Map_Actors": "Threat_Map_Actors", - "_operationId-Threat_Map_Actors": "[[variables('operationId-Threat_Map_Actors')]", - "operationId-Threat_Map_Malware": "Threat_Map_Malware", - "_operationId-Threat_Map_Malware": "[[variables('operationId-Threat_Map_Malware')]", - "operationId-Domain_Enrichment": "Domain_Enrichment", - "_operationId-Domain_Enrichment": "[[variables('operationId-Domain_Enrichment')]", - "operationId-Url_Enrichment": "Url_Enrichment", - "_operationId-Url_Enrichment": "[[variables('operationId-Url_Enrichment')]", - "operationId-Hash_Enrichment": "Hash_Enrichment", - "_operationId-Hash_Enrichment": "[[variables('operationId-Hash_Enrichment')]", - "operationId-Vuln_Enrichment": "Vuln_Enrichment", - "_operationId-Vuln_Enrichment": "[[variables('operationId-Vuln_Enrichment')]", - "operationId-Alert_Rules_Search": "Alert_Rules_Search", - "_operationId-Alert_Rules_Search": "[[variables('operationId-Alert_Rules_Search')]", - "operationId-Alert_Not_Search": "Alert_Not_Search", - "_operationId-Alert_Not_Search": "[[variables('operationId-Alert_Not_Search')]", - "operationId-Alert_Not_Lookup": "Alert_Not_Lookup", - "_operationId-Alert_Not_Lookup": "[[variables('operationId-Alert_Not_Lookup')]", - "operationId-Rislk_List_Download": "Rislk_List_Download", - "_operationId-Rislk_List_Download": "[[variables('operationId-Rislk_List_Download')]", - "operationId-Soar_Bulk_Lookup": "Soar_Bulk_Lookup", - "_operationId-Soar_Bulk_Lookup": "[[variables('operationId-Soar_Bulk_Lookup')]", - "operationId-STIX_Indicators": "STIX_Indicators", - "_operationId-STIX_Indicators": "[[variables('operationId-STIX_Indicators')]", - "operationId-STIX_MalwareIndicators": "STIX_MalwareIndicators", - "_operationId-STIX_MalwareIndicators": "[[variables('operationId-STIX_MalwareIndicators')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "playbookContentId10": "RecordedFuture-CustomConnector", - "playbookId10": "[[resourceId('Microsoft.Web/customApis', parameters('ConnectorName'))]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/customApis", - "apiVersion": "2016-06-01", - "name": "[[parameters('ConnectorName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "connectionParameters": { - "api_key": { - "type": "securestring" - } - }, - "backendService": { - "serviceUrl": "[[parameters('ServiceEndPoint')]" - }, - "capabilities": "[variables('TemplateEmptyArray')]", - "brandColor": "#FFFFFF", - "description": "Recorded Future Connector enables access to the Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files.", - "displayName": "[[parameters('ConnectorName')]", - "iconUri": "data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT/wAARCAAoADADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD9U6a7rGpZ2CqoyWY4Ap1YXjjwXpvxC8K6h4d1hZX02+QJMIZDG+AwYYYdOVFVHlckpOyJlzKLcVdniXxW8VeJvF/ir4ofD2wSO4tY/Cq3NnBGoWRpnIDfOSOoYjB44Fa/wz8ZeIdL+JujeAdRaOKwsfBlreSwsoMi3IKoxL55GMj04rzjx5p+m+G/id8VYLnT573RbLwLbxfZlnaNpI1KKq+bgkH5evPQ9a0PBvh3S/GPxkt9LaznttC1L4b20HkeczOkLuo2+ZwSQOM98V9U6VP6va3u8t9uvLHXff8Aq58sqtT6xe/vc1t+nNLTbb+rH1SrBlDKQVIyCOhpay/C/h2z8I+HdN0TTldbHT4Et4RI5dtijAyT1NalfKStd22Pqo3sr7nnvgr45eHPHV5pttaRanYtqkTS6fJqNi8Ed4qrubynPysQuTjOcAntXZnXtMXT5b86jaCxiJEl156+UhBwctnA5r5TH7OvifRfBOjLNczCb/hHLmxmGpaqDBol2y482PL7QjoWiOzO3dkcE1f0H4X3mrXMGsaZpFtqlpYX9rPeeG21LT2ju1SKZAwjt0WFWUyAgu2X2c7doz79TBYVtypVNPl3+W//AAdmeDTxuKVo1aer9e36f8DdM+ifFcHhzxN4fk0jWbq0fTtciNsqtciM3KsOkbAgk88bfWrGlz6D4d0yHT7S7s7a1023WAI1wpMMSYQBiTnAIAye9fP2tfBTxBcR6o0fgfSXj1jR20+zs471CmhSmaV/My/Y+YrHys4ZMAYwaZo/7P2t6R4atJr3QbXXtVtfFEuoXtvNLEJNVs8MEy7HafmIkCOQMjnmsvq1Dks62l9tP8/l/wAA1+s1ue6o6231/wAvn/wT3vQPiDofiK3vp7a8WGKz1CXS3e5IjDTxkBlUk/N14x1pvj34iaH8N/D9/rGs3Oy3so0llihw82xpFjDBM5I3MBmvmiP4C+KbCbUtQv8AQUXRZrjURFosNzYlbRZpFZJQ06tGqlRsJXDrsGARxVjx58BPFGo+B/FWj2nhm38R6rqS2Mun6/PqMLTQRRRwI1vvcIxI8t8EBVYOScH5TqsDhPaxvV9266rur63+f5XMnjcV7OVqT5rdn2dtLf11se2ftIK0nwJ8bKqlmOmyYAGT2ri4G1P4ReKPB8usnRdK0XUJLqK8k8O6W9vDIwgBt1mA3Fm3b9vuSO9FFZ4P36caL2k5X/8AAUaYz3akqq3io2/8CZ5HbeIvEqre+JTrusp4ivPCIuLRe87x3cgkVV28lI13kDkEk+1d/rHxE1fxz8XF0vQPE2o2nhu91CwgjuLJNn7t7K6eTyy6d2jX5scEcdKKK9+rShyzqWV0nbRd1+VvxZ4NKrNShTu7Nq+r7frfX5D/AId674p8U+NINJ1/VpJmmubuHVdFupHdo4Yy/kMsS2wEJBWI+Y0pEgJ6lgB9JWtvHZ28UES7Yo1CKMk8D3NFFfN5laNSKirK1z6PLbypycnd3t+R/9k=", - "swagger": { - "swagger": "2.0", - "info": { - "title": "Recorded Future V2", - "description": "Recorded Future Connector enables access to the Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files", - "contact": { - "name": "Recorded Future Support", - "url": "https://support.recordedfuture.com", - "email": "support@recordedfuture.com" - }, - "version": "1.0" - }, - "host": "api.recordedfuture.com", - "basePath": "/gw/azure", - "schemes": [ - "https" - ], - "paths": { - "/lookup/ip/{ip}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "intelCard": { - "type": "string", - "description": "Recorded Future Intelligence Card Link", - "title": "intelCard", - "x-ms-visibility": "important" - }, - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Indicator Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Indicator Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" - }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": "string", - "description": "Recorded Future Indicator Risk Rules", - "title": "rule", - "x-ms-visibility": "important" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "IP Enrichment", - "description": "IP Enrichment with Recorded Future data", - "operationId": "[[variables('_operationId-IP_Enrichment')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "ip", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The IP address to lookup. Must be a single IP address", - "x-ms-summary": "IP input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." - } - ] - } - }, - "/threat/map/actors": { - "post": { - "tags": [ - "Threat Hunt" - ], - "summary": "Fetch Threat Map actors", - "description": "Fetch Threat Map data for the enterprise's primary organization with filters.", - "operationId": "[[variables('_operationId-Threat_Map_Actors')]", - "x-ms-visibility": "important", - "consumes": [ - "application/json" - ], - "parameters": [ - { - "name": "body", - "in": "body", - "required": true, - "x-ms-visibility": "important", - "schema": { - "type": "object", - "x-ms-visibility": "important", - "properties": { - "actors": { - "description": "List of actors", - "type": "array", - "items": { - "type": "string", - "description": "Description actor1", - "title": "Title actor1", - "x-ms-visibility": "important" - } - }, - "categories": { - "description": "List of categories", - "type": "array", - "items": { - "type": "string", - "description": "Description category1", - "title": "Title category1", - "x-ms-visibility": "important" - } - }, - "watchlists": { - "description": "List of watchlists", - "type": "array", - "items": { - "type": "string", - "description": "Description watchlist1", - "title": "Title watchlist1", - "x-ms-visibility": "important" - } - } - }, - "required": [ - "actors", - "categories", - "watchlists" - ] - } - } - ], - "responses": { - "200": { - "description": "Returns Threat Map", - "schema": { - "type": "object", - "properties": { - "data": { - "$ref": "#/definitions/ThreatMapActors" - } - } - } - } - } - } - }, - "/threat/map/malware": { - "post": { - "tags": [ - "Threat Hunt" - ], - "summary": "Fetch Threat Map malware", - "description": "Fetch Threat Map data for the enterprise's primary organization with filters.", - "operationId": "[[variables('_operationId-Threat_Map_Malware')]", - "x-ms-visibility": "important", - "consumes": [ - "application/json" - ], - "parameters": [ - { - "name": "body", - "in": "body", - "required": true, - "x-ms-visibility": "important", - "schema": { - "type": "object", - "x-ms-visibility": "important", - "properties": { - "malware": { - "description": "List of malware", - "type": "array", - "items": { - "type": "string", - "description": "Description malware1", - "title": "Title malware1", - "x-ms-visibility": "important" - } - }, - "categories": { - "description": "List of categories", - "type": "array", - "items": { - "type": "string", - "description": "Description category1", - "title": "Title category1", - "x-ms-visibility": "important" - } - }, - "watchlists": { - "description": "List of watchlists", - "type": "array", - "items": { - "type": "string", - "description": "Description watchlist1", - "title": "Title watchlist1", - "x-ms-visibility": "important" - } - } - }, - "required": [ - "malware", - "categories", - "watchlists" - ] - } - } - ], - "responses": { - "200": { - "description": "Returns Threat Map", - "schema": { - "type": "object", - "properties": { - "data": { - "$ref": "#/definitions/ThreatMapMalware" - } - } - } - } - } - } - }, - "/lookup/domain/{domain}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "intelCard": { - "type": "string", - "description": "Recorded Future Intelligence Card Link", - "title": "intelCard", - "x-ms-visibility": "important" - }, - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Indicator Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Indicator Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" - }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": "string", - "description": "Recorded Future Indicator Risk Rules", - "title": "rule", - "x-ms-visibility": "advanced" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "Domain Enrichment", - "description": "Domain Enrichment with Recorded Future data", - "operationId": "[[variables('_operationId-Domain_Enrichment')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "domain", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The domain to lookup. Must be a single domain", - "x-ms-summary": "Domain input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." - } - ] - } - }, - "/lookup/url/{url}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Indicator Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Indicator Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" - }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": "string", - "description": "Recorded Future Indicator Risk Rules", - "title": "rule", - "x-ms-visibility": "important" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "URL Enrichment", - "description": "URL Enrichment with Recorded Future data", - "operationId": "[[variables('_operationId-Url_Enrichment')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "url", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The URL to lookup. Must be a single URL", - "x-ms-summary": "URL input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." - } - ] - } - }, - "/lookup/hash/{hash}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "intelCard": { - "type": "string", - "description": "Recorded Future Intelligence Card Link", - "title": "intelCard", - "x-ms-visibility": "important" - }, - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Indicator Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Indicator Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" - }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": "string", - "description": "Recorded Future Indicator Risk Rules", - "title": "rule", - "x-ms-visibility": "important" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "Hash Enrichment", - "description": "Hash Enrichment with Recorded Future data", - "operationId": "[[variables('_operationId-Hash_Enrichment')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "hash", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The HASH to lookup. Must be a single HASH", - "x-ms-summary": "HASH input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." - } - ] - } - }, - "/lookup/vulnerability/{id}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "intelCard": { - "type": "string", - "description": "Recorded Future Intelligence Card Link", - "title": "intelCard", - "x-ms-visibility": "important" - }, - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Vulnerability Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Vulnerability Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" - }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": "string", - "description": "Recorded Future Vulnerability Risk Rules", - "title": "rule", - "x-ms-visibility": "important" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "Vulnerability Enrichment", - "description": "Vulnerability Enrichment with Recorded Future data", - "parameters": [ - { - "name": "id", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The Vulnerability ID (CVE, name) to lookup. Must be a single Vulnerability ID (CVE, name)", - "x-ms-summary": "Vulnerability ID (CVE, name) input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." - } - ], - "operationId": "[[variables('_operationId-Vuln_Enrichment')]", - "x-ms-visibility": "advanced" - } - }, - "/alert/rules": { - "get": { - "tags": [ - "Alerts" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "results": { - "type": "array", - "items": { - "type": "object", - "properties": { - "title": { - "type": "string", - "description": "Title", - "title": "Alert Rule Title", - "x-ms-visibility": "advanced" - }, - "id": { - "type": "string", - "description": "Id", - "title": "Alert Rule ID", - "x-ms-visibility": "important" - } - } - }, - "description": "Results" - } - }, - "description": "Data" - }, - "counts": { - "type": "object", - "properties": { - "returned": { - "type": "integer", - "format": "int32", - "description": "Returned", - "title": "Returned Number of Alert Rules", - "x-ms-visibility": "advanced" - }, - "total": { - "type": "integer", - "format": "int32", - "description": "Total", - "title": "Total Number of Alert Rules", - "x-ms-visibility": "advanced" - } - }, - "description": "Counts" - } - } - } - } - }, - "summary": "Search Alert Rules", - "description": "Search Recorded Future UI Alert Rules", - "operationId": "[[variables('_operationId-Alert_Rules_Search')]", - "x-ms-visibility": "advanced", - "parameters": [ - { - "name": "freetext", - "in": "query", - "required": false, - "type": "string", - "description": "Freetext search for Alert Rule Name", - "x-ms-visibility": "advanced", - "x-ms-summary": "Freetext search" - }, - { - "name": "limit", - "in": "query", - "required": false, - "type": "integer", - "default": 10, - "x-ms-visibility": "advanced", - "description": "Maximum number of records", - "x-ms-summary": "Maximum number of records" - } - ] - } - }, - "/alert/search": { - "get": { - "tags": [ - "Alerts" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "$ref": "#/definitions/AlertSearch" - } - } - }, - "summary": "Search Alert Notifications", - "operationId": "[[variables('_operationId-Alert_Not_Search')]", - "x-ms-visibility": "advanced", - "parameters": [ - { - "name": "triggered", - "in": "query", - "required": false, - "type": "string", - "description": "All Elasticsearch compatible date formats are valid.", - "x-ms-summary": "Triggered", - "x-ms-visibility": "advanced" - }, - { - "name": "alertRule", - "in": "query", - "required": true, - "type": "string", - "description": "Alert Rule ID", - "x-ms-visibility": "important", - "x-ms-summary": "Alert Rule ID" - }, - { - "name": "limit", - "in": "query", - "required": false, - "type": "integer", - "default": 10, - "x-ms-visibility": "advanced", - "description": "Maximum number of records", - "x-ms-summary": "Maximum number of records" - }, - { - "name": "from", - "in": "query", - "required": false, - "type": "integer", - "description": "Records from offset", - "x-ms-visibility": "advanced", - "x-ms-summary": "Records from offset" - } - ], - "description": "Search Alert Notifications" - } - }, - "/alert/{id}": { - "get": { - "tags": [ - "Alerts" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "$ref": "#/definitions/AlertLookup" - } - } - }, - "summary": "Lookup Alert Notification", - "description": "Lookup Alert Notification", - "operationId": "[[variables('_operationId-Alert_Not_Lookup')]", - "parameters": [ - { - "name": "id", - "in": "path", - "required": true, - "type": "string", - "description": "Alert Notification ID", - "x-ms-visibility": "important", - "x-ms-summary": "Alert Notification ID", - "x-ms-url-encoding": "single" - } - ], - "x-ms-visibility": "advanced" - } - }, - "/fusion/files": { - "get": { - "tags": [ - "Fusion Files" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "array", - "items": { - "type": "object", - "properties": { - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "RiskString": { - "type": "string" - }, - "EvidenceDetails": { - "type": "object", - "properties": { - "EvidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "Rule": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "CriticalityLabel": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - }, - "MitigationString": { - "type": "string" - }, - "Criticality": { - "type": "integer" - } - } - } - } - } - } - } - } - } - } - }, - "summary": "Recorded Future RiskLists and SCF Download", - "description": "Recorded Future RiskList & Security Control Feeds Download", - "operationId": "[[variables('_operationId-Rislk_List_Download')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "path", - "in": "query", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "enum": [ - "/public/MicrosoftAzure/ip_default.json", - "/public/MicrosoftAzure/ip_gt_90.json", - "/public/MicrosoftAzure/ip_active_c2.json", - "/public/MicrosoftAzure/ip_current_c2.json", - "/public/MicrosoftAzure/ip_botnet.json", - "/public/MicrosoftAzure/ip_insikt.json", - "/public/MicrosoftAzure/ip_phishing.json", - "/public/MicrosoftAzure/domain_default.json", - "/public/MicrosoftAzure/domain_gt_90.json", - "/public/MicrosoftAzure/domain_c2_dns.json", - "/public/MicrosoftAzure/domain_ransomware_payment.json", - "/public/MicrosoftAzure/domain_recent_weaponized.json", - "/public/MicrosoftAzure/domain_insikt.json", - "/public/MicrosoftAzure/domain_covid_lure.json", - "/public/MicrosoftAzure/domain_phishing.json", - "/public/MicrosoftAzure/url_gt_90.json", - "/public/MicrosoftAzure/url_c2.json", - "/public/MicrosoftAzure/url_ransomware_distribution.json", - "/public/MicrosoftAzure/url_compromised.json", - "/public/MicrosoftAzure/url_insikt.json", - "/public/MicrosoftAzure/url_malware_verdict.json", - "/public/MicrosoftAzure/hash_targeting_vulns.json", - "/public/MicrosoftAzure/hash_observed_testing.json", - "/public/MicrosoftAzure/hash_malware_ssl.json", - "/public/MicrosoftAzure/vuln_default.json", - "/public/MicrosoftAzure/vuln_gt_90.json", - "/public/MicrosoftAzure/vuln_recent_active_malware.json", - "/public/MicrosoftAzure/vuln_recent_exploit_kit.json", - "/public/MicrosoftAzure/vuln_recent_ransomware.json", - "/public/MicrosoftAzure/vuln_recent_rat.json", - "/public/MicrosoftAzure/vuln_recent_poc_remote.json", - "/public/MicrosoftAzure/vuln_recent_exploit_dev_itw.json", - "/public/MicrosoftAzure/vuln_exploited_itw_malware.json", - "/public/MicrosoftAzure/vuln_critical_cyber_signal.json", - "/public/prevent/c2_communicating_ips.json", - "/public/prevent/weaponized_domains.json", - "/public/prevent/weaponized_urls.json", - "/public/ukraine/ukraine_russia_ip.csv", - "/public/ukraine/ukraine_russia_domain.csv", - "/public/ukraine/ukraine_russia_hash.csv", - "/public/ukraine/ukraine_russia_url.csv" - ], - "x-ms-editor-options": { - "items": [ - { - "title": "IP - Default RiskList", - "value": "/public/MicrosoftAzure/ip_default.json" - }, - { - "title": "IP - 90+ (Very Malicious) RiskList", - "value": "/public/MicrosoftAzure/ip_gt_90.json" - }, - { - "title": "IP - Actively Communicating C&C Server", - "value": "/public/MicrosoftAzure/ip_active_c2.json" - }, - { - "title": "IP - Current C&C Server", - "value": "/public/MicrosoftAzure/ip_current_c2.json" - }, - { - "title": "IP - Recent Botnet Traffic", - "value": "/public/MicrosoftAzure/ip_botnet.json" - }, - { - "title": "IP - Recently Reported by Insikt Group", - "value": "/public/MicrosoftAzure/ip_insikt.json" - }, - { - "title": "IP - Phishing Host", - "value": "/public/MicrosoftAzure/ip_phishing.json" - }, - { - "title": "IP - Ukraine Russia Conflict", - "value": "/public/ukraine/ukraine_russia_ip.csv" - }, - { - "title": "DOMAIN - Default RiskList", - "value": "/public/MicrosoftAzure/domain_default.json" - }, - { - "title": "DOMAIN - 90+ (Very Malicious) RiskList", - "value": "/public/MicrosoftAzure/domain_gt_90.json" - }, - { - "title": "DOMAIN - C&C DNS Name", - "value": "/public/MicrosoftAzure/domain_c2_dns.json" - }, - { - "title": "DOMAIN - Ransomware Payment DNS Name", - "value": "/public/MicrosoftAzure/domain_ransomware_payment.json" - }, - { - "title": "DOMAIN - Recently Active Weaponized Domain", - "value": "/public/MicrosoftAzure/domain_recent_weaponized.json" - }, - { - "title": "DOMAIN - Recently Reported by Insikt Group", - "value": "/public/MicrosoftAzure/domain_insikt.json" - }, - { - "title": "DOMAIN - Recent COVID-19-Related Domain Lure: Malicious", - "value": "/public/MicrosoftAzure/domain_covid_lure.json" - }, - { - "title": "DOMAIN - Recent Phishing Lure: Malicious", - "value": "/public/MicrosoftAzure/domain_phishing.json" - }, - { - "title": "DOMAIN - Ukraine Russia Conflict", - "value": "/public/ukraine/ukraine_russia_domain.csv" - }, - { - "title": "URL - 90+ (Very Malicious) RiskList", - "value": "/public/MicrosoftAzure/url_gt_90.json" - }, - { - "title": "URL - C&C URL", - "value": "/public/MicrosoftAzure/url_c2.json" - }, - { - "title": "URL - Ransomware Distribution URL", - "value": "/public/MicrosoftAzure/url_ransomware_distribution.json" - }, - { - "title": "URL - Compromised URL", - "value": "/public/MicrosoftAzure/url_compromised.json" - }, - { - "title": "URL - Recently Reported by Insikt Group", - "value": "/public/MicrosoftAzure/url_insikt.json" - }, - { - "title": "URL - Positive Malware Verdict", - "value": "/public/MicrosoftAzure/url_malware_verdict.json" - }, - { - "title": "URL - Ukraine Russia Conflict", - "value": "/public/ukraine/ukraine_russia_url.csv" - }, - { - "title": "HASH - Recently Active Targeting Vulnerabilities in the Wild", - "value": "/public/MicrosoftAzure/hash_targeting_vulns.json" - }, - { - "title": "HASH - Observed in Underground Virus Testing Sites ", - "value": "/public/MicrosoftAzure/hash_observed_testing.json" - }, - { - "title": "HASH - Malware SSL Certificate Fingerprint", - "value": "/public/MicrosoftAzure/hash_malware_ssl.json" - }, - { - "title": "HASH - Ukraine Russia Conflict", - "value": "/public/ukraine/ukraine_russia_hash.csv" - }, - { - "title": "(SCF) Security Control Feed: Command and Control IPs", - "value": "/public/prevent/c2_communicating_ips.json" - }, - { - "title": "(SCF) Security Control Feed: Weaponized Domains", - "value": "/public/prevent/weaponized_domains.json" - }, - { - "title": "(SCF) Security Control Feed: Weaponized URLs", - "value": "/public/prevent/weaponized_urls.json" - }, - { - "title": "VULNERABILITY - Default RiskList", - "value": "/public/MicrosoftAzure/vuln_default.json" - }, - { - "title": "VULNERABILITY - 90+ (Very Malicious) RiskList", - "value": "/public/MicrosoftAzure/vuln_gt_90.json" - }, - { - "title": "VULNERABILITY - Exploited in the Wild by Recently Active Malware", - "value": "/public/MicrosoftAzure/vuln_recent_active_malware.json" - }, - { - "title": "VULNERABILITY - Recently Linked to Exploit Kit", - "value": "/public/MicrosoftAzure/vuln_recent_exploit_kit.json" - }, - { - "title": "VULNERABILITY - Recently Linked to Ransomware", - "value": "/public/MicrosoftAzure/vuln_recent_ransomware.json" - }, - { - "title": "VULNERABILITY - Recently Linked to Remote Access Trojan", - "value": "/public/MicrosoftAzure/vuln_recent_rat.json" - }, - { - "title": "VULNERABILITY - Recent Verified Proof of Concept Available Using Remote Execution", - "value": "/public/MicrosoftAzure/vuln_recent_poc_remote.json" - }, - { - "title": "VULNERABILITY - Recently Observed Exploit/Tool Development in the Wild", - "value": "/public/MicrosoftAzure/vuln_recent_exploit_dev_itw.json" - }, - { - "title": "VULNERABILITY - Exploited in the Wild by Malware", - "value": "/public/MicrosoftAzure/vuln_exploited_itw_malware.json" - }, - { - "title": "VULNERABILITY - Cyber Exploit Signal: Critical", - "value": "/public/MicrosoftAzure/vuln_critical_cyber_signal.json" - } - ] - }, - "description": "Path to file", - "x-ms-summary": "Path to file" - } - ] - } - }, - "/soar/lookup": { - "post": { - "tags": [ - "SOAR", - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "counts": { - "type": "object", - "properties": { - "returned": { - "type": "integer" - }, - "total": { - "type": "integer" - } - } - }, - "data": { - "type": "object", - "properties": { - "results": { - "type": "array", - "items": { - "type": "object", - "properties": { - "entity": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - } - }, - "risk": { - "type": "object", - "properties": { - "context": { - "type": "object" - }, - "level": { - "type": "number" - }, - "rule": { - "type": "object" - }, - "score": { - "type": "number" - } - } - } - } - } - } - } - } - } - } - } - }, - "summary": "SOAR API - Look up multiple entities", - "description": "SOAR API - Look up multiple entities (Specific Access is Required)", - "operationId": "[[variables('_operationId-Soar_Bulk_Lookup')]", - "x-ms-visibility": "important", - "consumes": [ - "application/json" - ], - "parameters": [ - { - "name": "body", - "in": "body", - "required": false, - "schema": { - "type": "object", - "properties": { - "ip": { - "type": "array", - "items": { - "type": "string", - "description": "An IP or array of IPs: array[string]", - "title": "IP", - "x-ms-visibility": "important" - }, - "description": "Ip" - }, - "url": { - "type": "array", - "items": { - "type": "string", - "description": "An URL or array of URLs: array[string]", - "title": "URL", - "x-ms-visibility": "important" - }, - "description": "Url" - }, - "domain": { - "type": "array", - "items": { - "type": "string", - "description": "A domain or array of domains: array[string]", - "title": "Domain", - "x-ms-visibility": "important" - }, - "description": "Domain" - }, - "hash": { - "type": "array", - "items": { - "type": "string", - "description": "A hash or array of hashes: array[string]", - "title": "HASH", - "x-ms-visibility": "advanced" - }, - "description": "Hash" - }, - "vulnerability": { - "type": "array", - "items": { - "type": "string", - "description": "A vulnerability ID or an array of vulnerability IDs: array[string]", - "title": "Vulnerability", - "x-ms-visibility": "advanced" - }, - "description": "Vulnerability" - } - } - } - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." - } - ] - } - }, - "/threat/indicators/actors": { - "post": { - "tags": [ - "Threat Hunt", - "STIX" - ], - "summary": "Fetch Threat Indicators for Actors in STIX format.", - "parameters": [ - { - "name": "body", - "in": "body", - "schema": { - "type": "object", - "properties": { - "actors": { - "type": "array", - "items": { - "type": "string", - "example": "QCwdoU" - } - }, - "categories": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchlists": { - "type": "array", - "items": { - "type": "string" - } - }, - "trigger_score_ip": { - "type": "integer", - "example": 85 - }, - "trigger_score_url": { - "type": "integer", - "example": 85 - }, - "trigger_score_domain": { - "type": "integer", - "example": 85 - }, - "trigger_score_hash": { - "type": "integer", - "example": 85 - }, - "valid_until_delta_hours": { - "type": "integer", - "example": 1 - }, - "threat_hunt_description": { - "type": "string", - "example": "Lazarus Group high risk" - } - }, - "x-ms-visibility": "important" - }, - "required": true, - "x-ms-visibility": "important" - } - ], - "responses": { - "200": { - "description": "List of Threat Indicator in STIX format.", - "schema": { - "type": "object", - "properties": { - "data": { - "$ref": "#/definitions/ThreatHuntActors" - } - } - } - } - }, - "operationId": "[[variables('_operationId-STIX_Indicators')]", - "description": "Fetch Threat Indicators for Actors in STIX format.", - "x-ms-visibility": "important" - } - }, - "/threat/indicators/malware": { - "post": { - "tags": [ - "Threat Hunt", - "STIX" - ], - "summary": "Fetch Threat Indicators for Malware in STIX format.", - "parameters": [ - { - "name": "body", - "in": "body", - "schema": { - "type": "object", - "properties": { - "malware": { - "type": "array", - "items": { - "type": "string", - "example": "LnK3Q6" - } - }, - "categories": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchlists": { - "type": "array", - "items": { - "type": "string" - } - }, - "trigger_score_ip": { - "type": "integer", - "example": 85 - }, - "trigger_score_url": { - "type": "integer", - "example": 85 - }, - "trigger_score_domain": { - "type": "integer", - "example": 85 - }, - "trigger_score_hash": { - "type": "integer", - "example": 85 - }, - "valid_until_delta_hours": { - "type": "integer", - "example": 1 - }, - "threat_hunt_description": { - "type": "string", - "example": "Cobalt Strike Beacon high risk" - } - }, - "x-ms-visibility": "important" - }, - "required": true, - "x-ms-visibility": "important" - } - ], - "responses": { - "200": { - "description": "List of Threat Indicator in STIX format.", - "schema": { - "type": "object", - "properties": { - "data": { - "$ref": "#/definitions/ThreatHuntMalware" - } - } - } - } - }, - "operationId": "[[variables('_operationId-STIX_MalwareIndicators')]", - "description": "Fetch Threat Indicators for Malware in STIX format.", - "x-ms-visibility": "important" - } - } - }, - "x-ms-connector-metadata": [ - { - "propertyName": "Website", - "propertyValue": "https://www.recordedfuture.com" - }, - { - "propertyName": "Privacy Policy", - "propertyValue": "https://www.recordedfuture.com/privacy-policy/" - }, - { - "propertyName": "Categories", - "propertyValue": "AI;Data" - } - ], - "definitions": { - "Links": { - "type": "object", - "title": "links", - "description": "High Confidence Evidence Based Links", - "x-ms-visibility": "important", - "properties": { - "technical": { - "type": "object", - "title": "technical", - "description": "Technical links generated through network traffic analysis, malware analysis, infrastructure analysis and more", - "x-ms-visibility": "important", - "properties": { - "start_date": { - "type": "string", - "title": "startDate", - "description": "Link start date", - "x-ms-visibility": "important" - }, - "stop_date": { - "type": "string", - "title": "stopDate", - "description": "Link stop date", - "x-ms-visibility": "important" - }, - "entities": { - "type": "array", - "title": "entities", - "description": "Related entities", - "x-ms-visibility": "important", - "items": { - "$ref": "#/definitions/LinkEntities" - } - } - } - }, - "research": { - "type": "object", - "title": "research", - "description": "Research links discovered by Insikt Group", - "x-ms-visibility": "important", - "properties": { - "start_date": { - "type": "string", - "title": "startDate", - "description": "Link start date", - "x-ms-visibility": "important" - }, - "stop_date": { - "type": "string", - "title": "stopDate", - "description": "Link stop date", - "x-ms-visibility": "important" - }, - "entities": { - "type": "array", - "title": "entities", - "description": "Related entities", - "x-ms-visibility": "important", - "items": { - "$ref": "#/definitions/LinkEntities" - } - } - } - } - } - }, - "LinkEntities": { - "type": "object", - "properties": { - "type": { - "type": "string", - "title": "type", - "description": "Enitity type", - "x-ms-visibility": "important" - }, - "name": { - "type": "string", - "title": "name", - "description": "Entity name", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "title": "score", - "description": "Risk score", - "x-ms-visibility": "important" - }, - "category": { - "type": "string", - "title": "category", - "description": "Entity category", - "x-ms-visibility": "important" - } - } - }, - "AlertSearch": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "results": { - "type": "array", - "items": { - "type": "object", - "properties": { - "review": { - "$ref": "#/definitions/AlertReview" - }, - "url": { - "$ref": "#/definitions/AlertURL" - }, - "rule": { - "$ref": "#/definitions/AlertRule" - }, - "triggered": { - "$ref": "#/definitions/AlertTriggered" - }, - "id": { - "$ref": "#/definitions/AlertID" - }, - "title": { - "$ref": "#/definitions/AlertTitle" - }, - "type": { - "$ref": "#/definitions/AlertType" - } - } - } - } - } - }, - "counts": { - "type": "object", - "properties": { - "returned": { - "type": "integer" - }, - "total": { - "type": "integer" - } - } - } - } - }, - "ThreatMapActors": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "threat_map": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "alias": { - "type": "array", - "items": { - "type": "string" - } - }, - "categories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - } - }, - "intent": { - "type": "integer", - "format": "int32" - }, - "opportunity": { - "type": "integer", - "format": "int32" - }, - "log_entries": { - "type": "array", - "items": { - "type": "object", - "properties": { - "watchlist": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - }, - "entity": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - }, - "severity": { - "type": "integer", - "format": "int32" - }, - "axis": { - "type": "string" - }, - "date": { - "type": "string", - "format": "date-time" - } - } - } - } - } - } - }, - "date": { - "type": "string", - "format": "date-time" - } - } - } - } - }, - "ThreatHuntActors": { - "type": "array", - "items": { - "type": "object", - "properties": { - "confidence": { - "type": "integer", - "example": 89 - }, - "description": { - "type": "string", - "example": "Recorded Future - Threat Hunt - Threat Actor - DOMAIN - Lazarus Group (QCwdoU) - [Lazarus Group high risk]" - }, - "id": { - "type": "string", - "example": "indicator--321991ed-aca0-4e25-85a0-c1615c95074f" - }, - "indicator_types": { - "type": "array", - "items": { - "type": "string", - "example": "malicious-activity" - } - }, - "labels": { - "type": "array", - "items": { - "type": "string", - "example": "{ \"RecordedFuturePortalLink\": \"https://app.recordedfuture.com/live/sc/entity/QCwdoU\"}" - } - }, - "name": { - "type": "string", - "example": "akamaicontainer.com" - }, - "pattern": { - "type": "string", - "example": "[[[domain-name:value = 'akamaicontainer.com']" - }, - "pattern_type": { - "type": "string", - "example": "stix" - }, - "spec_version": { - "type": "string", - "example": "2.1" - }, - "type": { - "type": "string", - "example": "indicator" - }, - "created": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "modified": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "valid_from": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "valid_until": { - "type": "string", - "example": "2023-09-20T16:39:35.993568+02:00" - }, - "external_references": { - "type": "array", - "items": { - "type": "object", - "properties": { - "source_name": { - "type": "string", - "example": "Recorded Future" - }, - "description": { - "type": "string", - "example": "Recorded Future Entity card for Threat Actor: Lazarus Group (QCwdoU)" - }, - "external_id": { - "type": "string", - "example": "QCwdoU" - }, - "url": { - "type": "string", - "example": "https://app.recordedfuture.com/live/sc/entity/QCwdoU" - } - } - } - } - }, - "required": [ - "confidence", - "description", - "id", - "indicator_types", - "labels", - "name", - "pattern", - "pattern_type", - "spec_version", - "type", - "created", - "modified", - "valid_from", - "valid_until", - "external_references" - ] - } - }, - "ThreatMapMalware": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "threat_map": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "alias": { - "type": "array", - "items": { - "type": "string" - } - }, - "categories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - } - }, - "intent": { - "type": "integer", - "format": "int32" - }, - "opportunity": { - "type": "integer", - "format": "int32" - }, - "log_entries": { - "type": "array", - "items": { - "type": "object", - "properties": { - "watchlist": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - }, - "entity": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - }, - "severity": { - "type": "integer", - "format": "int32" - }, - "axis": { - "type": "string" - }, - "date": { - "type": "string", - "format": "date-time" - } - } - } - } - } - } - }, - "date": { - "type": "string", - "format": "date-time" - } - } - } - } - }, - "ThreatHuntMalware": { - "type": "array", - "items": { - "type": "object", - "properties": { - "confidence": { - "type": "integer", - "example": 89 - }, - "description": { - "type": "string", - "example": "Recorded Future - Threat Hunt - Threat Malware - DOMAIN - Cobalt Strike Beacon Malware (LnK3Q6) - [Cobalt Strike Beacon high risk]" - }, - "id": { - "type": "string", - "example": "indicator--321991ed-aca0-4e25-85a0-c1615c75074f" - }, - "indicator_types": { - "type": "array", - "items": { - "type": "string", - "example": "malicious-activity" - } - }, - "labels": { - "type": "array", - "items": { - "type": "string", - "example": "{ \"RecordedFuturePortalLink\": \"https://app.recordedfuture.com/live/sc/entity/LnK3Q6\"}" - } - }, - "name": { - "type": "string", - "example": "masterunis.net" - }, - "pattern": { - "type": "string", - "example": "[[[domain-name:value = 'masterunis.net']" - }, - "pattern_type": { - "type": "string", - "example": "stix" - }, - "spec_version": { - "type": "string", - "example": "2.1" - }, - "type": { - "type": "string", - "example": "indicator" - }, - "created": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "modified": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "valid_from": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "valid_until": { - "type": "string", - "example": "2023-09-20T16:39:35.993568+02:00" - }, - "external_references": { - "type": "array", - "items": { - "type": "object", - "properties": { - "source_name": { - "type": "string", - "example": "Recorded Future" - }, - "description": { - "type": "string", - "example": "Recorded Future Entity card for Malware: Cobalt Strike Beacon (LnK3Q6)" - }, - "external_id": { - "type": "string", - "example": "LnK3Q6" - }, - "url": { - "type": "string", - "example": "https://app.recordedfuture.com/live/sc/entity/LnK3Q6" - } - } - } - } - }, - "required": [ - "confidence", - "description", - "id", - "indicator_types", - "labels", - "name", - "pattern", - "pattern_type", - "spec_version", - "type", - "created", - "modified", - "valid_from", - "valid_until", - "external_references" - ] - } - }, - "AlertLookup": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "review": { - "$ref": "#/definitions/AlertReview" - }, - "entities": { - "$ref": "#/definitions/AlertEntities" - }, - "url": { - "$ref": "#/definitions/AlertURL" - }, - "rule": { - "$ref": "#/definitions/AlertRule" - }, - "triggered": { - "$ref": "#/definitions/AlertTriggered" - }, - "id": { - "$ref": "#/definitions/AlertID" - }, - "counts": { - "type": "object", - "properties": { - "references": { - "type": "integer" - }, - "entities": { - "type": "integer" - }, - "documents": { - "type": "integer" - } - } - }, - "title": { - "$ref": "#/definitions/AlertTitle" - }, - "type": { - "$ref": "#/definitions/AlertType" - } - } - } - } - }, - "AlertReview": { - "type": "object", - "properties": { - "assignee": { - "type": "string" - }, - "status": { - "type": "string" - }, - "noteDate": { - "type": "string" - }, - "noteAuthor": { - "type": "string" - }, - "note": { - "type": "string" - } - } - }, - "AlertEntities": { - "type": "array", - "items": { - "type": "object", - "properties": { - "trend": { - "type": "object", - "additionalProperties": true - }, - "documents": { - "type": "array", - "items": { - "type": "object", - "properties": { - "references": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fragment": { - "type": "string" - }, - "entities": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - } - } - }, - "language": { - "type": "string" - } - } - } - }, - "source": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - } - }, - "title": { - "type": "string" - }, - "url": { - "type": "string" - } - } - } - }, - "risk": { - "type": "object", - "additionalProperties": true - }, - "entity": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - } - } - } - } - }, - "AlertURL": { - "type": "string" - }, - "AlertRule": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "id": { - "type": "string" - }, - "url": { - "type": "string" - } - } - }, - "AlertTriggered": { - "type": "string" - }, - "AlertID": { - "type": "string" - }, - "AlertTitle": { - "type": "string" - }, - "AlertType": { - "type": "string" - } - }, - "securityDefinitions": { - "API Key": { - "type": "apiKey", - "in": "header", - "name": "X-RFToken" - } - }, - "security": [ - { - "API Key": "[variables('TemplateEmptyArray')]" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId10'),'/'))))]", - "properties": { - "parentId": "[[variables('playbookId10')]", - "contentId": "[variables('_playbookContentId10')]", - "kind": "LogicAppsCustomConnector", - "version": "[variables('playbookVersion10')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId10')]", - "contentKind": "LogicAppsCustomConnector", - "displayName": "RecordedFuture-CustomConnector", - "contentProductId": "[variables('_playbookcontentProductId10')]", - "id": "[variables('_playbookcontentProductId10')]", - "version": "[variables('playbookVersion10')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName11')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion11')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-ThreatMap-Importer", - "type": "string" - }, - "CustomConnectorName": { - "defaultValue": "RecordedFuture-CustomConnector", - "type": "string", - "metadata": { - "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" - } - } - }, - "variables": { - "RecordedFutureCustomConnectorConnectionName": "Recordedfuture-CustomConnector", - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "Fetch_Threat_Map_actors": { - "type": "ApiConnection", - "inputs": { - "headers": { - "Content-Type": "application/json" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['RecordedFutureCustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/threat/map/actors" - } - }, - "Parse_JSON": { - "inputs": { - "content": "@body('Fetch_Threat_Map_actors')", - "schema": { - "properties": { - "data": { - "properties": { - "date": { - "type": "string" - }, - "threat_map": { - "items": { - "properties": { - "alias": { - "items": { - "type": "string" - }, - "type": "array" - }, - "categories": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "required": [ - "id", - "name" - ], - "type": "object" - }, - "type": "array" - }, - "id": { - "type": "string" - }, - "intent": { - "type": "integer" - }, - "log_entries": { - "items": { - "properties": { - "axis": { - "type": "string" - }, - "date": { - "type": "string" - }, - "entity": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "type": "object" - }, - "severity": { - "type": "integer" - }, - "watchlist": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "type": "object" - } - }, - "required": [ - "axis", - "date", - "entity", - "severity" - ], - "type": "object" - }, - "type": "array" - }, - "name": { - "type": "string" - }, - "opportunity": { - "type": "integer" - } - }, - "required": [ - "alias", - "categories", - "id", - "intent", - "log_entries", - "name", - "opportunity" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - } - }, - "type": "object" - } - }, - "runAfter": { - "Fetch_Threat_Map_actors": [ - "Succeeded" - ] - }, - "type": "ParseJson" - }, - "Send_Data_-_Save_full_ThreatMap_response": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "@{body('Parse_JSON')?['data']?['threat_map']}", - "headers": { - "Log-Type": "RecordedFutureThreatMap" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - "path": "/api/logs" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "RecordedFutureCustomConnector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", - "connectionName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" - }, - "azureloganalyticsdatacollector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-ThreatMap-Importer", - "hidden-SentinelTemplateVersion": "1.2", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId11')]", - "contentId": "[variables('_playbookContentId11')]", - "kind": "Playbook", - "version": "[variables('playbookVersion11')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": "[variables('playbookVersion10')]" - } - ] - } - } - } - ], - "metadata": { - "title": "RecordedFuture-ThreatMap-Importer", - "description": "This playbook will import Threat Map data from Recorded Future and store it in a custom log.", - "prerequisites": [ - "Prior to deployment of this playbook, RecordedFuture-ThreatMap-Importer playbook need to be deployed.", - "The custom connector RecordedFuture-CustomConnector have to be deployed under the same subscription.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-03-08T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-ThreatMap-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - }, - { - "version": "1.2", - "title": "Default Recurrence", - "notes": [ - "Changed Default Recurrence to 24." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId11')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-ThreatMap-Importer", - "contentProductId": "[variables('_playbookcontentProductId11')]", - "id": "[variables('_playbookcontentProductId11')]", - "version": "[variables('playbookVersion11')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName12')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion12')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-MalwareThreatMap-Importer", - "type": "string" - }, - "CustomConnectorName": { - "defaultValue": "RecordedFuture-CustomConnector", - "type": "string", - "metadata": { - "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" - } - } - }, - "variables": { - "RecordedFutureCustomConnectorConnectionName": "RecordedFuture-CustomConnector", - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "Fetch_Threat_Map_malware": { - "type": "ApiConnection", - "inputs": { - "body": { - "categories": [ - null - ], - "malware": [ - null - ], - "watchlists": [ - null - ] - }, - "host": { - "connection": { - "name": "@parameters('$connections')['RecordedFutureCustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/threat/map/malware" - } - }, - "Parse_JSON": { - "runAfter": { - "Fetch_Threat_Map_malware": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('Fetch_Threat_Map_malware')", - "schema": { - "properties": { - "data": { - "properties": { - "date": { - "type": "string" - }, - "threat_map": { - "items": { - "properties": { - "alias": { - "items": { - "type": "string" - }, - "type": "array" - }, - "categories": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "required": [ - "id", - "name" - ], - "type": "object" - }, - "type": "array" - }, - "id": { - "type": "string" - }, - "log_entries": { - "items": { - "properties": { - "axis": { - "type": "string" - }, - "date": { - "type": "string" - }, - "entity": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "type": "object" - }, - "severity": { - "type": "integer" - }, - "watchlist": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "type": "object" - } - }, - "required": [ - "axis", - "date", - "entity", - "severity" - ], - "type": "object" - }, - "type": "array" - }, - "name": { - "type": "string" - }, - "opportunity": { - "type": "integer" - }, - "prevalence": { - "type": "integer" - } - }, - "required": [ - "alias", - "categories", - "id", - "prevalence", - "log_entries", - "name", - "opportunity" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - } - }, - "type": "object" - } - } - }, - "Send_Data_-_Save_full_ThreatMap_Malware_Response": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "@{body('Parse_JSON')?['data']?['threat_map']}", - "headers": { - "Log-Type": "RecordedFutureThreatMapMalware" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - "path": "/api/logs" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "RecordedFutureCustomConnector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", - "connectionName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" - }, - "azureloganalyticsdatacollector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" - } - } - } - }, - "zoneRedundancy": "Enabled" - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-ThreatMapMalware-Importer", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId12')]", - "contentId": "[variables('_playbookContentId12')]", - "kind": "Playbook", - "version": "[variables('playbookVersion12')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": "[variables('playbookVersion10')]" - } - ] - } - } - } - ], - "metadata": { - "title": "RecordedFuture-ThreatMapMalware-Importer", - "description": "This playbook will import Threat Map data from Recorded Future and store it in a custom log.", - "prerequisites": [ - "Prior to deployment of this playbook, RecordedFuture-ThreatMap-Importer playbook need to be deployed.", - "The custom connector RecordedFuture-CustomConnector have to be deployed under the same subscription.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-MalwareThreatMap-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId12')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-MalwareThreatMap-Importer", - "contentProductId": "[variables('_playbookcontentProductId12')]", - "id": "[variables('_playbookcontentProductId12')]", - "version": "[variables('playbookVersion12')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName13')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion13')]", - "parameters": { - "PlaybookName": { - "defaultValue": "ActorThreatHunt-IndicatorImport", - "type": "string" - }, - "CustomConnectorName": { - "defaultValue": "RecordedFuture-CustomConnector", - "type": "string", - "metadata": { - "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" - } - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String", - "metadata": { - "description": "Only change this if you have renamed the batch playbook RecordedFuture-ThreatIntelligenceImport" - } - } - }, - "variables": { - "RecordedFuture-CustomConnectorConnectionName": "Recordedfuture-CustomConnector", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "Fetch_Threat_Indicators_for_Actors_in_STIX_format": { - "type": "ApiConnection", - "inputs": { - "body": { - "trigger_score_domain": 65, - "trigger_score_hash": 65, - "trigger_score_ip": 65, - "trigger_score_url": 65, - "valid_until_delta_hours": 24 - }, - "host": { - "connection": { - "name": "@parameters('$connections')['RecordedFuture-CustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/threat/indicators/actors" - } - }, - "For_each": { - "foreach": "@body('Fetch_Threat_Indicators_for_Actors_in_STIX_format')", - "actions": { - "RecordedFuture-ThreatIntelligenceImport": { - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": "@items('For_each')", - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Fetch_Threat_Indicators_for_Actors_in_STIX_format": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - } - }, - "parameters": { - "$connections": { - "value": { - "RecordedFuture-CustomConnector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]", - "connectionName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-ActorThreatHunt-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId13'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId13')]", - "contentId": "[variables('_playbookContentId13')]", - "kind": "Playbook", - "version": "[variables('playbookVersion13')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": "[variables('playbookVersion10')]" - } - ] - } - } - } - ], - "metadata": { - "title": "RecordedFuture-ActorThreatHunt-IndicatorImport", - "description": "This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", - "1. Prior to deployment of this playbook, **RecordedFuture-ThreatIntelligenceImport playbook** need to be deployed.", - "2. RecordedFuture-CustomConnector needs to be installed. Refer to [Recorded Future Logic App Custom Connector](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/Playbooks/Connectors/RecordedFuture-CustomConnector/readme.md) documentation for instructions." - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:02:00Z", - "tags": [ - "Threat Hunting" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-ActorThreatMap-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId13')]", - "contentKind": "Playbook", - "displayName": "ActorThreatHunt-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId13')]", - "id": "[variables('_playbookcontentProductId13')]", - "version": "[variables('playbookVersion13')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName14')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion14')]", - "parameters": { - "PlaybookName": { - "defaultValue": "MalwareThreatHunt-IndicatorImport", - "type": "string" - }, - "CustomConnectorName": { - "defaultValue": "RecordedFuture-CustomConnector", - "type": "string", - "metadata": { - "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" - } - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String", - "metadata": { - "description": "Only change this if you have renamed the batch playbook RecordedFuture-ThreatIntelligenceImport" - } - } - }, - "variables": { - "Recordedfuture-CustomconnectorConnectionName": "Recordedfuture-CustomConnector", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "Fetch_Threat_Indicators_for_Malware_in_STIX_format": { - "type": "ApiConnection", - "inputs": { - "body": { - "trigger_score_domain": 65, - "trigger_score_hash": 65, - "trigger_score_ip": 65, - "trigger_score_url": 65, - "valid_until_delta_hours": 24 - }, - "host": { - "connection": { - "name": "@parameters('$connections')['RecordedFuture-CustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/threat/indicators/malware" - } - }, - "For_each": { - "foreach": "@body('Fetch_Threat_Indicators_for_Malware_in_STIX_format')", - "actions": { - "RecordedFuture-ThreatIntelligenceImport": { - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": "@items('For_each')", - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Fetch_Threat_Indicators_for_Malware_in_STIX_format": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - } - }, - "parameters": { - "$connections": { - "value": { - "RecordedFuture-CustomConnector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]", - "connectionName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" - } - } - } - }, - "zoneRedundancy": "Enabled" - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-MalwareThreatHunt-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('Recordedfuture-CustomconnectorConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId14')]", - "contentId": "[variables('_playbookContentId14')]", - "kind": "Playbook", - "version": "[variables('playbookVersion14')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": "[variables('playbookVersion10')]" - } - ] - } - } - } - ], - "metadata": { - "title": "RecordedFuture-MalwareThreatHunt-IndicatorImport", - "description": "This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", - "1. Prior to deployment of this playbook, **RecordedFuture-ThreatIntelligenceImport playbook** need to be deployed.", - "2. RecordedFuture-CustomConnector needs to be installed. Refer to [Recorded Future Logic App Custom Connector](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/Playbooks/Connectors/RecordedFuture-CustomConnector/readme.md) documentation for instructions." - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:02:00Z", - "tags": [ - "Threat Hunting" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-MalwareThreatHunt-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId14')]", - "contentKind": "Playbook", - "displayName": "MalwareThreatHunt-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId14')]", - "id": "[variables('_playbookcontentProductId14')]", - "version": "[variables('playbookVersion14')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." - }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Playbook Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Playbook Alerts Log Table\",\"type\":2,\"description\":\"Run the Recorded Future Playbook Alert Importer Playbook first.\",\"isRequired\":true,\"query\":\"search *\\n| where $table endswith \\\"_CL\\\" \\n| distinct $table\\n\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePlaybookAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"categories\",\"label\":\"Category\",\"type\":2,\"description\":\"Filter categories you're looking at\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct rule_label_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a0947450-1ebd-4dea-94d7-41a751c79237\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"status\",\"label\":\"Alert Status\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct status_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"25a82661-1700-43a6-ba7a-b3ae5d8fe7b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"priority\",\"label\":\"Alert Priority\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct priority_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t, priority_s\\n| summarize Alert=count() by bin(updated_date_t, 1h), priority_s\\n\",\"size\":0,\"title\":\"Playbook Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"priority_s\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize alert_count = count() by rule_label_s\\n| project alert_count, Alert = rule_label_s\",\"size\":0,\"title\":\"Top Categories Triggered\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\\\"Evidence\\\"]=evidence_summary_s, [\\\"External Link\\\"]=link_s, ID=id_s\\n\\n\",\"size\":0,\"title\":\"Triggered Playbook Alerts\",\"noDataMessage\":\"No data in Playbook Alert custom log. Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.\",\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"exported_alert_id\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Title\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"ID\",\"formatter\":5}],\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-RecordedFuturePlaybookAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFuturePlaybookAlertOverviewWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Playbook Alerts Overview; templateRelativePath=RecordedFuturePlaybookAlertOverview.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "RecordedFuturePlaybookAlerts_CL", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureAlertOverview Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId2')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." - }, - "properties": { - "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Alerts Log Table\",\"type\":2,\"isRequired\":true,\"query\":\"search \\\"*\\\" | summarize count() by $table | sort by count_ desc | where $table endswith \\\"CL\\\" | project $table\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePortalAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"alert_rules\",\"label\":\"Alert Rules\",\"type\":2,\"description\":\"Filter alert rules you're looking at\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct RuleName_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize alert_count = count() by RuleName_s\\n| project alert_count, Alert = RuleName_s\\n\",\"size\":0,\"title\":\"Top Rules Triggered\",\"noDataMessage\":\"There are no alerts within this time frame.\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize Alert=count() by bin(Triggered_t, 1h)\\n\",\"size\":0,\"title\":\"Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20edde78-9485-4056-8eca-6ef7cd86c8b5\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Alert\",\"subTarget\":\"Reference\",\"preText\":\"Some thing\",\"postText\":\"Some thing\",\"style\":\"link\"}]},\"name\":\"links - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n//| where Documents_s != \\\"[]\\\"\\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \\n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\\n| distinct Triggered = Triggered_t, [\\\"Alert ID\\\"]=AlertID_s, [\\\"Alert Name\\\"]=AlertName_s, [\\\"Rule Name\\\"]=RuleName_s, [\\\"AI Summary\\\"]= AISummary_s, [\\\"Recorded Future Portal\\\"]= URL_s\\n\\n\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"Alert ID\",\"exportParameterName\":\"Ref_AlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert ID\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AI Summary\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Recorded Future Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}}],\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where AlertID_s == \\\"{Ref_AlertID}\\\"\\n| project Fragment=Fragment_s, Source=Documents_source_name_s, Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\\n| mv-apply with_itemindex=i entities on (\\n extend p = pack(strcat(\\\"Entity \\\", i+1), strcat(entities.type, \\\", \\\", entities.name, \\\", id:\\\", entities.id))\\n | summarize b = make_bag(p)\\n)\\n| evaluate bag_unpack(b)\\n| project-reorder Fragment, Source, Title, URL, Entity*\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportedParameters\":[{\"fieldName\":\"Fragment\",\"parameterName\":\"FragmentRef\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"TitleRef\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Fragment\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"{0}\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference View\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**Document Title**\\r\\n{TitleRef}\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"**Fragment**\\r\\n{FragmentRef}\\r\\n\\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"Fragment\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference Alerts\"}],\"fromTemplateId\":\"sentinel-RecordedFutureAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureAlertOverviewWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Alerts Overview; templateRelativePath=RecordedFutureAlertOverview.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId2')]", - "contentId": "[variables('_workbookContentId2')]", - "kind": "Workbook", - "version": "[variables('workbookVersion2')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "RecordedFuturePortalAlerts_CL", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId2')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook2-name')]", - "contentProductId": "[variables('_workbookcontentProductId2')]", - "id": "[variables('_workbookcontentProductId2')]", - "version": "[variables('workbookVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId3')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Domain Correlation \\n\\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\\n\\n### How to Correlate Domains\\n\\nTo correlate domains, follow the steps below:\\n\\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\\n\\t* The workbook can correlate domains in the format: `domainName.net`.\\n3. Select a Recorded Future Domain Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table \\t | Field |\\n| ----------- \\t | ----------- |\\n| DNSEvents | Name |\\n| _Im_Dns \\t | DnsQuery |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Domains (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Table\",\"label\":\"Domain Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Field\",\"label\":\"Log Field with Domains\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Domain_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Domain_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where Description contains \\\"Recorded Future\\\"\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - DOMAIN - Default RiskList\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Active == true\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| join (\\n {Domain_Logs_Table:value}\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\n //Extract Domain patterns from syslog message\\n | where isnotempty({Domain_Logs_Field:value})\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\n| render barchart\",\"size\":0,\"title\":\"Detected Domains Per Day\",\"noDataMessage\":\"No detected domains\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"query - 1\"}]},\"customWidth\":\"100\",\"name\":\"group - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains\\n\\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Domain:** The detected domain.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the domain (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Domain, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Domain, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected Domains\",\"noDataMessage\":\"No detected domains\",\"exportFieldName\":\"Domain\",\"exportParameterName\":\"MaliciousDomainMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Domains: Evidence Details\\n\\nTo view evidence details, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where DomainName == \\\"{MaliciousDomainMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Domain_Logs_Table:value}\\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Domain_Logs_Table:value}\\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| where {Domain_Logs_Field:value} == \\\"{MaliciousDomainMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"query - 1\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureDomainCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureDomainCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Domain Correlation; templateRelativePath=RecordedFutureDomainCorrelation.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId3')]", - "contentId": "[variables('_workbookContentId3')]", - "kind": "Workbook", - "version": "[variables('workbookVersion3')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId3')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook3-name')]", - "contentProductId": "[variables('_workbookcontentProductId3')]", - "id": "[variables('_workbookcontentProductId3')]", - "version": "[variables('workbookVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureHashCorrelation Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId4')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Hash Correlation \\n\\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\\n\\n### How to Correlate hashs\\n\\nTo correlate hashes, follow the steps below:\\n\\n1. In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\\n\\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\\n3. Select a Recorded Future Hash Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n| Table \\t \\t| Field |\\n| ----------- \\t \\t| ----------- |\\n| CommonSecurityLog | FileHash |\\n| SecurityEvent \\t| FileHash |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Hashes (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Table\",\"label\":\"Hash Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"EndpointProtection_HASH_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Field\",\"label\":\"Log Field with Hashes\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Hash_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Hash_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":1209600000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(FileHashValue)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected File Hashes Per Day\",\"noDataMessage\":\"No detected hashes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Hashs\\n\\nThe Detected Hashs table lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Hash:** The detected hash.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the hash (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Hash, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Hash, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected Hashes\",\"noDataMessage\":\"No detected hashes\",\"exportedParameters\":[{\"fieldName\":\"Hash\",\"parameterName\":\"MaliciousHashMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Hashes: Evidence Details\\n\\nTo view evidence details, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| extend FileHashValue = tolower(FileHashValue)\\n| where FileHashValue == \\\"{MaliciousHashMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"No evidence details to show\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Hash_Logs_Table:value}\\n\\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Hash_Logs_Table:value}\\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| where {Hash_Logs_Field:value} == \\\"{MaliciousHashMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureHashCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureHashCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Hash Correlation; templateRelativePath=RecordedFutureHashCorrelation.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId4')]", - "contentId": "[variables('_workbookContentId4')]", - "kind": "Workbook", - "version": "[variables('workbookVersion4')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId4')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook4-name')]", - "contentProductId": "[variables('_workbookcontentProductId4')]", - "id": "[variables('_workbookcontentProductId4')]", - "version": "[variables('workbookVersion4')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureIPCorrelation Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion5')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId5')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook5-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"041885bf-2e2c-42ae-ad35-2e12272b4dc4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\"},\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"### Guide: IP Correlation \\n\\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\\n\\n### How to Correlate IPs\\n\\nTo correlate IPs, follow the steps below:\\n\\n1. In the **IP Logs Table** dropdown, select a log table that contains IP logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\\n\\t* The workbook can correlate IPs in the format: `5.56.61.62`.\\n3. Select a Recorded Future IP Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n\\n| Table | Field | Table | Field |\\n|------------------------------|--------------------|---------------------------------|-----------|\\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### IP (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Table\",\"label\":\"IP Logs Table\",\"type\":2,\"description\":\"Log Table to correlate IPs Against\",\"isRequired\":true,\"query\":\"search * \\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"NetScreen_Firewall_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Field\",\"label\":\"Log Field with IPs\",\"type\":2,\"description\":\"Select the field containing the IP that you want to correlate against\",\"isRequired\":true,\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Dst_IPv4_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":5184000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which IP Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(NetworkIP)\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains \\\"Recorded Future\\\"\\n//| summarize count() by Description\\n| distinct Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - IP - Actively Communicating C&C Server\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs Per Day\\n\\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected IPs Per Day\",\"noDataMessage\":\"No detected IPs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs\\n\\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **IP:** The detected IP.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the IP (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by IP, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], IP, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected IPs\",\"noDataMessage\":\"No detected IPs\",\"exportedParameters\":[{\"fieldName\":\"IP\",\"parameterName\":\"MaliciousIPMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdditionalInformation\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected IPs: Evidence Details\\n\\nTo view evidence details, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where NetworkIP == \\\"{MaliciousIPMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {IP_Logs_Table:value}\\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| where {IP_Logs_Field:value} == \\\"{MaliciousIPMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\"}]},\"name\":\"group - 11\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureIPCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId5'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureIPCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - IP Correlation; templateRelativePath=RecordedFutureIPCorrelation.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId5')]", - "contentId": "[variables('_workbookContentId5')]", - "kind": "Workbook", - "version": "[variables('workbookVersion5')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId5')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook5-name')]", - "contentProductId": "[variables('_workbookcontentProductId5')]", - "id": "[variables('_workbookcontentProductId5')]", - "version": "[variables('workbookVersion5')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureURLCorrelation Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion6')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId6')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook6-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"### Guide: URL Correlation \\n\\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\\n\\n### How to Correlate URLs\\n\\nTo correlate URLs, follow the steps below:\\n\\n1. In the **URL Logs Table** dropdown, select a log table that contains URL logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\\n\\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\\n3. Select a Recorded Future URL Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table | Field |\\n|-------------------|------------|\\n| CommonSecurityLog | RequestURL |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### URL (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Table\",\"label\":\"URL Logs Table\",\"type\":2,\"description\":\"Log Table to correlate URLs Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Field\",\"label\":\"Log Field with URLs\",\"type\":2,\"description\":\"Select the field containing the URL that you want to correlate against\",\"isRequired\":true,\"query\":\"{URL_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"URL_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":7776000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(Url)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - URL - Recently Reported by Insikt Group\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs Per Day\\n\\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected URLs Per Day\",\"noDataMessage\":\"No detected URLs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs\\n\\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **URL:** The detected URL.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the URL (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = IP_TimeGenerated, [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by URL, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], URL, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected URLs\",\"noDataMessage\":\"No detected URLs\",\"exportFieldName\":\"URL\",\"exportParameterName\":\"MaliciousURLMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected URLs: Evidence Details\\n\\nTo view evidence details, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list}\\n| where Url == \\\"{MaliciousURLMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"ExpirationDateTime\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {URL_Logs_Table:value}\\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{URL_Logs_Table:value}\\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| where {URL_Logs_Field:value} == \\\"{MaliciousURLMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 10\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureURLCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId6'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureURLCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - URL Correlation; templateRelativePath=RecordedFutureURLCorrelation.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId6')]", - "contentId": "[variables('_workbookContentId6')]", - "kind": "Workbook", - "version": "[variables('workbookVersion6')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId6')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook6-name')]", - "contentProductId": "[variables('_workbookcontentProductId6')]", - "id": "[variables('_workbookcontentProductId6')]", - "version": "[variables('workbookVersion6')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion7')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId7')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook7-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Actor Category\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Threat Actor Map

