Azure
diff --git a/‎Solutions/Recorded Future/Data/Solution_RecordedFuture.json‎
Lines changed: 1 addition & 1 deletion b/‎Solutions/Recorded Future/Data/Solution_RecordedFuture.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Solutions/Recorded Future/Package/3.2.17.zip‎
45.7 KB b/‎Solutions/Recorded Future/Package/3.2.17.zip‎
45.7 KB
diff --git a/‎Solutions/Recorded Future/Package/mainTemplate.json‎
Lines changed: 148 additions & 94 deletions b/‎Solutions/Recorded Future/Package/mainTemplate.json‎
Lines changed: 148 additions & 94 deletions
diff --git a/‎Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Playbook-Alert-Importer/azuredeploy.json‎
Lines changed: 18 additions & 6 deletions b/‎Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Playbook-Alert-Importer/azuredeploy.json‎
Lines changed: 18 additions & 6 deletions
diff --git a/‎Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-Domain-IndicatorImport/azuredeploy.json‎
Lines changed: 12 additions & 4 deletions b/‎Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-Domain-IndicatorImport/azuredeploy.json‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-Hash-IndicatorImport/azuredeploy.json‎
Lines changed: 12 additions & 4 deletions b/‎Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-Hash-IndicatorImport/azuredeploy.json‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-IP-IndicatorImport/azuredeploy.json‎
Lines changed: 12 additions & 4 deletions b/‎Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-IP-IndicatorImport/azuredeploy.json‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-URL-IndicatorImport/azuredeploy.json‎
Lines changed: 12 additions & 4 deletions b/‎Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-URL-IndicatorImport/azuredeploy.json‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎Solutions/Recorded Future/Playbooks/IndicatorImport/readme.md‎
Lines changed: 1 addition & 1 deletion b/‎Solutions/Recorded Future/Playbooks/IndicatorImport/readme.md‎
Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@
     "Workbooks/RecordedFutureMalwareThreatHunting.json"
   ],
   "BasePath": "Users\\emangsten\\git\\github\\Azure-Sentinel\\Solutions\\Recorded Future",
-  "Version": "3.2.16",
+  "Version": "3.2.17",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1Pconnector": false
 
@@ -1,6 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-    "contentVersion": "1.0.0.0",
+    "contentVersion": "1.4.0.0",
     "metadata": {
         "title": "RecordedFuture-Playbook-Alert-Importer",
         "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace.",
@@ -11,7 +11,7 @@
             "After deployment, open the playbook to configure all connections and press save."
         ],
         "prerequisitesDeployTemplateFile": "",
-        "lastUpdateTime": "2024-07-09T00:00:00.000Z",
+        "lastUpdateTime": "2025-08-12T00:00:00.000Z",
         "entities": [],
         "tags": [ "Alert" ],
         "support": {
@@ -30,7 +30,7 @@
             {
                 "version": "1.1",
                 "title": "RecordedFuture-Playbook-Alert-Importer",
-                "notes": [ "Changed default search parameters for playbook alert serach." ]
+                "notes": [ "Changed default search parameters for playbook alert search." ]
             },
             {
                 "version": "1.2",
@@ -41,6 +41,11 @@
                 "version": "1.3",
                 "title": "RecordedFuture-Playbook-Alert-Importer",
                 "notes": [ "Added Incident creation." ]
+            },
+            {
+                "version": "1.4",
+                "title": "RecordedFuture-Playbook-Alert-Importer",
+                "notes": [ "Added parameter for Microsoft Sentinel workspace name, Updated formatting for incident description" ]
             }
         ]
     },
@@ -55,6 +60,13 @@
             "metadata": {
                 "description": "Create Microsoft Sentinel incidents (possible values true/false)"
             }
+        },
+        "workspace_name": {
+            "defaultValue": "",
+            "metadata": {
+                "description": "Microsoft Sentinel Workspace name"
+            },
+            "type": "string"
         }
     },
     "variables": {
@@ -146,7 +158,7 @@
                                                     "title": "@body('Get_Playbook_Alert_by_ID')?['title']",
                                                     "severity": "Medium",
                                                     "status": "New",
-                                                    "description": "**Recorded Future Alert**\n@{body('Get_Playbook_Alert_by_ID')?['title']}\nPlaybook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}\nPlaybook Alert Type: @{items('For_each')?['category']}\nPlaybook Alert Priority:  @{items('For_each')?['priority']}\nPlaybook Alert Status: @{item()?['status']}\nPlaybook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}\n[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})\n\nEvidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\n\ncreated_date:  @{items('For_each')?['created']}\nupdated_date: @{items('For_each')?['updated']}\n\n",
+                                                    "description": "**Recorded Future Alert**\n@{body('Get_Playbook_Alert_by_ID')?['title']}\n\nPlaybook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}\n\nPlaybook Alert Type: @{items('For_each')?['category']}\n\nPlaybook Alert Priority:  @{items('For_each')?['priority']}\n\nPlaybook Alert Status: @{item()?['status']}\n\nPlaybook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}\n\n[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})\n\nEvidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\n\ncreated_date:  @{items('For_each')?['created']}\n\nupdated_date: @{items('For_each')?['updated']}\n\n",
                                                     "tagsToAdd": {
                                                         "TagsToAdd": [
                                                             {
@@ -158,7 +170,7 @@
                                                         ]
                                                     }
                                                 },
-                                                "path": "/Incidents/subscriptions/5129b3ff-c0c6-4e86-bd1c-70e5fcd579cf/resourceGroups/RF-SaaS-V3.2.2/workspaces/RF-SaaS-V3-2-2"
+                                                "path": "[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]"
                                             }
                                         }
                                     },
@@ -263,7 +275,7 @@
             "location": "[resourceGroup().location]",
             "tags": {
                 "hidden-SentinelTemplateName": "PlaybookAlert-Import",
-                "hidden-SentinelTemplateVersion": "1.3"
+                "hidden-SentinelTemplateVersion": "1.4"
             },
             "identity": {
                 "type": "SystemAssigned"
 
