RecordedFuture: Add IOC-Enrichment threshold#13545

Merged
v-atulyadav merged 13 commits into Azure:master from recordedfuture:ioc-enrichment-threshold on Apr 2, 2026

Conversation

@aommm
Contributor

@aommm aommm commented Feb 3, 2026

Change(s):
- Add RiskScoreThreshold to the RecordedFuture-IOC_Enrichment logic app. If the risk score is lower than the threshold, the playbook won't post a comment to the incident.

Version Updated:

  • Yes

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • See guidance below

@aommm aommm requested review from a team as code owners February 3, 2026 12:09
@v-atulyadav v-atulyadav added the Solution Solution specialty review needed label Feb 3, 2026
@v-shukore
Contributor

Hi @aommm, please fix arm-ttk validation failures. Thanks!!

@aommm
Contributor Author

aommm commented Feb 4, 2026

Hi @v-shukore ,
I looked at the logs now and I would appreciate some assistance.

  • General question: can I run the validation locally?

apiVersions Should Be Recent

  • How can we see which resources the failures are referring to? I don't see it in the GitHub Action logs; they don't say in which files/lines the failure occurred.
  • How to figure out a correct API version for e.g. Microsoft.OperationalInsights/workspaces/providers/contentTemplates?
    • When I now bump the API version for these resources, could this result in breaking changes?

URIs Should Be Properly Constructed

  • Similar question here, how can I see where the failures occurred, which URIs is it referring to?

Thanks!

@aommm
Contributor Author

aommm commented Feb 10, 2026

Hi @v-shukore , could you offer any guidance on this? 🙏

@v-shukore
Contributor

v-shukore commented Feb 11, 2026

Hi @aommm, you can validate this locally. If the arm-ttk check is failing, please review the maintemplate.json file and update it accordingly. Thanks!
[screenshot]

@aommm
Contributor Author

aommm commented Feb 11, 2026

@v-shukore please see my questions above

@aommm
Contributor Author

aommm commented Feb 17, 2026

@v-shukore we haven't changed anything relating to URLs or apiVersions so it's hard for us to know what to do about the failure. Could you offer any guidance on the questions above? We have customers waiting for this fix so would be nice to get this merged ASAP.

@aommm
Contributor Author

aommm commented Feb 23, 2026

@v-atulyadav , could you give us any guidance here on how to proceed? It seems @v-shukore is not active anymore.

@v-shukore
Contributor

Hi @aommm, sorry for the delay. I am currently looking into this issue and will need some time. Thanks.

@v-shukore
Contributor

Hi @aommm, could you please update this branch with master once. Thanks!!

@aommm aommm force-pushed the ioc-enrichment-threshold branch from fbd5d56 to 279fee4 on February 23, 2026 12:35
@aommm aommm force-pushed the ioc-enrichment-threshold branch from 279fee4 to a1a063c on February 23, 2026 12:37
@aommm
Contributor Author

aommm commented Feb 23, 2026

Thanks for the prompt reply @v-shukore , much appreciated :) I rebased the branch now

@v-shukore
Contributor

Hi @aommm, ARM‑TTK is still failing for the same issue. I’m reviewing this internally and will update you shortly. Thanks!

@aommm
Contributor Author

aommm commented Mar 2, 2026

Hi @v-shukore , any update on this? 🙏

@aommm
Contributor Author

aommm commented Mar 9, 2026

@v-shukore did you figure out what the errors mean or which part of mainTemplate.json is problematic?

@v-shukore
Contributor

Hi @aommm, could you please grant me access to this branch? I need to do some troubleshooting to find the cause of the arm-ttk failure. Thanks!!

@aommm
Contributor Author

aommm commented Mar 10, 2026

@v-shukore I don't have access to these repository settings unfortunately. Alternatively, could you check out this branch and then create a new branch from it, that you push to the Azure/Azure-Sentinel remote?

@aommm
Contributor Author

aommm commented Mar 16, 2026

@v-shukore / @v-atulyadav we would be grateful if you could expedite this. We have been waiting since 3rd of February (almost 6 weeks) and we still have no info on how to proceed. If you cannot do anything without push access then please say so, and I can contact various IT departments to see if I can get you access.

Also as previously mentioned, it's not possible for us to work on this ourselves since

  1. the pipeline logs don't mention where the problem occurs.
  2. we don't know how to run the validation locally.

In addition to helping us with this PR, it would be great if you could eventually address these two items. That would be helpful for the future and for other contributors. Thanks!

@v-shukore
Contributor

Hi @aommm, we checked and found that the issue continues because of a recent change in the Playbook. To fix it, please remove the URL from the Maybe_add_comment_to_incident_(V3)_-_URL parameter in the playbook and replace it with another word, as shown in the screenshot. Thanks!!
[screenshot]

@aommm
Contributor Author

aommm commented Mar 23, 2026

Hi @v-shukore , thanks for investigating! Looks like it was tricky to find the cause, but glad that you found it.

I pushed a fix now where I changed it from "URL" to "Url" - let's see if that works. Can you re-run the validation pipeline? (There was another step called Parse_JSON_-_Url which made me think that it may be OK to just change the casing)
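Two questions in this thread went unanswered for weeks: how to run the validation locally, and how to find which resource or string a failing arm-ttk test is complaining about. arm-ttk itself is a PowerShell module (Test-AzTemplate) and its output names the test, not the JSON path. The script below is an added example, not code from the Azure-Sentinel repository, Recorded Future, or arm-ttk: a heuristic locator that prints the JSON path of every apiVersion (flagging ones older than a cutoff) and of every key or string containing a URI-looking token, so a large mainTemplate.json can be searched by hand. It does not reimplement arm-ttk's rules. The embedded template is constructed; the action names Parse_JSON_-_Url and Maybe_add_comment_to_incident_(V3)_-_URL come from the thread, while the apiVersions, the RiskScoreThreshold default of 65 and the greaterOrEquals expression are illustrative assumptions. Treating "url" as a token even when attached by underscores is also an assumption, based only on the observation above that renaming that action cleared the failure.

```python
"""Heuristic locator for two arm-ttk failures: "apiVersions Should Be Recent" and
"URIs Should Be Properly Constructed". Added example; not arm-ttk's own logic."""
import json
import re
import sys
from datetime import date

# "url" with underscores treated as separators: in the PR thread the offending
# string was an action *name* ending in "_URL" (assumption about what arm-ttk matches).
URI_TOKEN = re.compile(r"https?://|(?<![A-Za-z0-9])url(?![A-Za-z0-9])", re.IGNORECASE)
API_VERSION = re.compile(r"^(\d{4}-\d{2}-\d{2})(-[A-Za-z]+)?$")

# Constructed sample resembling a Sentinel playbook template (apiVersions,
# threshold default and expression are illustrative, not the real playbook's).
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"RiskScoreThreshold": {"type": "int", "defaultValue": 65}},
    "resources": [
        {"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
         "apiVersion": "2023-04-01-preview", "name": "constructed-content-template"},
        {"type": "Microsoft.Logic/workflows", "apiVersion": "2019-05-01",
         "name": "RecordedFuture-IOC_Enrichment",
         "properties": {"definition": {"actions": {
             "Parse_JSON_-_Url": {"type": "ParseJson"},
             "Condition_-_Url": {
                 "type": "If",
                 "expression": {"and": [{"greaterOrEquals": [
                     "@int(body('Parse_JSON_-_Url')?['risk']?['score'])",
                     "@int(parameters('RiskScoreThreshold'))"]}]},
                 "actions": {"Maybe_add_comment_to_incident_(V3)_-_URL": {"type": "ApiConnection"}}}}}}},
    ],
}


def find_api_versions(template):
    """(json_path, resource_type, apiVersion) for every resource, nested ones included."""
    found = []

    def visit(node, path):
        if isinstance(node, dict):
            if isinstance(node.get("apiVersion"), str) and "type" in node:
                found.append((f"{path}.apiVersion", node["type"], node["apiVersion"]))
            for key, value in node.items():
                visit(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                visit(value, f"{path}[{i}]")

    visit(template, "$")
    return found


def find_stale_api_versions(template, today, max_age_days=730):
    """Resources whose apiVersion is older than max_age_days or not date-shaped.
    arm-ttk's guidance is roughly two years, but it also knows the provider's latest
    version, which this coarse filter does not; treat hits as places to look."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    stale = []
    for path, rtype, version in find_api_versions(template):
        m = API_VERSION.match(version)
        if m is None or (today - date.fromisoformat(m.group(1))).days > max_age_days:
            stale.append((path, rtype, version))
    return stale


def find_uri_candidates(template):
    """(json_path, 'key' | 'value', text) for every dict key or string leaf that
    contains a URI-looking token. The template's own $schema is skipped."""
    hits = []

    def visit(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "$schema":
                    continue
                child = f"{path}.{key}"
                if URI_TOKEN.search(key):
                    hits.append((child, "key", key))
                visit(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                visit(value, f"{path}[{i}]")
        elif isinstance(node, str) and URI_TOKEN.search(node):
            hits.append((path, "value", node))

    visit(template, "$")
    return hits


def main(argv):
    # Pass the path of a real mainTemplate.json; with no argument the sample is scanned.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    today = date.today()
    print(f"apiVersions older than 730 days as of {today}:")
    for path, rtype, version in find_stale_api_versions(template, today):
        print(f"  {version:22} {rtype}\n      at {path}")
    print("keys/strings containing a URI-looking token:")
    for path, kind, text in find_uri_candidates(template):
        print(f"  [{kind}] {text!r}\n      at {path}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, the URI pass reports four places, including the action name from the thread and the expression that references Parse_JSON_-_Url by name, which matches the thread's experience that renaming one occurrence was not enough. Once the candidates are narrowed down, confirm each change with the real check (Test-AzTemplate from the arm-ttk module) rather than with this script.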

@v-shukore v-shukore requested a review from Copilot March 24, 2026 03:35
Contributor

Copilot AI left a comment


Pull request overview

Adds a configurable risk-score threshold to the Recorded Future IOC enrichment playbook to reduce incident comment noise by skipping comments for low-risk entities.

Changes:

  • Added RiskScoreThreshold parameter and gating If conditions before adding incident comments in the logic app.
  • Updated playbook documentation and solution release notes to describe the new threshold behavior.
  • Bumped solution version metadata.

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated 8 comments.

Reviewed files:

  • Solutions/Recorded Future/ReleaseNotes.md: Adds a release note entry for the new threshold behavior/version.
  • Solutions/Recorded Future/Playbooks/Enrichment/readme.md: Documents the threshold-based comment suppression behavior.
  • Solutions/Recorded Future/Playbooks/Enrichment/RecordedFuture-IOC_Enrichment/azuredeploy.json: Implements RiskScoreThreshold and conditionally posts comments based on risk score.
  • Solutions/Recorded Future/Data/Solution_RecordedFuture.json: Updates solution version and base path metadata.

Review comment threads (collapsed on this page):

  • Solutions/Recorded Future/Data/Solution_RecordedFuture.json
  • Solutions/Recorded Future/ReleaseNotes.md (outdated)
  • Solutions/Recorded Future/Playbooks/Enrichment/readme.md
  • Solutions/Recorded Future/Playbooks/Enrichment/readme.md
@aommm
Contributor Author

aommm commented Mar 30, 2026

Hi @v-shukore , please have a look at the updated Release notes.

@v-shukore
Contributor

Hi @aommm, I ran arm-ttk locally, but it's still failing. I believe there might be another URL in the code, as shown in the screenshot below. Please update that as well and commit. Thanks!
[screenshot]

@aommm
Contributor Author

aommm commented Apr 1, 2026

Fixed and pushed, @v-shukore , please have a look!

@v-shukore
Contributor

Hi @aommm, I checked and the issue still persists. I tested locally by removing the entire URL word, and after that, arm-ttk did not fail. Please remove it and commit the changes as shown in the screenshot below. Thanks!
[screenshot]

@aommm
Contributor Author

aommm commented Apr 1, 2026

@v-shukore thanks for checking. I renamed it to something totally different now, please try again!

@v-atulyadav v-atulyadav merged commit f72d2ca into Azure:master Apr 2, 2026
33 checks passed
Labels

Solution Solution specialty review needed


4 participants