\\n\\nThis workbook shows Threat Actors imported from [Recorded Future](https://app.recordedfuture.com/portal/threat), their intent towards your company, and their opportunity. \\n\\nIntent (y-axis) - The threat actor has presented previous interest (expressed or manifested) against elements that are relevant to an organization (e.g., industry, peers, third parties, executives, brand, internet-facing assets). \\n\\nOpportunity (x-axis) - A correlation between the threat actor's capabilities and an organization’s vulnerabilities. The capability is a threat actor's ability to perform certain activities or cyber attacks, (i.e., their \\\"sophistication\\\"); vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities. \\n\\nData is fetched from Recorded Future thru the playbook ```RecordedFuture-ThreatMap-lmporter```.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d, combine\\n| order by combine desc \\n| project MaxTimeGenerated, id_s, name_s, intent_d, opportunity_d\\n| take 100\\n\",\"size\":0,\"title\":\"Threat Actor Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"intent_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d,combine\\n| order by combine desc \\n| project Name=name_s, Intent=intent_d, Opportunity=opportunity_d, id_s\\n\",\"size\":0,\"title\":\"Threat Actors\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatActor\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatActor}\\\"\\n| take 1\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| summarize [\\\"Threat Actor Categories\\\"] = make_list(categoriesArray.name), WatchLists= make_list_with_nulls(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Actor Details\",\"noDataMessage\":\"Please select a threat actor in the Threat Actors table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Actor Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatActor}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatActor}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Actors\\r\\nRecorded Future - Threat Hunting - IP - All Actors\\r\\nRecorded Future - Threat Hunting - Hash - All Actors\\r\\nRecorded Future - Threat Hunting - Url - All Actors\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId7'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureThreatActorHuntingWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Threat Actor Hunting; templateRelativePath=RecordedFutureThreatActorHunting.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId7')]", - "contentId": "[variables('_workbookContentId7')]", - "kind": "Workbook", - "version": "[variables('workbookVersion7')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId7')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook7-name')]", - "contentProductId": "[variables('_workbookcontentProductId7')]", - "id": "[variables('_workbookcontentProductId7')]", - "version": "[variables('workbookVersion7')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion8')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId8')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Malware Threat Hunting Workbook. This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook8-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Malware Category\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Malware Threat Map