@@ -1,6 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-    "contentVersion": "1.2.0.0",
+    "contentVersion": "1.3.0.0",
       "metadata": {
         "title": "RecordedFuture-Domain-IndicatorImport",
         "description": "This playbook imports Domain risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.",
@@ -12,7 +12,7 @@
             "After deployment, open the playbook to configure all connections and press save."
         ],
         "prerequisitesDeployTemplateFile": "../RecordedFuture-ThreatIntelligenceImport/azuredeploy.json",
-        "lastUpdateTime": "2025-01-29T00:00:00.000Z",
+        "lastUpdateTime": "2025-08-12T00:00:00.000Z",
         "entities": [],
         "tags": [ "Threat Intelligence" ],
         "support": {
@@ -37,6 +37,11 @@
                 "version": "1.2",
                 "title": "Minor rename",
                 "notes": [ "Rename logic app block for consistency." ]
+            },
+            {
+                "version": "1.3",
+                "title": "Deterministic STIX ID added",
+                "notes": [ "Added fetching of deterministic STIX ID, to avoid duplicate IOCs" ]
             }
         ]
     },
@@ -134,6 +139,9 @@
                                                 },
                                                 "riskString": {
                                                     "type": "string"
+                                                },
+                                                "stix_id": {
+                                                    "type": "string"
                                                 }
                                             },
                                             "type": "object"
@@ -153,7 +161,7 @@
                                             "confidence": "@int(body('Parse_JSON')?['Risk'])",
                                             "created": "@{utcNow()}",
                                             "description": "Recorded Future - Domains - Command and Control Activity",
-                                            "id": "indicator--@{guid()}",
+                                            "id": "@{body('Parse_JSON')?['stix_id']}",
                                             "indicator_types": [
                                                 "malicious-activity"
                                             ],
@@ -225,7 +233,7 @@
             "apiVersion": "2017-07-01",
             "tags": {
                 "hidden-SentinelTemplateName": "RecordedFuture-Domain-IndicatorImport",
-                "hidden-SentinelTemplateVersion": "1.2"
+                "hidden-SentinelTemplateVersion": "1.3"
             },
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]"
 
@@ -1,6 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-    "contentVersion": "1.2.0.0",
+    "contentVersion": "1.3.0.0",
   "metadata": {
         "title": "RecordedFuture-Hash-IndicatorImport",
         "description": "This playbook imports Hash risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.",
@@ -12,7 +12,7 @@
             "After deployment, open the playbook to configure all connections and press save."
         ],
         "prerequisitesDeployTemplateFile": "../RecordedFuture-ThreatIntelligenceImport/azuredeploy.json",
-        "lastUpdateTime": "2025-01-30T00:00:00.000Z",
+        "lastUpdateTime": "2025-08-12T00:00:00.000Z",
         "entities": [],
         "tags": [ "Threat Intelligence" ],
         "support": {
@@ -37,6 +37,11 @@
                 "version": "1.2",
                 "title": "Minor rename",
                 "notes": [ "Rename logic app block for consistency." ]
+            },
+            {
+                "version": "1.3",
+                "title": "Deterministic STIX ID added",
+                "notes": [ "Added fetching of deterministic STIX ID, to avoid duplicate IOCs" ]
             }
         ]
     },
@@ -135,6 +140,9 @@
                                                 },
                                                 "riskString": {
                                                     "type": "string"
+                                                },
+                                                "stix_id": {
+                                                    "type": "string"
                                                 }
                                             },
                                             "type": "object"
@@ -154,7 +162,7 @@
                                             "confidence": "@int(body('Parse_JSON')?['Risk'])",
                                             "created": "@{utcNow()}",
                                             "description": "Recorded Future - HASH - Observed in Underground Virus Testing Sites",
-                                            "id": "indicator--@{guid()}",
+                                            "id": "@{body('Parse_JSON')?['stix_id']}",
                                             "indicator_types": [
                                                 "malicious-activity"
                                             ],
@@ -226,7 +234,7 @@
             "apiVersion": "2017-07-01",
             "tags": {
                 "hidden-SentinelTemplateName": "RecordedFuture-Hash-IndicatorImport",
-                "hidden-SentinelTemplateVersion": "1.2"
+                "hidden-SentinelTemplateVersion": "1.3"
             },
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]"
 
