diff --git a/Solutions/Recorded Future/Playbooks/ThreatHunting/readme.md b/Solutions/Recorded Future/Playbooks/ThreatHunting/readme.md index 7a83587ea02..ba1461dfb81 100644 --- a/Solutions/Recorded Future/Playbooks/ThreatHunting/readme.md +++ b/Solutions/Recorded Future/Playbooks/ThreatHunting/readme.md @@ -7,9 +7,6 @@ Threat hunting is the proactive and iterative process of searching for and detec - More about Automated threat hunt (requires Recorded Future login) -> [!NOTE] -> If your Recorded Future Enterprise is using [multi-org](https://support.recordedfuture.com/hc/articles/4402787600787-Multi-Org-for-Modules), then threat hunting currently does not work for sub-orgs. See [known issues](../readme.md#threat-hunting-for-multi-orgs) for more detail. - # Playbooks ## RecordedFuture-ThreatMap-Importer @@ -100,7 +97,7 @@ If recurrence is changed from default (24h), also change `valid_until_delta_hour

-Expand Advance parameters +Expand Advanced parameters It's possible to restrict indicators downloaded by actor or malware. If several downloads are running use the `Threat Hunt description` field to keep them apart. ![alt text](Images/advanceindicatorconfig.png) @@ -108,4 +105,11 @@ It's possible to restrict indicators downloaded by actor or malware. If several Find individual Ids the treat map workbook once it setup by open `Open Generic Details`. ![alt text](Images/GenericDetails.png) -
\ No newline at end of file + + +## Threat hunting for multi-orgs + +If your Recorded Future Enterprise is using [multi-org](https://support.recordedfuture.com/hc/articles/4402787600787-Multi-Org-for-Modules), then which threat map you see depends on which API key is used. + +- If the API key is tied to one specific organisation, then you will see that organisation's threat map. +- If the API key is tied to multiple organisations (not recommended), then you will see the first threat map available, which could belong to any of your organisations. \ No newline at end of file diff --git a/Solutions/Recorded Future/Playbooks/readme.md b/Solutions/Recorded Future/Playbooks/readme.md index 0e2ca8e34dc..cac855e2acb 100644 --- a/Solutions/Recorded Future/Playbooks/readme.md +++ b/Solutions/Recorded Future/Playbooks/readme.md @@ -285,12 +285,6 @@ When reporting issues or errors to Recorded Future on logic apps. Please include ![alt text](Images/LogicAppVersion.png) # Known Issues -## Threat hunting for multi-orgs -If your Recorded Future Enterprise is configured as [multi-org](https://support.recordedfuture.com/hc/articles/4402787600787-Multi-Org-for-Modules), **it is not currently possible** to do threat hunting for any organisations except your primary organisation. If you try to use an API key connected to a sub-org that is not your primary organisation for threat hunting, you will receive the following error: - -``` -{"message":"User doesn't have access to the given organization","status_code":403} -``` ## Version 3.0 Microsoft Sentinel playbook upgrade experience can result in the following error: ```Cannot read properties of null (reading 'parameters')```
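Review bot: On the first hunk of `ThreatHunting/readme.md` (the removed `> [!NOTE]` block), the deleted text linked to `../readme.md#threat-hunting-for-multi-orgs`, and this same patch deletes that heading from `Playbooks/readme.md` while re-creating it under `ThreatHunting/readme.md`. Please check the rest of the solution for other references to the old anchor so nothing is left pointing at a heading that no longer exists, and consider leaving a one-line pointer under `# Known Issues` in `Playbooks/readme.md` to the new location for readers who bookmarked the old section.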
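Review bot: In the new `## Threat hunting for multi-orgs` section (third hunk of `ThreatHunting/readme.md`), the second bullet states the failure mode but not its consequence: "you will see the first threat map available, which could belong to any of your organisations" means the importer will populate the workspace with indicators for an organisation the user did not choose, and nothing in the playbook lets them control which one. Say that explicitly and replace "(not recommended)" with a concrete instruction, for example "Use an API key scoped to exactly one organisation; deploy the importer once per organisation whose threat map you want." While touching this area, the unchanged context line just above the new heading, "Find individual Ids the treat map workbook once it setup by open `Open Generic Details`.", has the same kind of typo the second hunk fixes ("Advance" to "Advanced") and reads better as "Find individual IDs in the threat map workbook, once it is set up, by opening `Open Generic Details`."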
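Review bot: The hunk in `Playbooks/readme.md` removes the only place the response `{"message":"User doesn't have access to the given organization","status_code":403}` is documented, but nothing in the patch says the condition that produced it is gone; the replacement section in `ThreatHunting/readme.md` only describes which threat map a key resolves to. If sub-org API keys now work, say so (and from which playbook version) in the commit message or release notes. If a key without access to an organisation can still return this 403, keep the error text as a troubleshooting entry so that users searching for the message still land here, with a link to the new `ThreatHunting/readme.md#threat-hunting-for-multi-orgs` section.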