\\n\\nThis workbook shows Threat Malware imported from [Recorded Future](https://app.recordedfuture.com/portal/threat).\\n

Prevalence (y-axis) - The malware has been reported as related to elements that are part of an organization context (e.g. industry, peers, third parties, brand, IPs & Domains). \\n

\\n

\\nOpportunity (x-axis) - A correlation between the malware related capabilities and an organization’s vulnerabilities. Vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities.

\\nData is fetched from Recorded Future thru the playbook **RecordedFuture-ThreatMapMalware-Importer**.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| project TimeGenerated, id_s, name_s, prevalence_d, opportunity_d, combine = prevalence_d + opportunity_d\\n| order by combine desc \\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d\\n| take 100\\n| project MaxTimeGenerated, id_s, name_s, prevalence_d, opportunity_d\",\"size\":0,\"title\":\"Threat Malware Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"prevalence_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL \\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| extend combine= prevalence_d+opportunity_d\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d,combine\\n| project Name=name_s, Prevalence=prevalence_d, Opportunity=opportunity_d, id_s, combine\\n| order by combine desc \\n\",\"size\":0,\"title\":\"Threat Malware\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatMalware\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5},{\"columnMatch\":\"combine\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatMalware}\\\"\\n| take 1\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| summarize [\\\"Threat Malware Categories\\\"] = make_set(categoriesArray.name), WatchLists= make_set(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Malware Details\",\"noDataMessage\":\"Please select a threat malware in the Threat Malware table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Malware Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatMalware}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatMalware}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Malware\\r\\nRecorded Future - Threat Hunting - IP - All Malware\\r\\nRecorded Future - Threat Hunting - Hash - All Malware\\r\\nRecorded Future - Threat Hunting - Url - All Malware\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId8'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureMalwareThreatHuntingWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Malware Threat Hunting Workbook. This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Recorded Future - Malware Threat Hunting; templateRelativePath=RecordedFutureMalwareThreatHunting.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId8')]", - "contentId": "[variables('_workbookContentId8')]", - "kind": "Workbook", - "version": "[variables('workbookVersion8')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId8')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook8-name')]", - "contentProductId": "[variables('_workbookcontentProductId8')]", - "id": "[variables('_workbookcontentProductId8')]", - "version": "[variables('workbookVersion8')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.2.8", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "Recorded Future", - "publisherDisplayName": "Recorded Future Support Team", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Recorded Future is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.

\n

Underlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n\n

Workbooks: 8, Analytic Rules: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 13

