What Changed

Microsoft Sentinel incidents created via the /azuresentinel Logic Apps connector do not appear in the unified Microsoft Defender portal incident queue. This is a breaking behavioral change for any Recorded Future deployment relying on playbook-driven incident creation.

Affected playbooks – incident creation removed:

| Playbook                                  | Old Behavior               | New Behavior                                    |
|-------------------------------------------|----------------------------|-------------------------------------------------|
| RecordedFuture-Alert-Importer             | Created incidents directly | Writes to RecordedFuturePortalAlerts_CL only    |
| RecordedFuture-Playbook-Alert-Importer    | Created incidents directly | Writes to RecordedFuturePlaybookAlerts_CL only  |
| RecordedFuture-Sandbox_StorageAccount     | Created incidents directly | Writes to RecordedFutureSandboxResults_CL only  |
| RecordedFuture-Sandbox_Outlook_Attachment | Created incidents directly | Writes to RecordedFutureSandboxResults_CL only  |

The azuresentinel connector dependency is removed from all four playbooks.

New Analytic Rules for incident creation (replacing playbook behavior):

| Use Case                   | Analytic Rule                 | Source Table                     |
|----------------------------|-------------------------------|----------------------------------|
| Alerts                     | RecordedFutureAlerts          | RecordedFuturePortalAlerts_CL    |
| Playbook Alerts            | RecordedFuturePlaybookAlerts  | RecordedFuturePlaybookAlerts_CL  |
| Sandbox Outlook Attachment | RecordedFutureSandboxOutlook  | RecordedFutureSandboxResults_CL  |
| Sandbox Storage Account    | RecordedFutureSandboxStorage  | RecordedFutureSandboxResults_CL  |

Security Impact

Production gap for Defender portal users: If you have already migrated to the unified Microsoft Defender portal and are running Recorded Future playbook versions prior to v3.2.20, zero incidents are being created from Recorded Future alerts, playbook alerts, and sandbox results. The data is still being written to custom log tables, but without corresponding Analytic Rules enabled, no alerts or incidents surface.

Action required for existing deployments:

  1. Update all four affected playbooks to v3.2.20 builds.
  2. Deploy the four new Analytic Rule templates from Content Hub (available under Microsoft Sentinel -> Configuration -> Analytics -> Rule Templates).
  3. Verify the Custom Log Names in the Logic Apps match the table names the Analytic Rules query – a mismatch will silently drop incidents.
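Step 3 is the one that fails silently, so it is worth automating. The script below is an added example, not part of the PR or the Recorded Future solution: it pulls every custom table a playbook writes to out of its Logic App definition and diffs that against the `_CL` tables each Analytic Rule query references. It assumes the playbooks write through the Log Analytics Data Collector "Send Data" action, whose `Log-Type` header becomes the `<Log-Type>_CL` table; the definition and queries embedded here are constructed samples, not the real azuredeploy.json or rule YAML.

```python
import json
import re

# Constructed sample of the relevant part of a playbook's Logic App definition.
# Shape assumed: an ApiConnection action whose "Log-Type" header names the table.
SAMPLE_PLAYBOOK_DEFINITION = json.dumps({
    "actions": {
        "For_each_alert": {
            "type": "Foreach",
            "actions": {
                "Send_Data": {
                    "type": "ApiConnection",
                    "inputs": {
                        "headers": {"Log-Type": "RecordedFuturePortalAlerts"},
                        "body": "@{items('For_each_alert')}",
                    },
                }
            },
        }
    }
})

# Constructed sample rule queries: one matches the playbook output, one has a
# typo (missing 's') that would make the rule query a table nothing writes to.
SAMPLE_RULE_QUERIES = {
    "RecordedFutureAlerts": "RecordedFuturePortalAlerts_CL\n| where TimeGenerated > ago(1h)",
    "TypoRule": "RecordedFuturePortalAlert_CL\n| take 1",
}

TABLE_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9_]*_CL)\b")


def _walk(actions):
    """Yield every action, descending into scopes such as For_each and Condition."""
    for action in actions.values():
        yield action
        yield from _walk(action.get("actions", {}))


def playbook_tables(definition_json):
    """Custom tables a Logic App definition writes to, as '<Log-Type>_CL' names."""
    tables = set()
    for action in _walk(json.loads(definition_json).get("actions", {})):
        log_type = action.get("inputs", {}).get("headers", {}).get("Log-Type")
        if log_type:
            tables.add(f"{log_type}_CL")
    return tables


def rule_tables(query):
    """Custom tables referenced anywhere in a KQL query (any *_CL identifier)."""
    return set(TABLE_RE.findall(query))


def find_mismatches(definition_json, queries):
    """Per rule, the tables it queries that no playbook writes to (empty dict = OK)."""
    written = playbook_tables(definition_json)
    missing = {name: rule_tables(q) - written for name, q in queries.items()}
    return {name: tables for name, tables in missing.items() if tables}
```

Run it against the real exported definitions and rule YAML `query` fields; any non-empty result is a rule that will never fire.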

Note: There is a limitation of 3 fields available in the Analytic Rule alert description; additional context remains available by querying the custom log tables directly.

Notes

PR discussion context: the PR author confirmed the change is driven by Microsoft removing Logic Apps-based incident creation compatibility with the Defender portal. Copilot review flagged a version number inconsistency in documentation (some docs reference v4.0 while the solution ships as v3.2.20) – this does not affect functionality but may cause confusion during upgrade planning.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/RecordedFuturePlaybookAlerts_CL.json
.script/tests/KqlvalidationsTests/CustomTables/RecordedFuturePortalAlerts_CL.json
.script/tests/KqlvalidationsTests/CustomTables/RecordedFutureSandboxResults_CL.json
Solutions/Recorded Future/Analytic Rules/IncidentCreation/RecordedFutureAlerts.yaml
Solutions/Recorded Future/Analytic Rules/IncidentCreation/RecordedFuturePlaybookAlerts.yaml
Solutions/Recorded Future/Analytic Rules/IncidentCreation/RecordedFutureSandboxEmailAttachment.yaml
Solutions/Recorded Future/Analytic Rules/IncidentCreation/RecordedFutureSandboxStorageAccount.yaml
Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingDomainAllActors.yaml
Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingHashAllActors.yaml
Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingIPAllActors.yaml
Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingUrlAllActors.yaml
Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json
Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Playbook-Alert-Importer/azuredeploy.json
Solutions/Recorded Future/Playbooks/Alerts/readme.md
Solutions/Recorded Future/Playbooks/Images/defender_analytics.png
Solutions/Recorded Future/Playbooks/Images/defender_hub.png
Solutions/Recorded Future/Playbooks/Images/defender_workbook.png
Solutions/Recorded Future/Playbooks/Images/playbook_templates.png
Solutions/Recorded Future/Playbooks/Images/threat_intel_contethub.png
Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Outlook_Attachment/azuredeploy.json
Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_StorageAccount/azuredeploy.json
Solutions/Recorded Future/Playbooks/Sandboxing/readme.md
Solutions/Recorded Future/Playbooks/ThreatHunting/RecordedFuture-ThreatMapMalware-Importer/azuredeploy.json
Solutions/Recorded Future/Playbooks/readme.md
(packaging artefacts: 3.2.20.zip, ReleaseNotes.md, Solution_RecordedFuture.json, createUiDefinition.json, mainTemplate.json)