What Changed
Microsoft Sentinel incidents created via the azuresentinel Logic Apps connector no longer appear in the unified Microsoft Defender portal incident queue. This is a breaking behavioral change for any Recorded Future deployment that relies on playbook-driven incident creation.
Affected playbooks – incident creation removed:
| Playbook | Old Behavior | New Behavior |
|---|---|---|
| RecordedFuture-Alert-Importer | Created incidents directly | Writes to RecordedFuturePortalAlerts_CL only |
| RecordedFuture-Playbook-Alert-Importer | Created incidents directly | Writes to RecordedFuturePlaybookAlerts_CL only |
| RecordedFuture-Sandbox_StorageAccount | Created incidents directly | Writes to RecordedFutureSandboxResults_CL only |
| RecordedFuture-Sandbox_Outlook_Attachment | Created incidents directly | Writes to RecordedFutureSandboxResults_CL only |
The azuresentinel connector dependency is removed from all four playbooks.
New Analytic Rules for incident creation (replacing playbook behavior):
| Use Case | Analytic Rule | Source Table |
|---|---|---|
| Alerts | RecordedFutureAlerts | RecordedFuturePortalAlerts_CL |
| Playbook Alerts | RecordedFuturePlaybookAlerts | RecordedFuturePlaybookAlerts_CL |
| Sandbox Outlook Attachment | RecordedFutureSandboxOutlook | RecordedFutureSandboxResults_CL |
| Sandbox Storage Account | RecordedFutureSandboxStorage | RecordedFutureSandboxResults_CL |
Security Impact
Production gap for Defender portal users: if you have already migrated to the unified Microsoft Defender portal and are still running Recorded Future playbook versions prior to v3.2.20, no incidents are being created from Recorded Future alerts, playbook alerts, or sandbox results. The data is still written to the custom log tables, but until the corresponding Analytic Rules are deployed and enabled, nothing surfaces as an alert or incident.
Action required for existing deployments:
- Update all four affected playbooks to v3.2.20 builds.
- Deploy the four new Analytic Rule templates from Content Hub (available under Microsoft Sentinel -> Configuration -> Analytics -> Rule Templates).
- Verify that the Custom Log Name configured in each Logic App matches the table name its Analytic Rule queries (the Log Analytics Data Collector appends _CL to the configured name). A mismatch fails silently: the playbook keeps writing to one table while the rule queries another, so no incidents are ever created.
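The table-name check in the last step can be automated against the deployment artefacts themselves. The Python script below is added here as an example; it is not part of the Recorded Future solution or this PR. It walks a Logic App ARM template for every Log Analytics Data Collector send (identified by its Log-Type header, which the Data Collector API turns into a <name>_CL table), resolves parameter references to their default values, and compares the result with the _CL tables referenced in the Analytic Rule's query. The template and rule fragments are constructed samples: the parameter name CustomLogName, the action names and the rule's column names are assumptions, and the sample is deliberately misconfigured (a missing trailing "s") to show what the silent failure looks like.

```python
import json
import re

# Constructed sample: a trimmed-down Logic App ARM template in the shape of a
# playbook's azuredeploy.json. The parameter name CustomLogName, the action names
# and the deliberately wrong default value ("...Alert" instead of "...Alerts")
# are assumptions for this example, not taken from the Recorded Future solution.
SAMPLE_ARM_TEMPLATE = json.loads(r'''
{
  "parameters": {
    "PlaybookName": {"type": "string", "defaultValue": "RecordedFuture-Alert-Importer"},
    "CustomLogName": {"type": "string", "defaultValue": "RecordedFuturePortalAlert"}
  },
  "resources": [{
    "type": "Microsoft.Logic/workflows",
    "properties": {"definition": {"actions": {
      "For_each_alert": {"type": "Foreach", "actions": {
        "Send_Data": {"type": "ApiConnection", "inputs": {
          "method": "post", "path": "/api/logs",
          "headers": {"Log-Type": "[parameters('CustomLogName')]"}
        }}
      }}
    }}}
  }]
}
''')

# Constructed sample in the shape of an Analytic Rule YAML; the column names in
# the query are assumptions. Only the _CL table references matter for the check.
SAMPLE_RULE_YAML = """\
id: 00000000-0000-0000-0000-000000000000
name: RecordedFutureAlerts
kind: Scheduled
query: |
  RecordedFuturePortalAlerts_CL
  | where TimeGenerated > ago(1h)
  | project AlertTitle_s, AlertUrl_s, Triggered_t
"""

# Matches both ARM-style "[parameters('X')]" and workflow-style "@parameters('X')".
PARAM_REF = re.compile(r"^\[?@?parameters\('([^']+)'\)\]?$")


def resolve_log_type(value, template):
    """Return the literal Log-Type, resolving a parameter reference to the
    template parameter's defaultValue. Returns None if it cannot be resolved."""
    if not isinstance(value, str):
        return None
    match = PARAM_REF.match(value.strip())
    if not match:
        return value
    param = template.get("parameters", {}).get(match.group(1), {})
    return param.get("defaultValue")


def walk_actions(actions):
    """Yield (name, action) for every action, descending into scopes, loops
    and both branches of conditions."""
    for name, action in (actions or {}).items():
        yield name, action
        yield from walk_actions(action.get("actions"))
        yield from walk_actions(action.get("else", {}).get("actions"))


def tables_written(template):
    """Map each Data Collector send action to the _CL table it writes to
    (None when the Log-Type could not be resolved statically)."""
    out = {}
    for resource in template.get("resources", []):
        if resource.get("type") != "Microsoft.Logic/workflows":
            continue
        actions = resource.get("properties", {}).get("definition", {}).get("actions", {})
        for name, action in walk_actions(actions):
            log_type = action.get("inputs", {}).get("headers", {}).get("Log-Type")
            if log_type is None:
                continue
            resolved = resolve_log_type(log_type, template)
            out[name] = f"{resolved}_CL" if resolved else None
    return out


def tables_queried(rule_yaml):
    """Every custom (_CL) table referenced anywhere in the rule's query text."""
    return set(re.findall(r"\b\w+_CL\b", rule_yaml))


def check_alignment(template, rule_yaml):
    """Report the sends whose target table the rule never reads; an unresolved
    Log-Type (None) is reported as a mismatch so it gets checked by hand."""
    written = tables_written(template)
    queried = tables_queried(rule_yaml)
    mismatches = {action: table for action, table in written.items() if table not in queried}
    return {"written": written, "queried": sorted(queried), "mismatches": mismatches}


if __name__ == "__main__":
    report = check_alignment(SAMPLE_ARM_TEMPLATE, SAMPLE_RULE_YAML)
    print(json.dumps(report, indent=2))
    if report["mismatches"]:
        raise SystemExit("Custom Log Name does not match the Analytic Rule table")
```

To run it against a real deployment, replace the two samples with json.load on the playbook's azuredeploy.json and the text of the matching IncidentCreation rule YAML, and repeat for all four playbook/rule pairs. On the sample above the report lists RecordedFuturePortalAlert_CL as written but RecordedFuturePortalAlerts_CL as queried, which is exactly the condition under which the playbook runs green and no incident ever appears.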
Note: the Analytic Rule alert description can surface only three fields; the remaining context stays available by querying the custom log tables directly.
Notes
PR discussion context: the PR author confirmed that the change is driven by Microsoft removing Logic Apps-based incident creation compatibility with the Defender portal. The Copilot review flagged a version-number inconsistency in the documentation (some docs reference v4.0 while the solution ships as v3.2.20); this does not affect functionality but may cause confusion during upgrade planning.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/RecordedFuturePlaybookAlerts_CL.json
.script/tests/KqlvalidationsTests/CustomTables/RecordedFuturePortalAlerts_CL.json
.script/tests/KqlvalidationsTests/CustomTables/RecordedFutureSandboxResults_CL.json
Solutions/Recorded Future/Analytic Rules/IncidentCreation/RecordedFutureAlerts.yaml
Solutions/Recorded Future/Analytic Rules/IncidentCreation/RecordedFuturePlaybookAlerts.yaml
Solutions/Recorded Future/Analytic Rules/IncidentCreation/RecordedFutureSandboxEmailAttachment.yaml
Solutions/Recorded Future/Analytic Rules/IncidentCreation/RecordedFutureSandboxStorageAccount.yaml
Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingDomainAllActors.yaml
Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingHashAllActors.yaml
Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingIPAllActors.yaml
Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingUrlAllActors.yaml
Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json
Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Playbook-Alert-Importer/azuredeploy.json
Solutions/Recorded Future/Playbooks/Alerts/readme.md
Solutions/Recorded Future/Playbooks/Images/defender_analytics.png
Solutions/Recorded Future/Playbooks/Images/defender_hub.png
Solutions/Recorded Future/Playbooks/Images/defender_workbook.png
Solutions/Recorded Future/Playbooks/Images/playbook_templates.png
Solutions/Recorded Future/Playbooks/Images/threat_intel_contethub.png
Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Outlook_Attachment/azuredeploy.json
Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_StorageAccount/azuredeploy.json
Solutions/Recorded Future/Playbooks/Sandboxing/readme.md
Solutions/Recorded Future/Playbooks/ThreatHunting/RecordedFuture-ThreatMapMalware-Importer/azuredeploy.json
Solutions/Recorded Future/Playbooks/readme.md
(packaging artefacts: 3.2.20.zip, ReleaseNotes.md, Solution_RecordedFuture.json, createUiDefinition.json, mainTemplate.json)