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-IOC_Enrichment')]", - "version": "[variables('playbookVersion1')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Playbook-Alert-Importer')]", - "version": "[variables('playbookVersion2')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Alert-Importer')]", - "version": "[variables('playbookVersion3')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-ThreatIntelligenceImport')]", - "version": "[variables('playbookVersion4')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Domain-IndicatorImport')]", - "version": "[variables('playbookVersion5')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Hash-IndicatorImport')]", - "version": "[variables('playbookVersion6')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-IP-IndicatorImport')]", - "version": "[variables('playbookVersion7')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-URL-IndicatorImport')]", - "version": "[variables('playbookVersion8')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Sandbox_Enrichment-Url')]", - "version": "[variables('playbookVersion9')]" - }, - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": "[variables('playbookVersion10')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-ThreatMap-Importer')]", - "version": "[variables('playbookVersion11')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-ThreatMapMalware-Importer')]", - "version": "[variables('playbookVersion12')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-ActorThreatHunt-IndicatorImport')]", - "version": "[variables('playbookVersion13')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-MalwareThreatHunt-IndicatorImport')]", - "version": "[variables('playbookVersion14')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId2')]", - "version": "[variables('workbookVersion2')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId3')]", - "version": "[variables('workbookVersion3')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId4')]", - "version": "[variables('workbookVersion4')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId5')]", - "version": "[variables('workbookVersion5')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId6')]", - "version": "[variables('workbookVersion6')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId7')]", - "version": "[variables('workbookVersion7')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId8')]", - "version": "[variables('workbookVersion8')]" - } - ] - }, - "firstPublishDate": "2021-11-01", - "lastPublishDate": "2023-09-19", - "providers": [ - "Recorded Future" - ], - "categories": { - "domains": [ - "Security - Threat Intelligence" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Recorded Future Premier Integrations - support@recordedfuture.com", + "comments": "Solution template for Recorded Future" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Recorded Future - Playbook Alerts Overview", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook2-name": { + "type": "string", + "defaultValue": "Recorded Future - Alerts Overview", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook3-name": { + "type": "string", + "defaultValue": "Recorded Future - Domain Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook4-name": { + "type": "string", + "defaultValue": "Recorded Future - Hash Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook5-name": { + "type": "string", + "defaultValue": "Recorded Future - IP Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook6-name": { + "type": "string", + "defaultValue": "Recorded Future - URL Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook7-name": { + "type": "string", + "defaultValue": "Recorded Future - Threat Actor Hunting", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook8-name": { + "type": "string", + "defaultValue": "Recorded Future - Malware Threat Hunting", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "support@recordedfuture.com", + "_email": "[variables('email')]", + "_solutionName": "Recorded Future", + "_solutionVersion": "3.2.9", + "solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution", + "_solutionId": "[variables('solutionId')]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.4", + "_analyticRulecontentId1": "a1c02815-4248-4728-a9ae-dac73c67db23", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a1c02815-4248-4728-a9ae-dac73c67db23')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a1c02815-4248-4728-a9ae-dac73c67db23')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1c02815-4248-4728-a9ae-dac73c67db23','-', '1.0.4')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.3", + "_analyticRulecontentId2": "dffd068f-fdab-440e-bbc0-34c14b623c89", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dffd068f-fdab-440e-bbc0-34c14b623c89')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dffd068f-fdab-440e-bbc0-34c14b623c89')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dffd068f-fdab-440e-bbc0-34c14b623c89','-', '1.0.3')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.2", + "_analyticRulecontentId3": "388e197d-ec9e-46b6-addb-947d74d2a5c4", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '388e197d-ec9e-46b6-addb-947d74d2a5c4')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('388e197d-ec9e-46b6-addb-947d74d2a5c4')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','388e197d-ec9e-46b6-addb-947d74d2a5c4','-', '1.0.2')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.2", + "_analyticRulecontentId4": "588dc717-7583-452c-a743-dee96705898e", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '588dc717-7583-452c-a743-dee96705898e')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('588dc717-7583-452c-a743-dee96705898e')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','588dc717-7583-452c-a743-dee96705898e','-', '1.0.2')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.3", + "_analyticRulecontentId5": "22cc1dff-14ad-481d-97e1-0602895e429e", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '22cc1dff-14ad-481d-97e1-0602895e429e')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('22cc1dff-14ad-481d-97e1-0602895e429e')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','22cc1dff-14ad-481d-97e1-0602895e429e','-', '1.0.3')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.2", + "_analyticRulecontentId6": "9acb3664-72c4-4676-80fa-9f81912e347e", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9acb3664-72c4-4676-80fa-9f81912e347e')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9acb3664-72c4-4676-80fa-9f81912e347e')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9acb3664-72c4-4676-80fa-9f81912e347e','-', '1.0.2')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.4", + "_analyticRulecontentId7": "6db6a8e6-2959-440b-ba57-a505875fcb37", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6db6a8e6-2959-440b-ba57-a505875fcb37')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6db6a8e6-2959-440b-ba57-a505875fcb37')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6db6a8e6-2959-440b-ba57-a505875fcb37','-', '1.0.4')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.3", + "_analyticRulecontentId8": "e31bc14e-2b4c-42a4-af34-5bfd7d768aea", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e31bc14e-2b4c-42a4-af34-5bfd7d768aea')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e31bc14e-2b4c-42a4-af34-5bfd7d768aea')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e31bc14e-2b4c-42a4-af34-5bfd7d768aea','-', '1.0.3')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.4", + "_analyticRulecontentId9": "acbf7ef6-f964-44c3-9031-7834ec68175f", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acbf7ef6-f964-44c3-9031-7834ec68175f')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acbf7ef6-f964-44c3-9031-7834ec68175f')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acbf7ef6-f964-44c3-9031-7834ec68175f','-', '1.0.4')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.4", + "_analyticRulecontentId10": "3f6f0d1a-f2f9-4e01-881a-c55a4a71905b", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3f6f0d1a-f2f9-4e01-881a-c55a4a71905b','-', '1.0.4')))]" + }, + "RecordedFuture-IOC_Enrichment": "RecordedFuture-IOC_Enrichment", + "_RecordedFuture-IOC_Enrichment": "[variables('RecordedFuture-IOC_Enrichment')]", + "playbookVersion1": "2.7", + "playbookContentId1": "RecordedFuture-IOC_Enrichment", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "RecordedFuture-Playbook-Alert-Importer": "RecordedFuture-Playbook-Alert-Importer", + "_RecordedFuture-Playbook-Alert-Importer": "[variables('RecordedFuture-Playbook-Alert-Importer')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion2": "1.3", + "playbookContentId2": "RecordedFuture-Playbook-Alert-Importer", + "_playbookContentId2": "[variables('playbookContentId2')]", + "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "RecordedFuture-Alert-Importer": "RecordedFuture-Alert-Importer", + "_RecordedFuture-Alert-Importer": "[variables('RecordedFuture-Alert-Importer')]", + "playbookVersion3": "1.4", + "playbookContentId3": "RecordedFuture-Alert-Importer", + "_playbookContentId3": "[variables('playbookContentId3')]", + "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "RecordedFuture-ThreatIntelligenceImport": "RecordedFuture-ThreatIntelligenceImport", + "_RecordedFuture-ThreatIntelligenceImport": "[variables('RecordedFuture-ThreatIntelligenceImport')]", + "playbookVersion4": "1.0", + "playbookContentId4": "RecordedFuture-ThreatIntelligenceImport", + "_playbookContentId4": "[variables('playbookContentId4')]", + "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", + "RecordedFuture-Domain-IndicatorImport": "RecordedFuture-Domain-IndicatorImport", + "_RecordedFuture-Domain-IndicatorImport": "[variables('RecordedFuture-Domain-IndicatorImport')]", + "playbookVersion5": "1.0", + "playbookContentId5": "RecordedFuture-Domain-IndicatorImport", + "_playbookContentId5": "[variables('playbookContentId5')]", + "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", + "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", + "RecordedFuture-Hash-IndicatorImport": "RecordedFuture-Hash-IndicatorImport", + "_RecordedFuture-Hash-IndicatorImport": "[variables('RecordedFuture-Hash-IndicatorImport')]", + "playbookVersion6": "1.0", + "playbookContentId6": "RecordedFuture-Hash-IndicatorImport", + "_playbookContentId6": "[variables('playbookContentId6')]", + "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", + "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", + "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", + "RecordedFuture-IP-IndicatorImport": "RecordedFuture-IP-IndicatorImport", + "_RecordedFuture-IP-IndicatorImport": "[variables('RecordedFuture-IP-IndicatorImport')]", + "playbookVersion7": "1.0", + "playbookContentId7": "RecordedFuture-IP-IndicatorImport", + "_playbookContentId7": "[variables('playbookContentId7')]", + "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", + "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", + "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", + "RecordedFuture-URL-IndicatorImport": "RecordedFuture-URL-IndicatorImport", + "_RecordedFuture-URL-IndicatorImport": "[variables('RecordedFuture-URL-IndicatorImport')]", + "playbookVersion8": "1.0", + "playbookContentId8": "RecordedFuture-URL-IndicatorImport", + "_playbookContentId8": "[variables('playbookContentId8')]", + "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", + "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", + "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", + "RecordedFuture-Sandbox_Enrichment-Url": "RecordedFuture-Sandbox_Enrichment-Url", + "_RecordedFuture-Sandbox_Enrichment-Url": "[variables('RecordedFuture-Sandbox_Enrichment-Url')]", + "playbookVersion9": "1.2", + "playbookContentId9": "RecordedFuture-Sandbox_Enrichment-Url", + "_playbookContentId9": "[variables('playbookContentId9')]", + "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", + "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", + "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", + "RecordedFuture-CustomConnector": "RecordedFuture-CustomConnector", + "_RecordedFuture-CustomConnector": "[variables('RecordedFuture-CustomConnector')]", + "playbookVersion10": "1.0", + "playbookContentId10": "RecordedFuture-CustomConnector", + "_playbookContentId10": "[variables('playbookContentId10')]", + "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId10'))))]", + "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", + "RecordedFuture-ThreatMap-Importer": "RecordedFuture-ThreatMap-Importer", + "_RecordedFuture-ThreatMap-Importer": "[variables('RecordedFuture-ThreatMap-Importer')]", + "playbookVersion11": "1.2", + "playbookContentId11": "RecordedFuture-ThreatMap-Importer", + "_playbookContentId11": "[variables('playbookContentId11')]", + "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", + "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", + "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", + "RecordedFuture-ThreatMapMalware-Importer": "RecordedFuture-ThreatMapMalware-Importer", + "_RecordedFuture-ThreatMapMalware-Importer": "[variables('RecordedFuture-ThreatMapMalware-Importer')]", + "playbookVersion12": "1.0", + "playbookContentId12": "RecordedFuture-ThreatMapMalware-Importer", + "_playbookContentId12": "[variables('playbookContentId12')]", + "playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]", + "playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]", + "_playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]", + "RecordedFuture-ActorThreatHunt-IndicatorImport": "RecordedFuture-ActorThreatHunt-IndicatorImport", + "_RecordedFuture-ActorThreatHunt-IndicatorImport": "[variables('RecordedFuture-ActorThreatHunt-IndicatorImport')]", + "playbookVersion13": "1.0", + "playbookContentId13": "RecordedFuture-ActorThreatHunt-IndicatorImport", + "_playbookContentId13": "[variables('playbookContentId13')]", + "playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]", + "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]", + "_playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]", + "RecordedFuture-MalwareThreatHunt-IndicatorImport": "RecordedFuture-MalwareThreatHunt-IndicatorImport", + "_RecordedFuture-MalwareThreatHunt-IndicatorImport": "[variables('RecordedFuture-MalwareThreatHunt-IndicatorImport')]", + "playbookVersion14": "1.0", + "playbookContentId14": "RecordedFuture-MalwareThreatHunt-IndicatorImport", + "_playbookContentId14": "[variables('playbookContentId14')]", + "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]", + "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]", + "_playbookcontentProductId14": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', variables('playbookVersion14'))))]", + "workbookVersion1": "1.0.1", + "workbookContentId1": "RecordedFuturePlaybookAlertOverviewWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "workbookVersion2": "1.0.1", + "workbookContentId2": "RecordedFutureAlertOverviewWorkbook", + "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", + "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", + "_workbookContentId2": "[variables('workbookContentId2')]", + "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", + "workbookVersion3": "1.0.1", + "workbookContentId3": "RecordedFutureDomainCorrelationWorkbook", + "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]", + "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", + "_workbookContentId3": "[variables('workbookContentId3')]", + "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", + "workbookVersion4": "1.0.1", + "workbookContentId4": "RecordedFutureHashCorrelationWorkbook", + "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]", + "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]", + "_workbookContentId4": "[variables('workbookContentId4')]", + "_workbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]", + "workbookVersion5": "1.0.1", + "workbookContentId5": "RecordedFutureIPCorrelationWorkbook", + "workbookId5": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId5'))]", + "workbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId5'))))]", + "_workbookContentId5": "[variables('workbookContentId5')]", + "_workbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId5'),'-', variables('workbookVersion5'))))]", + "workbookVersion6": "1.0.1", + "workbookContentId6": "RecordedFutureURLCorrelationWorkbook", + "workbookId6": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId6'))]", + "workbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId6'))))]", + "_workbookContentId6": "[variables('workbookContentId6')]", + "_workbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId6'),'-', variables('workbookVersion6'))))]", + "workbookVersion7": "1.0.1", + "workbookContentId7": "RecordedFutureThreatActorHuntingWorkbook", + "workbookId7": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId7'))]", + "workbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId7'))))]", + "_workbookContentId7": "[variables('workbookContentId7')]", + "_workbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId7'),'-', variables('workbookVersion7'))))]", + "workbookVersion8": "1.0.0", + "workbookContentId8": "RecordedFutureMalwareThreatHuntingWorkbook", + "workbookId8": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId8'))]", + "workbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId8'))))]", + "_workbookContentId8": "[variables('workbookContentId8')]", + "_workbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId8'),'-', variables('workbookVersion8'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist.", + "displayName": "Detection of Malware C2 Domains in DNS Events", + "enabled": false, + "query": "// Identifies a match in DnsEvent from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract Domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.Name\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, DomainName, Description, ConfidenceScore, AdditionalInformation, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "DnsEvents" + ], + "connectorId": "DNS" + }, + { + "dataTypes": [ + "DnsEvents" + ], + "connectorId": "ASimDnsActivityLogs" + } + ], + "tactics": [ + "CommandAndControl" + ], + "subTechniques": [ + "T1071.004" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + }, + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "HostNameDomain" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ClientIP" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "DomainName" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 Domains in DNS Events", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist.", + "displayName": "Detection of Malware C2 Domains in Syslog Events", + "enabled": false, + "query": "// Identifies a match in Syslog from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.domain\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Syslog" + ], + "connectorId": "Syslog" + }, + { + "dataTypes": [ + "Syslog" + ], + "connectorId": "SyslogAma" + } + ], + "tactics": [ + "CommandAndControl" + ], + "subTechniques": [ + "T1071.004" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "domain" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 Domains in Syslog Events", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.", + "displayName": "Detection of Specific Hashes in CommonSecurityLog", + "enabled": false, + "query": "// Identifies a match in CommonSecurityLog from the Recorded Future Hashes Observed in Underground Virus Testing Sites\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n// Picking up only Recorded Future IOC's that have been observed in undersground testing sites\n| where Description == \"Recorded Future - HASH - Observed in Underground Virus Testing Sites\"\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n| join (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation\n| extend AccountName = tostring(split(SourceUserName, \"@\")[0]), AccountUPNSuffix = tostring(split(SourceUserName, \"@\")[1])\n| extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CEF" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CefAma" + } + ], + "tactics": [ + "ResourceDevelopment" + ], + "subTechniques": [ + "T1587.001" + ], + "techniques": [ + "T1587" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "SourceUserName" + }, + { + "identifier": "Name", + "columnName": "AccountName" + }, + { + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "DeviceName" + }, + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "HostNameDomain" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SourceIP" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Specific Hashes in CommonSecurityLog", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in Azure Activity Events from Recorded Future Actively Communicating C&C Server Risklist.", + "displayName": "Detection of Malware C2 IPs in Azure Act. Events", + "enabled": false, + "query": "// Identifies a match in AzureActivity from the Recorded Future C2 Malware Detection IPs (Actively Communicating C&C Server RiskList)\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == \"Recorded Future - IP - Actively Communicating C&C Server\"\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| extend TI_ipEntity = NetworkIP\n| join (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n )\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated >= TimeGenerated and AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, Description, AdditionalInformation\n| extend AccountName = tostring(split(Caller, \"@\")[0]), AccountUPNSuffix = tostring(split(Caller, \"@\")[1])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AzureActivity" + ], + "connectorId": "AzureActivity" + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Caller" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "CallerIpAddress" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "TI_ipEntity" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 IPs in Azure Act. Events", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in DnsEvents from Recorded Future Actively Communicating C&C Server Risklist.", + "displayName": "Detection of Malware C2 IPs in DNS Events", + "enabled": false, + "query": "// Identifies a match in DnsEvent from the Recorded Future C2 Malware Detection IPs (Actively Communicating C&C Server RiskList)\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == \"Recorded Future - IP - Actively Communicating C&C Server\"\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| join (\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend SingleIP = tostring(SingleIP)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n )\non $left.NetworkIP == $right.SingleIP\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, Description, AdditionalInformation\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "DnsEvents" + ], + "connectorId": "DNS" + }, + { + "dataTypes": [ + "DnsEvents" + ], + "connectorId": "ASimDnsActivityLogs" + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + }, + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "HostNameDomain" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ClientIP" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "NetworkIP" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 IPs in DNS Events", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group.", + "displayName": "Detection of Malicious URLs in Syslog Events", + "enabled": false, + "query": "// Identifies a match in Syslog from the Recorded Future URLs Recently Reported by Insikt Group\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that have been recently reported as malicious by Insikt Group\n| where Description == 'Recorded Future - URL - Recently Reported by Insikt Group'\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| join (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non Url\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Syslog" + ], + "connectorId": "Syslog" + }, + { + "dataTypes": [ + "Syslog" + ], + "connectorId": "SyslogAma" + } + ], + "tactics": [ + "LateralMovement", + "Execution" + ], + "techniques": [ + "T1072" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malicious URLs in Syslog Events", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Recorded Future Threat Hunting hash correlation for all actors.", + "displayName": "RecordedFuture Threat Hunting Hash All Actors", + "enabled": false, + "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing Hash data.\n// The following workbook: Recorded Future - Hash Correlation will help researching available data and selecting tables and columns \nimFileEvent\n| where isnotempty(Hash)\n| extend lowerHash=tolower(Hash)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(FileHashValue)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerHash=tolower(FileHashValue)\n) on lowerHash\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Hash\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Hash=FileHashValue, HashType, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceUploadIndicatorsAPI" + } + ], + "tactics": [ + "InitialAccess", + "Execution", + "Persistence" + ], + "techniques": [ + "T1189", + "T1059", + "T1554" + ], + "entityMappings": [ + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "Hash" + }, + { + "identifier": "Algorithm", + "columnName": "HashType" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "ActorInformation": "RecordedFuturePortalLink" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n", + "alertDynamicProperties": [ + { + "value": "RecordedFuturePortalLink", + "alertProperty": "AlertLink" + } + ], + "alertDisplayNameFormat": "{{Description}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "lookbackDuration": "1h", + "enabled": true, + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "RecordedFuture Threat Hunting Hash All Actors", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Recorded Future Threat Hunting IP correlation for all actors.", + "displayName": "RecordedFuture Threat Hunting IP All Actors", + "enabled": false, + "query": "let ioc_lookBack = 1d;\n// The source table (ASimNetworkSessionLogs) can be replaced by any infrastructure table containing ip data.\n// The following workbook: Recorded Future - IP Correlation will help researching available data and selecting tables and columns \nimNetworkSession\n| where isnotempty(DstIpAddr)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(NetworkIP)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n) on $left.DstIpAddr == $right.NetworkIP\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.DstIpAddr\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project NetworkIP, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceUploadIndicatorsAPI" + } + ], + "tactics": [ + "Exfiltration", + "CommandAndControl" + ], + "techniques": [ + "T1041", + "T1568" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "NetworkIP" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "ActorInformation": "RecordedFuturePortalLink" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n", + "alertDynamicProperties": [ + { + "value": "RecordedFuturePortalLink", + "alertProperty": "AlertLink" + } + ], + "alertDisplayNameFormat": "{{Description}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "lookbackDuration": "1h", + "enabled": true, + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "RecordedFuture Threat Hunting IP All Actors", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Recorded Future Threat Hunting domain correlation for all actors.", + "displayName": "RecordedFuture Threat Hunting Domain All Actors", + "enabled": false, + "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing domain/dns data.\n// The following workbook: Recorded Future - Domain Correlation will help researching available data and selecting tables and columns \nimDns\n| where isnotempty(Domain)\n| extend lowerDomain=tolower(Domain)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look at Domain IOCs\n| where isnotempty(DomainName)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerDomain=tolower(DomainName)\n) on lowerDomain \n// select column from the source table to match with Recorded Future $left.Domain\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project DomainName, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceUploadIndicatorsAPI" + } + ], + "tactics": [ + "InitialAccess", + "CommandAndControl" + ], + "techniques": [ + "T1566", + "T1568" + ], + "entityMappings": [ + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "Domain" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "ActorInformation": "RecordedFuturePortalLink" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n", + "alertDynamicProperties": [ + { + "value": "RecordedFuturePortalLink", + "alertProperty": "AlertLink" + } + ], + "alertDisplayNameFormat": "{{Description}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "lookbackDuration": "1h", + "enabled": true, + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "RecordedFuture Threat Hunting Domain All Actors", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Recorded Future Threat Hunting Url correlation for all actors.", + "displayName": "RecordedFuture Threat Hunting Url All Actors", + "enabled": false, + "query": "let ioc_lookBack = 1d;\n// The source table (imWebSession) can be replaced by any infrastructure table containing Url data.\n// The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns \nimWebSession\n| where isnotempty(Url)\n| extend lowerUrl=tolower(Url)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(Url)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerUrl=tolower(Url)\n) on lowerUrl\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Url\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Url, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceUploadIndicatorsAPI" + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion" + ], + "techniques": [ + "T1098", + "T1078" + ], + "entityMappings": [ + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + } + ], + "customDetails": { + "ActorInformation": "RecordedFuturePortalLink" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n", + "alertDynamicProperties": [ + { + "value": "RecordedFuturePortalLink", + "alertProperty": "AlertLink" + } + ], + "alertDisplayNameFormat": "{{Description}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "lookbackDuration": "1h", + "enabled": true, + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "RecordedFuture Threat Hunting Url All Actors", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-IOC_Enrichment", + "type": "string" + } + }, + "variables": { + "RecordedFutureConnectionName": "RecordedFuture-ConnectorV2", + "AzureSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "connection-2": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateVersion": "2.7", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" + ], + "properties": { + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "For_each": { + "actions": { + "Parse_JSON_2": { + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "properties": { + "type": "object" + }, + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + }, + "Switch": { + "cases": { + "Case": { + "actions": { + "Add_comment_to_incident_(V3)_-_Domain": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Domain_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Domain_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Add_comment_to_incident_(V3)_4": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_DNS_Resolution')?['domainName']}
\nRequest Data Collection In The Recorded Future Portal

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_-_Domain": [ + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Domain_Enrichment": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/lookup/domain/@{encodeURIComponent(body('Parse_JSON_-_DNS_Resolution')?['domainName'])}", + "queries": { + "IntelligenceCloud": "@parameters('IntelligenceCloud')", + "RFIncidentId": "@variables('RFIncidentId')", + "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", + "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", + "fields": "intelCard,risk,links", + "htmlresponse": "True" + } + }, + "runAfter": { + "Parse_JSON_-_DNS_Resolution": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Parse_JSON_-_DNS_Resolution": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "domainName": { + "type": "string" + }, + "friendlyName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "case": "DnsResolution" + }, + "Case_2": { + "actions": { + "Add_comment_to_incident_(V3)_-_Hash": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Hash_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Hash_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Add_comment_to_incident_(V3)_3": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_File_Hash')?['hashValue']}
\nRequest Data Collection In The Recorded Future Portal

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_-_Hash": [ + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Hash_Enrichment": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/lookup/hash/@{encodeURIComponent(body('Parse_JSON_-_File_Hash')?['hashValue'])}", + "queries": { + "IntelligenceCloud": "@parameters('IntelligenceCloud')", + "RFIncidentId": "@variables('RFIncidentId')", + "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", + "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", + "fields": "intelCard,risk,links", + "htmlresponse": "True" + } + }, + "runAfter": { + "Parse_JSON_-_File_Hash": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Parse_JSON_-_File_Hash": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "algorithm": { + "type": "string" + }, + "friendlyName": { + "type": "string" + }, + "hashValue": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "case": "FileHash" + }, + "Case_3": { + "actions": { + "Add_comment_to_incident_(V3)_-_URL": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('URL_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "URL_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Url')?['url']}
\nRequest Data Collection In The Recorded Future Portal

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_-_URL": [ + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Parse_JSON_-_Url": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "friendlyName": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + }, + "URL_Enrichment": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/lookup/url/@{encodeURIComponent(body('Parse_JSON_-_Url')?['url'])}", + "queries": { + "IntelligenceCloud": "@parameters('IntelligenceCloud')", + "RFIncidentId": "@variables('RFIncidentId')", + "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", + "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", + "fields": "intelCard,risk,links", + "htmlresponse": "True" + } + }, + "runAfter": { + "Parse_JSON_-_Url": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + }, + "case": "Url" + }, + "Case_4": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Ip')?['address']}
\nRequest Data Collection In The Recorded Future Portal

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_-_IP": [ + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Add_comment_to_incident_(V3)_-_IP": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('IP_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "IP_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "IP_Enrichment": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/lookup/ip/@{encodeURIComponent(body('Parse_JSON_-_Ip')?['address'])}", + "queries": { + "IntelligenceCloud": "@parameters('IntelligenceCloud')", + "RFIncidentId": "@variables('RFIncidentId')", + "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", + "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", + "fields": "intelCard,risk,links", + "htmlresponse": "True" + } + }, + "runAfter": { + "Parse_JSON_-_Ip": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Parse_JSON_-_Ip": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "address": { + "type": "string" + }, + "friendlyName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "case": "Ip" + } + }, + "expression": "@body('Parse_JSON_2')?['kind']", + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "type": "Switch" + } + }, + "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "runAfter": { + "RFIncidentId": [ + "Succeeded" + ] + }, + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + }, + "type": "Foreach" + }, + "RFIncidentId": { + "inputs": { + "variables": [ + { + "name": "RFIncidentId", + "type": "string", + "value": "@{guid()}" + } + ] + }, + "type": "InitializeVariable" + } + }, + "contentVersion": "1.0.0.0", + "parameters": { + "IntelligenceCloud": { + "defaultValue": true, + "type": "Bool" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "recordedfuture": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", + "connectionName": "[[variables('RecordedFutureConnectionName')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-IOC_Enrichment", + "description": "This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Microsoft Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. The enrichment content will be posted as a comment in the Microsoft Sentinel incident \"Microsoft.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment open the playbook in edit mode and configure/authorize all connections and press save.\"Logic" + ], + "lastUpdateTime": "2024-07-09T00:00:00Z", + "entities": [ + "ip", + "url", + "dnsresolution", + "filehash" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Improved layout and added Recorded Future Collective Insights." + ] + }, + { + "version": "1.2", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Fixed risk rule severity and correct image url." + ] + }, + { + "version": "2.3", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Updated readme and improved layout." + ] + }, + { + "version": "2.4", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Handle 404 result from enrichment." + ] + }, + { + "version": "2.5", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Backend rendered markdown/html to increse performance and reduce cost of enrichment." + ] + }, + { + "version": "2.6", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Shorten name from RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash. Renamed API connections" + ] + }, + { + "version": "2.7", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Reduce concurrency to 1." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-IOC_Enrichment", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Playbook-Alert-Importer", + "type": "string" + }, + "create_incident": { + "type": "String", + "defaultValue": "false", + "metadata": { + "description": "Create Microsoft Sentinel incidents (possible values true/false)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "RecordedFutureConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "create_incident": { + "type": "String", + "defaultValue": "[[parameters('create_incident')]" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Search_Playbook_Alerts')", + "actions": { + "Get_Playbook_Alert_by_ID": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "get", + "path": "/playbook-alert/@{encodeURIComponent(items('For_each')?['playbook_alert_id'])}" + } + }, + "Create_incident_if_parameter_is_set-copy": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Create_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@body('Create_incident')?['id']", + "message": "

**Recorded Future Alert** @{body('Get_Playbook_Alert_by_ID')?['title']}

Playbook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}

Playbook Alert Type: @{items('For_each')?['category']}

Playbook Alert Priority: @{items('For_each')?['priority']}

Playbook Alert Status: @{item()?['status']}

Playbook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}

[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})


Evidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}


created_date: @{items('For_each')?['created']}

updated_date: @{items('For_each')?['updated']}

" + }, + "path": "/Incidents/Comment" + } + }, + "Create_incident": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "title": "@body('Get_Playbook_Alert_by_ID')?['title']", + "severity": "Medium", + "status": "New", + "description": "**Recorded Future Alert**\n@{body('Get_Playbook_Alert_by_ID')?['title']}\nPlaybook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}\nPlaybook Alert Type: @{items('For_each')?['category']}\nPlaybook Alert Priority: @{items('For_each')?['priority']}\nPlaybook Alert Status: @{item()?['status']}\nPlaybook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}\n[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})\n\nEvidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\n\ncreated_date: @{items('For_each')?['created']}\nupdated_date: @{items('For_each')?['updated']}\n\n", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "Recorded Future Playbook Alert" + }, + { + "Tag": "RFPAID:@{item()?['playbook_alert_id']}" + } + ] + } + }, + "path": "/Incidents/subscriptions/5129b3ff-c0c6-4e86-bd1c-70e5fcd579cf/resourceGroups/RF-SaaS-V3.2.2/workspaces/RF-SaaS-V3-2-2" + } + } + }, + "runAfter": { + "Send_Data": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@parameters('create_incident')", + "true" + ] + } + ] + }, + "type": "If" + }, + "Send_Data": { + "runAfter": { + "Get_Playbook_Alert_by_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "{\n\"title\": \" @{items('For_each')?['title']}\",\n\"id\": \"@{body('Get_Playbook_Alert_by_ID')?['id']}\",\n\"category\":\"@{items('For_each')?['category']}\",\n\"rule_label\":\"@{coalesce(body('Get_Playbook_Alert_by_ID')?['rule_label'],items('For_each')?['category'])}\",\n\"status\": \"@{items('For_each')?['status']}\", \n\"priority\": \"@{items('For_each')?['priority']}\",\n\"created_date\": \"@{items('For_each')?['created']}\",\n\"updated_date\": \"@{items('For_each')?['updated']}\",\n\"targets\":\"@{body('Get_Playbook_Alert_by_ID')?['targets']}\",\n\"evidence_summary\": \"@{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\",\n\"link\": \"@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])}\"\n}", + "headers": { + "Log-Type": "RecordedFuturePlaybookAlerts" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Search_Playbook_Alerts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Search_Playbook_Alerts": { + "type": "ApiConnection", + "inputs": { + "body": { + "updated_from_relative": "-1", + "categories": "[variables('TemplateEmptyArray')]" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "post", + "path": "/playbook-alert/search" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + }, + "recordedfuturev2": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", + "connectionName": "[[variables('RecordedFutureConnectionName')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "PlaybookAlert-Import", + "hidden-SentinelTemplateVersion": "1.3", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Playbook-Alert-Importer", + "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-07-09T00:00:00Z", + "tags": [ + "Alert" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ + "Changed default search parameters for playbook alert serach." + ] + }, + { + "version": "1.2", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ + "API connector renaming." + ] + }, + { + "version": "1.3", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ + "Added Incident creation." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Playbook-Alert-Importer", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-AlertImporter Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-AlertImporter", + "type": "string" + }, + "create_incident": { + "metadata": { + "description": "Create Microsoft Sentinel incidents (possible values true/false)" + }, + "type": "string" + }, + "workspace_name": { + "defaultValue": "", + "metadata": { + "description": "Microsoft Sentinel Workspace name" + }, + "type": "string" + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "Recordedfuturev2ConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-4": "[[variables('connection-4')]", + "connection-5": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-5": "[[variables('connection-5')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" + ], + "identity": { + "type": "SystemAssigned" + }, + "location": "[[variables('workspace-location-inline')]", + "name": "[[parameters('PlaybookName')]", + "properties": { + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "For_each_triggered_alert": { + "actions": { + "Create_incident_if_parameter_is_set": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Create_incident')?['id']", + "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{concat(items('For_each_triggered_alert')?['url']?['portal'], '&utm_source=microsoft_sentinel')})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Create_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Create_incident": { + "inputs": { + "body": { + "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{concat(items('For_each_triggered_alert')?['url']?['portal'],'&utm_source=microsoft_sentinel')})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", + "severity": "Medium", + "status": "New", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "Recorded Future Alert" + } + ] + }, + "title": "@items('For_each_triggered_alert')?['title']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "[[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]" + }, + "type": "ApiConnection" + } + }, + "expression": { + "and": [ + { + "equals": [ + "@parameters('create_incident')", + "true" + ] + } + ] + }, + "runAfter": { + "For_each_hit": [ + "Succeeded" + ] + }, + "type": "If" + }, + "For_each_hit": { + "actions": { + "Send_Data_2": { + "inputs": { + "body": "{\n\"RuleName\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_triggered_alert')?['rule']?['name'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_triggered_alert')?['title'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\ncoalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''),\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"Fragment\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_hit')?['fragment'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\"}", + "headers": { + "Log-Type": "RecordedFuturePortalAlerts" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + }, + "type": "ApiConnection" + } + }, + "foreach": "@items('For_each_triggered_alert')['hits']", + "type": "Foreach" + } + }, + "foreach": "@body('Search_Triggered_Alerts')?['data']", + "runAfter": { + "Search_Triggered_Alerts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "inputs": { + "variables": [ + { + "name": "latest_event_date", + "type": "string", + "value": "@{addHours(utcNow(), -24)}" + } + ] + }, + "type": "InitializeVariable" + }, + "Run_query_and_list_results": { + "inputs": { + "body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[[resourceGroup().name]", + "resourcename": "[[parameters('workspace_name')]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[[subscription().subscriptionId]", + "timerange": "Last 7 days" + } + }, + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Search_Triggered_Alerts": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "get", + "path": "/v2/alerts", + "queries": { + "triggered": "[[[@{addSeconds(variables('latest_event_date'),1)},@{utcNow()}]" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded", + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Set_variable": { + "inputs": { + "name": "latest_event_date", + "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" + }, + "runAfter": { + "Run_query_and_list_results": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "create_incident": { + "defaultValue": "[[parameters('create_incident')]", + "type": "string" + } + }, + "triggers": { + "Recurrence": { + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuremonitorlogs": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + }, + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]" + }, + "recordedfuturev2": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]", + "connectionName": "[[variables('Recordedfuturev2ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + }, + "provisioningState": "Succeeded", + "state": "Enabled" + }, + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-AlertImporter", + "hidden-SentinelTemplateVersion": "1.4", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "type": "Microsoft.Logic/workflows" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-2')]" + }, + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]" + }, + "type": "Microsoft.Web/connections" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('AzuremonitorlogsConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-3')]" + }, + "displayName": "[[variables('AzuremonitorlogsConnectionName')]" + }, + "type": "Microsoft.Web/connections" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-4')]" + }, + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative" + }, + "type": "Microsoft.Web/connections" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('Recordedfuturev2ConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-5')]" + }, + "displayName": "[[variables('Recordedfuturev2ConnectionName')]" + }, + "type": "Microsoft.Web/connections" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident. ", + "lastUpdateTime": "2024-09-20T00:00:00Z", + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "releaseNotes": [ + { + "notes": [ + "Initial version" + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.0" + }, + { + "notes": [ + "Fixed ARM encoding" + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.1" + }, + { + "notes": [ + "API connector renaming." + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.2" + }, + { + "notes": [ + "Encoding and latest_event_date fix." + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.3" + }, + { + "notes": [ + "More JSON encoding fixes, and add utm parameter to links" + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.4" + } + ], + "tags": [ + "Alert" + ], + "title": "RecordedFuture-Alert-Importer" + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-AlertImporter", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion4')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "string" + }, + "WorkspaceID": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Microsoft Sentinel WorkspaceID, guid format (example:75a5bccc-7a5c-4e3f-ad57-36be224c4d2e). WorkspaceID can be found under Log Analytics Workspaces blade. " + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Batch_messages": { + "type": "Batch", + "inputs": { + "configurations": { + "RFImportToSentinel": { + "releaseCriteria": { + "messageCount": 100, + "recurrence": { + "frequency": "Minute", + "interval": 2 + } + } + } + }, + "mode": "Inline" + } + } + }, + "actions": { + "Select": { + "type": "Select", + "inputs": { + "from": "@triggerBody()['items']", + "select": "@item()['content']" + } + }, + "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": { + "runAfter": { + "Select": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "indicators": "@body('Select')", + "sourcesystem": "Recorded Future" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "[[concat( '/V2/ThreatIntelligence/',parameters('WorkspaceID'),'/UploadIndicators/')]", + "retryPolicy": { + "count": 10, + "interval": "PT20S", + "maximumInterval": "PT1H", + "minimumInterval": "PT10S", + "type": "exponential" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ThreatIntelligenceImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", + "kind": "Playbook", + "version": "[variables('playbookVersion4')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-ThreatIntelligenceImport", + "description": "This playbook will write indicators in batch to ThreatIntelligenceIndicator log analytics table.", + "prerequisites": [ + "Microsoft Sentinel Threat Intelligence active" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-ThreatIntelligenceImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "RecordedFuture-ThreatIntelligenceImport", + "notes": [ + "Fixed Api connection" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-ThreatIntelligenceImport", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Domain-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 2 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - Domains - Command and Control Activity", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[domain-name:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),2)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/domain_c2_dns.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Domain-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Domain-IndicatorImport", + "description": "This playbook imports Domain risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Domain-IndicatorImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Domain-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion6')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Hash-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - HASH - Observed in Underground Virus Testing Sites", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[file:hashes.'@{body('Parse_JSON')?['Algorithm']}' = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),24)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/hash_observed_testing.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Hash-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId6')]", + "contentId": "[variables('_playbookContentId6')]", + "kind": "Playbook", + "version": "[variables('playbookVersion6')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Hash-IndicatorImport", + "description": "This playbook imports Hash risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Hash-IndicatorImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId6')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Hash-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion7')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-IP-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", + "RecordedFutureThreatIntelligenceImport": "[[parameters('PlaybookNameBatching')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ThreatIntelligenceImport": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - IP - Actively Communicating C&C Server", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[ipv4-addr:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),1)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/ip_active_c2.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-IP-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId7')]", + "contentId": "[variables('_playbookContentId7')]", + "kind": "Playbook", + "version": "[variables('playbookVersion7')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-IP-IndicatorImport", + "description": "This playbook imports IP risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "Refer to [Recorded Future Logic App - Threat Intelligence Import](../readme.md) documentation for deployment instructions." + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T17:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-IP-IndicatorImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId7')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-IP-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId7')]", + "id": "[variables('_playbookcontentProductId7')]", + "version": "[variables('playbookVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion8')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-URL-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 2 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - URL - Recently Reported by Insikt Group", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[url:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),2)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/url_insikt.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-URL-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", + "kind": "Playbook", + "version": "[variables('playbookVersion8')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-URL-IndicatorImport", + "description": "This playbook imports URL risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-URL-IndicatorImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-URL-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName9')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion9')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Sandbox_Enrichment-Url", + "type": "string" + }, + "Sandbox API Key": { + "metadata": { + "description": "Enter value for Sandbox API Key. Retrive API Key from [Recorded Future Portal](https://sandbox.recordedfuture.com/account)" + }, + "type": "string" + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "RecordedfutureSandboxConnectionName": "RecordedFuture-SandboxConnector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureSandboxConnectionName'))]" + ], + "identity": { + "type": "SystemAssigned" + }, + "location": "[[variables('workspace-location-inline')]", + "name": "[[parameters('PlaybookName')]", + "properties": { + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Define_sandbox_status": { + "inputs": { + "variables": [ + { + "name": "sandbox_status", + "type": "string" + } + ] + }, + "runAfter": { + "Entities_-_Get_URLs": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Entities_-_Get_URLs": { + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/url" + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Get_the_full_report')?['html_report']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Get_the_full_report": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_the_full_report": { + "inputs": { + "headers": { + "SandboxToken": "@parameters('Sandbox API Key')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + } + }, + "method": "get", + "path": "/samples/@{encodeURIComponent(body('Get_the_full_summary')?['id'])}/overview.json" + }, + "runAfter": { + "Wait_for_sandbox_report": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Initialize_Sandbox_status": { + "inputs": { + "name": "sandbox_status", + "value": "@body('Submit_url_samples')?['status']" + }, + "runAfter": { + "Submit_url_samples": [ + "Succeeded" + ] + }, + "type": "SetVariable" + }, + "Submit_url_samples": { + "inputs": { + "body": { + "url": "@items('For_each')?['Url']" + }, + "headers": { + "Content-Type": "application/json", + "SandboxToken": "@parameters('Sandbox API Key')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + } + }, + "method": "post", + "path": "/samples/url" + }, + "type": "ApiConnection" + }, + "Wait_for_sandbox_report": { + "actions": { + "Delay": { + "inputs": { + "interval": { + "count": 2, + "unit": "Minute" + } + }, + "runAfter": { + "Set_sandbox_status": [ + "Succeeded" + ] + }, + "type": "Wait" + }, + "Get_the_full_summary": { + "inputs": { + "headers": { + "SandboxToken": "@parameters('Sandbox API Key')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + } + }, + "method": "get", + "path": "/samples/@{encodeURIComponent(body('Submit_url_samples')?['id'])}" + }, + "type": "ApiConnection" + }, + "Set_sandbox_status": { + "inputs": { + "name": "sandbox_status", + "value": "@body('Get_the_full_summary')?['status']" + }, + "runAfter": { + "Get_the_full_summary": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": "@equals(variables('sandbox_status'), 'reported')", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "runAfter": { + "Initialize_Sandbox_status": [ + "Succeeded" + ] + }, + "type": "Until" + } + }, + "foreach": "@body('Entities_-_Get_URLs')?['URLs']", + "runAfter": { + "Define_sandbox_status": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Sandbox API Key": { + "defaultValue": "[[parameters('Sandbox API Key')]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + }, + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]" + }, + "recordedfuturesandbo": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureSandboxConnectionName'))]", + "connectionName": "recordedfuturesandbo", + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]" + } + } + } + }, + "provisioningState": "Succeeded", + "state": "Enabled" + }, + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url", + "hidden-SentinelTemplateVersion": "1.2", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "type": "Microsoft.Logic/workflows" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('RecordedfutureSandboxConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-2')]" + }, + "displayName": "[[variables('RecordedfutureSandboxConnectionName')]" + }, + "type": "Microsoft.Web/connections" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-3')]" + }, + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative" + }, + "type": "Microsoft.Web/connections" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId9')]", + "contentId": "[variables('_playbookContentId9')]", + "kind": "Playbook", + "version": "[variables('playbookVersion9')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "description": "This playbook will enrich url entities in an incident and send them to Recorded Future Sandbox. The result will be written as a incident comment.", + "entities": [ + "url" + ], + "lastUpdateTime": "2024-09-24T00:00:00Z", + "postDeployment": [ + "After deployment you have to open the playbook to configure all connections and press save." + ], + "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "releaseNotes": [ + { + "notes": [ + "Initial version" + ], + "title": "RecordedFuture-Sandbox_Enrichment-Url", + "version": "1.0" + }, + { + "notes": [ + "API connection rename." + ], + "title": "API Connectors", + "version": "1.1" + }, + { + "notes": [ + "API connector rename." + ], + "title": "API Connectors", + "version": "1.2" + } + ], + "tags": [ + "Enrichment" + ], + "title": "RecordedFuture-Sandbox_Enrichment-Url" + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId9')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Sandbox_Enrichment-Url", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName10')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-CustomConnector Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion10')]", + "parameters": { + "ConnectorName": { + "defaultValue": "RecordedFuture-CustomConnector", + "type": "String", + "metadata": { + "description": "Recorded Future Custom Connector" + } + }, + "ServiceEndpoint": { + "defaultValue": "https://api.recordedfuture.com/gw/azure", + "type": "String", + "metadata": { + "description": "Recorded Future API" + } + } + }, + "variables": { + "operationId-IP_Enrichment": "IP_Enrichment", + "_operationId-IP_Enrichment": "[[variables('operationId-IP_Enrichment')]", + "operationId-Threat_Map_Actors": "Threat_Map_Actors", + "_operationId-Threat_Map_Actors": "[[variables('operationId-Threat_Map_Actors')]", + "operationId-Threat_Map_Malware": "Threat_Map_Malware", + "_operationId-Threat_Map_Malware": "[[variables('operationId-Threat_Map_Malware')]", + "operationId-Domain_Enrichment": "Domain_Enrichment", + "_operationId-Domain_Enrichment": "[[variables('operationId-Domain_Enrichment')]", + "operationId-Url_Enrichment": "Url_Enrichment", + "_operationId-Url_Enrichment": "[[variables('operationId-Url_Enrichment')]", + "operationId-Hash_Enrichment": "Hash_Enrichment", + "_operationId-Hash_Enrichment": "[[variables('operationId-Hash_Enrichment')]", + "operationId-Vuln_Enrichment": "Vuln_Enrichment", + "_operationId-Vuln_Enrichment": "[[variables('operationId-Vuln_Enrichment')]", + "operationId-Alert_Rules_Search": "Alert_Rules_Search", + "_operationId-Alert_Rules_Search": "[[variables('operationId-Alert_Rules_Search')]", + "operationId-Alert_Not_Search": "Alert_Not_Search", + "_operationId-Alert_Not_Search": "[[variables('operationId-Alert_Not_Search')]", + "operationId-Alert_Not_Lookup": "Alert_Not_Lookup", + "_operationId-Alert_Not_Lookup": "[[variables('operationId-Alert_Not_Lookup')]", + "operationId-Rislk_List_Download": "Rislk_List_Download", + "_operationId-Rislk_List_Download": "[[variables('operationId-Rislk_List_Download')]", + "operationId-Soar_Bulk_Lookup": "Soar_Bulk_Lookup", + "_operationId-Soar_Bulk_Lookup": "[[variables('operationId-Soar_Bulk_Lookup')]", + "operationId-STIX_Indicators": "STIX_Indicators", + "_operationId-STIX_Indicators": "[[variables('operationId-STIX_Indicators')]", + "operationId-STIX_MalwareIndicators": "STIX_MalwareIndicators", + "_operationId-STIX_MalwareIndicators": "[[variables('operationId-STIX_MalwareIndicators')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "playbookContentId10": "RecordedFuture-CustomConnector", + "playbookId10": "[[resourceId('Microsoft.Web/customApis', parameters('ConnectorName'))]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/customApis", + "apiVersion": "2016-06-01", + "name": "[[parameters('ConnectorName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "connectionParameters": { + "api_key": { + "type": "securestring" + } + }, + "backendService": { + "serviceUrl": "[[parameters('ServiceEndPoint')]" + }, + "capabilities": "[variables('TemplateEmptyArray')]", + "brandColor": "#FFFFFF", + "description": "Recorded Future Connector enables access to the Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files.", + "displayName": "[[parameters('ConnectorName')]", + "iconUri": "data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT/wAARCAAoADADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD9U6a7rGpZ2CqoyWY4Ap1YXjjwXpvxC8K6h4d1hZX02+QJMIZDG+AwYYYdOVFVHlckpOyJlzKLcVdniXxW8VeJvF/ir4ofD2wSO4tY/Cq3NnBGoWRpnIDfOSOoYjB44Fa/wz8ZeIdL+JujeAdRaOKwsfBlreSwsoMi3IKoxL55GMj04rzjx5p+m+G/id8VYLnT573RbLwLbxfZlnaNpI1KKq+bgkH5evPQ9a0PBvh3S/GPxkt9LaznttC1L4b20HkeczOkLuo2+ZwSQOM98V9U6VP6va3u8t9uvLHXff8Aq58sqtT6xe/vc1t+nNLTbb+rH1SrBlDKQVIyCOhpay/C/h2z8I+HdN0TTldbHT4Et4RI5dtijAyT1NalfKStd22Pqo3sr7nnvgr45eHPHV5pttaRanYtqkTS6fJqNi8Ed4qrubynPysQuTjOcAntXZnXtMXT5b86jaCxiJEl156+UhBwctnA5r5TH7OvifRfBOjLNczCb/hHLmxmGpaqDBol2y482PL7QjoWiOzO3dkcE1f0H4X3mrXMGsaZpFtqlpYX9rPeeG21LT2ju1SKZAwjt0WFWUyAgu2X2c7doz79TBYVtypVNPl3+W//AAdmeDTxuKVo1aer9e36f8DdM+ifFcHhzxN4fk0jWbq0fTtciNsqtciM3KsOkbAgk88bfWrGlz6D4d0yHT7S7s7a1023WAI1wpMMSYQBiTnAIAye9fP2tfBTxBcR6o0fgfSXj1jR20+zs471CmhSmaV/My/Y+YrHys4ZMAYwaZo/7P2t6R4atJr3QbXXtVtfFEuoXtvNLEJNVs8MEy7HafmIkCOQMjnmsvq1Dks62l9tP8/l/wAA1+s1ue6o6231/wAvn/wT3vQPiDofiK3vp7a8WGKz1CXS3e5IjDTxkBlUk/N14x1pvj34iaH8N/D9/rGs3Oy3so0llihw82xpFjDBM5I3MBmvmiP4C+KbCbUtQv8AQUXRZrjURFosNzYlbRZpFZJQ06tGqlRsJXDrsGARxVjx58BPFGo+B/FWj2nhm38R6rqS2Mun6/PqMLTQRRRwI1vvcIxI8t8EBVYOScH5TqsDhPaxvV9266rur63+f5XMnjcV7OVqT5rdn2dtLf11se2ftIK0nwJ8bKqlmOmyYAGT2ri4G1P4ReKPB8usnRdK0XUJLqK8k8O6W9vDIwgBt1mA3Fm3b9vuSO9FFZ4P36caL2k5X/8AAUaYz3akqq3io2/8CZ5HbeIvEqre+JTrusp4ivPCIuLRe87x3cgkVV28lI13kDkEk+1d/rHxE1fxz8XF0vQPE2o2nhu91CwgjuLJNn7t7K6eTyy6d2jX5scEcdKKK9+rShyzqWV0nbRd1+VvxZ4NKrNShTu7Nq+r7frfX5D/AId674p8U+NINJ1/VpJmmubuHVdFupHdo4Yy/kMsS2wEJBWI+Y0pEgJ6lgB9JWtvHZ28UES7Yo1CKMk8D3NFFfN5laNSKirK1z6PLbypycnd3t+R/9k=", + "swagger": { + "swagger": "2.0", + "info": { + "title": "Recorded Future V2", + "description": "Recorded Future Connector enables access to the Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files", + "contact": { + "name": "Recorded Future Support", + "url": "https://support.recordedfuture.com", + "email": "support@recordedfuture.com" + }, + "version": "1.0" + }, + "host": "api.recordedfuture.com", + "basePath": "/gw/azure", + "schemes": [ + "https" + ], + "paths": { + "/lookup/ip/{ip}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "intelCard": { + "type": "string", + "description": "Recorded Future Intelligence Card Link", + "title": "intelCard", + "x-ms-visibility": "important" + }, + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Indicator Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Indicator Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" + }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": "string", + "description": "Recorded Future Indicator Risk Rules", + "title": "rule", + "x-ms-visibility": "important" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "IP Enrichment", + "description": "IP Enrichment with Recorded Future data", + "operationId": "[[variables('_operationId-IP_Enrichment')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "ip", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The IP address to lookup. Must be a single IP address", + "x-ms-summary": "IP input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." + } + ] + } + }, + "/threat/map/actors": { + "post": { + "tags": [ + "Threat Hunt" + ], + "summary": "Fetch Threat Map actors", + "description": "Fetch Threat Map data for the enterprise's primary organization with filters.", + "operationId": "[[variables('_operationId-Threat_Map_Actors')]", + "x-ms-visibility": "important", + "consumes": [ + "application/json" + ], + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "x-ms-visibility": "important", + "schema": { + "type": "object", + "x-ms-visibility": "important", + "properties": { + "actors": { + "description": "List of actors", + "type": "array", + "items": { + "type": "string", + "description": "Description actor1", + "title": "Title actor1", + "x-ms-visibility": "important" + } + }, + "categories": { + "description": "List of categories", + "type": "array", + "items": { + "type": "string", + "description": "Description category1", + "title": "Title category1", + "x-ms-visibility": "important" + } + }, + "watchlists": { + "description": "List of watchlists", + "type": "array", + "items": { + "type": "string", + "description": "Description watchlist1", + "title": "Title watchlist1", + "x-ms-visibility": "important" + } + } + }, + "required": [ + "actors", + "categories", + "watchlists" + ] + } + } + ], + "responses": { + "200": { + "description": "Returns Threat Map", + "schema": { + "type": "object", + "properties": { + "data": { + "$ref": "#/definitions/ThreatMapActors" + } + } + } + } + } + } + }, + "/threat/map/malware": { + "post": { + "tags": [ + "Threat Hunt" + ], + "summary": "Fetch Threat Map malware", + "description": "Fetch Threat Map data for the enterprise's primary organization with filters.", + "operationId": "[[variables('_operationId-Threat_Map_Malware')]", + "x-ms-visibility": "important", + "consumes": [ + "application/json" + ], + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "x-ms-visibility": "important", + "schema": { + "type": "object", + "x-ms-visibility": "important", + "properties": { + "malware": { + "description": "List of malware", + "type": "array", + "items": { + "type": "string", + "description": "Description malware1", + "title": "Title malware1", + "x-ms-visibility": "important" + } + }, + "categories": { + "description": "List of categories", + "type": "array", + "items": { + "type": "string", + "description": "Description category1", + "title": "Title category1", + "x-ms-visibility": "important" + } + }, + "watchlists": { + "description": "List of watchlists", + "type": "array", + "items": { + "type": "string", + "description": "Description watchlist1", + "title": "Title watchlist1", + "x-ms-visibility": "important" + } + } + }, + "required": [ + "malware", + "categories", + "watchlists" + ] + } + } + ], + "responses": { + "200": { + "description": "Returns Threat Map", + "schema": { + "type": "object", + "properties": { + "data": { + "$ref": "#/definitions/ThreatMapMalware" + } + } + } + } + } + } + }, + "/lookup/domain/{domain}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "intelCard": { + "type": "string", + "description": "Recorded Future Intelligence Card Link", + "title": "intelCard", + "x-ms-visibility": "important" + }, + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Indicator Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Indicator Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" + }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": "string", + "description": "Recorded Future Indicator Risk Rules", + "title": "rule", + "x-ms-visibility": "advanced" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "Domain Enrichment", + "description": "Domain Enrichment with Recorded Future data", + "operationId": "[[variables('_operationId-Domain_Enrichment')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "domain", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The domain to lookup. Must be a single domain", + "x-ms-summary": "Domain input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." + } + ] + } + }, + "/lookup/url/{url}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Indicator Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Indicator Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" + }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": "string", + "description": "Recorded Future Indicator Risk Rules", + "title": "rule", + "x-ms-visibility": "important" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "URL Enrichment", + "description": "URL Enrichment with Recorded Future data", + "operationId": "[[variables('_operationId-Url_Enrichment')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "url", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The URL to lookup. Must be a single URL", + "x-ms-summary": "URL input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." + } + ] + } + }, + "/lookup/hash/{hash}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "intelCard": { + "type": "string", + "description": "Recorded Future Intelligence Card Link", + "title": "intelCard", + "x-ms-visibility": "important" + }, + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Indicator Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Indicator Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" + }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": "string", + "description": "Recorded Future Indicator Risk Rules", + "title": "rule", + "x-ms-visibility": "important" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "Hash Enrichment", + "description": "Hash Enrichment with Recorded Future data", + "operationId": "[[variables('_operationId-Hash_Enrichment')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "hash", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The HASH to lookup. Must be a single HASH", + "x-ms-summary": "HASH input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." + } + ] + } + }, + "/lookup/vulnerability/{id}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "intelCard": { + "type": "string", + "description": "Recorded Future Intelligence Card Link", + "title": "intelCard", + "x-ms-visibility": "important" + }, + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Vulnerability Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Vulnerability Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" + }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": "string", + "description": "Recorded Future Vulnerability Risk Rules", + "title": "rule", + "x-ms-visibility": "important" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "Vulnerability Enrichment", + "description": "Vulnerability Enrichment with Recorded Future data", + "parameters": [ + { + "name": "id", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The Vulnerability ID (CVE, name) to lookup. Must be a single Vulnerability ID (CVE, name)", + "x-ms-summary": "Vulnerability ID (CVE, name) input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." + } + ], + "operationId": "[[variables('_operationId-Vuln_Enrichment')]", + "x-ms-visibility": "advanced" + } + }, + "/alert/rules": { + "get": { + "tags": [ + "Alerts" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "title": { + "type": "string", + "description": "Title", + "title": "Alert Rule Title", + "x-ms-visibility": "advanced" + }, + "id": { + "type": "string", + "description": "Id", + "title": "Alert Rule ID", + "x-ms-visibility": "important" + } + } + }, + "description": "Results" + } + }, + "description": "Data" + }, + "counts": { + "type": "object", + "properties": { + "returned": { + "type": "integer", + "format": "int32", + "description": "Returned", + "title": "Returned Number of Alert Rules", + "x-ms-visibility": "advanced" + }, + "total": { + "type": "integer", + "format": "int32", + "description": "Total", + "title": "Total Number of Alert Rules", + "x-ms-visibility": "advanced" + } + }, + "description": "Counts" + } + } + } + } + }, + "summary": "Search Alert Rules", + "description": "Search Recorded Future UI Alert Rules", + "operationId": "[[variables('_operationId-Alert_Rules_Search')]", + "x-ms-visibility": "advanced", + "parameters": [ + { + "name": "freetext", + "in": "query", + "required": false, + "type": "string", + "description": "Freetext search for Alert Rule Name", + "x-ms-visibility": "advanced", + "x-ms-summary": "Freetext search" + }, + { + "name": "limit", + "in": "query", + "required": false, + "type": "integer", + "default": 10, + "x-ms-visibility": "advanced", + "description": "Maximum number of records", + "x-ms-summary": "Maximum number of records" + } + ] + } + }, + "/alert/search": { + "get": { + "tags": [ + "Alerts" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "$ref": "#/definitions/AlertSearch" + } + } + }, + "summary": "Search Alert Notifications", + "operationId": "[[variables('_operationId-Alert_Not_Search')]", + "x-ms-visibility": "advanced", + "parameters": [ + { + "name": "triggered", + "in": "query", + "required": false, + "type": "string", + "description": "All Elasticsearch compatible date formats are valid.", + "x-ms-summary": "Triggered", + "x-ms-visibility": "advanced" + }, + { + "name": "alertRule", + "in": "query", + "required": true, + "type": "string", + "description": "Alert Rule ID", + "x-ms-visibility": "important", + "x-ms-summary": "Alert Rule ID" + }, + { + "name": "limit", + "in": "query", + "required": false, + "type": "integer", + "default": 10, + "x-ms-visibility": "advanced", + "description": "Maximum number of records", + "x-ms-summary": "Maximum number of records" + }, + { + "name": "from", + "in": "query", + "required": false, + "type": "integer", + "description": "Records from offset", + "x-ms-visibility": "advanced", + "x-ms-summary": "Records from offset" + } + ], + "description": "Search Alert Notifications" + } + }, + "/alert/{id}": { + "get": { + "tags": [ + "Alerts" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "$ref": "#/definitions/AlertLookup" + } + } + }, + "summary": "Lookup Alert Notification", + "description": "Lookup Alert Notification", + "operationId": "[[variables('_operationId-Alert_Not_Lookup')]", + "parameters": [ + { + "name": "id", + "in": "path", + "required": true, + "type": "string", + "description": "Alert Notification ID", + "x-ms-visibility": "important", + "x-ms-summary": "Alert Notification ID", + "x-ms-url-encoding": "single" + } + ], + "x-ms-visibility": "advanced" + } + }, + "/fusion/files": { + "get": { + "tags": [ + "Fusion Files" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "RiskString": { + "type": "string" + }, + "EvidenceDetails": { + "type": "object", + "properties": { + "EvidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "Rule": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "CriticalityLabel": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + }, + "MitigationString": { + "type": "string" + }, + "Criticality": { + "type": "integer" + } + } + } + } + } + } + } + } + } + } + }, + "summary": "Recorded Future RiskLists and SCF Download", + "description": "Recorded Future RiskList & Security Control Feeds Download", + "operationId": "[[variables('_operationId-Rislk_List_Download')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "path", + "in": "query", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "enum": [ + "/public/MicrosoftAzure/ip_default.json", + "/public/MicrosoftAzure/ip_gt_90.json", + "/public/MicrosoftAzure/ip_active_c2.json", + "/public/MicrosoftAzure/ip_current_c2.json", + "/public/MicrosoftAzure/ip_botnet.json", + "/public/MicrosoftAzure/ip_insikt.json", + "/public/MicrosoftAzure/ip_phishing.json", + "/public/MicrosoftAzure/domain_default.json", + "/public/MicrosoftAzure/domain_gt_90.json", + "/public/MicrosoftAzure/domain_c2_dns.json", + "/public/MicrosoftAzure/domain_ransomware_payment.json", + "/public/MicrosoftAzure/domain_recent_weaponized.json", + "/public/MicrosoftAzure/domain_insikt.json", + "/public/MicrosoftAzure/domain_covid_lure.json", + "/public/MicrosoftAzure/domain_phishing.json", + "/public/MicrosoftAzure/url_gt_90.json", + "/public/MicrosoftAzure/url_c2.json", + "/public/MicrosoftAzure/url_ransomware_distribution.json", + "/public/MicrosoftAzure/url_compromised.json", + "/public/MicrosoftAzure/url_insikt.json", + "/public/MicrosoftAzure/url_malware_verdict.json", + "/public/MicrosoftAzure/hash_targeting_vulns.json", + "/public/MicrosoftAzure/hash_observed_testing.json", + "/public/MicrosoftAzure/hash_malware_ssl.json", + "/public/MicrosoftAzure/vuln_default.json", + "/public/MicrosoftAzure/vuln_gt_90.json", + "/public/MicrosoftAzure/vuln_recent_active_malware.json", + "/public/MicrosoftAzure/vuln_recent_exploit_kit.json", + "/public/MicrosoftAzure/vuln_recent_ransomware.json", + "/public/MicrosoftAzure/vuln_recent_rat.json", + "/public/MicrosoftAzure/vuln_recent_poc_remote.json", + "/public/MicrosoftAzure/vuln_recent_exploit_dev_itw.json", + "/public/MicrosoftAzure/vuln_exploited_itw_malware.json", + "/public/MicrosoftAzure/vuln_critical_cyber_signal.json", + "/public/prevent/c2_communicating_ips.json", + "/public/prevent/weaponized_domains.json", + "/public/prevent/weaponized_urls.json", + "/public/ukraine/ukraine_russia_ip.csv", + "/public/ukraine/ukraine_russia_domain.csv", + "/public/ukraine/ukraine_russia_hash.csv", + "/public/ukraine/ukraine_russia_url.csv" + ], + "x-ms-editor-options": { + "items": [ + { + "title": "IP - Default RiskList", + "value": "/public/MicrosoftAzure/ip_default.json" + }, + { + "title": "IP - 90+ (Very Malicious) RiskList", + "value": "/public/MicrosoftAzure/ip_gt_90.json" + }, + { + "title": "IP - Actively Communicating C&C Server", + "value": "/public/MicrosoftAzure/ip_active_c2.json" + }, + { + "title": "IP - Current C&C Server", + "value": "/public/MicrosoftAzure/ip_current_c2.json" + }, + { + "title": "IP - Recent Botnet Traffic", + "value": "/public/MicrosoftAzure/ip_botnet.json" + }, + { + "title": "IP - Recently Reported by Insikt Group", + "value": "/public/MicrosoftAzure/ip_insikt.json" + }, + { + "title": "IP - Phishing Host", + "value": "/public/MicrosoftAzure/ip_phishing.json" + }, + { + "title": "IP - Ukraine Russia Conflict", + "value": "/public/ukraine/ukraine_russia_ip.csv" + }, + { + "title": "DOMAIN - Default RiskList", + "value": "/public/MicrosoftAzure/domain_default.json" + }, + { + "title": "DOMAIN - 90+ (Very Malicious) RiskList", + "value": "/public/MicrosoftAzure/domain_gt_90.json" + }, + { + "title": "DOMAIN - C&C DNS Name", + "value": "/public/MicrosoftAzure/domain_c2_dns.json" + }, + { + "title": "DOMAIN - Ransomware Payment DNS Name", + "value": "/public/MicrosoftAzure/domain_ransomware_payment.json" + }, + { + "title": "DOMAIN - Recently Active Weaponized Domain", + "value": "/public/MicrosoftAzure/domain_recent_weaponized.json" + }, + { + "title": "DOMAIN - Recently Reported by Insikt Group", + "value": "/public/MicrosoftAzure/domain_insikt.json" + }, + { + "title": "DOMAIN - Recent COVID-19-Related Domain Lure: Malicious", + "value": "/public/MicrosoftAzure/domain_covid_lure.json" + }, + { + "title": "DOMAIN - Recent Phishing Lure: Malicious", + "value": "/public/MicrosoftAzure/domain_phishing.json" + }, + { + "title": "DOMAIN - Ukraine Russia Conflict", + "value": "/public/ukraine/ukraine_russia_domain.csv" + }, + { + "title": "URL - 90+ (Very Malicious) RiskList", + "value": "/public/MicrosoftAzure/url_gt_90.json" + }, + { + "title": "URL - C&C URL", + "value": "/public/MicrosoftAzure/url_c2.json" + }, + { + "title": "URL - Ransomware Distribution URL", + "value": "/public/MicrosoftAzure/url_ransomware_distribution.json" + }, + { + "title": "URL - Compromised URL", + "value": "/public/MicrosoftAzure/url_compromised.json" + }, + { + "title": "URL - Recently Reported by Insikt Group", + "value": "/public/MicrosoftAzure/url_insikt.json" + }, + { + "title": "URL - Positive Malware Verdict", + "value": "/public/MicrosoftAzure/url_malware_verdict.json" + }, + { + "title": "URL - Ukraine Russia Conflict", + "value": "/public/ukraine/ukraine_russia_url.csv" + }, + { + "title": "HASH - Recently Active Targeting Vulnerabilities in the Wild", + "value": "/public/MicrosoftAzure/hash_targeting_vulns.json" + }, + { + "title": "HASH - Observed in Underground Virus Testing Sites ", + "value": "/public/MicrosoftAzure/hash_observed_testing.json" + }, + { + "title": "HASH - Malware SSL Certificate Fingerprint", + "value": "/public/MicrosoftAzure/hash_malware_ssl.json" + }, + { + "title": "HASH - Ukraine Russia Conflict", + "value": "/public/ukraine/ukraine_russia_hash.csv" + }, + { + "title": "(SCF) Security Control Feed: Command and Control IPs", + "value": "/public/prevent/c2_communicating_ips.json" + }, + { + "title": "(SCF) Security Control Feed: Weaponized Domains", + "value": "/public/prevent/weaponized_domains.json" + }, + { + "title": "(SCF) Security Control Feed: Weaponized URLs", + "value": "/public/prevent/weaponized_urls.json" + }, + { + "title": "VULNERABILITY - Default RiskList", + "value": "/public/MicrosoftAzure/vuln_default.json" + }, + { + "title": "VULNERABILITY - 90+ (Very Malicious) RiskList", + "value": "/public/MicrosoftAzure/vuln_gt_90.json" + }, + { + "title": "VULNERABILITY - Exploited in the Wild by Recently Active Malware", + "value": "/public/MicrosoftAzure/vuln_recent_active_malware.json" + }, + { + "title": "VULNERABILITY - Recently Linked to Exploit Kit", + "value": "/public/MicrosoftAzure/vuln_recent_exploit_kit.json" + }, + { + "title": "VULNERABILITY - Recently Linked to Ransomware", + "value": "/public/MicrosoftAzure/vuln_recent_ransomware.json" + }, + { + "title": "VULNERABILITY - Recently Linked to Remote Access Trojan", + "value": "/public/MicrosoftAzure/vuln_recent_rat.json" + }, + { + "title": "VULNERABILITY - Recent Verified Proof of Concept Available Using Remote Execution", + "value": "/public/MicrosoftAzure/vuln_recent_poc_remote.json" + }, + { + "title": "VULNERABILITY - Recently Observed Exploit/Tool Development in the Wild", + "value": "/public/MicrosoftAzure/vuln_recent_exploit_dev_itw.json" + }, + { + "title": "VULNERABILITY - Exploited in the Wild by Malware", + "value": "/public/MicrosoftAzure/vuln_exploited_itw_malware.json" + }, + { + "title": "VULNERABILITY - Cyber Exploit Signal: Critical", + "value": "/public/MicrosoftAzure/vuln_critical_cyber_signal.json" + } + ] + }, + "description": "Path to file", + "x-ms-summary": "Path to file" + } + ] + } + }, + "/soar/lookup": { + "post": { + "tags": [ + "SOAR", + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "counts": { + "type": "object", + "properties": { + "returned": { + "type": "integer" + }, + "total": { + "type": "integer" + } + } + }, + "data": { + "type": "object", + "properties": { + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "entity": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } + }, + "risk": { + "type": "object", + "properties": { + "context": { + "type": "object" + }, + "level": { + "type": "number" + }, + "rule": { + "type": "object" + }, + "score": { + "type": "number" + } + } + } + } + } + } + } + } + } + } + } + }, + "summary": "SOAR API - Look up multiple entities", + "description": "SOAR API - Look up multiple entities (Specific Access is Required)", + "operationId": "[[variables('_operationId-Soar_Bulk_Lookup')]", + "x-ms-visibility": "important", + "consumes": [ + "application/json" + ], + "parameters": [ + { + "name": "body", + "in": "body", + "required": false, + "schema": { + "type": "object", + "properties": { + "ip": { + "type": "array", + "items": { + "type": "string", + "description": "An IP or array of IPs: array[string]", + "title": "IP", + "x-ms-visibility": "important" + }, + "description": "Ip" + }, + "url": { + "type": "array", + "items": { + "type": "string", + "description": "An URL or array of URLs: array[string]", + "title": "URL", + "x-ms-visibility": "important" + }, + "description": "Url" + }, + "domain": { + "type": "array", + "items": { + "type": "string", + "description": "A domain or array of domains: array[string]", + "title": "Domain", + "x-ms-visibility": "important" + }, + "description": "Domain" + }, + "hash": { + "type": "array", + "items": { + "type": "string", + "description": "A hash or array of hashes: array[string]", + "title": "HASH", + "x-ms-visibility": "advanced" + }, + "description": "Hash" + }, + "vulnerability": { + "type": "array", + "items": { + "type": "string", + "description": "A vulnerability ID or an array of vulnerability IDs: array[string]", + "title": "Vulnerability", + "x-ms-visibility": "advanced" + }, + "description": "Vulnerability" + } + } + } + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." + } + ] + } + }, + "/threat/indicators/actors": { + "post": { + "tags": [ + "Threat Hunt", + "STIX" + ], + "summary": "Fetch Threat Indicators for Actors in STIX