What Changed

Microsoft Sentinel has deprecated four Recorded Future Playbooks that automated threat intelligence ingestion from Recorded Future’s Command & Control feeds into Microsoft Defender for Endpoint. The affected playbooks are:

  • RecordedFuture-ImportToDefenderEndpoint — automated import of C&C IPs and weaponized domains
  • RecordedFuture-TIforDefenderEndpoint — threat intelligence processor for prevention actions
  • RecordedFuture_IP_SCF_ImportToDefenderEndpoint — Command & Control IP Security Control Feed importer
  • RecordedFuture_IP_SCF_IndicatorProcessor — IP indicator processing workflow

Security Impact

Critical Integration Failure: Any deployments using these playbooks have lost automated threat intelligence ingestion capabilities. The underlying Microsoft Graph Security tiIndicators API (beta) and its submitTiIndicators endpoint have been deprecated by Microsoft, causing complete integration failure.

Detection Blind Spot: Organizations relying on these playbooks for automated blocking of Recorded Future’s Command & Control indicators in Defender for Endpoint no longer receive this threat intelligence feed. This represents a significant reduction in proactive threat blocking capabilities.

Migration Required: Recorded Future has provided alternative integration paths, but existing deployments require immediate attention to restore threat intelligence functionality.

Affected Capabilities

  • Automated C&C IP blocking — no longer functional
  • Weaponized domain prevention — no longer operational
  • Daily threat intelligence updates — integration broken
  • Recorded Future Security Control Feeds — ingestion pipeline disabled

Organizations using these playbooks should immediately review Recorded Future’s migration documentation and implement alternative threat intelligence ingestion methods.

Affected Files

Playbooks/RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint/RecordedFuture-ImportToDefenderEndpoint.json
Playbooks/RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint/RecordedFuture-TIforDefenderEndpoint.json
Playbooks/RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint/readme.md
Playbooks/RecordedFuture_IP_SCF/RecordedFuture_IP_SCF_ImportToDefenderEndpoint.json
Playbooks/RecordedFuture_IP_SCF/RecordedFuture_IP_SCF_IndicatorProcessor.json
Playbooks/RecordedFuture_IP_SCF/readme.md
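
To locate deployments still tied to the deprecated integration, the added example below (not code from Recorded Future or from the playbooks' repository) walks parsed JSON templates and reports the JSON path of every value that names one of the four playbooks or references the tiIndicators API. It assumes the playbook definitions are available locally as JSON files; `find_references`, `audit_directory` and `SAMPLE` are illustrative names, and the sample template is constructed.

```python
import json
from pathlib import Path

# The four deprecated playbooks named on this page, and a substring that covers
# both the tiIndicators API and its submitTiIndicators endpoint.
DEPRECATED_PLAYBOOKS = (
    "RecordedFuture-ImportToDefenderEndpoint",
    "RecordedFuture-TIforDefenderEndpoint",
    "RecordedFuture_IP_SCF_ImportToDefenderEndpoint",
    "RecordedFuture_IP_SCF_IndicatorProcessor",
)
DEPRECATED_API_MARKER = "tiindicators"

# Constructed sample, not a real export: a template fragment with one HTTP action.
SAMPLE = {
    "parameters": {"PlaybookName": {"defaultValue": "RecordedFuture-TIforDefenderEndpoint"}},
    "actions": [{"type": "Http", "inputs": {
        "uri": "https://graph.microsoft.com/beta/security/tiIndicators/submitTiIndicators"}}],
}


def find_references(node, path="$"):
    """Yield (json_path, reason) for each string value that needs migration."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_references(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_references(value, f"{path}[{index}]")
    elif isinstance(node, str):
        lowered = node.lower()
        if DEPRECATED_API_MARKER in lowered:
            yield path, "references tiIndicators API"
        for name in DEPRECATED_PLAYBOOKS:
            if name.lower() in lowered:
                yield path, f"deprecated playbook {name}"


def audit_directory(root):
    """Parse every *.json file under root; return {file: [(json_path, reason)]}."""
    findings = {}
    for file in sorted(Path(root).rglob("*.json")):
        try:
            hits = list(find_references(json.loads(file.read_text(encoding="utf-8-sig"))))
        except (json.JSONDecodeError, UnicodeDecodeError):
            continue  # unparseable file: skip it rather than abort the audit
        if hits:
            findings[str(file)] = hits
    return findings
```

Calling `audit_directory()` on a folder of template files returns only the files with findings, so an empty result means nothing in that folder references the deprecated playbooks or API.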