Azure-Sentinel RecordedFutureConnectorV2 Update

Required items, please complete

Change(s):

Updated all RecordedFuture playbooks to use new recordedfutureV2 powerplatform connector
Added new individual and solution playbook for Russia/Ukraine conflict Threat detection.
Improved documentation about dependencies between playbooks.

Reason for Change(s):

Updated to use V2 of PowerPlatform connector
Addition of Russia/Ukraine playbooks

Version Updated:

Solution 2.1.0

Testing Completed:

Yes, Solution mainTemplate custom deployment and UISandbox tested. Individual playbooks tested as custom deployment.

Checked that the validations are passing and have addressed any issues that are present:

Yes

Oct 05 '22 13:10 RecordedFutureOskbo

All CLA requirements met.

Oct 05 '22 14:10 ghost

Hi @devikamehra Can you please review playbooks and provide your feedback. Thanks

Oct 07 '22 04:10 v-mchatla

Hi @devikamehra Can you please review playbooks and provide your feedback. Thanks

Oct 12 '22 05:10 v-spadarthi

Hi @manishkumar1991, Could you please review the playbook changes and provide your feedback. Thanks

Oct 13 '22 11:10 v-mchatla

@RecordedFutureOskbo please confirm if you have used, our "playbook arm template generator tool" for generating the arm template of provided playbook, if not requesting you to please use the below link to generate the arm template and update the PR

https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator

Oct 17 '22 08:10 manishkumar1991

The playbooks that are updated in this release were created in 2020 well before the generator existed. I'll give the tool a try and regenerate all playbooks and solution

Oct 17 '22 11:10 RecordedFutureOskbo

Hi @RecordedFutureOskbo, Thanks for the prompt response. Please try generating with tool and let us know if you need any help over there. Thanks

Oct 18 '22 20:10 v-mchatla

Hi @RecordedFutureOskbo, I hope you have started working on it. Please let us know if you need any kind of help in the Playbook preparation and packaging. Thanks

Oct 21 '22 05:10 v-mchatla

Yes Im halfway in, I have to diff each Playbook and manual apply lots of small things like in this file. RecordedFuture_Generic_Detection_IndicatorProcessor.json

We have Logic apps calling other logic apps. The generated json contains hardcoded TenantID and id contains hardcoded subscriptionId. That I have to exchange to variabler like this "id": "/subscriptions/{GUID}/resourceGroups/OskarFree/providers/Microsoft.Logic/workflows/RecordedFuture_Generic_Detection_ImportToSentinel" to "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]"

Also the parameter parameters('PlaybookNameBatching') is removed in the generated result.

Oct 21 '22 06:10 RecordedFutureOskbo

Hi @RecordedFutureOskbo Thanks for the update. Let us know if you need any help. Thanks

Oct 25 '22 10:10 v-mchatla

Hi @RecordedFutureOskbo, Let us know if you need any help over there. Thanks

Oct 28 '22 05:10 v-mchatla

@microsoft-github-policy-service agree [company="Recorded Future"]

Oct 28 '22 09:10 RecordedFutureOskbo

@microsoft-github-policy-service agree company="Recorded Future"

Oct 28 '22 09:10 RecordedFutureOskbo

@v-mchatla @manishkumar1991 We are ready for review again. I have regenerated the playbooks using the e generator tool and retested them again.

Nov 01 '22 08:11 RecordedFutureOskbo

@RecordedFutureOskbo - Thanks for the update. @manishkumar1991 - Author has addressed your comments. can you please review and provide your feedback. Thanks

Nov 02 '22 03:11 v-mchatla

Hi @manishkumar1991, Can you please review the changes and provide your feedback. Thanks

Nov 04 '22 04:11 v-mchatla

Hi @manishkumar1991, It would be great if you can review and provide your sign off. Thanks

Nov 08 '22 06:11 v-mchatla

@RecordedFutureOskbo I can see that there are playbooks outside the solution and inside the solution as well, any specific reason on this ?

We kept the once outside the solution for legacy purposes. We have customers that installed playbooks one by one from GitHub. Do you advise us to go forward with solution playbooks only? Since it's possible to install them one by one also, we can do that as a separate PR.

Nov 10 '22 21:11 RecordedFutureOskbo

Hi @manishkumar1991, Can you please review the changes and provide your feedback. Thanks

Nov 16 '22 05:11 v-mchatla

Hi @manishkumar1991, Can you please review and provide your feedback. Thanks

Nov 18 '22 05:11 v-mchatla

@rahul0216, I would like to do the move/delete of playbooks from playbook folder to solution as a separate PR if that is ok? I have done an overhauled of all prerequisitesDeployTemplateFile and postDeployment and added correct entities to all enrichment playbooks.

Nov 22 '22 16:11 RecordedFutureOskbo

Hi @rahul0216, Can you please address the author's query. Thanks

Nov 25 '22 05:11 v-mchatla

@RecordedFutureOskbo Looks like you already created a separate PR for removal of playbooks from Playbook folder. Let me know once it is ready for review.

Nov 28 '22 07:11 rahul0216

@rahul0216 I will tag you in a PR for moving/removing playbooks into solutions.

Nov 28 '22 08:11 RecordedFutureOskbo

Hi @rahul0216, We can only close this PR once the other draft PR merged or can we merge it?

Nov 30 '22 04:11 v-mchatla

Hi @rahul0216, We can only close this PR once the other draft PR merged or can we merge it?

@rahul0216, @v-mchatla please merge this PR first to avoid merge conflicts. It will make testing on our side easier. Otherwise we have to update and retest this PR again.

Nov 30 '22 06:11 RecordedFutureOskbo

Hi @v-dvedak, Can you please merge it. I'm not getting the merge option for this PR. Thanks

Dec 05 '22 14:12 v-mchatla