format.", + "parameters": [ + { + "name": "body", + "in": "body", + "schema": { + "type": "object", + "properties": { + "actors": { + "type": "array", + "items": { + "type": "string", + "example": "QCwdoU" + } + }, + "categories": { + "type": "array", + "items": { + "type": "string" + } + }, + "watchlists": { + "type": "array", + "items": { + "type": "string" + } + }, + "trigger_score_ip": { + "type": "integer", + "example": 85 + }, + "trigger_score_url": { + "type": "integer", + "example": 85 + }, + "trigger_score_domain": { + "type": "integer", + "example": 85 + }, + "trigger_score_hash": { + "type": "integer", + "example": 85 + }, + "valid_until_delta_hours": { + "type": "integer", + "example": 1 + }, + "threat_hunt_description": { + "type": "string", + "example": "Lazarus Group high risk" + } + }, + "x-ms-visibility": "important" + }, + "required": true, + "x-ms-visibility": "important" + } + ], + "responses": { + "200": { + "description": "List of Threat Indicator in STIX format.", + "schema": { + "type": "object", + "properties": { + "data": { + "$ref": "#/definitions/ThreatHuntActors" + } + } + } + } + }, + "operationId": "[[variables('_operationId-STIX_Indicators')]", + "description": "Fetch Threat Indicators for Actors in STIX format.", + "x-ms-visibility": "important" + } + }, + "/threat/indicators/malware": { + "post": { + "tags": [ + "Threat Hunt", + "STIX" + ], + "summary": "Fetch Threat Indicators for Malware in STIX format.", + "parameters": [ + { + "name": "body", + "in": "body", + "schema": { + "type": "object", + "properties": { + "malware": { + "type": "array", + "items": { + "type": "string", + "example": "LnK3Q6" + } + }, + "categories": { + "type": "array", + "items": { + "type": "string" + } + }, + "watchlists": { + "type": "array", + "items": { + "type": "string" + } + }, + "trigger_score_ip": { + "type": "integer", + "example": 85 + }, + "trigger_score_url": { + "type": "integer", + "example": 85 + }, + "trigger_score_domain": { + "type": "integer", + "example": 85 + }, + "trigger_score_hash": { + "type": "integer", + "example": 85 + }, + "valid_until_delta_hours": { + "type": "integer", + "example": 1 + }, + "threat_hunt_description": { + "type": "string", + "example": "Cobalt Strike Beacon high risk" + } + }, + "x-ms-visibility": "important" + }, + "required": true, + "x-ms-visibility": "important" + } + ], + "responses": { + "200": { + "description": "List of Threat Indicator in STIX format.", + "schema": { + "type": "object", + "properties": { + "data": { + "$ref": "#/definitions/ThreatHuntMalware" + } + } + } + } + }, + "operationId": "[[variables('_operationId-STIX_MalwareIndicators')]", + "description": "Fetch Threat Indicators for Malware in STIX format.", + "x-ms-visibility": "important" + } + } + }, + "x-ms-connector-metadata": [ + { + "propertyName": "Website", + "propertyValue": "https://www.recordedfuture.com" + }, + { + "propertyName": "Privacy Policy", + "propertyValue": "https://www.recordedfuture.com/privacy-policy/" + }, + { + "propertyName": "Categories", + "propertyValue": "AI;Data" + } + ], + "definitions": { + "Links": { + "type": "object", + "title": "links", + "description": "High Confidence Evidence Based Links", + "x-ms-visibility": "important", + "properties": { + "technical": { + "type": "object", + "title": "technical", + "description": "Technical links generated through network traffic analysis, malware analysis, infrastructure analysis and more", + "x-ms-visibility": "important", + "properties": { + "start_date": { + "type": "string", + "title": "startDate", + "description": "Link start date", + "x-ms-visibility": "important" + }, + "stop_date": { + "type": "string", + "title": "stopDate", + "description": "Link stop date", + "x-ms-visibility": "important" + }, + "entities": { + "type": "array", + "title": "entities", + "description": "Related entities", + "x-ms-visibility": "important", + "items": { + "$ref": "#/definitions/LinkEntities" + } + } + } + }, + "research": { + "type": "object", + "title": "research", + "description": "Research links discovered by Insikt Group", + "x-ms-visibility": "important", + "properties": { + "start_date": { + "type": "string", + "title": "startDate", + "description": "Link start date", + "x-ms-visibility": "important" + }, + "stop_date": { + "type": "string", + "title": "stopDate", + "description": "Link stop date", + "x-ms-visibility": "important" + }, + "entities": { + "type": "array", + "title": "entities", + "description": "Related entities", + "x-ms-visibility": "important", + "items": { + "$ref": "#/definitions/LinkEntities" + } + } + } + } + } + }, + "LinkEntities": { + "type": "object", + "properties": { + "type": { + "type": "string", + "title": "type", + "description": "Enitity type", + "x-ms-visibility": "important" + }, + "name": { + "type": "string", + "title": "name", + "description": "Entity name", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "title": "score", + "description": "Risk score", + "x-ms-visibility": "important" + }, + "category": { + "type": "string", + "title": "category", + "description": "Entity category", + "x-ms-visibility": "important" + } + } + }, + "AlertSearch": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "review": { + "$ref": "#/definitions/AlertReview" + }, + "url": { + "$ref": "#/definitions/AlertURL" + }, + "rule": { + "$ref": "#/definitions/AlertRule" + }, + "triggered": { + "$ref": "#/definitions/AlertTriggered" + }, + "id": { + "$ref": "#/definitions/AlertID" + }, + "title": { + "$ref": "#/definitions/AlertTitle" + }, + "type": { + "$ref": "#/definitions/AlertType" + } + } + } + } + } + }, + "counts": { + "type": "object", + "properties": { + "returned": { + "type": "integer" + }, + "total": { + "type": "integer" + } + } + } + } + }, + "ThreatMapActors": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "threat_map": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "alias": { + "type": "array", + "items": { + "type": "string" + } + }, + "categories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "intent": { + "type": "integer", + "format": "int32" + }, + "opportunity": { + "type": "integer", + "format": "int32" + }, + "log_entries": { + "type": "array", + "items": { + "type": "object", + "properties": { + "watchlist": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "entity": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "severity": { + "type": "integer", + "format": "int32" + }, + "axis": { + "type": "string" + }, + "date": { + "type": "string", + "format": "date-time" + } + } + } + } + } + } + }, + "date": { + "type": "string", + "format": "date-time" + } + } + } + } + }, + "ThreatHuntActors": { + "type": "array", + "items": { + "type": "object", + "properties": { + "confidence": { + "type": "integer", + "example": 89 + }, + "description": { + "type": "string", + "example": "Recorded Future - Threat Hunt - Threat Actor - DOMAIN - Lazarus Group (QCwdoU) - [Lazarus Group high risk]" + }, + "id": { + "type": "string", + "example": "indicator--321991ed-aca0-4e25-85a0-c1615c95074f" + }, + "indicator_types": { + "type": "array", + "items": { + "type": "string", + "example": "malicious-activity" + } + }, + "labels": { + "type": "array", + "items": { + "type": "string", + "example": "{ \"RecordedFuturePortalLink\": \"https://app.recordedfuture.com/live/sc/entity/QCwdoU\"}" + } + }, + "name": { + "type": "string", + "example": "akamaicontainer.com" + }, + "pattern": { + "type": "string", + "example": "[[[domain-name:value = 'akamaicontainer.com']" + }, + "pattern_type": { + "type": "string", + "example": "stix" + }, + "spec_version": { + "type": "string", + "example": "2.1" + }, + "type": { + "type": "string", + "example": "indicator" + }, + "created": { + "type": "string", + "example": "2023-09-20T19:09:35.993568+05:30" + }, + "modified": { + "type": "string", + "example": "2023-09-20T19:09:35.993568+05:30" + }, + "valid_from": { + "type": "string", + "example": "2023-09-20T19:09:35.993568+05:30" + }, + "valid_until": { + "type": "string", + "example": "2023-09-20T20:09:35.993568+05:30" + }, + "external_references": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_name": { + "type": "string", + "example": "Recorded Future" + }, + "description": { + "type": "string", + "example": "Recorded Future Entity card for Threat Actor: Lazarus Group (QCwdoU)" + }, + "external_id": { + "type": "string", + "example": "QCwdoU" + }, + "url": { + "type": "string", + "example": "https://app.recordedfuture.com/live/sc/entity/QCwdoU" + } + } + } + } + }, + "required": [ + "confidence", + "description", + "id", + "indicator_types", + "labels", + "name", + "pattern", + "pattern_type", + "spec_version", + "type", + "created", + "modified", + "valid_from", + "valid_until", + "external_references" + ] + } + }, + "ThreatMapMalware": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "threat_map": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "alias": { + "type": "array", + "items": { + "type": "string" + } + }, + "categories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "intent": { + "type": "integer", + "format": "int32" + }, + "opportunity": { + "type": "integer", + "format": "int32" + }, + "log_entries": { + "type": "array", + "items": { + "type": "object", + "properties": { + "watchlist": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "entity": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "severity": { + "type": "integer", + "format": "int32" + }, + "axis": { + "type": "string" + }, + "date": { + "type": "string", + "format": "date-time" + } + } + } + } + } + } + }, + "date": { + "type": "string", + "format": "date-time" + } + } + } + } + }, + "ThreatHuntMalware": { + "type": "array", + "items": { + "type": "object", + "properties": { + "confidence": { + "type": "integer", + "example": 89 + }, + "description": { + "type": "string", + "example": "Recorded Future - Threat Hunt - Threat Malware - DOMAIN - Cobalt Strike Beacon Malware (LnK3Q6) - [Cobalt Strike Beacon high risk]" + }, + "id": { + "type": "string", + "example": "indicator--321991ed-aca0-4e25-85a0-c1615c75074f" + }, + "indicator_types": { + "type": "array", + "items": { + "type": "string", + "example": "malicious-activity" + } + }, + "labels": { + "type": "array", + "items": { + "type": "string", + "example": "{ \"RecordedFuturePortalLink\": \"https://app.recordedfuture.com/live/sc/entity/LnK3Q6\"}" + } + }, + "name": { + "type": "string", + "example": "masterunis.net" + }, + "pattern": { + "type": "string", + "example": "[[[domain-name:value = 'masterunis.net']" + }, + "pattern_type": { + "type": "string", + "example": "stix" + }, + "spec_version": { + "type": "string", + "example": "2.1" + }, + "type": { + "type": "string", + "example": "indicator" + }, + "created": { + "type": "string", + "example": "2023-09-20T19:09:35.993568+05:30" + }, + "modified": { + "type": "string", + "example": "2023-09-20T19:09:35.993568+05:30" + }, + "valid_from": { + "type": "string", + "example": "2023-09-20T19:09:35.993568+05:30" + }, + "valid_until": { + "type": "string", + "example": "2023-09-20T20:09:35.993568+05:30" + }, + "external_references": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_name": { + "type": "string", + "example": "Recorded Future" + }, + "description": { + "type": "string", + "example": "Recorded Future Entity card for Malware: Cobalt Strike Beacon (LnK3Q6)" + }, + "external_id": { + "type": "string", + "example": "LnK3Q6" + }, + "url": { + "type": "string", + "example": "https://app.recordedfuture.com/live/sc/entity/LnK3Q6" + } + } + } + } + }, + "required": [ + "confidence", + "description", + "id", + "indicator_types", + "labels", + "name", + "pattern", + "pattern_type", + "spec_version", + "type", + "created", + "modified", + "valid_from", + "valid_until", + "external_references" + ] + } + }, + "AlertLookup": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "review": { + "$ref": "#/definitions/AlertReview" + }, + "entities": { + "$ref": "#/definitions/AlertEntities" + }, + "url": { + "$ref": "#/definitions/AlertURL" + }, + "rule": { + "$ref": "#/definitions/AlertRule" + }, + "triggered": { + "$ref": "#/definitions/AlertTriggered" + }, + "id": { + "$ref": "#/definitions/AlertID" + }, + "counts": { + "type": "object", + "properties": { + "references": { + "type": "integer" + }, + "entities": { + "type": "integer" + }, + "documents": { + "type": "integer" + } + } + }, + "title": { + "$ref": "#/definitions/AlertTitle" + }, + "type": { + "$ref": "#/definitions/AlertType" + } + } + } + } + }, + "AlertReview": { + "type": "object", + "properties": { + "assignee": { + "type": "string" + }, + "status": { + "type": "string" + }, + "noteDate": { + "type": "string" + }, + "noteAuthor": { + "type": "string" + }, + "note": { + "type": "string" + } + } + }, + "AlertEntities": { + "type": "array", + "items": { + "type": "object", + "properties": { + "trend": { + "type": "object", + "additionalProperties": true + }, + "documents": { + "type": "array", + "items": { + "type": "object", + "properties": { + "references": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fragment": { + "type": "string" + }, + "entities": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } + } + }, + "language": { + "type": "string" + } + } + } + }, + "source": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } + }, + "title": { + "type": "string" + }, + "url": { + "type": "string" + } + } + } + }, + "risk": { + "type": "object", + "additionalProperties": true + }, + "entity": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } + } + } + } + }, + "AlertURL": { + "type": "string" + }, + "AlertRule": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "id": { + "type": "string" + }, + "url": { + "type": "string" + } + } + }, + "AlertTriggered": { + "type": "string" + }, + "AlertID": { + "type": "string" + }, + "AlertTitle": { + "type": "string" + }, + "AlertType": { + "type": "string" + } + }, + "securityDefinitions": { + "API Key": { + "type": "apiKey", + "in": "header", + "name": "X-RFToken" + } + }, + "security": [ + { + "API Key": "[variables('TemplateEmptyArray')]" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId10'),'/'))))]", + "properties": { + "parentId": "[[variables('playbookId10')]", + "contentId": "[variables('_playbookContentId10')]", + "kind": "LogicAppsCustomConnector", + "version": "[variables('playbookVersion10')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId10')]", + "contentKind": "LogicAppsCustomConnector", + "displayName": "RecordedFuture-CustomConnector", + "contentProductId": "[variables('_playbookcontentProductId10')]", + "id": "[variables('_playbookcontentProductId10')]", + "version": "[variables('playbookVersion10')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName11')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion11')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-ThreatMap-Importer", + "type": "string" + }, + "CustomConnectorName": { + "defaultValue": "RecordedFuture-CustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" + } + } + }, + "variables": { + "RecordedFutureCustomConnectorConnectionName": "Recordedfuture-CustomConnector", + "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "Fetch_Threat_Map_actors": { + "type": "ApiConnection", + "inputs": { + "headers": { + "Content-Type": "application/json" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['RecordedFutureCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/threat/map/actors" + } + }, + "Parse_JSON": { + "inputs": { + "content": "@body('Fetch_Threat_Map_actors')", + "schema": { + "properties": { + "data": { + "properties": { + "date": { + "type": "string" + }, + "threat_map": { + "items": { + "properties": { + "alias": { + "items": { + "type": "string" + }, + "type": "array" + }, + "categories": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + }, + "id": { + "type": "string" + }, + "intent": { + "type": "integer" + }, + "log_entries": { + "items": { + "properties": { + "axis": { + "type": "string" + }, + "date": { + "type": "string" + }, + "entity": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "severity": { + "type": "integer" + }, + "watchlist": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "axis", + "date", + "entity", + "severity" + ], + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "opportunity": { + "type": "integer" + } + }, + "required": [ + "alias", + "categories", + "id", + "intent", + "log_entries", + "name", + "opportunity" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "runAfter": { + "Fetch_Threat_Map_actors": [ + "Succeeded" + ] + }, + "type": "ParseJson" + }, + "Send_Data_-_Save_full_ThreatMap_response": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{body('Parse_JSON')?['data']?['threat_map']}", + "headers": { + "Log-Type": "RecordedFutureThreatMap" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "RecordedFutureCustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", + "connectionName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + }, + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ThreatMap-Importer", + "hidden-SentinelTemplateVersion": "1.2", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId11')]", + "contentId": "[variables('_playbookContentId11')]", + "kind": "Playbook", + "version": "[variables('playbookVersion11')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + } + ] + } + } + } + ], + "metadata": { + "title": "RecordedFuture-ThreatMap-Importer", + "description": "This playbook will import Threat Map data from Recorded Future and store it in a custom log.", + "prerequisites": [ + "Prior to deployment of this playbook, RecordedFuture-ThreatMap-Importer playbook need to be deployed.", + "The custom connector RecordedFuture-CustomConnector have to be deployed under the same subscription.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-03-08T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-ThreatMap-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + }, + { + "version": "1.2", + "title": "Default Recurrence", + "notes": [ + "Changed Default Recurrence to 24." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId11')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-ThreatMap-Importer", + "contentProductId": "[variables('_playbookcontentProductId11')]", + "id": "[variables('_playbookcontentProductId11')]", + "version": "[variables('playbookVersion11')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName12')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion12')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-MalwareThreatMap-Importer", + "type": "string" + }, + "CustomConnectorName": { + "defaultValue": "RecordedFuture-CustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" + } + } + }, + "variables": { + "RecordedFutureCustomConnectorConnectionName": "RecordedFuture-CustomConnector", + "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "Fetch_Threat_Map_malware": { + "type": "ApiConnection", + "inputs": { + "body": { + "categories": [ + null + ], + "malware": [ + null + ], + "watchlists": [ + null + ] + }, + "host": { + "connection": { + "name": "@parameters('$connections')['RecordedFutureCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/threat/map/malware" + } + }, + "Parse_JSON": { + "runAfter": { + "Fetch_Threat_Map_malware": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Fetch_Threat_Map_malware')", + "schema": { + "properties": { + "data": { + "properties": { + "date": { + "type": "string" + }, + "threat_map": { + "items": { + "properties": { + "alias": { + "items": { + "type": "string" + }, + "type": "array" + }, + "categories": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + }, + "id": { + "type": "string" + }, + "log_entries": { + "items": { + "properties": { + "axis": { + "type": "string" + }, + "date": { + "type": "string" + }, + "entity": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "severity": { + "type": "integer" + }, + "watchlist": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "axis", + "date", + "entity", + "severity" + ], + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "opportunity": { + "type": "integer" + }, + "prevalence": { + "type": "integer" + } + }, + "required": [ + "alias", + "categories", + "id", + "prevalence", + "log_entries", + "name", + "opportunity" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Send_Data_-_Save_full_ThreatMap_Malware_Response": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{body('Parse_JSON')?['data']?['threat_map']}", + "headers": { + "Log-Type": "RecordedFutureThreatMapMalware" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "RecordedFutureCustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", + "connectionName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + }, + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + }, + "zoneRedundancy": "Enabled" + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ThreatMapMalware-Importer", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId12')]", + "contentId": "[variables('_playbookContentId12')]", + "kind": "Playbook", + "version": "[variables('playbookVersion12')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + } + ] + } + } + } + ], + "metadata": { + "title": "RecordedFuture-ThreatMapMalware-Importer", + "description": "This playbook will import Threat Map data from Recorded Future and store it in a custom log.", + "prerequisites": [ + "Prior to deployment of this playbook, RecordedFuture-ThreatMap-Importer playbook need to be deployed.", + "The custom connector RecordedFuture-CustomConnector have to be deployed under the same subscription.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-MalwareThreatMap-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId12')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-MalwareThreatMap-Importer", + "contentProductId": "[variables('_playbookcontentProductId12')]", + "id": "[variables('_playbookcontentProductId12')]", + "version": "[variables('playbookVersion12')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName13')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion13')]", + "parameters": { + "PlaybookName": { + "defaultValue": "ActorThreatHunt-IndicatorImport", + "type": "string" + }, + "CustomConnectorName": { + "defaultValue": "RecordedFuture-CustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" + } + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String", + "metadata": { + "description": "Only change this if you have renamed the batch playbook RecordedFuture-ThreatIntelligenceImport" + } + } + }, + "variables": { + "RecordedFuture-CustomConnectorConnectionName": "Recordedfuture-CustomConnector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "Fetch_Threat_Indicators_for_Actors_in_STIX_format": { + "type": "ApiConnection", + "inputs": { + "body": { + "trigger_score_domain": 65, + "trigger_score_hash": 65, + "trigger_score_ip": 65, + "trigger_score_url": 65, + "valid_until_delta_hours": 24 + }, + "host": { + "connection": { + "name": "@parameters('$connections')['RecordedFuture-CustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/threat/indicators/actors" + } + }, + "For_each": { + "foreach": "@body('Fetch_Threat_Indicators_for_Actors_in_STIX_format')", + "actions": { + "RecordedFuture-ThreatIntelligenceImport": { + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": "@items('For_each')", + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Fetch_Threat_Indicators_for_Actors_in_STIX_format": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + "RecordedFuture-CustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]", + "connectionName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ActorThreatHunt-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId13'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId13')]", + "contentId": "[variables('_playbookContentId13')]", + "kind": "Playbook", + "version": "[variables('playbookVersion13')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + } + ] + } + } + } + ], + "metadata": { + "title": "RecordedFuture-ActorThreatHunt-IndicatorImport", + "description": "This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "1. Prior to deployment of this playbook, **RecordedFuture-ThreatIntelligenceImport playbook** need to be deployed.", + "2. RecordedFuture-CustomConnector needs to be installed. Refer to [Recorded Future Logic App Custom Connector](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/Playbooks/Connectors/RecordedFuture-CustomConnector/readme.md) documentation for instructions." + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:02:00Z", + "tags": [ + "Threat Hunting" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-ActorThreatMap-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId13')]", + "contentKind": "Playbook", + "displayName": "ActorThreatHunt-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId13')]", + "id": "[variables('_playbookcontentProductId13')]", + "version": "[variables('playbookVersion13')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName14')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion14')]", + "parameters": { + "PlaybookName": { + "defaultValue": "MalwareThreatHunt-IndicatorImport", + "type": "string" + }, + "CustomConnectorName": { + "defaultValue": "RecordedFuture-CustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" + } + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String", + "metadata": { + "description": "Only change this if you have renamed the batch playbook RecordedFuture-ThreatIntelligenceImport" + } + } + }, + "variables": { + "Recordedfuture-CustomconnectorConnectionName": "Recordedfuture-CustomConnector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "Fetch_Threat_Indicators_for_Malware_in_STIX_format": { + "type": "ApiConnection", + "inputs": { + "body": { + "trigger_score_domain": 65, + "trigger_score_hash": 65, + "trigger_score_ip": 65, + "trigger_score_url": 65, + "valid_until_delta_hours": 24 + }, + "host": { + "connection": { + "name": "@parameters('$connections')['RecordedFuture-CustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/threat/indicators/malware" + } + }, + "For_each": { + "foreach": "@body('Fetch_Threat_Indicators_for_Malware_in_STIX_format')", + "actions": { + "RecordedFuture-ThreatIntelligenceImport": { + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": "@items('For_each')", + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Fetch_Threat_Indicators_for_Malware_in_STIX_format": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + "RecordedFuture-CustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]", + "connectionName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + } + } + } + }, + "zoneRedundancy": "Enabled" + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-MalwareThreatHunt-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('Recordedfuture-CustomconnectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId14')]", + "contentId": "[variables('_playbookContentId14')]", + "kind": "Playbook", + "version": "[variables('playbookVersion14')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + } + ] + } + } + } + ], + "metadata": { + "title": "RecordedFuture-MalwareThreatHunt-IndicatorImport", + "description": "This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "1. Prior to deployment of this playbook, **RecordedFuture-ThreatIntelligenceImport playbook** need to be deployed.", + "2. RecordedFuture-CustomConnector needs to be installed. Refer to [Recorded Future Logic App Custom Connector](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/Playbooks/Connectors/RecordedFuture-CustomConnector/readme.md) documentation for instructions." + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:02:00Z", + "tags": [ + "Threat Hunting" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-MalwareThreatHunt-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId14')]", + "contentKind": "Playbook", + "displayName": "MalwareThreatHunt-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId14')]", + "id": "[variables('_playbookcontentProductId14')]", + "version": "[variables('playbookVersion14')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Playbook Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Playbook Alerts Log Table\",\"type\":2,\"description\":\"Run the Recorded Future Playbook Alert Importer Playbook first.\",\"isRequired\":true,\"query\":\"search *\\n| where $table endswith \\\"_CL\\\" \\n| distinct $table\\n\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePlaybookAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"categories\",\"label\":\"Category\",\"type\":2,\"description\":\"Filter categories you're looking at\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct rule_label_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a0947450-1ebd-4dea-94d7-41a751c79237\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"status\",\"label\":\"Alert Status\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct status_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"25a82661-1700-43a6-ba7a-b3ae5d8fe7b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"priority\",\"label\":\"Alert Priority\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct priority_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t, priority_s\\n| summarize Alert=count() by bin(updated_date_t, 1h), priority_s\\n\",\"size\":0,\"title\":\"Playbook Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"priority_s\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize alert_count = count() by rule_label_s\\n| project alert_count, Alert = rule_label_s\",\"size\":0,\"title\":\"Top Categories Triggered\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\\\"Evidence\\\"]=evidence_summary_s, [\\\"External Link\\\"]=link_s, ID=id_s\\n\\n\",\"size\":0,\"title\":\"Triggered Playbook Alerts\",\"noDataMessage\":\"No data in Playbook Alert custom log. Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.\",\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"exported_alert_id\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Title\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"ID\",\"formatter\":5}],\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-RecordedFuturePlaybookAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFuturePlaybookAlertOverviewWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Playbook Alerts Overview; templateRelativePath=RecordedFuturePlaybookAlertOverview.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "RecordedFuturePlaybookAlerts_CL", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureAlertOverview Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId2')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." + }, + "properties": { + "displayName": "[parameters('workbook2-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Alerts Log Table\",\"type\":2,\"isRequired\":true,\"query\":\"search \\\"*\\\" | summarize count() by $table | sort by count_ desc | where $table endswith \\\"CL\\\" | project $table\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePortalAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"alert_rules\",\"label\":\"Alert Rules\",\"type\":2,\"description\":\"Filter alert rules you're looking at\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct RuleName_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize alert_count = count() by RuleName_s\\n| project alert_count, Alert = RuleName_s\\n\",\"size\":0,\"title\":\"Top Rules Triggered\",\"noDataMessage\":\"There are no alerts within this time frame.\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize Alert=count() by bin(Triggered_t, 1h)\\n\",\"size\":0,\"title\":\"Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20edde78-9485-4056-8eca-6ef7cd86c8b5\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Alert\",\"subTarget\":\"Reference\",\"preText\":\"Some thing\",\"postText\":\"Some thing\",\"style\":\"link\"}]},\"name\":\"links - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n//| where Documents_s != \\\"[]\\\"\\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \\n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\\n| distinct Triggered = Triggered_t, [\\\"Alert ID\\\"]=AlertID_s, [\\\"Alert Name\\\"]=AlertName_s, [\\\"Rule Name\\\"]=RuleName_s, [\\\"AI Summary\\\"]= AISummary_s, [\\\"Recorded Future Portal\\\"]= URL_s\\n\\n\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"Alert ID\",\"exportParameterName\":\"Ref_AlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert ID\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AI Summary\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Recorded Future Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}}],\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where AlertID_s == \\\"{Ref_AlertID}\\\"\\n| project Fragment=Fragment_s, Source=Documents_source_name_s, Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\\n| mv-apply with_itemindex=i entities on (\\n extend p = pack(strcat(\\\"Entity \\\", i+1), strcat(entities.type, \\\", \\\", entities.name, \\\", id:\\\", entities.id))\\n | summarize b = make_bag(p)\\n)\\n| evaluate bag_unpack(b)\\n| project-reorder Fragment, Source, Title, URL, Entity*\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportedParameters\":[{\"fieldName\":\"Fragment\",\"parameterName\":\"FragmentRef\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"TitleRef\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Fragment\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"{0}\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference View\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**Document Title**\\r\\n{TitleRef}\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"**Fragment**\\r\\n{FragmentRef}\\r\\n\\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"Fragment\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference Alerts\"}],\"fromTemplateId\":\"sentinel-RecordedFutureAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureAlertOverviewWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Alerts Overview; templateRelativePath=RecordedFutureAlertOverview.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId2')]", + "contentId": "[variables('_workbookContentId2')]", + "kind": "Workbook", + "version": "[variables('workbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "RecordedFuturePortalAlerts_CL", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId2')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook2-name')]", + "contentProductId": "[variables('_workbookcontentProductId2')]", + "id": "[variables('_workbookcontentProductId2')]", + "version": "[variables('workbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId3')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook3-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Domain Correlation \\n\\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\\n\\n### How to Correlate Domains\\n\\nTo correlate domains, follow the steps below:\\n\\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\\n\\t* The workbook can correlate domains in the format: `domainName.net`.\\n3. Select a Recorded Future Domain Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table \\t | Field |\\n| ----------- \\t | ----------- |\\n| DNSEvents | Name |\\n| _Im_Dns \\t | DnsQuery |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Domains (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Table\",\"label\":\"Domain Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Field\",\"label\":\"Log Field with Domains\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Domain_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Domain_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where Description contains \\\"Recorded Future\\\"\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - DOMAIN - Default RiskList\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Active == true\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| join (\\n {Domain_Logs_Table:value}\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\n //Extract Domain patterns from syslog message\\n | where isnotempty({Domain_Logs_Field:value})\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\n| render barchart\",\"size\":0,\"title\":\"Detected Domains Per Day\",\"noDataMessage\":\"No detected domains\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"query - 1\"}]},\"customWidth\":\"100\",\"name\":\"group - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains\\n\\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Domain:** The detected domain.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the domain (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Domain, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Domain, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected Domains\",\"noDataMessage\":\"No detected domains\",\"exportFieldName\":\"Domain\",\"exportParameterName\":\"MaliciousDomainMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Domains: Evidence Details\\n\\nTo view evidence details, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where DomainName == \\\"{MaliciousDomainMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Domain_Logs_Table:value}\\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Domain_Logs_Table:value}\\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| where {Domain_Logs_Field:value} == \\\"{MaliciousDomainMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"query - 1\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureDomainCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureDomainCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Domain Correlation; templateRelativePath=RecordedFutureDomainCorrelation.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId3')]", + "contentId": "[variables('_workbookContentId3')]", + "kind": "Workbook", + "version": "[variables('workbookVersion3')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId3')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook3-name')]", + "contentProductId": "[variables('_workbookcontentProductId3')]", + "id": "[variables('_workbookcontentProductId3')]", + "version": "[variables('workbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureHashCorrelation Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId4')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook4-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Hash Correlation \\n\\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\\n\\n### How to Correlate hashs\\n\\nTo correlate hashes, follow the steps below:\\n\\n1. In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\\n\\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\\n3. Select a Recorded Future Hash Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n| Table \\t \\t| Field |\\n| ----------- \\t \\t| ----------- |\\n| CommonSecurityLog | FileHash |\\n| SecurityEvent \\t| FileHash |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Hashes (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Table\",\"label\":\"Hash Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"EndpointProtection_HASH_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Field\",\"label\":\"Log Field with Hashes\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Hash_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Hash_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":1209600000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(FileHashValue)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected File Hashes Per Day\",\"noDataMessage\":\"No detected hashes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Hashs\\n\\nThe Detected Hashs table lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Hash:** The detected hash.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the hash (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Hash, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Hash, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected Hashes\",\"noDataMessage\":\"No detected hashes\",\"exportedParameters\":[{\"fieldName\":\"Hash\",\"parameterName\":\"MaliciousHashMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Hashes: Evidence Details\\n\\nTo view evidence details, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| extend FileHashValue = tolower(FileHashValue)\\n| where FileHashValue == \\\"{MaliciousHashMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"No evidence details to show\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Hash_Logs_Table:value}\\n\\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Hash_Logs_Table:value}\\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| where {Hash_Logs_Field:value} == \\\"{MaliciousHashMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureHashCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureHashCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Hash Correlation; templateRelativePath=RecordedFutureHashCorrelation.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId4')]", + "contentId": "[variables('_workbookContentId4')]", + "kind": "Workbook", + "version": "[variables('workbookVersion4')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId4')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook4-name')]", + "contentProductId": "[variables('_workbookcontentProductId4')]", + "id": "[variables('_workbookcontentProductId4')]", + "version": "[variables('workbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureIPCorrelation Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId5')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook5-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"041885bf-2e2c-42ae-ad35-2e12272b4dc4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\"},\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"### Guide: IP Correlation \\n\\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\\n\\n### How to Correlate IPs\\n\\nTo correlate IPs, follow the steps below:\\n\\n1. In the **IP Logs Table** dropdown, select a log table that contains IP logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\\n\\t* The workbook can correlate IPs in the format: `5.56.61.62`.\\n3. Select a Recorded Future IP Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n\\n| Table | Field | Table | Field |\\n|------------------------------|--------------------|---------------------------------|-----------|\\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### IP (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Table\",\"label\":\"IP Logs Table\",\"type\":2,\"description\":\"Log Table to correlate IPs Against\",\"isRequired\":true,\"query\":\"search * \\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"NetScreen_Firewall_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Field\",\"label\":\"Log Field with IPs\",\"type\":2,\"description\":\"Select the field containing the IP that you want to correlate against\",\"isRequired\":true,\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Dst_IPv4_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":5184000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which IP Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(NetworkIP)\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains \\\"Recorded Future\\\"\\n//| summarize count() by Description\\n| distinct Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - IP - Actively Communicating C&C Server\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs Per Day\\n\\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected IPs Per Day\",\"noDataMessage\":\"No detected IPs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs\\n\\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **IP:** The detected IP.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the IP (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by IP, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], IP, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected IPs\",\"noDataMessage\":\"No detected IPs\",\"exportedParameters\":[{\"fieldName\":\"IP\",\"parameterName\":\"MaliciousIPMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdditionalInformation\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected IPs: Evidence Details\\n\\nTo view evidence details, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where NetworkIP == \\\"{MaliciousIPMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {IP_Logs_Table:value}\\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| where {IP_Logs_Field:value} == \\\"{MaliciousIPMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\"}]},\"name\":\"group - 11\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureIPCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId5'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureIPCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - IP Correlation; templateRelativePath=RecordedFutureIPCorrelation.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId5')]", + "contentId": "[variables('_workbookContentId5')]", + "kind": "Workbook", + "version": "[variables('workbookVersion5')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId5')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook5-name')]", + "contentProductId": "[variables('_workbookcontentProductId5')]", + "id": "[variables('_workbookcontentProductId5')]", + "version": "[variables('workbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureURLCorrelation Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion6')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId6')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook6-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"### Guide: URL Correlation \\n\\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\\n\\n### How to Correlate URLs\\n\\nTo correlate URLs, follow the steps below:\\n\\n1. In the **URL Logs Table** dropdown, select a log table that contains URL logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\\n\\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\\n3. Select a Recorded Future URL Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table | Field |\\n|-------------------|------------|\\n| CommonSecurityLog | RequestURL |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### URL (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Table\",\"label\":\"URL Logs Table\",\"type\":2,\"description\":\"Log Table to correlate URLs Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Field\",\"label\":\"Log Field with URLs\",\"type\":2,\"description\":\"Select the field containing the URL that you want to correlate against\",\"isRequired\":true,\"query\":\"{URL_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"URL_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":7776000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(Url)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - URL - Recently Reported by Insikt Group\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs Per Day\\n\\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected URLs Per Day\",\"noDataMessage\":\"No detected URLs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs\\n\\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **URL:** The detected URL.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the URL (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = IP_TimeGenerated, [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by URL, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], URL, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected URLs\",\"noDataMessage\":\"No detected URLs\",\"exportFieldName\":\"URL\",\"exportParameterName\":\"MaliciousURLMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected URLs: Evidence Details\\n\\nTo view evidence details, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list}\\n| where Url == \\\"{MaliciousURLMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"ExpirationDateTime\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {URL_Logs_Table:value}\\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{URL_Logs_Table:value}\\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| where {URL_Logs_Field:value} == \\\"{MaliciousURLMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 10\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureURLCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId6'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureURLCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - URL Correlation; templateRelativePath=RecordedFutureURLCorrelation.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId6')]", + "contentId": "[variables('_workbookContentId6')]", + "kind": "Workbook", + "version": "[variables('workbookVersion6')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId6')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook6-name')]", + "contentProductId": "[variables('_workbookcontentProductId6')]", + "id": "[variables('_workbookcontentProductId6')]", + "version": "[variables('workbookVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion7')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId7')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook7-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Actor Category\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Threat Actor Map

