Expand Up @@ -11,6 +11,10 @@ triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques: []
requiredDataConnectors:
- connectorId: RecordedFutureIdentityAlertImporter
dataTypes:
- RFI_PlaybookAlertResults_V2_CL
query: |
RFI_PlaybookAlertResults_V2_CL
| where TimeGenerated >= now(-15m)
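Review bot: `relevantTechniques: []` is left empty while `tactics` names CredentialAccess; since this hunk is already touching the rule's metadata, it is the place to add the technique IDs the rule maps to, otherwise the incidents it creates carry a tactic but no MITRE technique in Sentinel. The new `requiredDataConnectors` block is correct as far as the diff shows: `connectorId: RecordedFutureIdentityAlertImporter` matches the connector definition `id`, and `RFI_PlaybookAlertResults_V2_CL` is the table the query reads. One more thing to confirm in the unchanged part of the rule: the hard-coded `now(-15m)` lookback in the query should agree with the rule's `queryFrequency`/`queryPeriod`, or alerts that land between runs are silently skipped.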
Expand Up @@ -211,7 +211,7 @@
"id": "RecordedFutureIdentityAlertImporter",
"title": "Recorded Future Identity - Playbook Alert Importer",
"publisher": "Recorded Future",
"descriptionMarkdown": "Imports Recorded Future Identity Playbook Alerts into Microsoft Sentinel via the Azure Monitor Logs Ingestion API. Enables incident creation via Analytic Rules on the `RFI_PlaybookAlertResults_V2_CL` table.",
"descriptionMarkdown": "Imports Recorded Future Identity Playbook Alerts into Microsoft Sentinel. Enables incident creation via Analytic Rules on the `RFI_PlaybookAlertResults_V2_CL` table. For full installation details, see the [readme](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future%20Identity/Playbooks/readme.md).",
"graphQueries": [
{
"metricName": "Playbook Alert Results",
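Review bot: the readme link added to `descriptionMarkdown` points at the `master` branch of `Azure/Azure-Sentinel`, so it will 404 from the connector tile until this PR is merged and the readme exists at `Solutions/Recorded Future Identity/Playbooks/readme.md`; please confirm that file is part of this change or already on `master`. The rewrite also drops the phrase "via the Azure Monitor Logs Ingestion API" from the tile text, which is fine for the summary, but since the permissions block below depends on that ingestion path, keep the mechanism stated somewhere the reader of the tile will see it (the readme is acceptable if it covers it).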
Expand Down Expand Up @@ -266,7 +266,7 @@
"customs": [
{
"name": "Azure Subscription",
"description": "Contributor permissions required to deploy ARM templates (Data Connectors infrastructure and playbook)."
"description": "Step 1 (Data Connectors infrastructure) requires **Monitoring Contributor** and **Log Analytics Contributor** on the resource group. Step 3 (playbook) requires **Owner** or **Role Based Access Control Administrator** when deploying with automatic role assignment (`create_role_assignment=true`), otherwise **Contributor** suffices."
},
{
"name": "Recorded Future API Token",
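Review bot: the new permissions text says which roles the deployer needs but not which role the template assigns to the playbook's managed identity, or at what scope, when `create_role_assignment=true`. An Owner approving that deployment is granting rights to a service principal and should be able to see what is granted; and the manual path that Step 3 points back to here ("see permissions above") gives no instruction on what assignment to create. Suggest one sentence naming the role and the scope (for example the DCR) and referring to it from the `create_role_assignment=false` case. Also, `create_role_assignment` appears here before the step that introduces it; a short "(parameter of the Step 3 template)" would make this block readable on its own.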
Expand All @@ -277,11 +277,19 @@
"instructionSteps": [
{
"title": "Step 1 \u2014 Deploy Data Connectors infrastructure",
"description": "Deploys the shared Data Collection Endpoint (DCE), Data Collection Rule (DCR), Log Analytics table (`RFI_PlaybookAlertResults_V2_CL`), and this connector definition tile.\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Frecordedfuture%2FAzure-Sentinel%2FRFPD-77178-log-ingestion-api%2FSolutions%2FRecorded%20Future%20Identity%2FData%20Connectors%2Fazuredeploy-alert-importer.json)"
"description": "Deploys the shared Data Collection Endpoint (DCE), Data Collection Rule (DCR), Log Analytics table (`RFI_PlaybookAlertResults_V2_CL`), and this connector definition tile.\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Recorded%2520Future%2520Identity/Data%2520Connectors/azuredeploy-alert-importer.json)"
},
{
"title": "Step 2 \u2014 Deploy the RFI-Playbook-Alert-Importer-LAW playbook",
"description": "Deploys the Logic App that imports Recorded Future Identity Playbook Alerts and writes them to the Log Analytics table via the Logs Ingestion API using Managed Identity.\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Frecordedfuture%2FAzure-Sentinel%2FRFPD-77178-log-ingestion-api%2FSolutions%2FRecorded%20Future%20Identity%2FPlaybooks%2FRFI-Playbook-Alert-Importer-LAW%2Fazuredeploy.json)\n\nAfter deployment, open the Logic App and authorize the different connectors, then enable the Logic App."
"title": "Step 2 \u2014 Deploy RFI-CustomConnector",
"description": "The custom connector handles authentication towards the Recorded Future API. Deploy it once \u2014 it is shared by the playbook.\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Recorded%2520Future%2520Identity/Playbooks/Connectors/RFI-CustomConnector-0-2-0/azuredeploy.json)"
},
{
"title": "Step 3 \u2014 Deploy RFI-Playbook-Alert-Importer-LAW",
"description": "Deploys the Logic App that imports Recorded Future Identity Playbook Alerts and writes them to the Log Analytics table using Managed Identity. Set `create_role_assignment=false` if your organization requires manual role assignment (see permissions above). After deployment, authorize the connectors and enable the Logic App.\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Recorded%2520Future%2520Identity/Playbooks/RFI-Playbook-Alert-Importer-LAW/azuredeploy.json)"
},
{
"title": "Step 4 \u2014 Deploy Analytics Rule",
"description": "Creates Microsoft Sentinel incidents from the `RFI_PlaybookAlertResults_V2_CL` table. The rule is also available under **Microsoft Sentinel \u2192 Configuration \u2192 Analytics \u2192 Rule Templates**.\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Recorded%2520Future%2520Identity/Analytic%2520Rules/IncidentCreation/azuredeploy.json)"
}
]
}
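Review bot: the four "Deploy to Azure" URIs encode spaces as `%2520` inside an otherwise unencoded nested URL (`uri/https://raw.githubusercontent.com/...`), whereas the removed links percent-encoded the whole nested URI (`https%3A%2F%2Fraw.githubusercontent.com%2F...%2FRecorded%20Future%20Identity%2F...`). Mixing a raw scheme and separators with double-encoded spaces relies on the portal decoding exactly once; please click each of the four buttons after merge to confirm the template loads, since all of them now also target `master` rather than the feature branch. Wording: in Step 2, "it is shared by the playbook" reads oddly with a single playbook; "it is used by the playbook" or "shared by all RFI playbooks" depending on what is meant. Step 3 moved the "authorize the connectors and enable the Logic App" instruction from the old Step 2 and adds the `create_role_assignment=false` note, which is the right place for it.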