What Changed

The Recorded Future Identity solution (v3.1.3) has been updated to prepare for migration to the Microsoft Defender portal. The primary change is the deprecation of the RFI-Playbook-Alert-Importer-LAW-Sentinel playbook, which creates incidents via Logic Apps; these incidents do not appear in the unified Microsoft Defender portal.

Migration Impact

Breaking Change Alert: Deployments using the RFI-Playbook-Alert-Importer-LAW-Sentinel playbook will lose incident visibility when organizations migrate to the Microsoft Defender portal. The deprecated playbook creates incidents via the Azure Sentinel Logic Apps connector, which Microsoft no longer supports in the unified portal.

Recommended Migration Path:

  1. Switch to the RFI-Playbook-Alert-Importer-LAW playbook to write identity exposure data to Log Analytics
  2. Deploy the new Analytic Rule RecordedFutureIdentityExposure to create incidents from the RecordedFutureIdentity_PlaybookAlertResults_CL table

Security Impact

Organizations continuing to use the deprecated playbook face a detection blind spot: identity exposure alerts from Recorded Future will not generate visible incidents in the Microsoft Defender portal. This impacts SOC teams' ability to investigate and respond to compromised identity events.

The new Analytic Rule approach maintains detection coverage while ensuring compatibility with Microsoft's unified security portal. Identity exposure data continues to be ingested and processed; only the incident creation mechanism changes.

Content Updates

  • Analytic Rule Added: RecordedFutureIdentityExposure.yaml creates incidents from identity exposure data
  • Playbook Deprecated: RFI-Playbook-Alert-Importer-LAW-Sentinel marked as deprecated with migration warnings
  • Documentation Updated: README extensively revised with deprecation notices and migration guidance
  • Custom Table Schema: Added validation for RecordedFutureIdentity_PlaybookAlertResults_CL table structure

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/RecordedFutureIdentity_PlaybookAlertResults_CL.json
Solutions/Recorded Future Identity/Analytic Rules/IncidentCreation/RecordedFutureIdentityExposure.yaml
Solutions/Recorded Future Identity/Playbooks/RFI-Playbook-Alert-Importer-LAW-Sentinel/azuredeploy.json
Solutions/Recorded Future Identity/Playbooks/RFI-Playbook-Alert-Importer-LAW/azuredeploy.json
Solutions/Recorded Future Identity/Playbooks/readme.md
(packaging artefacts: 3.1.3.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_RecordedFutureIdentity.json, createUiDefinition.json, mainTemplate.json)