\\n\\nThis workbook shows Threat Actors imported from [Recorded Future](https://app.recordedfuture.com/portal/threat), their intent towards your company, and their opportunity. \\n\\nIntent (y-axis) - The threat actor has presented previous interest (expressed or manifested) against elements that are relevant to an organization (e.g., industry, peers, third parties, executives, brand, internet-facing assets). \\n\\nOpportunity (x-axis) - A correlation between the threat actor's capabilities and an organization’s vulnerabilities. The capability is a threat actor's ability to perform certain activities or cyber attacks, (i.e., their \\\"sophistication\\\"); vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities. \\n\\nData is fetched from Recorded Future thru the playbook ```RecordedFuture-ThreatMap-lmporter```.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d, combine\\n| order by combine desc \\n| project MaxTimeGenerated, id_s, name_s, intent_d, opportunity_d\\n| take 100\\n\",\"size\":0,\"title\":\"Threat Actor Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"intent_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d,combine\\n| order by combine desc \\n| project Name=name_s, Intent=intent_d, Opportunity=opportunity_d, id_s\\n\",\"size\":0,\"title\":\"Threat Actors\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatActor\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatActor}\\\"\\n| take 1\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| summarize [\\\"Threat Actor Categories\\\"] = make_list(categoriesArray.name), WatchLists= make_list_with_nulls(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Actor Details\",\"noDataMessage\":\"Please select a threat actor in the Threat Actors table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Actor Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatActor}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatActor}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Actors\\r\\nRecorded Future - Threat Hunting - IP - All Actors\\r\\nRecorded Future - Threat Hunting - Hash - All Actors\\r\\nRecorded Future - Threat Hunting - Url - All Actors\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId7'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureThreatActorHuntingWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Threat Actor Hunting; templateRelativePath=RecordedFutureThreatActorHunting.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId7')]", + "contentId": "[variables('_workbookContentId7')]", + "kind": "Workbook", + "version": "[variables('workbookVersion7')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId7')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook7-name')]", + "contentProductId": "[variables('_workbookcontentProductId7')]", + "id": "[variables('_workbookcontentProductId7')]", + "version": "[variables('workbookVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId8')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Malware Threat Hunting Workbook. This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook8-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Malware Category\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Malware Threat Map

\\n\\nThis workbook shows Threat Malware imported from [Recorded Future](https://app.recordedfuture.com/portal/threat).\\n

Prevalence (y-axis) - The malware has been reported as related to elements that are part of an organization context (e.g. industry, peers, third parties, brand, IPs & Domains). \\n

\\n

\\nOpportunity (x-axis) - A correlation between the malware related capabilities and an organization’s vulnerabilities. Vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities.