@@ -1,6 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-    "contentVersion": "1.2.0.0",
+    "contentVersion": "1.3.0.0",
     "metadata": {
         "title": "RecordedFuture-IP-IndicatorImport",
         "description": "This playbook imports IP risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.",
@@ -13,7 +13,7 @@
             "After deployment, open the playbook to configure all connections and press save."
         ],
         "prerequisitesDeployTemplateFile": "../RecordedFuture-ThreatIntelligenceImport/azuredeploy.json",
-        "lastUpdateTime": "2025-01-30T17:00:00.000Z",
+        "lastUpdateTime": "2025-08-12T00:00:00.000Z",
         "entities": [],
         "tags": [ "Threat Intelligence" ],
         "support": {
@@ -37,6 +37,11 @@
                 "version": "1.2",
                 "title": "Minor rename",
                 "notes": [ "Rename logic app block for consistency." ]
+            },
+            {
+                "version": "1.3",
+                "title": "Deterministic STIX ID added",
+                "notes": [ "Added fetching of deterministic STIX ID, to avoid duplicate IOCs" ]
             }
         ]
     },
@@ -135,6 +140,9 @@
                                                 },
                                                 "riskString": {
                                                     "type": "string"
+                                                },
+                                                "stix_id": {
+                                                    "type": "string"
                                                 }
                                             },
                                             "type": "object"
@@ -154,7 +162,7 @@
                                             "confidence": "@int(body('Parse_JSON')?['Risk'])",
                                             "created": "@{utcNow()}",
                                             "description": "Recorded Future - IP - Actively Communicating C&C Server",
-                                            "id": "indicator--@{guid()}",
+                                            "id": "@{body('Parse_JSON')?['stix_id']}",
                                             "indicator_types": [
                                                 "malicious-activity"
                                             ],
@@ -226,7 +234,7 @@
             "apiVersion": "2017-07-01",
             "tags": {
                 "hidden-SentinelTemplateName": "RecordedFuture-IP-IndicatorImport",
-                "hidden-SentinelTemplateVersion": "1.2"
+                "hidden-SentinelTemplateVersion": "1.3"
             },
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]"
 
@@ -1,6 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-    "contentVersion": "1.2.0.0",
+    "contentVersion": "1.3.0.0",
     "metadata": {
         "title": "RecordedFuture-URL-IndicatorImport",
         "description": "This playbook imports URL risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.",
@@ -12,7 +12,7 @@
             "After deployment, open the playbook to configure all connections and press save."
         ],
         "prerequisitesDeployTemplateFile": "../RecordedFuture-ThreatIntelligenceImport/azuredeploy.json",
-        "lastUpdateTime": "2025-01-30T00:00:00.000Z",
+        "lastUpdateTime": "2025-08-12T00:00:00.000Z",
         "entities": [],
         "tags": [ "Threat Intelligence" ],
         "support": {
@@ -37,6 +37,11 @@
                 "version": "1.2",
                 "title": "Minor rename",
                 "notes": [ "Rename logic app block for consistency." ]
+            },
+            {
+                "version": "1.3",
+                "title": "Deterministic STIX ID added",
+                "notes": [ "Added fetching of deterministic STIX ID, to avoid duplicate IOCs" ]
             }
         ]
     },
@@ -134,6 +139,9 @@
                                                 },
                                                 "riskString": {
                                                     "type": "string"
+                                                },
+                                                "stix_id": {
+                                                    "type": "string"
                                                 }
                                             },
                                             "type": "object"
@@ -153,7 +161,7 @@
                                             "confidence": "@int(body('Parse_JSON')?['Risk'])",
                                             "created": "@{utcNow()}",
                                             "description": "Recorded Future - URL - Recently Reported by Insikt Group",
-                                            "id": "indicator--@{guid()}",
+                                            "id": "@{body('Parse_JSON')?['stix_id']}",
                                             "indicator_types": [
                                                 "malicious-activity"
                                             ],
@@ -225,7 +233,7 @@
             "apiVersion": "2017-07-01",
             "tags": {
                 "hidden-SentinelTemplateName": "RecordedFuture-URL-IndicatorImport",
-                "hidden-SentinelTemplateVersion": "1.2"
+                "hidden-SentinelTemplateVersion": "1.3"
             },
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]"
 
@@ -101,7 +101,7 @@ Its possible to adjust the cadence of Risk List download to reduce traffic and c
 The first step of IndicatorImport Playbooks is a recurrence step, adjust the cadence by modifying the interval and frequency parameters.\
 <img src="../Images/2023-12-12-10-00-53.png" width="1000">
 
-It is critical that you also adjust the expirationDateTime parameter in the final block of that logic app to be synchronized with the recurrence timing. Failure to do so can result in either:
+It is critical that you also adjust the ``valid_until`` parameter in the final block of that logic app to be synchronized with the recurrence timing. Failure to do so can result in either:
 * Duplication of indicators.
 * Having no active Recorded Future indicators the majority of the time.