What Changed
Added a RiskScoreThreshold parameter to the RecordedFuture-IOC_Enrichment Logic App that defaults to 5. IOCs with risk scores below this threshold will no longer generate comments on incidents.
Security Impact (Noise Reduction)
This change addresses analyst fatigue by filtering low-risk IOC enrichments out of incident comments. Previously every IOC generated an enrichment comment regardless of its risk score, creating noise that could obscure high-priority intelligence.
The configurable threshold (default: 5) lets SOC teams tune the noise floor for their environment. Only IOCs whose risk score is at or above the threshold receive enrichment comments containing:
- Recorded Future Risk Score
- Triggered Risk Rules
- Risk Context
- OSINT references
- Previous detections
- Intelligence Card links
Operational Considerations
Teams using this playbook for automatic enrichment should review their current incident comment volume and adjust the threshold as needed. The parameter is configurable during deployment to match organizational risk tolerance.
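As an added example (not code from the playbook, the Sentinel solution or Recorded Future), the Python below reproduces the gate as the change describes it (an IOC is commented on only when its risk score is at or above RiskScoreThreshold) and sizes the noise floor for a constructed batch of enrichments, so a team can see how many comments a candidate threshold would suppress before changing it. The severity band labels and the `threshold_for_budget` helper are assumptions for illustration, not part of the playbook.

```python
"""Simulate the RiskScoreThreshold gate and size the incident-comment noise floor.

Added example, not code from the RecordedFuture-IOC_Enrichment playbook.
Assumptions: Recorded Future risk scores are integers 0..99, the gate keeps an
IOC when score >= threshold (matching "below this threshold will no longer
generate comments"), and the band labels below are illustrative only.
"""
from typing import Dict, Iterable, List, Sequence

DEFAULT_THRESHOLD = 5  # default shipped with the change

# Assumed band labels (lower bound inclusive); used only for reporting.
RISK_BANDS = [
    (90, "Very Malicious"),
    (65, "Malicious"),
    (25, "Suspicious"),
    (5, "Unusual"),
    (0, "No current evidence of risk"),
]


def risk_band(score: int) -> str:
    """Map a 0..99 risk score to its (assumed) band label."""
    for lower, label in RISK_BANDS:
        if score >= lower:
            return label
    raise ValueError(f"risk score out of range: {score}")


def should_comment(score: int, threshold: int = DEFAULT_THRESHOLD) -> bool:
    """The gate: comment only when the score meets or exceeds the threshold."""
    if not 0 <= score <= 99:
        raise ValueError(f"risk score out of range: {score}")
    return score >= threshold


def filter_enrichments(iocs: Iterable[dict], threshold: int = DEFAULT_THRESHOLD) -> List[dict]:
    """Return the enrichments that would still produce an incident comment."""
    return [ioc for ioc in iocs if should_comment(ioc["risk_score"], threshold)]


def comments_by_threshold(scores: Sequence[int],
                          thresholds: Sequence[int] = (0, 5, 25, 65, 90)) -> Dict[int, int]:
    """For each candidate threshold, count the observed scores that would still be commented."""
    return {t: sum(1 for s in scores if s >= t) for t in thresholds}


def threshold_for_budget(scores: Sequence[int], max_comments: int) -> int:
    """Smallest threshold (0..99) that keeps the comment count at or below max_comments.

    Hypothetical tuning helper; a team would feed it a week of observed scores.
    """
    for t in range(100):
        if sum(1 for s in scores if s >= t) <= max_comments:
            return t
    return 100  # unreachable for valid scores: threshold 99 leaves only 99s, 100 leaves none


# Constructed sample: one batch of enrichments with documentation-range indicators.
SAMPLE_ENRICHMENTS = [
    {"indicator": "198.51.100.7", "type": "ip", "risk_score": 0},
    {"indicator": "203.0.113.42", "type": "ip", "risk_score": 0},
    {"indicator": "example.com", "type": "domain", "risk_score": 3},
    {"indicator": "203.0.113.9", "type": "ip", "risk_score": 8},
    {"indicator": "files.example.net", "type": "domain", "risk_score": 12},
    {"indicator": "198.51.100.88", "type": "ip", "risk_score": 30},
    {"indicator": "cdn.example.org", "type": "domain", "risk_score": 47},
    {"indicator": "203.0.113.200", "type": "ip", "risk_score": 66},
    {"indicator": "login.example.org", "type": "domain", "risk_score": 72},
    {"indicator": "198.51.100.250", "type": "ip", "risk_score": 95},
]
SAMPLE_SCORES = [ioc["risk_score"] for ioc in SAMPLE_ENRICHMENTS]

if __name__ == "__main__":
    for t, n in comments_by_threshold(SAMPLE_SCORES).items():
        print(f"threshold {t:>2}: {n:>2} of {len(SAMPLE_SCORES)} enrichments would be commented")
    for ioc in filter_enrichments(SAMPLE_ENRICHMENTS):
        print(f"comment: {ioc['indicator']:<20} score={ioc['risk_score']:>2} ({risk_band(ioc['risk_score'])})")
    print("threshold for a budget of 4 comments:", threshold_for_budget(SAMPLE_SCORES, 4))
```

With the default of 5 the sample keeps 7 of 10 enrichments; raising the threshold to 25 keeps 5, and only the three scoring 65 or above survive a threshold of 65. The same computation run over a team's real comment history is what the Operational Considerations above ask for before adjusting the parameter.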
Affected Files
Solutions/Recorded Future/Playbooks/Enrichment/RecordedFuture-IOC_Enrichment/azuredeploy.json
Solutions/Recorded Future/Playbooks/Enrichment/readme.md
(packaging artefacts: 3.2.18.zip, ReleaseNotes.md, Solution_RecordedFuture.json, mainTemplate.json)