\\nData is fetched from Recorded Future thru the playbook **RecordedFuture-ThreatMapMalware-Importer**.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| project TimeGenerated, id_s, name_s, prevalence_d, opportunity_d, combine = prevalence_d + opportunity_d\\n| order by combine desc \\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d\\n| take 100\\n| project MaxTimeGenerated, id_s, name_s, prevalence_d, opportunity_d\",\"size\":0,\"title\":\"Threat Malware Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"prevalence_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL \\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| extend combine= prevalence_d+opportunity_d\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d,combine\\n| project Name=name_s, Prevalence=prevalence_d, Opportunity=opportunity_d, id_s, combine\\n| order by combine desc \\n\",\"size\":0,\"title\":\"Threat Malware\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatMalware\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5},{\"columnMatch\":\"combine\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatMalware}\\\"\\n| take 1\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| summarize [\\\"Threat Malware Categories\\\"] = make_set(categoriesArray.name), WatchLists= make_set(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Malware Details\",\"noDataMessage\":\"Please select a threat malware in the Threat Malware table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Malware Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatMalware}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatMalware}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Malware\\r\\nRecorded Future - Threat Hunting - IP - All Malware\\r\\nRecorded Future - Threat Hunting - Hash - All Malware\\r\\nRecorded Future - Threat Hunting - Url - All Malware\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId8'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureMalwareThreatHuntingWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Malware Threat Hunting Workbook. This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Recorded Future - Malware Threat Hunting; templateRelativePath=RecordedFutureMalwareThreatHunting.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId8')]", + "contentId": "[variables('_workbookContentId8')]", + "kind": "Workbook", + "version": "[variables('workbookVersion8')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId8')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook8-name')]", + "contentProductId": "[variables('_workbookcontentProductId8')]", + "id": "[variables('_workbookcontentProductId8')]", + "version": "[variables('workbookVersion8')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.2.9", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Recorded Future", + "publisherDisplayName": "Recorded Future Support Team", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Recorded Future is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.

\n

Underlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n\n

Workbooks: 8, Analytic Rules: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 13

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-IOC_Enrichment')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Playbook-Alert-Importer')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Alert-Importer')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-ThreatIntelligenceImport')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Domain-IndicatorImport')]", + "version": "[variables('playbookVersion5')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Hash-IndicatorImport')]", + "version": "[variables('playbookVersion6')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-IP-IndicatorImport')]", + "version": "[variables('playbookVersion7')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-URL-IndicatorImport')]", + "version": "[variables('playbookVersion8')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Sandbox_Enrichment-Url')]", + "version": "[variables('playbookVersion9')]" + }, + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-ThreatMap-Importer')]", + "version": "[variables('playbookVersion11')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-ThreatMapMalware-Importer')]", + "version": "[variables('playbookVersion12')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-ActorThreatHunt-IndicatorImport')]", + "version": "[variables('playbookVersion13')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-MalwareThreatHunt-IndicatorImport')]", + "version": "[variables('playbookVersion14')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId2')]", + "version": "[variables('workbookVersion2')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId3')]", + "version": "[variables('workbookVersion3')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId4')]", + "version": "[variables('workbookVersion4')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId5')]", + "version": "[variables('workbookVersion5')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId6')]", + "version": "[variables('workbookVersion6')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId7')]", + "version": "[variables('workbookVersion7')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId8')]", + "version": "[variables('workbookVersion8')]" + } + ] + }, + "firstPublishDate": "2021-11-01", + "lastPublishDate": "2023-09-19", + "providers": [ + "Recorded Future" + ], + "categories": { + "domains": [ + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json index 70b1d3e6f7..5c10d03675 100644 --- a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json @@ -2,46 +2,63 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "RecordedFuture-Alert-Importer", + "author": { + "name": "Recorded Future" + }, "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident. ", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], + "entities": [], + "lastUpdateTime": "2024-09-20T00:00:00.000Z", "postDeployment": [ "After deployment, open the playbook to configure all connections and press save." ], - "lastUpdateTime": "2024-08-23T00:00:00.000Z", - "entities": [], - "tags": [ "Alert" ], - "support": { - "tier": "Partner", - "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" - }, - "author": { - "name": "Recorded Future" - }, + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], "releaseNotes": [ { - "version": "1.0", + "notes": [ + "Initial version" + ], "title": "RecordedFuture-Alert-Importer", - "notes": [ "Initial version" ] + "version": "1.0" }, - { - "version": "1.1", + { + "notes": [ + "Fixed ARM encoding" + ], "title": "RecordedFuture-Alert-Importer", - "notes": [ "Fixed ARM encoding" ] + "version": "1.1" }, - { - "version": "1.2", + { + "notes": [ + "API connector renaming." + ], "title": "RecordedFuture-Alert-Importer", - "notes": [ "API connector renaming." ] + "version": "1.2" }, - { - "version": "1.3", + { + "notes": [ + "Encoding and latest_event_date fix." + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.3" + }, + { + "notes": [ + "More JSON encoding fixes, and add utm parameter to links" + ], "title": "RecordedFuture-Alert-Importer", - "notes": [ "Encoding and latest_event_date fix." ] + "version": "1.4" } - ] + ], + "support": { + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator", + "tier": "Partner" + }, + "tags": [ + "Alert" + ], + "title": "RecordedFuture-Alert-Importer" }, "parameters": { "PlaybookName": { @@ -49,73 +66,46 @@ "type": "string" }, "create_incident": { - "type": "string", "metadata": { "description": "Create Microsoft Sentinel incidents (possible values true/false)" - } + }, + "type": "string" }, "workspace_name": { - "type": "string", "defaultValue": "", "metadata": { - "description" : "Microsoft Sentinel Workspace name" - } + "description": "Microsoft Sentinel Workspace name" + }, + "type": "string" } }, - "variables": { - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "Recordedfuturev2ConnectionName": "RecordedFuture-ConnectorV2" - }, "resources": [ { + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" + ], + "identity": { + "type": "SystemAssigned" + }, + "location": "[resourceGroup().location]", + "name": "[parameters('PlaybookName')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "defaultValue": {}, - "type": "Object" - }, - "create_incident": { - "type": "string", - "defaultValue": "[parameters('create_incident')]" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 1 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 1 - }, - "type": "Recurrence" - } - }, "actions": { "For_each_triggered_alert": { - "foreach": "@body('Search_Triggered_Alerts')?['data']", "actions": { "Create_incident_if_parameter_is_set": { "actions": { "Add_comment_to_incident_(V3)": { - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection", "inputs": { "body": { "incidentArmId": "@body('Create_incident')?['id']", - "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" + "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{concat(items('For_each_triggered_alert')?['url']?['portal'], '&utm_source=microsoft_sentinel')})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" }, "host": { "connection": { @@ -124,14 +114,18 @@ }, "method": "post", "path": "/Incidents/Comment" - } + }, + "runAfter": { + "Create_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" }, "Create_incident": { - "runAfter": {}, - "type": "ApiConnection", "inputs": { "body": { - "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", + "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{concat(items('For_each_triggered_alert')?['url']?['portal'],'&utm_source=microsoft_sentinel')})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", "severity": "Medium", "status": "New", "tagsToAdd": { @@ -150,106 +144,12 @@ }, "method": "put", "path": "[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]" - } - }, - "Parse_JSON_2": { - "runAfter": { - "Create_incident": [ - "Succeeded" - ] }, - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_triggered_alert')?['hits']", - "schema": { - "items": { - "properties": { - "analyst_note": {}, - "document": { - "properties": { - "authors": { - "type": "array" - }, - "source": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": [ - "object", - "null" - ] - }, - "title": { - "type": [ - "string", - "null" - ] - }, - "url": {} - }, - "type": "object" - }, - "entities": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "fragment": { - "type": "string" - }, - "id": { - "type": "string" - }, - "language": { - "type": "string" - }, - "primary_entity": {} - }, - "required": [ - "entities", - "document", - "fragment", - "id", - "language", - "primary_entity", - "analyst_note" - ], - "type": "object" - }, - "type": "array" - } - } + "type": "ApiConnection" } }, - "runAfter": { - "For_each_hit": [ - "Succeeded" - ] + "else": { + "actions": {} }, "expression": { "and": [ @@ -261,116 +161,18 @@ } ] }, + "runAfter": { + "For_each_hit": [ + "Succeeded" + ] + }, "type": "If" }, "For_each_hit": { - "foreach": "@items('For_each_triggered_alert')['hits']", "actions": { - "Parse_JSON": { - "runAfter": {}, - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_hit')", - "schema": { - "properties": { - "analyst_note": {}, - "document": { - "properties": { - "authors": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "source": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": [ - "object", - "null" - ] - }, - "title": { - "type": [ - "string", - "null" - ] - }, - "url": {} - }, - "type": "object" - }, - "entities": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "fragment": { - "type": "string" - }, - "id": { - "type": "string" - }, - "language": { - "type": "string" - }, - "primary_entity": {} - }, - "type": "object" - } - } - }, "Send_Data_2": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "ApiConnection", "inputs": { - "body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(replace(items('For_each_triggered_alert')?['title'], '\\', '\\\\'), '\"', '\\\"')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}", + "body": "{\n\"RuleName\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_triggered_alert')?['rule']?['name'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_triggered_alert')?['title'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\ncoalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''),\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"Fragment\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_hit')?['fragment'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\"}", "headers": { "Log-Type": "RecordedFuturePortalAlerts" }, @@ -381,13 +183,15 @@ }, "method": "post", "path": "/api/logs" - } + }, + "type": "ApiConnection" } }, - "runAfter": {}, + "foreach": "@items('For_each_triggered_alert')['hits']", "type": "Foreach" } }, + "foreach": "@body('Search_Triggered_Alerts')?['data']", "runAfter": { "Search_Triggered_Alerts": [ "Succeeded" @@ -396,8 +200,6 @@ "type": "Foreach" }, "Initialize_variable": { - "runAfter": {}, - "type": "InitializeVariable", "inputs": { "variables": [ { @@ -406,15 +208,11 @@ "value": "@{addHours(utcNow(), -24)}" } ] - } + }, + "runAfter": {}, + "type": "InitializeVariable" }, "Run_query_and_list_results": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection", "inputs": { "body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))", "host": { @@ -431,16 +229,15 @@ "subscriptions": "[subscription().subscriptionId]", "timerange": "Last 7 days" } - } - }, - "Search_Triggered_Alerts": { + }, "runAfter": { - "Set_variable": [ - "Succeeded", - "Skipped" + "Initialize_variable": [ + "Succeeded" ] }, - "type": "ApiConnection", + "type": "ApiConnection" + }, + "Search_Triggered_Alerts": { "inputs": { "host": { "connection": { @@ -452,22 +249,53 @@ "queries": { "triggered": "[[@{addSeconds(variables('latest_event_date'),1)},@{utcNow()}]" } - } + }, + "runAfter": { + "Set_variable": [ + "Succeeded", + "Skipped" + ] + }, + "type": "ApiConnection" }, "Set_variable": { + "inputs": { + "name": "latest_event_date", + "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" + }, "runAfter": { "Run_query_and_list_results": [ "Succeeded" ] }, - "type": "SetVariable", - "inputs": { - "name": "latest_event_date", - "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" - } + "type": "SetVariable" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "create_incident": { + "defaultValue": "[parameters('create_incident')]", + "type": "string" } }, - "outputs": {} + "triggers": { + "Recurrence": { + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + } }, "parameters": { "$connections": { @@ -485,12 +313,12 @@ "azuresentinel": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", "connectionName": "[variables('MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } - } + }, + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" }, "recordedfuturev2": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]", @@ -499,82 +327,78 @@ } } } - } + }, + "provisioningState": "Succeeded", + "state": "Enabled" }, - "name": "[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[resourceGroup().location]", "tags": { "hidden-SentinelTemplateName": "RecordedFuture-AlertImporter", - "hidden-SentinelTemplateVersion": "1.3" - }, - "identity": { - "type": "SystemAssigned" + "hidden-SentinelTemplateVersion": "1.4" }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" - ] + "type": "Microsoft.Logic/workflows" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", "properties": { - "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", - "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]" + }, + "type": "Microsoft.Web/connections" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('AzuremonitorlogsConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('AzuremonitorlogsConnectionName')]", "properties": { - "displayName": "[variables('AzuremonitorlogsConnectionName')]", - "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('AzuremonitorlogsConnectionName')]" + }, + "type": "Microsoft.Web/connections" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('MicrosoftSentinelConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('MicrosoftSentinelConnectionName')]", "properties": { - "displayName": "[variables('MicrosoftSentinelConnectionName')]", - "customParameterValues": {}, - "parameterValueType": "Alternative", "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative" + }, + "type": "Microsoft.Web/connections" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('Recordedfuturev2ConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('Recordedfuturev2ConnectionName')]", "properties": { - "displayName": "[variables('Recordedfuturev2ConnectionName')]", - "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('Recordedfuturev2ConnectionName')]" + }, + "type": "Microsoft.Web/connections" } - ] + ], + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "Recordedfuturev2ConnectionName": "RecordedFuture-ConnectorV2" + } } diff --git a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json index 6acce08904..80fa4f0a67 100644 --- a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json @@ -2,37 +2,50 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "RecordedFuture-Sandbox_Enrichment-Url", + "author": { + "name": "Recorded Future" + }, "description": "This playbook will enrich url entities in an incident and send them to Recorded Future Sandbox. The result will be written as a incident comment.", - "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "entities": [ + "url" + ], + "lastUpdateTime": "2024-09-24T00:00:00.000Z", "postDeployment": [ "After deployment you have to open the playbook to configure all connections and press save." ], + "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", "prerequisitesDeployTemplateFile": "", - "lastUpdateTime": "2024-01-12T00:00:00.000Z", - "entities": [ - "url" - ], - "tags": [ "Enrichment" ], - "support": { - "tier": "Partner", - "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" - }, - "author": { - "name": "Recorded Future" - }, "releaseNotes": [ { - "version": "1.0", + "notes": [ + "Initial version" + ], "title": "RecordedFuture-Sandbox_Enrichment-Url", - "notes": [ "Initial version" ] + "version": "1.0" }, { - "version": "1.1", + "notes": [ + "API connection rename." + ], "title": "API Connectors", - "notes": [ "API connection rename." ] + "version": "1.1" + }, + { + "notes": [ + "API connector rename." + ], + "title": "API Connectors", + "version": "1.2" } - ] + ], + "support": { + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator", + "tier": "Partner" + }, + "tags": [ + "Enrichment" + ], + "title": "RecordedFuture-Sandbox_Enrichment-Url" }, "parameters": { "PlaybookName": { @@ -40,54 +53,45 @@ "type": "string" }, "Sandbox API Key": { - "type": "string", "metadata": { "description": "Enter value for Sandbox API Key. Retrive API Key from [Recorded Future Portal](https://sandbox.recordedfuture.com/account)" - } + }, + "type": "string" } }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection" - }, "resources": [ { + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('RecordedfutureSandboxConnectionName'))]" + ], + "identity": { + "type": "SystemAssigned" + }, + "location": "[resourceGroup().location]", + "name": "[parameters('PlaybookName')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "defaultValue": {}, - "type": "Object" - }, - "Sandbox API Key": { - "defaultValue": "[parameters('Sandbox API Key')]", - "type": "string" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", + "actions": { + "Define_sandbox_status": { "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "variables": [ + { + "name": "sandbox_status", + "type": "string" } - }, - "path": "/incident-creation" - } - } - }, - "actions": { + ] + }, + "runAfter": { + "Entities_-_Get_URLs": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, "Entities_-_Get_URLs": { - "runAfter": {}, - "type": "ApiConnection", "inputs": { "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", "host": { @@ -97,18 +101,13 @@ }, "method": "post", "path": "/entities/url" - } + }, + "runAfter": {}, + "type": "ApiConnection" }, "For_each": { - "foreach": "@body('Entities_-_Get_URLs')?['URLs']", "actions": { "Add_comment_to_incident_(V3)": { - "runAfter": { - "Get_the_full_report": [ - "Succeeded" - ] - }, - "type": "ApiConnection", "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", @@ -121,15 +120,15 @@ }, "method": "post", "path": "/Incidents/Comment" - } - }, - "Get_the_full_report": { + }, "runAfter": { - "Wait_for_sandbox_report": [ + "Get_the_full_report": [ "Succeeded" ] }, - "type": "ApiConnection", + "type": "ApiConnection" + }, + "Get_the_full_report": { "inputs": { "headers": { "SandboxToken": "@parameters('Sandbox API Key')" @@ -141,23 +140,27 @@ }, "method": "get", "path": "/samples/@{encodeURIComponent(body('Get_the_full_summary')?['id'])}/overview.json" - } - }, - "Initialize_Sandbox_status": { + }, "runAfter": { - "Submit_url_samples": [ + "Wait_for_sandbox_report": [ "Succeeded" ] }, - "type": "SetVariable", + "type": "ApiConnection" + }, + "Initialize_Sandbox_status": { "inputs": { "name": "sandbox_status", "value": "@body('Submit_url_samples')?['status']" - } + }, + "runAfter": { + "Submit_url_samples": [ + "Succeeded" + ] + }, + "type": "SetVariable" }, "Submit_url_samples": { - "runAfter": {}, - "type": "ApiConnection", "inputs": { "body": { "url": "@items('For_each')?['Url']" @@ -173,27 +176,27 @@ }, "method": "post", "path": "/samples/url" - } + }, + "runAfter": {}, + "type": "ApiConnection" }, "Wait_for_sandbox_report": { "actions": { "Delay": { - "runAfter": { - "Set_sandbox_status": [ - "Succeeded" - ] - }, - "type": "Wait", "inputs": { "interval": { "count": 2, "unit": "Minute" } - } + }, + "runAfter": { + "Set_sandbox_status": [ + "Succeeded" + ] + }, + "type": "Wait" }, "Get_the_full_summary": { - "runAfter": {}, - "type": "ApiConnection", "inputs": { "headers": { "SandboxToken": "@parameters('Sandbox API Key')" @@ -205,59 +208,73 @@ }, "method": "get", "path": "/samples/@{encodeURIComponent(body('Submit_url_samples')?['id'])}" - } + }, + "runAfter": {}, + "type": "ApiConnection" }, "Set_sandbox_status": { + "inputs": { + "name": "sandbox_status", + "value": "@body('Get_the_full_summary')?['status']" + }, "runAfter": { "Get_the_full_summary": [ "Succeeded" ] }, - "type": "SetVariable", - "inputs": { - "name": "sandbox_status", - "value": "@body('Get_the_full_summary')?['status']" - } + "type": "SetVariable" } }, - "runAfter": { - "Initialize_Sandbox_status": [ - "Succeeded" - ] - }, "expression": "@equals(variables('sandbox_status'), 'reported')", "limit": { "count": 60, "timeout": "PT1H" }, + "runAfter": { + "Initialize_Sandbox_status": [ + "Succeeded" + ] + }, "type": "Until" } }, + "foreach": "@body('Entities_-_Get_URLs')?['URLs']", "runAfter": { "Define_sandbox_status": [ "Succeeded" ] }, "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" }, - "Define_sandbox_status": { - "runAfter": { - "Entities_-_Get_URLs": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", + "Sandbox API Key": { + "defaultValue": "[parameters('Sandbox API Key')]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { "inputs": { - "variables": [ - { - "name": "sandbox_status", - "type": "string" + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } - ] - } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" } - }, - "outputs": {} + } }, "parameters": { "$connections": { @@ -265,66 +282,62 @@ "azuresentinel": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", "connectionName": "[variables('MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } - } + }, + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" }, "recordedfuturesandbo": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedfutureSandboxConnectionName'))]", "connectionName": "recordedfuturesandbo", "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/recordedfuturesandbo')]" } } } - } - }, - "name": "[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[resourceGroup().location]", - "identity": { - "type": "SystemAssigned" + }, + "provisioningState": "Succeeded", + "state": "Enabled" }, "tags": { "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url", - "hidden-SentinelTemplateVersion": "1.0" + "hidden-SentinelTemplateVersion": "1.2" }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] + "type": "Microsoft.Logic/workflows" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('RecordedfutureConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('RecordedfutureSandboxConnectionName')]", "properties": { - "displayName": "[variables('RecordedfutureConnectionName')]", - "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/recordedfuturesandbo')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('RecordedfutureSandboxConnectionName')]" + }, + "type": "Microsoft.Web/connections" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('MicrosoftSentinelConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('MicrosoftSentinelConnectionName')]", "properties": { - "displayName": "[variables('MicrosoftSentinelConnectionName')]", - "customParameterValues": {}, - "parameterValueType": "Alternative", "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative" + }, + "type": "Microsoft.Web/connections" } - ] + ], + "variables": { + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "RecordedfutureSandboxConnectionName": "RecordedFuture-SandboxConnector" + } } diff --git a/Solutions/Recorded Future/ReleaseNotes.md b/Solutions/Recorded Future/ReleaseNotes.md index 688949e5a9..7cf7ffc9bd 100644 --- a/Solutions/Recorded Future/ReleaseNotes.md +++ b/Solutions/Recorded Future/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.2.9 | 23-09-2024 | Updated RecordedFuture-Alert-Importer **Playbook** improved text encoding and added utm links | | 3.2.8 | 23-08-2024 | Updated RecordedFuture-Alert-Importer **Playbook** added text encoding and latest_event_date bugfix | | 3.2.7 | 01-08-2024 | Updated **Analytic rules** for entity mappings | | 3.2.6 | 03-08-2024 | Added incident creation to RecordedFuture-Alert-Importer **Playbook**.
Update concurrency in RecordedFuture-IOC_Enrichment **Playbook** |