Recorded future: update readme #11702

Merged
14 changes: 9 additions & 5 deletions Solutions/Recorded Future/Playbooks/ThreatHunting/readme.md
@@ -7,9 +7,6 @@ Threat hunting is the proactive and iterative process of searching for and detec

- <a href="https://support.recordedfuture.com/hc/en-us/articles/20849290045203-Automated-Threat-Hunting-with-Recorded-Future" target="_blank">More about Automated threat hunt</a> (requires Recorded Future login)

> [!NOTE]
> If your Recorded Future Enterprise is using [multi-org](https://support.recordedfuture.com/hc/articles/4402787600787-Multi-Org-for-Modules), then threat hunting currently does not work for sub-orgs. See [known issues](../readme.md#threat-hunting-for-multi-orgs) for more detail.

# Playbooks

## RecordedFuture-ThreatMap-Importer
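Review bot: removing the NOTE leaves the top of the Threat Hunting readme with no pointer to the multi-org caveat, and the statement it made ("threat hunting currently does not work for sub-orgs") is replaced by the weaker "depends on which API key is used" wording in the new "## Threat hunting for multi-orgs" section further down this same file. If the behaviour genuinely changed, a one-line note here linking to that section, e.g. `> [!NOTE]` / `> If your Enterprise uses multi-org, see [Threat hunting for multi-orgs](#threat-hunting-for-multi-orgs).`, keeps the caveat visible to readers who stop at the Playbooks section; if it did not change, the stronger wording should stay.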
@@ -100,12 +97,19 @@ If recurrence is changed from default (24h), also change `valid_until_delta_hour
<br/>
<br/>
<details>
<summary>Expand Advance parameters</summary>
<summary>Expand Advanced parameters</summary>
It's possible to restrict indicators downloaded by actor or malware. If several downloads are running use the `Threat Hunt description` field to keep them apart.

![alt text](Images/advanceindicatorconfig.png)

Find individual Ids the treat map workbook once it setup by open `Open Generic Details`.

![alt text](Images/GenericDetails.png)
</details>
</details>

## Threat hunting for multi-orgs

If your Recorded Future Enterprise is using [multi-org](https://support.recordedfuture.com/hc/articles/4402787600787-Multi-Org-for-Modules), then which threat map you see depends on which API key is used.

- If the API key is tied to one specific organisation, then you will see that organisation's threat map.
- If the API key is tied to multiple organisations (not recommended), then you will see the first threat map available, which could belong to any of your organisations.
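Review bot: the summary typo fix ("Advance" to "Advanced") is fine, but the retained line `Find individual Ids the treat map workbook once it setup by open `Open Generic Details`.` still carries several errors ("treat map", "once it setup", "by open"); since this block is being edited anyway, reword it, for example `Find individual IDs in the threat map workbook once it is set up by opening `Open Generic Details`.` The new multi-org section also marks a key tied to multiple organisations as "not recommended" without saying why; spelling out that the playbook then imports whichever threat map comes first, possibly for an organisation other than the one intended, makes the advice to use one API key per organisation actionable for the reader.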
6 changes: 0 additions & 6 deletions Solutions/Recorded Future/Playbooks/readme.md
@@ -285,12 +285,6 @@ When reporting issues or errors to Recorded Future on logic apps. Please include
![alt text](Images/LogicAppVersion.png)

# Known Issues
## Threat hunting for multi-orgs
If your Recorded Future Enterprise is configured as [multi-org](https://support.recordedfuture.com/hc/articles/4402787600787-Multi-Org-for-Modules), **it is not currently possible** to do threat hunting for any organisations except your primary organisation. If you try to use an API key connected to a sub-org that is not your primary organisation for threat hunting, you will receive the following error:

```
{"message":"User doesn't have access to the given organization","status_code":403}
```

## Version 3.0
Microsoft Sentinel playbook upgrade experience can result in the following error: ```Cannot read properties of null (reading 'parameters')```
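Review bot: deleting this section also deletes the `#threat-hunting-for-multi-orgs` anchor in Playbooks/readme.md; the NOTE in Playbooks/ThreatHunting/readme.md that linked to `../readme.md#threat-hunting-for-multi-orgs` is removed in this same PR, but check that no other page in the solution still links to that anchor. The removed block was also the only place the concrete failure response `{"message":"User doesn't have access to the given organization","status_code":403}` was documented; the replacement section in the ThreatHunting readme explains which threat map a given API key returns but not what a user sees when the key is not authorised for an organisation, so consider moving that fenced example into the new section rather than dropping it.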