Microsoft Defender for Endpoint

This Integration is part of the Microsoft Defender for Endpoint Pack.

Overview

Use the Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) integration for preventative protection, post-breach detection, automated investigation, and response.

Microsoft Defender Advanced Threat Protection Playbook

  • Microsoft Defender Advanced Threat Protection Get Machine Action Status

Use Cases

  • Fetching incidents.
  • Managing machines and performing actions on them.
  • Blocking files and applications.
  • Uploading and digesting threat indicators for the actions of allow, block, or alert.

Authentication

For more details about the authentication used in this integration, see Microsoft Integrations - Authentication.

Note: If you previously configured the Windows Defender ATP integration, you need to perform the authentication flow again for this integration and enter the authentication parameters you receive when configuring the integration instance.

Required Permissions

  • AdvancedQuery.Read.All - Application
  • Alert.ReadWrite.All - Application
  • File.Read.All - Application
  • Ip.Read.All - Application
  • Machine.CollectForensics - Application
  • Machine.Isolate - Application
  • Machine.ReadWrite.All - Application
  • Machine.RestrictExecution - Application
  • Machine.Scan - Application
  • Machine.StopAndQuarantine - Application
  • ThreatIndicators.ReadWrite.OwnedBy - Application. Please note - this permission is only used for the deprecated indicators command. If you are not using the deprecated indicators command, it is not required.
  • Url.Read.All - Application
  • User.Read.All - Application
  • Ti.ReadWrite (Read and write IOCs belonging to the app) - Application
  • Vulnerability.Read.All - Application

Configure Microsoft Defender for Endpoint on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Microsoft Defender for Endpoint.

  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Example |
| --- | --- | --- |
| Name | A meaningful name for the integration instance. | XXXXX Instance Alpha |
| Host URL | The URL to the Microsoft Defender for Endpoint server, including the scheme. | https://api.securitycenter.windows.com |
| ID | The ID used to gain access to the integration. | N/A |
| Token | A piece of data that servers use to verify for authenticity. | eea810f5-a6f6 |
| Certificate Thumbprint | Used for certificate authentication. As appears in the "Certificates & secrets" page of the app. | A97BF50B7BB6D909CE8CAAF9FA8109A571134C33 |
| Private Key | Used for certificate authentication. The private key of the registered certificate. | eea810f5-a6f6 |
| Fetch Incidents | Whether to fetch the incidents. | N/A |
| Incident Type | The type of incident to select. | Phishing |
| Status to filter out alerts for fetching as incidents | The property values are "New", "InProgress" or "Resolved". Comma-separated lists are supported, e.g., New,Resolved. | New,In Progress,Resolved |
| Severity to filter out alerts for fetching as incidents | The property values are "Informational", "Low", "Medium" and "High". Comma-separated lists are supported, e.g., Medium,High. | Medium,High |
| Trust any Certificate (Not Secure) | When selected, certificates are not checked. | N/A |
| Use system proxy settings | Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. | https://proxyserver.com |
| First Fetch Timestamp | The first timestamp to be fetched, in "number, time unit" format. | 12 hours, 7 days |
| self-deployed | Use a self-deployed Azure Application. | N/A |

  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data

  • id
  • incidentId
  • investigationId
  • assignedTo
  • severity
  • status
  • classification
  • determination
  • investigationState
  • detectionSource
  • category
  • threatFamilyName
  • title
  • description
  • alertCreationTime
  • firstEventTime
  • lastEventTime
  • lastUpdateTime
  • resolvedTime
  • machineId
  • computerDnsName
  • aadTenantId
  • relatedUser
  • comments
  • evidence
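The fetch parameters above (First Fetch Timestamp, the status and severity filters) and the incident field list are easiest to understand from the fetch cycle they drive. The following Python is an added example, not the integration's own code: it turns those instance parameters into an OData $filter for the Defender for Endpoint alerts API, maps each returned alert onto an XSOAR incident (keeping the raw alert so every field listed above is available for mapping), and de-duplicates across fetch runs. The filter property names (alertCreationTime, status, severity) are the API's; the severity-to-XSOAR mapping, the last_run layout and SAMPLE_ALERTS are assumptions constructed for this demonstration, and the HTTP call itself is omitted.

```python
"""Added example, not the integration's own code: turn the fetch parameters
('First Fetch Timestamp', 'Status'/'Severity to filter out alerts') into an
OData $filter for the Defender for Endpoint alerts API and map the returned
alerts onto incidents, de-duplicating across runs. The HTTP call is omitted;
SAMPLE_ALERTS is constructed for the demonstration."""
import json
import re
from datetime import datetime, timedelta, timezone

_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}
# Cortex XSOAR incident severity scale: 0.5 informational, 1 low, 2 medium, 3 high
_SEVERITY = {"Informational": 0.5, "Low": 1, "Medium": 2, "High": 3}


def parse_first_fetch(text: str, now: datetime) -> datetime:
    """Parse '<number> <time unit>' such as '12 hours' or '7 days' relative to now."""
    m = re.fullmatch(r"\s*(\d+)\s+([A-Za-z]+?)s?\s*", text)
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"unsupported first-fetch value: {text!r}")
    return now - timedelta(**{_UNITS[m.group(2).lower()]: int(m.group(1))})


def parse_timestamp(value: str) -> datetime:
    """Parse an API timestamp; the API emits up to 7 fractional digits, fromisoformat wants 6."""
    value = re.sub(r"\.(\d+)", lambda m: "." + (m.group(1) + "000000")[:6], value.rstrip("Z"))
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def _or_clause(prop: str, csv: str) -> str:
    """'New,Resolved' -> "status eq 'New' or status eq 'Resolved'" (empty csv -> '')."""
    values = [v.strip() for v in csv.split(",") if v.strip()]
    for v in values:
        if "'" in v:  # a quote would terminate the OData string literal early
            raise ValueError(f"invalid {prop} value: {v!r}")
    return " or ".join(f"{prop} eq '{v}'" for v in values)


def build_alert_filter(since: datetime, status_csv: str = "", severity_csv: str = "") -> str:
    """Lower time bound ('ge', so alerts on the boundary are not lost) AND optional lists."""
    parts = [f"alertCreationTime ge {since.strftime('%Y-%m-%dT%H:%M:%SZ')}"]
    for prop, csv in (("status", status_csv), ("severity", severity_csv)):
        clause = _or_clause(prop, csv)
        if clause:
            parts.append(f"({clause})")
    return " and ".join(parts)


def alert_to_incident(alert: dict) -> dict:
    """Map one API alert onto an XSOAR incident; rawJSON carries every alert field."""
    hashes = sorted({e[k] for e in alert.get("evidence") or [] for k in ("sha1", "sha256") if e.get(k)})
    return {
        "name": f"{alert['id']} {alert.get('title') or ''}".strip(),
        "occurred": alert["alertCreationTime"],
        "severity": _SEVERITY.get(alert.get("severity"), 0),
        "evidenceHashes": hashes,
        "rawJSON": json.dumps(alert),
    }


def fetch_incidents(alerts: list, last_run: dict) -> tuple:
    """Return (incidents, new_last_run) for one fetch cycle.

    last_run keeps the newest alertCreationTime ingested and the IDs created at
    exactly that time, because the next 'ge' query returns those alerts again."""
    seen = set(last_run.get("ids", []))
    since = parse_timestamp(last_run["time"]) if last_run.get("time") else None
    fresh = sorted(
        (a for a in alerts
         if a["id"] not in seen and (since is None or parse_timestamp(a["alertCreationTime"]) >= since)),
        key=lambda a: parse_timestamp(a["alertCreationTime"]),
    )
    if not fresh:
        return [], last_run
    newest = fresh[-1]["alertCreationTime"]
    ids = [a["id"] for a in fresh if a["alertCreationTime"] == newest]
    if last_run.get("time") == newest:
        ids += sorted(seen)
    return [alert_to_incident(a) for a in fresh], {"time": newest, "ids": ids}


SAMPLE_ALERTS = [  # constructed; field names follow the alert context example on this page
    {"id": "alert_1", "incidentId": 648, "title": "'Test_File' malware was prevented",
     "severity": "Informational", "status": "Resolved", "category": "Malware",
     "alertCreationTime": "2022-02-07T10:26:40.05748Z",
     "evidence": [{"entityType": "File", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "sha256": None}]},
    {"id": "alert_2", "incidentId": 649, "title": "Suspicious process", "severity": "High",
     "status": "New", "category": "Execution", "alertCreationTime": "2022-02-07T11:00:00Z", "evidence": []},
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(build_alert_filter(parse_first_fetch("7 days", now), "New,InProgress", "Medium,High"))
    incidents, last_run = fetch_incidents(SAMPLE_ALERTS, {})
    print(len(incidents), "incidents; next run starts at", last_run["time"])
```

The filter uses `ge` rather than `gt` on the time bound so that alerts created in the same second as the last ingested one are not skipped; the ID list in `last_run` is what prevents those boundary alerts from being ingested twice.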

Commands


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. microsoft-atp-isolate-machine
  2. microsoft-atp-unisolate-machine
  3. microsoft-atp-get-machines
  4. microsoft-atp-get-file-related-machines
  5. microsoft-atp-get-machine-details
  6. microsoft-atp-run-antivirus-scan
  7. microsoft-atp-list-alerts
  8. microsoft-atp-update-alert
  9. microsoft-atp-advanced-hunting
  10. microsoft-atp-create-alert
  11. microsoft-atp-get-alert-related-user
  12. microsoft-atp-get-alert-related-files
  13. microsoft-atp-get-alert-related-ips
  14. microsoft-atp-get-alert-related-domains
  15. microsoft-atp-list-machine-actions-details
  16. microsoft-atp-collect-investigation-package
  17. microsoft-atp-get-investigation-package-sas-uri
  18. microsoft-atp-restrict-app-execution
  19. microsoft-atp-remove-app-restriction
  20. microsoft-atp-stop-and-quarantine-file
  21. microsoft-atp-list-investigations
  22. microsoft-atp-start-investigation
  23. microsoft-atp-get-domain-statistics
  24. microsoft-atp-get-domain-alerts
  25. microsoft-atp-get-domain-machines
  26. microsoft-atp-get-file-statistics
  27. microsoft-atp-get-file-alerts
  28. microsoft-atp-get-ip-statistics
  29. microsoft-atp-get-ip-alerts
  30. microsoft-atp-get-user-alerts
  31. microsoft-atp-get-user-machines
  32. microsoft-atp-add-remove-machine-tag
  33. microsoft-atp-indicator-list (deprecated)
  34. microsoft-atp-indicator-get-by-id (deprecated)
  35. microsoft-atp-indicator-create-network (deprecated)
  36. microsoft-atp-indicator-create-file (deprecated)
  37. microsoft-atp-indicator-update (deprecated)
  38. microsoft-atp-indicator-delete (deprecated)
  39. microsoft-atp-sc-indicator-list
  40. microsoft-atp-sc-indicator-get-by-id
  41. microsoft-atp-sc-indicator-create
  42. microsoft-atp-sc-indicator-update
  43. microsoft-atp-sc-indicator-delete
  44. microsoft-atp-list-machines-by-vulnerability
  45. microsoft-atp-get-file-info
  46. endpoint
  47. microsoft-atp-indicator-batch-update
  48. microsoft-atp-get-alert-by-id
  49. microsoft-atp-request-and-download-investigation-package

1. microsoft-atp-isolate-machine

Isolates a machine from accessing the external network.

Required Permissions

Machine.Isolate

Base Command

microsoft-atp-isolate-machine

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | A comma-separated list of machine IDs to be used for isolation, e.g., 0a3250e0693a109f1affc9217be9459028aa8426,0a3250e0693a109f1affc9217be9459028aa8424. | Required |
| comment | A comment to associate with the action. | Required |
| isolation_type | Full isolation or selective isolation (selective isolation restricts only a limited set of applications from accessing the network). Possible values are: Full, Selective. | Required |
Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The machine action ID. |
| MicrosoftATP.MachineAction.Type | String | Type of the machine action. |
| MicrosoftATP.MachineAction.Scope | Unknown | Scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | Comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The machine ID on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The machine DNS name on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", and "MD5". |
Command example

!microsoft-atp-isolate-machine comment=isolate_test_3 isolation_type=Full machine_id="12342c13fef,12342c13fef8f06606"

Context Example

```json
{
  "MicrosoftATP": {
    "MachineAction": [
      {
        "ComputerDNSName": "desktop-s2455r8",
        "CreationDateTimeUtc": "2022-01-25T14:25:52.6227941Z",
        "ID": "1f3098e20464",
        "LastUpdateTimeUtc": null,
        "MachineID": "12342c13fef",
        "RelatedFileInfo": {
          "FileIdentifier": null,
          "FileIdentifierType": null
        },
        "Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
        "RequestorComment": "isolate_test_3",
        "Scope": "Full",
        "Status": "Pending",
        "Type": "Isolate"
      },
      {
        "ComputerDNSName": "desktop-s2455r9",
        "CreationDateTimeUtc": "2022-01-25T14:25:53.2395007Z",
        "ID": "6d39a3da0744",
        "LastUpdateTimeUtc": null,
        "MachineID": "12342c13fef8f06606",
        "RelatedFileInfo": {
          "FileIdentifier": null,
          "FileIdentifierType": null
        },
        "Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
        "RequestorComment": "isolate_test_3",
        "Scope": "Full",
        "Status": "Pending",
        "Type": "Isolate"
      }
    ]
  }
}
```
Human Readable Output

The isolation request has been submitted successfully:

| ID | Type | Requestor | RequestorComment | Status | MachineID | ComputerDNSName |
| --- | --- | --- | --- | --- | --- | --- |
| 1f3098e20464 | Isolate | 2f48b784-5da5-4e61-9957-012d2630f1e4 | isolate_test_3 | Pending | 12342c13fef | desktop-s2455r8 |
| 6d39a3da0744 | Isolate | 2f48b784-5da5-4e61-9957-012d2630f1e4 | isolate_test_3 | Pending | 12342c13fef8f06606 | desktop-s2455r9 |
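The isolate command returns one MachineAction per requested machine, each still in the Pending state; the "Get Machine Action Status" playbook listed at the top of this page exists to poll those actions to completion. The following Python is an added example, not the integration's or playbook's own code: it reconciles the comma-separated machine_id list that was submitted against the MachineAction records that came back (so a machine the service silently returned no action for is noticed, and an action of the wrong Type is not trusted), and picks out the action IDs that still need polling. The status names are the machine-action states documented for the Defender for Endpoint API and are treated here as an assumption; SUBMITTED is constructed from the context example above.

```python
"""Added example, not the integration's own code: reconcile a multi-machine
action request with the MachineAction records it returned and decide which
action IDs still have to be polled. Status names are assumed to be the
Defender for Endpoint machine-action states; SUBMITTED is constructed from
the context example above."""

PENDING_STATES = {"Pending", "InProgress"}
FINAL_STATES = {"Succeeded", "Failed", "Cancelled", "TimeOut"}


def _split_ids(csv: str) -> list:
    return [m.strip() for m in csv.split(",") if m.strip()]


def reconcile_actions(machine_id_csv: str, expected_type: str, actions: list) -> dict:
    """Map every requested machine ID to its action status.

    A machine the service returned no action for is reported as 'NotSubmitted'
    so the caller can retry it; an action of a different Type (e.g. a stale
    Unisolate) is reported as 'Mismatch' rather than silently trusted."""
    by_machine = {a["MachineID"]: a for a in actions}
    result = {}
    for mid in _split_ids(machine_id_csv):
        action = by_machine.get(mid)
        if action is None:
            result[mid] = "NotSubmitted"
        elif action["Type"] != expected_type:
            result[mid] = "Mismatch"
        elif action["Status"] not in PENDING_STATES | FINAL_STATES:
            raise ValueError(f"unknown machine action status {action['Status']!r}")
        else:
            result[mid] = action["Status"]
    return result


def actions_to_poll(actions: list) -> list:
    """Action IDs whose status can still change; poll these, not the settled ones."""
    return [a["ID"] for a in actions if a["Status"] in PENDING_STATES]


def all_settled(actions: list) -> bool:
    """True once every action has reached a final state."""
    return all(a["Status"] in FINAL_STATES for a in actions)


SUBMITTED = [  # constructed from the context example above (other fields omitted)
    {"ID": "1f3098e20464", "Type": "Isolate", "Scope": "Full", "Status": "Pending",
     "MachineID": "12342c13fef", "ComputerDNSName": "desktop-s2455r8"},
    {"ID": "6d39a3da0744", "Type": "Isolate", "Scope": "Full", "Status": "Pending",
     "MachineID": "12342c13fef8f06606", "ComputerDNSName": "desktop-s2455r9"},
]

if __name__ == "__main__":
    # 'notreturned01' is a placeholder for a machine ID the service answered nothing for
    print(reconcile_actions("12342c13fef,12342c13fef8f06606,notreturned01", "Isolate", SUBMITTED))
    print("poll:", actions_to_poll(SUBMITTED), "settled:", all_settled(SUBMITTED))
```

In a playbook loop, `actions_to_poll` would feed the list-machine-actions-details command on each iteration and `all_settled` would end the loop; anything reported as NotSubmitted or Mismatch should surface to the analyst rather than be counted as isolated.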

2. microsoft-atp-unisolate-machine

Removes a machine from isolation.

Required Permissions

Machine.Isolate

Base Command

microsoft-atp-unisolate-machine

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | A comma-separated list of machine IDs to be used to stop the isolation, e.g., 0a3250e0693a109f1affc9217be9459028aa8426,0a3250e0693a109f1affc9217be9459028aa8424. | Required |
| comment | Comment to associate with the action. | Required |
Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The machine action ID. |
| MicrosoftATP.MachineAction.Type | String | Type of the action. |
| MicrosoftATP.MachineAction.Scope | Unknown | Scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The machine ID on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The machine DNS name on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", and "MD5". |
Command example

!microsoft-atp-unisolate-machine comment=unisolate_test machine_id="4899036531e3,f70f9fe6b29"

Context Example

```json
{
  "MicrosoftATP": {
    "MachineAction": [
      {
        "ComputerDNSName": "desktop-s2455r8",
        "CreationDateTimeUtc": "2022-01-25T14:23:01.3053556Z",
        "ID": "488176cc",
        "LastUpdateTimeUtc": null,
        "MachineID": "4899036531e3",
        "RelatedFileInfo": {
          "FileIdentifier": null,
          "FileIdentifierType": null
        },
        "Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
        "RequestorComment": "unisolate_test",
        "Scope": null,
        "Status": "Pending",
        "Type": "Unisolate"
      },
      {
        "ComputerDNSName": "desktop-s2455r9",
        "CreationDateTimeUtc": "2022-01-25T14:23:01.8421701Z",
        "ID": "a6422c40",
        "LastUpdateTimeUtc": null,
        "MachineID": "f70f9fe6b29",
        "RelatedFileInfo": {
          "FileIdentifier": null,
          "FileIdentifierType": null
        },
        "Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
        "RequestorComment": "unisolate_test",
        "Scope": null,
        "Status": "Pending",
        "Type": "Unisolate"
      }
    ]
  }
}
```
Human Readable Output

The request to stop the isolation has been submitted successfully:

| ID | Type | Requestor | RequestorComment | Status | MachineID | ComputerDNSName |
| --- | --- | --- | --- | --- | --- | --- |
| 488176cc | Unisolate | 2f48b784-5da5-4e61-9957-012d2630f1e4 | unisolate_test | Pending | 4899036531e3 | devicename_2 |
| a6422c40 | Unisolate | 2f48b784-5da5-4e61-9957-012d2630f1e4 | unisolate_test | Pending | f70f9fe6b29 | devicename_1 |

3. microsoft-atp-get-machines

Retrieves a collection of machines that have communicated with the WDATP cloud in the last 30 days. Note: only one of ip or hostname can be a comma-separated list; if both are given as lists, the command returns an error.

Base Command

microsoft-atp-get-machines

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | A comma-separated list of computer DNS names. | Optional |
| ip | A comma-separated list of the last machine IPs to access the internet. | Optional |
| risk_score | The machine risk score. Possible values are: Low, Medium, High. | Optional |
| health_status | The machine health status. Possible values are: Active, Inactive. | Optional |
| os_platform | The machine's OS platform. Only a single platform can be added. | Optional |
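The argument rules above (hostname and ip may each be a list but not both; risk_score, health_status and os_platform take one value) are worth enforcing before a request is sent, because every argument ends up inside an OData string literal. The following Python is an added example, not the integration's own code: it validates a get-machines argument dict the way the note describes and composes the $filter and request URL for the Defender for Endpoint /api/machines endpoint. The API property names (computerDnsName, lastExternalIpAddress, riskScore, healthStatus, osPlatform) are the service's machine properties; the clause layout and error wording are this example's own, and the host is the Host URL parameter from the configuration section.

```python
"""Added example, not the integration's own code: validate the get-machines
arguments (hostname and ip may each be a list, but not both) and build the
OData $filter and URL for the Defender for Endpoint /api/machines endpoint."""
import ipaddress
from urllib.parse import quote

# argument -> API machine property; only hostname and ip accept a list
PROPS = {"hostname": "computerDnsName", "ip": "lastExternalIpAddress",
         "risk_score": "riskScore", "health_status": "healthStatus", "os_platform": "osPlatform"}
ALLOWED = {"risk_score": {"Low", "Medium", "High"}, "health_status": {"Active", "Inactive"}}
LIST_ARGS = {"hostname", "ip"}


def _split(csv) -> list:
    return [v.strip() for v in (csv or "").split(",") if v.strip()]


def validate_machine_args(args: dict) -> list:
    """Return a list of problems (empty when the arguments are acceptable)."""
    errors = []
    if len(_split(args.get("hostname"))) > 1 and len(_split(args.get("ip"))) > 1:
        errors.append("only one of 'hostname' or 'ip' may be a comma-separated list")
    for arg in PROPS:
        values = _split(args.get(arg))
        if arg not in LIST_ARGS and len(values) > 1:
            errors.append(f"'{arg}' accepts a single value")
        for v in values:
            if "'" in v:  # would break out of the OData string literal
                errors.append(f"'{arg}' contains an invalid character: {v!r}")
            elif arg in ALLOWED and v not in ALLOWED[arg]:
                errors.append(f"'{arg}' must be one of {sorted(ALLOWED[arg])}, got {v!r}")
        if arg == "ip":
            for v in values:
                try:
                    ipaddress.ip_address(v)
                except ValueError:
                    errors.append(f"'ip' contains an invalid address: {v!r}")
    return errors


def build_machines_filter(args: dict) -> str:
    """Compose '<prop> eq ...' clauses; a list argument becomes a parenthesised 'or' group."""
    errors = validate_machine_args(args)
    if errors:
        raise ValueError("; ".join(errors))
    clauses = []
    for arg, prop in PROPS.items():
        values = _split(args.get(arg))
        if not values:
            continue
        terms = [f"{prop} eq '{v}'" for v in values]
        clauses.append(terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")")
    return " and ".join(clauses)


def machines_url(host_url: str, args: dict) -> str:
    """Full request URL; the $filter value is percent-encoded as an HTTP client sends it."""
    flt = build_machines_filter(args)
    base = host_url.rstrip("/") + "/api/machines"
    return f"{base}?$filter={quote(flt)}" if flt else base


if __name__ == "__main__":
    example = {"hostname": "desktop-s", "health_status": "Active",
               "os_platform": "Windows10", "ip": "1.2.3.4,1.2.3.5"}  # the command example on this page
    print(machines_url("https://api.securitycenter.windows.com", example))
    print(validate_machine_args({"hostname": "a,b", "ip": "1.2.3.4,1.2.3.5"}))
```

Rejecting a single quote in any value is the cheap way to keep user input from escaping the OData string literal; the IP and enum checks catch typos before they turn into an empty result set that looks like "no such machine".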

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Machine.ID | String | The machine ID. |
| MicrosoftATP.Machine.ComputerDNSName | String | The machine DNS name. |
| MicrosoftATP.Machine.FirstSeen | Date | The first date and time the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.LastSeen | Date | The last date and time the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.OSPlatform | String | The operating system platform. |
| MicrosoftATP.Machine.OSVersion | String | The operating system version. |
| MicrosoftATP.Machine.OSProcessor | String | The operating system processor. |
| MicrosoftATP.Machine.LastIPAddress | String | The last IP on the machine. |
| MicrosoftATP.Machine.LastExternalIPAddress | String | The last machine IP to access the internet. |
| MicrosoftATP.Machine.OSBuild | Number | The operating system build number. |
| MicrosoftATP.Machine.HealthStatus | String | The machine health status. |
| MicrosoftATP.Machine.RBACGroupID | Number | The machine RBAC group ID. |
| MicrosoftATP.Machine.RBACGroupName | String | The machine RBAC group name. |
| MicrosoftATP.Machine.RiskScore | String | The machine risk score. |
| MicrosoftATP.Machine.ExposureLevel | String | The machine exposure score. |
| MicrosoftATP.Machine.IsAADJoined | Boolean | True if machine is AAD joined, False otherwise. |
| MicrosoftATP.Machine.AADDeviceID | String | The AAD Device ID. |
| MicrosoftATP.Machine.MachineTags | String | Set of machine tags. |

Command example

!microsoft-atp-get-machines hostname=desktop-s health_status=Active os_platform=Windows10 ip=1.2.3.4,1.2.3.5

Context Example

```json
{
  "MicrosoftATP": {
    "Machine": {
      "AgentVersion": "10.8040.19041.1466",
      "ComputerDNSName": "desktop-s",
      "ExposureLevel": "Medium",
      "FirstSeen": "2020-02-20T14:44:11.4627779Z",
      "HealthStatus": "Active",
      "ID": "f70f9fe6b29",
      "IPAddresses": [
        {"ipAddress": "1.2.3.4", "macAddress": "1213123", "operationalStatus": "Up", "type": "Ethernet"},
        {"ipAddress": "1234::1234:1234:1234:1234", "macAddress": "1213123", "operationalStatus": "Up", "type": "Ethernet"},
        {"ipAddress": "127.0.0.1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"},
        {"ipAddress": "::1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"}
      ],
      "IsAADJoined": true,
      "LastExternalIPAddress": "127.0.0.1",
      "LastIPAddress": "1.2.3.4",
      "LastSeen": "2022-01-26T11:14:22.9649216Z",
      "MachineTags": [
        "new test",
        "test add tag",
        "testing123"
      ],
      "OSBuild": 19042,
      "OSPlatform": "Windows10",
      "OSProcessor": "x64",
      "OSVersion": "20H2",
      "RBACGroupID": 0,
      "RiskScore": "Medium"
    }
  }
}
```

Human Readable Output

Microsoft Defender ATP Machines:

| ID | ComputerDNSName | OSPlatform | LastIPAddress | LastExternalIPAddress | HealthStatus | RiskScore | ExposureLevel |
| --- | --- | --- | --- | --- | --- | --- | --- |
| f70f9fe6b29 | desktop-s | Windows10 | 1.2.3.4 | 127.0.0.1 | Active | Medium | Medium |

4. microsoft-atp-get-file-related-machines

Gets a collection of machines related to a given file's SHA1 hash.

Required Permissions

Machine.ReadWrite.All

Base Command

microsoft-atp-get-file-related-machines

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file_hash | A comma-separated list of file SHA1 hashes for which to get the related machines. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.FileMachine.Machines.ID | String | The machine ID. |
| MicrosoftATP.FileMachine.Machines.ComputerDNSName | String | The machine DNS name. |
| MicrosoftATP.FileMachine.Machines.FirstSeen | Date | The first date and time the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.FileMachine.Machines.LastSeen | Date | The last date and time the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.FileMachine.Machines.OSPlatform | String | The operating system platform. |
| MicrosoftATP.FileMachine.Machines.OSVersion | String | The operating system version. |
| MicrosoftATP.FileMachine.Machines.OSProcessor | String | The operating system processor. |
| MicrosoftATP.FileMachine.Machines.OSBuild | Number | Operating system build number. |
| MicrosoftATP.FileMachine.Machines.LastIPAddress | String | The last IP on the machine. |
| MicrosoftATP.FileMachine.Machines.LastExternalIPAddress | String | The last machine IP to access the internet. |
| MicrosoftATP.FileMachine.Machines.HealthStatus | String | The machine health status. |
| MicrosoftATP.FileMachine.Machines.RBACGroupID | Number | The machine RBAC group ID. |
| MicrosoftATP.FileMachine.Machines.RBACGroupName | String | The machine RBAC group name. |
| MicrosoftATP.FileMachine.Machines.RiskScore | String | The machine risk score. |
| MicrosoftATP.FileMachine.Machines.ExposureLevel | String | The machine exposure score. |
| MicrosoftATP.FileMachine.Machines.IsAADJoined | Boolean | True if machine is AAD joined, False otherwise. |
| MicrosoftATP.FileMachine.Machines.AADDeviceID | String | The AAD Device ID. |
| MicrosoftATP.FileMachine.Machines.MachineTags | String | Set of machine tags. |
| MicrosoftATP.FileMachine.File | String | The machine related file hash. |

Command example

!microsoft-atp-get-file-related-machines file_hash=1234567891acvgfdertukthgfdertyjhgfdset54,1234567891acvgfdertukthgfdertyjhgfdset53

Context Example

```json
{
  "MicrosoftATP": {
    "FileMachine": [
      {
        "File": "1234567891acvgfdertukthgfdertyjhgfdset54",
        "Machines": [
          {
            "AgentVersion": "10.8040.19041.1466",
            "ComputerDNSName": "desktop-s9",
            "ExposureLevel": "Medium",
            "FirstSeen": "2020-02-20T14:44:11.4627779Z",
            "HealthStatus": "Active",
            "ID": "f70f9fe6",
            "IPAddresses": [
              {"ipAddress": "1.2.3.4", "macAddress": "123456789121", "operationalStatus": "Up", "type": "Ethernet"},
              {"ipAddress": "1234::1234:1234:3177:11dc", "macAddress": "123456789121", "operationalStatus": "Up", "type": "Ethernet"},
              {"ipAddress": "127.0.0.1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"},
              {"ipAddress": "::1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"}
            ],
            "IsAADJoined": true,
            "LastExternalIPAddress": "127.0.0.1",
            "LastIPAddress": "1.2.3.4",
            "LastSeen": "2022-01-25T11:14:39.7435843Z",
            "MachineTags": [
              "new test",
              "test add tag",
              "testing123"
            ],
            "OSBuild": 19042,
            "OSPlatform": "Windows10",
            "OSProcessor": "x64",
            "OSVersion": "20H2",
            "RBACGroupID": 0,
            "RiskScore": "Medium"
          }
        ]
      },
      {
        "File": "1234567891acvgfdertukthgfdertyjhgfdset53",
        "Machines": [
          {
            "AADDeviceID": "cfcf4177-227e-4cdb-ac8e-f9a3da1ca30c",
            "AgentVersion": "10.8040.19041.1466",
            "ComputerDNSName": "desktop-s8",
            "ExposureLevel": "Medium",
            "FirstSeen": "2020-02-17T08:30:07.2415577Z",
            "HealthStatus": "Active",
            "ID": "48990365",
            "IPAddresses": [
              {"ipAddress": "1.2.3.5", "macAddress": "005056941386", "operationalStatus": "Up", "type": "Ethernet"},
              {"ipAddress": "123::1234:dd40:bc6e:23e1", "macAddress": "123456789123", "operationalStatus": "Up", "type": "Ethernet"},
              {"ipAddress": "127.0.0.1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"},
              {"ipAddress": "::1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"}
            ],
            "IsAADJoined": true,
            "LastExternalIPAddress": "127.0.0.1",
            "LastIPAddress": "1.2.3.5",
            "LastSeen": "2022-01-25T11:19:44.718919Z",
            "MachineTags": [
              "test Tag 2",
              "test Tag 5"
            ],
            "OSBuild": 19043,
            "OSPlatform": "Windows10",
            "OSProcessor": "x64",
            "OSVersion": "21H1",
            "RBACGroupID": 0,
            "RiskScore": "Low"
          }
        ]
      }
    ]
  }
}
```

Human Readable Output

Microsoft Defender ATP machines related to files ['1234567891acvgfdertukthgfdertyjhgfdset54', '1234567891acvgfdertukthgfdertyjhgfdset53']

| ID | ComputerDNSName | OSPlatform | LastIPAddress | LastExternalIPAddress | HealthStatus | RiskScore | ExposureLevel |
| --- | --- | --- | --- | --- | --- | --- | --- |
| f70f9fe6 | desktop-s9 | Windows10 | 1.2.3.4 | 127.0.0.1 | Active | Medium | Medium |
| 48990365 | desktop-s8 | Windows10 | 1.2.3.5 | 127.0.0.1 | Active | Low | Medium |

5. microsoft-atp-get-machine-details

Gets a machine's details by its identity.

Required Permissions

Machine.ReadWrite.All

Base Command

microsoft-atp-get-machine-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | A comma-separated list of machine IDs used to get the machine details, e.g., 0a3250e0693a109f1affc9217be9459028aa8426,0a3250e0693a109f1affc9217be9459028aa8424. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Machine.ID | String | The machine ID. |
| MicrosoftATP.Machine.ComputerDNSName | String | The machine DNS name. |
| MicrosoftATP.Machine.FirstSeen | Date | The first date and time the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.LastSeen | Date | The last date and time the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.OSPlatform | String | The operating system platform. |
| MicrosoftATP.Machine.OSVersion | String | The operating system version. |
| MicrosoftATP.Machine.OSProcessor | String | The operating system processor. |
| MicrosoftATP.Machine.LastIPAddress | String | The last IP on the machine. |
| MicrosoftATP.Machine.LastExternalIPAddress | String | The last machine IP to access the internet. |
| MicrosoftATP.Machine.OSBuild | Number | The operating system build number. |
| MicrosoftATP.Machine.HealthStatus | String | The machine health status. |
| MicrosoftATP.Machine.RBACGroupID | Number | The machine RBAC group ID. |
| MicrosoftATP.Machine.RBACGroupName | String | The machine RBAC group name. |
| MicrosoftATP.Machine.RiskScore | String | The machine risk score. |
| MicrosoftATP.Machine.ExposureLevel | String | The machine exposure level. |
| MicrosoftATP.Machine.IsAADJoined | Boolean | True if machine is AAD joined, False otherwise. |
| MicrosoftATP.Machine.AADDeviceID | String | The AAD Device ID. |
| MicrosoftATP.Machine.MachineTags | String | Set of machine tags. |
| MicrosoftATP.Machine.NetworkInterfaces.MACAddress | String | MAC address of the network interface. |
| MicrosoftATP.Machine.NetworkInterfaces.IPAddresses | String | IP address(es) of the network interface. |
| MicrosoftATP.Machine.NetworkInterfaces.Type | String | Type of the network interface (e.g. Ethernet). |
| MicrosoftATP.Machine.NetworkInterfaces.Status | String | Status of the network interface (e.g. Up, Down). |

Command example

!microsoft-atp-get-machine-details machine_id=f70f9fe6b29,4899036531e

Context Example

```json
{
  "MicrosoftATP": {
    "Machine": [
      {
        "AgentVersion": "10.8040.19041.1466",
        "ComputerDNSName": "desktop-s9",
        "ExposureLevel": "Medium",
        "FirstSeen": "2020-02-20T14:44:11.4627779Z",
        "HealthStatus": "Active",
        "ID": "f70f9fe6",
        "IPAddresses": [
          {"ipAddress": "1.2.3.4", "macAddress": "1234645645", "operationalStatus": "Up", "type": "Ethernet"},
          {"ipAddress": "1234::1234:1234:3177:11dc", "macAddress": "1234645645", "operationalStatus": "Up", "type": "Ethernet"},
          {"ipAddress": "127.0.0.1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"},
          {"ipAddress": "::1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"}
        ],
        "IsAADJoined": true,
        "LastExternalIPAddress": "127.0.0.1",
        "LastIPAddress": "1.2.3.4",
        "LastSeen": "2022-01-25T11:14:39.7435843Z",
        "MachineTags": [
          "new test",
          "test add tag",
          "testing123"
        ],
        "OSBuild": 19042,
        "OSPlatform": "Windows10",
        "OSProcessor": "x64",
        "OSVersion": "20H2",
        "RBACGroupID": 0,
        "RiskScore": "Medium"
      },
      {
        "AADDeviceID": "cfcf4177-227e-4cdb-ac8e-f9a3da1ca30c",
        "AgentVersion": "10.8040.19041.1466",
        "ComputerDNSName": "desktop-s8",
        "ExposureLevel": "Medium",
        "FirstSeen": "2020-02-17T08:30:07.2415577Z",
        "HealthStatus": "Active",
        "ID": "48990365",
        "IPAddresses": [
          {"ipAddress": "1.2.3.5", "macAddress": "1234645645", "operationalStatus": "Up", "type": "Ethernet"},
          {"ipAddress": "1234::1234:1234:bc6e:23e1", "macAddress": "1234645645", "operationalStatus": "Up", "type": "Ethernet"},
          {"ipAddress": "127.0.0.1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"},
          {"ipAddress": "::1", "macAddress": "", "operationalStatus": "Up", "type": "SoftwareLoopback"}
        ],
        "IsAADJoined": true,
        "LastExternalIPAddress": "127.0.0.1",
        "LastIPAddress": "1.2.3.5",
        "LastSeen": "2022-01-25T11:19:44.718919Z",
        "MachineTags": [
          "test Tag 2",
          "test Tag 5"
        ],
        "OSBuild": 19043,
        "OSPlatform": "Windows10",
        "OSProcessor": "x64",
        "OSVersion": "21H1",
        "RBACGroupID": 0,
        "RiskScore": "Low"
      }
    ]
  }
}
```

Human Readable Output

Microsoft Defender ATP machines ['f70f9fe6b29','4899036531e'] details:

| ID | ComputerDNSName | OSPlatform | LastIPAddress | LastExternalIPAddress | HealthStatus | RiskScore | ExposureLevel | IPAddresses |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| f70f9fe6 | desktop-s9 | Windows10 | 1.2.3.4 | 127.0.0.1 | Active | Medium | Medium | 1. MAC: 1234645645, IP Addresses: 1.2.3.4, 1234::1234:1234:3177:11dc, Type: Ethernet, Status: Up; 2. MAC: (none), IP Addresses: 127.0.0.1, ::1, Type: SoftwareLoopback, Status: Up |
| 48990365 | desktop-s8 | Windows10 | 1.2.3.5 | 127.0.0.1 | Active | Low | Medium | 1. MAC: 1234645645, IP Addresses: 1.2.3.5, 1234::1234:1234:bc6e:23e1, Type: Ethernet, Status: Up; 2. MAC: (none), IP Addresses: 127.0.0.1, ::1, Type: SoftwareLoopback, Status: Up |

6. microsoft-atp-run-antivirus-scan

Initiates a Microsoft Defender Antivirus scan on a machine.

Required Permissions

Machine.Scan

Base Command

microsoft-atp-run-antivirus-scan

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | A comma-separated list of machine IDs to run the scan on. | Required |
| comment | A comment to associate with the action. | Required |
| scan_type | Defines the type of the scan. Possible values are: Quick, Full. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The machine action ID. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | Unknown | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The machine ID on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The machine DNS name on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", and "MD5". |

Command example

!microsoft-atp-run-antivirus-scan machine_id=f70f9fe6,48990365 comment=test3 scan_type=Quick

Context Example

```json
{
  "MicrosoftATP": {
    "MachineAction": [
      {
        "ComputerDNSName": "desktop-s9",
        "CreationDateTimeUtc": "2022-01-25T17:57:18.7944822Z",
        "ID": "98cf0adc",
        "LastUpdateTimeUtc": null,
        "MachineID": "f70f9fe6",
        "RelatedFileInfo": {
          "FileIdentifier": null,
          "FileIdentifierType": null
        },
        "Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
        "RequestorComment": "test3",
        "Scope": "Quick",
        "Status": "Pending",
        "Type": "RunAntiVirusScan"
      },
      {
        "ComputerDNSName": "desktop-s8",
        "CreationDateTimeUtc": "2022-01-25T17:57:20.0458595Z",
        "ID": "ecee8124",
        "LastUpdateTimeUtc": null,
        "MachineID": "48990365",
        "RelatedFileInfo": {
          "FileIdentifier": null,
          "FileIdentifierType": null
        },
        "Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
        "RequestorComment": "test3",
        "Scope": "Quick",
        "Status": "Pending",
        "Type": "RunAntiVirusScan"
      }
    ]
  }
}
```

Human Readable Output

Antivirus scan successfully triggered

| ID | Type | Requestor | RequestorComment | Status | MachineID | ComputerDNSName |
| --- | --- | --- | --- | --- | --- | --- |
| 98cf0adc | RunAntiVirusScan | 2f48b784-5da5-4e61-9957-012d2630f1e4 | test3 | Pending | f70f9fe6 | desktop-s9 |
| ecee8124 | RunAntiVirusScan | 2f48b784-5da5-4e61-9957-012d2630f1e4 | test3 | Pending | 48990365 | desktop-s8 |

7. microsoft-atp-list-alerts

Gets a list of alerts that are present on the system. Filtering can be done on a single argument only.

Required Permissions

Alert.ReadWrite.All

Base Command

microsoft-atp-list-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| severity | Alert severity. Possible values are: High, Medium, Low, Informational. | Optional |
| status | Alert status. Possible values are: New, InProgress, Resolved. | Optional |
| category | Alert category; only one can be added. | Optional |
| limit | The maximum number of alerts to display. Default is 50. | Optional |
| creation_time | The creation timestamp from which to get alerts (<number> <time unit>, e.g., 12 hours, 7 days). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Alert.ID | String | The alert ID. |
| MicrosoftATP.Alert.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.Alert.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.Alert.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.Alert.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.Alert.Severity | String | The severity of the alert. |
| MicrosoftATP.Alert.Status | String | The current status of the alert. |
| MicrosoftATP.Alert.Classification | String | The alert classification. |
| MicrosoftATP.Alert.Determination | String | The determination of the alert. |
| MicrosoftATP.Alert.DetectionSource | String | The detection source. |
| MicrosoftATP.Alert.Category | String | The category of the alert. |
| MicrosoftATP.Alert.ThreatFamilyName | String | The threat family. |
| MicrosoftATP.Alert.Title | String | The alert title. |
| MicrosoftATP.Alert.Description | String | The alert description. |
| MicrosoftATP.Alert.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.Alert.FirstEventTime | Date | The first event time that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastEventTime | Date | The last event time that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastUpdateTime | Date | The UTC time of the last update. |
| MicrosoftATP.Alert.ResolvedTime | Date | The date and time at which the status of the alert was changed to 'Resolved'. |
| MicrosoftATP.Alert.MachineID | String | The machine ID that is associated with the alert. |
| MicrosoftATP.Alert.ComputerDNSName | String | The machine DNS name. |
| MicrosoftATP.Alert.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.Alert.Comments.Comment | String | The alert comment text. |
| MicrosoftATP.Alert.Comments.CreatedBy | String | Who created the alert comment. |
| MicrosoftATP.Alert.Comments.CreatedTime | Date | The time the alert comment was created. |
| MicrosoftATP.Alert.Evidence | Unknown | Evidence related to the alert. |
| MicrosoftATP.Alert.DetectorID | String | The ID of the detector that triggered the alert. |
| MicrosoftATP.Alert.ThreatName | String | The threat name. |
| MicrosoftATP.Alert.RelatedUser | String | Details of the user related to a specific alert. |
| MicrosoftATP.Alert.MitreTechniques | String | MITRE Enterprise technique ID. |
| MicrosoftATP.Alert.RBACGroupName | String | The device RBAC group name. |

Command example

!microsoft-atp-list-alerts category=Malware severity=Informational status=Resolved creation_time="3 days" limit=1

Context Example

```json
{
  "MicrosoftATP": {
    "Alert": {
      "AADTenantID": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
      "AlertCreationTime": "2022-02-07T10:26:40.05748Z",
      "AssignedTo": "Automation",
      "Category": "Malware",
      "Classification": null,
      "Comments": [
        {
          "Comment": null,
          "CreatedBy": null,
          "CreatedTime": null
        }
      ],
      "ComputerDNSName": "win2016-msde-agent.msde.lab.demisto",
      "Description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.",
      "DetectionSource": "WindowsDefenderAv",
      "DetectorID": "d60f5b90-ecd8-4d77-8186-a801597ec762",
      "Determination": null,
      "Evidence": [
        {
          "aadUserId": null,
          "accountName": null,
          "detectionStatus": "Prevented",
          "domainName": null,
          "entityType": "File",
          "evidenceCreationTime": "2022-02-07T10:26:40.24Z",
          "fileName": "example.com",
          "filePath": "C:\\Users\\admin\\Downloads",
          "ipAddress": null,
          "parentProcessCreationTime": null,
          "parentProcessFileName": null,
          "parentProcessFilePath": null,
          "parentProcessId": null,
          "processCommandLine": null,
          "processCreationTime": null,
          "processId": null,
          "registryHive": null,
          "registryKey": null,
          "registryValue": null,
          "registryValueType": null,
          "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "url": null,
          "userPrincipalName": null,
          "userSid": null
        }
      ],
      "FirstEventTime": "2022-02-07T10:20:52.2188896Z",
      "ID": "da637798264000574516_1915313662",
      "IncidentID": 648,
      "InvestigationID": 675,
      "InvestigationState": "SuccessfullyRemediated",
      "LastEventTime": "2022-02-07T10:20:52.2571395Z",
      "LastUpdateTime": "2022-02-07T10:57:13.93Z",
      "MachineID": "4cceb3c642212014e0e9553aa8b59e999ea515ff",
      "MitreTechniques": [],
      "RBACGroupName": null,
      "RelatedUser": null,
      "ResolvedTime": "2022-02-07T10:57:13.773683Z",
      "Severity": "Informational",
      "Status": "Resolved",
      "ThreatFamilyName": "Test_File",
      "ThreatName": "Test_File",
      "Title": "'Test_File' malware was prevented"
    }
  }
}
```

Human Readable Output#

Microsoft Defender ATP alerts with limit of 1:#

| ID | Title | Description | IncidentID | Severity | Status | Category | ThreatFamilyName | MachineID |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| da637798264000574516_1915313662 | 'Test_File' malware was prevented | Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks. This detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection. | 648 | Informational | Resolved | Malware | Test_File | 4cceb3c642212014e0e9553aa8b59e999ea515ff |

8. microsoft-atp-update-alert#


Updates the properties of an alert entity.

Required Permissions#

Alert.ReadWrite.All

Base Command#

microsoft-atp-update-alert

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of the alert to update. | Required |
| status | The alert status to set. Possible values: "New", "InProgress", and "Resolved". | Optional |
| assigned_to | The owner of the alert. | Optional |
| classification | The classification of the alert. Possible values: "Unknown", "FalsePositive", and "TruePositive". | Optional |
| determination | The determination of the alert. Possible values: "NotAvailable", "Apt", "Malware", "SecurityPersonnel", "SecurityTesting", "UnwantedSoftware", and "Other". | Optional |
| comment | The comment to add to the alert. | Optional |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Alert.ID | String | The ID of the alert. |
| MicrosoftATP.Alert.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.Alert.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.Alert.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.Alert.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.Alert.Severity | String | The severity of the alert. |
| MicrosoftATP.Alert.Status | String | The current status of the alert. |
| MicrosoftATP.Alert.Classification | String | The alert classification. |
| MicrosoftATP.Alert.Determination | String | The determination of the alert. |
| MicrosoftATP.Alert.DetectionSource | String | The detection source. |
| MicrosoftATP.Alert.Category | String | The category of the alert. |
| MicrosoftATP.Alert.ThreatFamilyName | String | The threat family of the alert. |
| MicrosoftATP.Alert.Title | String | The title of the alert. |
| MicrosoftATP.Alert.Description | String | The description of the alert. |
| MicrosoftATP.Alert.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.Alert.FirstEventTime | Date | The time of the first event that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastEventTime | Date | The time of the last event that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastUpdateTime | Date | The UTC time of the last update. |
| MicrosoftATP.Alert.ResolvedTime | Date | The date and time at which the status of the alert was changed to "Resolved". |
| MicrosoftATP.Alert.MachineID | String | The ID of the machine associated with the alert. |
| MicrosoftATP.Alert.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.Alert.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.Alert.Comments.Comment | String | The comment text of the alert. |
| MicrosoftATP.Alert.Comments.CreatedBy | String | The creator of the alert comment. |
| MicrosoftATP.Alert.Comments.CreatedTime | Date | The time and date the alert comment was created. |
Command Example#

!microsoft-atp-update-alert alert_id=da637200417169017725_183736971 status=InProgress

Context Example#
{
"MicrosoftATP.Alert": {
"Status": "InProgress",
"ID": "da637200417169017725_183736971"
}
}
Human Readable Output#

The alert da637200417169017725_183736971 has been updated successfully

9. microsoft-atp-advanced-hunting#


Runs programmatic queries in the Microsoft Defender ATP Portal (https://securitycenter.windows.com/hunting). A query can only cover data from the last 30 days, and returns at most 10,000 rows. Execution is limited to 15 calls per minute, 15 minutes of running time per hour, and 4 hours of running time per day.

Required Permissions#

AdvancedQuery.Read.All

Base Command#

microsoft-atp-advanced-hunting

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| query | The query to run. | Required |
| timeout | The amount of time (in seconds) that a request waits for the query response before a timeout occurs. | Optional |
| time_range | The time range to look back. Expected syntax is a human-readable time range, e.g. 60 minutes, 6 hours, 1 day. | Optional |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Hunt.Result | String | The query results. |
Command Example#

!microsoft-atp-advanced-hunting query="DeviceLogonEvents | take 1 | project DeviceId, ReportId, tostring(Timestamp)"

Context Example#
{
"MicrosoftATP.Hunt.Result": [
{
"DeviceId": "4899036531e374137f63289c3267bad772c13fef",
"Timestamp": "2020-02-23T07:14:42.1599815Z",
"ReportId": "35275"
}
]
}
Human Readable Output#
Hunt results#
| Timestamp | DeviceId | ReportId |
| --- | --- | --- |
| 2020-02-23T07:14:42.1599815Z | 4899036531e374137f63289c3267bad772c13fef | 35275 |

10. microsoft-atp-create-alert#


Creates a new alert entity from event data obtained with an advanced hunting query (the machine ID, report ID and event time of the row the alert is based on).

Required Permissions#

Alert.ReadWrite.All

Base Command#

microsoft-atp-create-alert

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | The ID of the machine on which the event was identified. | Required |
| severity | The severity of the alert. Possible values: "Low", "Medium", and "High". | Required |
| title | The title of the alert. | Required |
| description | The description of the alert. | Required |
| recommended_action | The recommended action for the security officer to take when analyzing the alert. | Required |
| event_time | The time of the event, as obtained from the advanced hunting query. | Required |
| report_id | The report ID, as obtained from the advanced hunting query. | Required |
| category | The category of the alert. | Required |
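An added example, not the integration's own code, covering the advanced hunting limits from command 9 and the hunting-to-alert hand-off in this command: it scopes a KQL query by the time_range argument, enforces the 30-day lookback and the 15-calls-per-minute budget on the client side, and maps a hunting result row onto the create-alert arguments. The function names, the CallBudget class and the `ago()` clause it inserts are this example's own assumptions; the sample row is the one from the hunting context example above.

```python
"""Client-side guards for advanced hunting and the hunt-to-alert mapping.

Added example; it assumes only what the command reference states:
time_range strings such as "60 minutes", "6 hours" or "1 day", a 30-day
lookback limit, 15 calls per minute, and that create-alert takes its
machine_id, report_id and event_time from the DeviceId, ReportId and
Timestamp columns of a hunting result.
"""
import re
from collections import deque
from datetime import timedelta
from typing import Optional

MAX_LOOKBACK = timedelta(days=30)
CALLS_PER_MINUTE = 15
ALERT_SEVERITIES = {"Low", "Medium", "High"}

# Units accepted in the human-readable time_range argument (assumed set).
_UNIT_SECONDS = {
    "minute": 60, "minutes": 60,
    "hour": 3600, "hours": 3600,
    "day": 86400, "days": 86400,
}


def parse_time_range(text: str) -> timedelta:
    """Parse '<number> <unit>' into a timedelta; anything else is rejected."""
    match = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", text)
    if not match or match.group(2).lower() not in _UNIT_SECONDS:
        raise ValueError(f"unsupported time range: {text!r}")
    unit = match.group(2).lower()
    return timedelta(seconds=int(match.group(1)) * _UNIT_SECONDS[unit])


def scope_query(query: str, time_range: Optional[str] = None) -> str:
    """Insert a Timestamp filter directly after the source table of a KQL query.

    The range is checked against the 30-day retention window so a query
    never silently asks for data the service cannot return.
    """
    if not time_range:
        return query.strip()
    delta = parse_time_range(time_range)
    if delta > MAX_LOOKBACK:
        raise ValueError("advanced hunting only covers the last 30 days")
    minutes = int(delta.total_seconds() // 60)
    table, sep, rest = query.partition("|")
    scoped = f"{table.strip()} | where Timestamp > ago({minutes}m)"
    return f"{scoped} | {rest.strip()}" if sep else scoped


class CallBudget:
    """Sliding one-minute window over the documented 15 calls per minute.

    The hourly and daily limits are on query running time, which the
    caller cannot observe, so only the per-minute call count is enforced.
    """

    def __init__(self, limit: int = CALLS_PER_MINUTE, window_seconds: int = 60):
        self.limit = limit
        self.window = window_seconds
        self._calls = deque()  # timestamps of calls inside the window

    def try_acquire(self, now: float) -> bool:
        """Record a call at time `now` if the window still has capacity."""
        while self._calls and now - self._calls[0] >= self.window:
            self._calls.popleft()
        if len(self._calls) >= self.limit:
            return False
        self._calls.append(now)
        return True


def create_alert_args(row: dict, *, severity: str, title: str, description: str,
                      recommended_action: str, category: str) -> dict:
    """Map one hunting result row onto the microsoft-atp-create-alert arguments."""
    if severity not in ALERT_SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(ALERT_SEVERITIES)}")
    missing = [c for c in ("DeviceId", "ReportId", "Timestamp") if not row.get(c)]
    if missing:
        raise KeyError(f"hunting row lacks {missing}; project them in the query")
    return {
        "machine_id": row["DeviceId"],
        "report_id": str(row["ReportId"]),
        "event_time": row["Timestamp"],
        "severity": severity,
        "title": title,
        "description": description,
        "recommended_action": recommended_action,
        "category": category,
    }


if __name__ == "__main__":
    # Row shape from the hunting context example above (values copied from it).
    sample_row = {"DeviceId": "4899036531e374137f63289c3267bad772c13fef",
                  "Timestamp": "2020-02-23T07:14:42.1599815Z", "ReportId": "35275"}
    print(scope_query("DeviceLogonEvents | take 1 | project DeviceId, ReportId, tostring(Timestamp)", "6 hours"))
    print(create_alert_args(sample_row, severity="Low", title="testing alert", description="test",
                            recommended_action="runAntiVirusScan", category="Backdoor"))
```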
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Alert.ID | String | The ID of the alert. |
| MicrosoftATP.Alert.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.Alert.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.Alert.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.Alert.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.Alert.Severity | String | The severity of the alert. |
| MicrosoftATP.Alert.Status | String | The current status of the alert. |
| MicrosoftATP.Alert.Classification | String | The classification of the alert. |
| MicrosoftATP.Alert.Determination | String | The determination of the alert. |
| MicrosoftATP.Alert.DetectionSource | String | The detection source. |
| MicrosoftATP.Alert.Category | String | The category of the alert. |
| MicrosoftATP.Alert.ThreatFamilyName | String | The threat family of the alert. |
| MicrosoftATP.Alert.Title | String | The title of the alert. |
| MicrosoftATP.Alert.Description | String | The description of the alert. |
| MicrosoftATP.Alert.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.Alert.FirstEventTime | Date | The time of the first event that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastEventTime | Date | The time of the last event that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastUpdateTime | Date | The UTC time of the last update. |
| MicrosoftATP.Alert.ResolvedTime | Date | The date and time at which the status of the alert was changed to "Resolved". |
| MicrosoftATP.Alert.MachineID | String | The ID of the machine associated with the alert. |
| MicrosoftATP.Alert.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.Alert.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.Alert.Comments.Comment | String | The comment text of the alert. |
| MicrosoftATP.Alert.Comments.CreatedBy | String | The creator of the alert comment. |
| MicrosoftATP.Alert.Comments.CreatedTime | Date | The time and date the alert comment was created. |
Command Example#

!microsoft-atp-create-alert category=Backdoor description="test" report_id=20279 event_time=2020-02-23T07:22:07.1532018Z machine_id=deviceid_2 recommended_action="runAntiVirusScan" severity=Low title="testing alert"

Context Example#
{
"MicrosoftATP.Alert": {
"Category": "Backdoor",
"ThreatFamilyName": null,
"Severity": "Low",
"LastEventTime": "2020-02-23T07:22:07.1532018Z",
"FirstEventTime": "2020-02-23T07:22:07.1532018Z",
"Comments": [
{
"Comment": null,
"CreatedTime": null,
"CreatedBy": null
}
],
"AADTenantID": "TENANT-ID",
"AlertCreationTime": "2020-03-22T15:44:23.5446957Z",
"Status": "New",
"Description": "test",
"InvestigationState": "PendingApproval",
"MachineID": "4899036531e374137f63289c3267bad772c13fef",
"Title": "testing alert",
"InvestigationID": 10,
"Determination": null,
"IncidentID": 18,
"AssignedTo": null,
"DetectionSource": "CustomerTI",
"ResolvedTime": null,
"ID": "da637204886635759335_1480542752",
"LastUpdateTime": "2020-03-22T15:44:24.6533333Z",
"Classification": null,
"ComputerDNSName": "desktop-s2455r8",
"Evidence": []
}
}
Human Readable Output#
Alert created:#
| ID | Title | Description | IncidentID | Severity | Status | Category | MachineID |
| --- | --- | --- | --- | --- | --- | --- | --- |
| da637204886635759335_1480542752 | testing alert | test | 18 | Low | New | Backdoor | 4899036531e374137f63289c3267bad772c13fef |

11. microsoft-atp-get-alert-related-user#


Retrieves the user associated with a specific alert.

Required Permissions#

User.Read.All

Base Command#

microsoft-atp-get-alert-related-user

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the alert. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.AlertUser.User.ID | String | The ID of the user. |
| MicrosoftATP.AlertUser.User.AccountName | String | The account name. |
| MicrosoftATP.AlertUser.User.AccountDomain | String | The account domain. |
| MicrosoftATP.AlertUser.User.AccountSID | String | The account SID. |
| MicrosoftATP.AlertUser.User.FirstSeen | Date | The date and time the user was first seen. |
| MicrosoftATP.AlertUser.User.LastSeen | Date | The date and time the user was last seen. |
| MicrosoftATP.AlertUser.User.MostPrevalentMachineID | String | The most prevalent machine ID. |
| MicrosoftATP.AlertUser.User.LeastPrevalentMachineID | String | The least prevalent machine ID. |
| MicrosoftATP.AlertUser.User.LogonTypes | String | The user logon types. |
| MicrosoftATP.AlertUser.User.LogonCount | Number | The user logon count. |
| MicrosoftATP.AlertUser.User.DomainAdmin | Number | Whether the user is a domain admin. |
| MicrosoftATP.AlertUser.User.NetworkUser | Number | Whether the user is a network user. |
| MicrosoftATP.AlertUser.AlertID | String | The ID of the alert. |
Command Example#

!microsoft-atp-get-alert-related-user id=da637175364995825348_1865170845

Context Example#
{
"MicrosoftATP.AlertUser": {
"User": {
"LeastPrevalentMachineID": "4899036531e374137f63289c3267bad772c13fef",
"MostPrevalentMachineID": "4899036531e374137f63289c3267bad772c13fef",
"LogonCount": 1,
"NetworkUser": false,
"DomainAdmin": false,
"LogonTypes": null,
"AccountName": "demisto",
"LastSeen": "2020-03-03T12:32:51Z",
"AccountSID": "S-1-5-21-4197691174-1403503641-4006700887-1001",
"AccountDomain": "desktop-s2455r8",
"ID": "desktop-s2455r8\\demisto",
"FirstSeen": "2020-02-23T07:14:42Z"
},
"AlertID": "da637175364995825348_1865170845"
}
}
Human Readable Output#
Alert Related User:#
| AccountDomain | AccountName | AccountSID | DomainAdmin | FirstSeen | ID | LastSeen | LeastPrevalentMachineID | LogonCount | MostPrevalentMachineID | NetworkUser |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| desktop-s2455r8 | demisto | S-1-5-21-4197691174-1403503641-4006700887-1001 | false | 2020-02-23T07:14:42Z | desktop-s2455r8\demisto | 2020-03-03T12:32:51Z | 4899036531e374137f63289c3267bad772c13fef | 1 | 4899036531e374137f63289c3267bad772c13fef | false |

12. microsoft-atp-get-alert-related-files#


Retrieves the files associated with a specific alert.

Required Permissions#

File.Read.All

Base Command#

microsoft-atp-get-alert-related-files

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the alert. | Required |
| limit | The maximum number of files to display. | Optional |
| offset | The page from which to get the related files. | Optional |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.AlertFile.Files.FilePublisher | String | The publisher of the file. |
| MicrosoftATP.AlertFile.Files.Size | Number | The size of the file. |
| MicrosoftATP.AlertFile.Files.GlobalLastObserved | Date | The last time the file was observed. |
| MicrosoftATP.AlertFile.Files.Sha1 | String | The SHA1 hash of the file. |
| MicrosoftATP.AlertFile.Files.IsValidCertificate | Number | Whether the file's signing certificate was successfully verified by the Microsoft Defender ATP agent. |
| MicrosoftATP.AlertFile.Files.Sha256 | String | The SHA256 hash of the file. |
| MicrosoftATP.AlertFile.Files.Signer | String | The file signer. |
| MicrosoftATP.AlertFile.Files.GlobalPrevalence | Number | The prevalence of the file across the organization. |
| MicrosoftATP.AlertFile.Files.DeterminationValue | String | The determination value of the file. |
| MicrosoftATP.AlertFile.Files.GlobalFirstObserved | Date | The first time the file was observed. |
| MicrosoftATP.AlertFile.Files.FileType | String | The type of the file. |
| MicrosoftATP.AlertFile.Files.SignerHash | String | The hash of the signing certificate. |
| MicrosoftATP.AlertFile.Files.Issuer | String | The issuer of the file's certificate. |
| MicrosoftATP.AlertFile.Files.IsPeFile | Number | Whether the file is a portable executable (PE) file. |
| MicrosoftATP.AlertFile.Files.DeterminationType | String | The determination type of the file. |
| MicrosoftATP.AlertFile.Files.FileProductName | Unknown | The product name of the file. |
| MicrosoftATP.AlertFile.Files.Md5 | String | The MD5 hash of the file. |
Command Example#

!microsoft-atp-get-alert-related-files id=da637175364995825348_1865170845

Context Example#
{
"MicrosoftATP.AlertFile": {
"Files": [
{
"DeterminationType": "Unknown",
"SignerHash": "84ec67b9ac9d7789bab500503a7862173f432adb",
"Sha1": "d487580502354c61808c7180d1a336beb7ad4624",
"IsPeFile": true,
"GlobalPrevalence": 45004,
"SizeInBytes": 181248,
"Signer": "Microsoft Windows",
"GlobalFirstObserved": "2019-03-21T22:37:42.7608151Z",
"IsValidCertificate": true,
"GlobalLastObserved": "2020-03-22T22:48:20.608421Z",
"Sha256": "f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3",
"Md5": "f1139811bbf61362915958806ad30211",
"Issuer": "Microsoft Windows Production PCA 2011"
},
{
"DeterminationType": "Unknown",
"SignerHash": "84ec67b9ac9d7789bab500503a7862173f432adb",
"Sha1": "36c5d12033b2eaf251bae61c00690ffb17fddc87",
"IsPeFile": true,
"GlobalPrevalence": 1316463,
"SizeInBytes": 451584,
"Signer": "Microsoft Windows",
"GlobalFirstObserved": "2019-03-21T08:31:08.1952647Z",
"IsValidCertificate": true,
"GlobalLastObserved": "2020-03-23T09:24:49.9664767Z",
"Sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"Md5": "cda48fc75952ad12d99e526d0b6bf70a",
"Issuer": "Microsoft Windows Production PCA 2011"
}
],
"AlertID": "da637175364995825348_1865170845"
}
}
Human Readable Output#
Alert da637175364995825348_1865170845 Related Files:#
| Sha1 | Sha256 | SizeInBytes |
| --- | --- | --- |
| d487580502354c61808c7180d1a336beb7ad4624 | f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3 | 181248 |
| 36c5d12033b2eaf251bae61c00690ffb17fddc87 | 908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53 | 451584 |

13. microsoft-atp-get-alert-related-ips#


Retrieves the IP addresses associated with a specific alert.

Required Permissions#

Ip.Read.All

Base Command#

microsoft-atp-get-alert-related-ips

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the alert. | Required |
| limit | The maximum number of IP addresses to display. | Optional |
| offset | The page from which to get the related IP addresses. | Optional |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.AlertIP.IPs.IpAddress | String | The IP address. |
| MicrosoftATP.AlertIP.AlertID | String | The ID of the alert. |
Command Example#

!microsoft-atp-get-alert-related-ips id=da637200417169017725_183736971 limit=3 offset=0

Context Example#
{
"MicrosoftATP.AlertIP": {
"IPs": [],
"AlertID": "da637200417169017725_183736971"
}
}
Human Readable Output#

Alert da637200417169017725_183736971 Related IPs: []

14. microsoft-atp-get-alert-related-domains#


Retrieves the domains associated with a specific alert.

Required Permissions#

URL.Read.All

Base Command#

microsoft-atp-get-alert-related-domains

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the alert. | Required |
| limit | The maximum number of domains to display. | Optional |
| offset | The page from which to get the related domains. | Optional |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.AlertDomain.Domains.Domain | String | The domain address. |
| MicrosoftATP.AlertDomain.AlertID | Unknown | The ID of the alert. |
Command Example#

!microsoft-atp-get-alert-related-domains id=da637175364995825348_1865170845 limit=2 offset=0

Context Example#
{
"MicrosoftATP.AlertDomain": {
"Domains": [],
"AlertID": "da637175364995825348_1865170845"
}
}
Human Readable Output#

Alert da637175364995825348_1865170845 Related Domains: []

15. microsoft-atp-list-machine-actions-details#


Returns the machine's actions. If an action ID is given, it returns the information on that specific action. Filtering can only be done on a single argument.

Required Permissions#

Machine.ReadWrite.All

Base Command#

microsoft-atp-list-machine-actions-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the action. | Optional |
| status | The machine action status. Possible values are: Pending, InProgress, Succeeded, Failed, TimeOut, Cancelled. | Optional |
| machine_id | A comma-separated list of machine IDs on which the action was executed. | Optional |
| type | The machine action type. Possible values are: RunAntiVirusScan, Offboard, CollectInvestigationPackage, Isolate, Unisolate, StopAndQuarantineFile, RestrictCodeExecution, UnrestrictCodeExecution. | Optional |
| requestor | The ID of the user that executed the action. Only one value can be given. | Optional |
| limit | The maximum number of machine actions to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The machine action ID. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", and "MD5". |

Command example#

!microsoft-atp-list-machine-actions-details machine_id="f70f9fe6,48990365" type=RunAntiVirusScan status=Succeeded

Context Example#

{
"MicrosoftATP": {
"MachineAction": [
{
"ComputerDNSName": "desktop-s9",
"CreationDateTimeUtc": "2022-01-25T17:57:18.7944822Z",
"ID": "98cf0adc",
"LastUpdateTimeUtc": null,
"MachineID": "f70f9fe6",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RequestorComment": "test3",
"Scope": "Quick",
"Status": "Succeeded",
"Type": "RunAntiVirusScan"
},
{
"ComputerDNSName": "desktop-s8",
"CreationDateTimeUtc": "2022-01-25T17:56:04.3073008Z",
"ID": "99a29fc5",
"LastUpdateTimeUtc": null,
"MachineID": "48990365",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RequestorComment": "test2",
"Scope": "Quick",
"Status": "Succeeded",
"Type": "RunAntiVirusScan"
}
]
}
}

Human Readable Output#

Machine actions Info:#

| ID | Type | Requestor | RequestorComment | Status | MachineID | ComputerDNSName |
| --- | --- | --- | --- | --- | --- | --- |
| 98cf0adc | RunAntiVirusScan | 2f48b784-5da5-4e61-9957-012d2630f1e4 | test3 | Succeeded | f70f9fe6 | desktop-s9 |
| 99a29fc5 | RunAntiVirusScan | 2f48b784-5da5-4e61-9957-012d2630f1e4 | test2 | Succeeded | 48990365 | desktop-s8 |

16. microsoft-atp-collect-investigation-package#


Collects an investigation package from a machine.

Required Permissions#

Machine.CollectForensics

Base Command#

microsoft-atp-collect-investigation-package

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| comment | The comment to associate with the action. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The action ID of the machine. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", and "MD5". |
Command Example#

!microsoft-atp-collect-investigation-package comment="testing" machine_id=f70f9fe6b29cd9511652434919c6530618f06606

Context Example#
{
"MicrosoftATP.MachineAction": {
"Status": "Pending",
"CreationDateTimeUtc": "2020-03-23T10:08:05.8010798Z",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"LastUpdateTimeUtc": null,
"ComputerDNSName": null,
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Scope": null,
"Type": "CollectInvestigationPackage",
"ID": "fa952f94-d672-47a6-a637-70b91339c079",
"RequestorComment": "testing"
}
}
Human Readable Output#
Initiating collect investigation package from f70f9fe6b29cd9511652434919c6530618f06606 machine:#
| ID | Type | Requestor | RequestorComment | Status | MachineID |
| --- | --- | --- | --- | --- | --- |
| fa952f94-d672-47a6-a637-70b91339c079 | CollectInvestigationPackage | 2f48b784-5da5-4e61-9957-012d2630f1e4 | testing | Pending | f70f9fe6b29cd9511652434919c6530618f06606 |

17. microsoft-atp-get-investigation-package-sas-uri#


Gets a URI that allows downloading of an investigation package.

Required Permissions#

Machine.CollectForensics

Base Command#

microsoft-atp-get-investigation-package-sas-uri

Input#
Argument NameDescriptionRequired
action_idThe action ID of the machine.Required
Context Output#
PathTypeDescription
MicrosoftATP.InvestigationURI.LinkStringThe investigation package URI.
Command Example#

!microsoft-atp-get-investigation-package-sas-uri action_id=6ae51f8f-68e6-4259-abae-0018fdf2e418

Context Example#
{
"MicrosoftATP.InvestigationURI": {
"Link": "https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=MIICYwYJKoZIhvcNAQcCoIICV"
}
}
Human Readable Output#

Success. This link is valid for a very short time and should be used immediately for downloading the package to a local storage: https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=MIICYwYJKoZIhvcNAQcCoIICV

18. microsoft-atp-restrict-app-execution#


Restricts the execution of all applications on the machine except a predefined set.

Required Permissions#

Machine.RestrictExecution

Base Command#

microsoft-atp-restrict-app-execution

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| comment | The comment to associate with the action. | Optional |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The action ID of the machine. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", and "MD5". |
Command Example#

!microsoft-atp-restrict-app-execution machine_id=f70f9fe6b29cd9511652434919c6530618f06606 comment="test restrict app"

Context Example#
{
"MicrosoftATP.MachineAction": {
"Status": "Pending",
"CreationDateTimeUtc": "2020-03-23T10:08:07.7643812Z",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"LastUpdateTimeUtc": null,
"ComputerDNSName": null,
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Scope": null,
"Type": "RestrictCodeExecution",
"ID": "264c80f0-1452-43fb-92d0-5515dd0b821e",
"RequestorComment": "test restrict app"
}
}
Human Readable Output#
Initiating Restrict execution of all applications on the machine f70f9fe6b29cd9511652434919c6530618f06606 except a predefined set:#
| ID | Type | Requestor | RequestorComment | Status | MachineID |
| --- | --- | --- | --- | --- | --- |
| 264c80f0-1452-43fb-92d0-5515dd0b821e | RestrictCodeExecution | 2f48b784-5da5-4e61-9957-012d2630f1e4 | test restrict app | Pending | f70f9fe6b29cd9511652434919c6530618f06606 |

19. microsoft-atp-remove-app-restriction#


Enables the execution of any application on the machine.

Required Permissions#

Machine.RestrictExecution

Base Command#

microsoft-atp-remove-app-restriction

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| comment | The comment to associate with the action. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The action ID of the machine. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", and "MD5". |
Command Example#

!microsoft-atp-remove-app-restriction machine_id=f70f9fe6b29cd9511652434919c6530618f06606 comment="testing remove restriction"

Context Example#
{
"MicrosoftATP.MachineAction": {
"Status": "Pending",
"CreationDateTimeUtc": "2020-03-23T10:08:08.5355244Z",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"LastUpdateTimeUtc": null,
"ComputerDNSName": null,
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Scope": null,
"Type": "UnrestrictCodeExecution",
"ID": "5e3cc0b8-b1a1-4a07-92bf-4d63ecec1b18",
"RequestorComment": "testing remove restriction"
}
}
Human Readable Output#
Removing applications restriction on the machine f70f9fe6b29cd9511652434919c6530618f06606:#
| ID | Type | Requestor | RequestorComment | Status | MachineID |
| --- | --- | --- | --- | --- | --- |
| 5e3cc0b8-b1a1-4a07-92bf-4d63ecec1b18 | UnrestrictCodeExecution | 2f48b784-5da5-4e61-9957-012d2630f1e4 | testing remove restriction | Pending | f70f9fe6b29cd9511652434919c6530618f06606 |

20. microsoft-atp-stop-and-quarantine-file#


Stops the execution of a file on a machine and deletes it.

Required Permissions#

Machine.StopAndQuarantine

Base Command#

microsoft-atp-stop-and-quarantine-file

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | The ID of the machine. When providing multiple values, each value is checked for the same hash. | Required |
| file_hash | The SHA1 hash of the file to stop and quarantine on the machine. When providing multiple values, each value is checked for the same machine_id. | Required |
| comment | The comment to associate with the action. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The action ID of the machine. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", and "MD5". |
Command Example#

!microsoft-atp-stop-and-quarantine-file comment="testing" file_hash=abe3ba25e5660c23dfe478d577cfacde5795870c machine_id=12345678

Context Example#

{
    "ID": "123",
    "Type": "StopAndQuarantineFile",
    "Scope": null,
    "Requestor": "123abc",
    "RequestorComment": "Test",
    "Status": "Pending",
    "MachineID": "12345678",
    "ComputerDNSName": null,
    "CreationDateTimeUtc": "2020-03-20T14:21:49.9097785Z",
    "LastUpdateTimeUtc": "2020-02-27T12:21:00.4568741Z",
    "RelatedFileInfo": {
        "fileIdentifier": "87654321",
        "fileIdentifierType": "Sha1"
    }
}
Human Readable Output#
Stopping the execution of a file on 12345678 machine and deleting it:#
| ID | Type | Requestor | RequestorComment | Status | MachineID |
| --- | --- | --- | --- | --- | --- |
| 123 | StopAndQuarantineFile | 123abc | Test | Pending | 12345678 |

21. microsoft-atp-list-investigations#


Retrieves a collection of investigations or retrieves a specific investigation by its ID.

Required Permissions#

Alert.ReadWrite.All

Base Command#

microsoft-atp-list-investigations

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| id | The investigation ID, or the ID of the alert that triggered the investigation. | Optional |
| limit | The maximum number of investigations to display. | Optional |
| offset | The page from which to get the investigations. | Optional |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Investigation.ID | String | The ID of the investigation. |
| MicrosoftATP.Investigation.StartTime | Date | The date and time when the investigation was created. |
| MicrosoftATP.Investigation.EndTime | Date | The date and time when the investigation was completed. |
| MicrosoftATP.Investigation.State | String | The state of the investigation. |
| MicrosoftATP.Investigation.CancelledBy | Unknown | The ID of the user or application that cancelled the investigation. |
| MicrosoftATP.Investigation.StatusDetails | Unknown | The details of the state of the investigation. |
| MicrosoftATP.Investigation.MachineID | String | The machine ID the investigation is executed on. |
| MicrosoftATP.Investigation.ComputerDNSName | String | The machine DNS name the investigation is executed on. |
| MicrosoftATP.Investigation.TriggeringAlertID | String | The alert ID that triggered the investigation. |
Command Example#

!microsoft-atp-list-investigations limit=3 offset=0

Context Example#
{
"MicrosoftATP.Investigation": [
{
"CancelledBy": null,
"InvestigationState": "PendingApproval",
"MachineID": "4899036531e374137f63289c3267bad772c13fef",
"TriggeringAlertID": "da637200417169017725_183736971",
"ComputerDNSName": "desktop-s2455r8",
"StatusDetails": null,
"StartTime": "2020-03-17T11:35:17Z",
"EndTime": null,
"ID": "10"
},
{
"CancelledBy": null,
"InvestigationState": "PendingApproval",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"TriggeringAlertID": "da637200385941308230_1832866941",
"ComputerDNSName": "desktop-s2455r9",
"StatusDetails": null,
"StartTime": "2020-03-17T10:43:15Z",
"EndTime": null,
"ID": "9"
},
{
"CancelledBy": null,
"InvestigationState": "TerminatedBySystem",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"TriggeringAlertID": "da637189366671550108_395377714",
"ComputerDNSName": "desktop-s2455r9",
"StatusDetails": null,
"StartTime": "2020-03-04T16:37:50Z",
"EndTime": "2020-03-11T18:13:42Z",
"ID": "8"
}
]
}
Human Readable Output#
Investigations Info:#
| ID | StartTime | EndTime | InvestigationState | MachineID | ComputerDNSName | TriggeringAlertID |
| --- | --- | --- | --- | --- | --- | --- |
| 10 | 2020-03-17T11:35:17Z | | PendingApproval | 4899036531e374137f63289c3267bad772c13fef | desktop-s2455r8 | da637200417169017725_183736971 |
| 9 | 2020-03-17T10:43:15Z | | PendingApproval | f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | da637200385941308230_1832866941 |
| 8 | 2020-03-04T16:37:50Z | 2020-03-11T18:13:42Z | TerminatedBySystem | f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | da637189366671550108_395377714 |

22. microsoft-atp-start-investigation#


Starts an automated investigation on a machine.

Required Permissions#

Alert.ReadWrite.All

Base Command#

microsoft-atp-start-investigation

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| comment | The comment to associate with the action. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Investigation.ID | String | The ID of the investigation. |
| MicrosoftATP.Investigation.StartTime | Date | The date and time when the investigation was created. |
| MicrosoftATP.Investigation.EndTime | Date | The date and time when the investigation was completed. |
| MicrosoftATP.Investigation.State | String | The state of the investigation. |
| MicrosoftATP.Investigation.CancelledBy | Unknown | The ID of the user or application that cancelled the investigation. |
| MicrosoftATP.Investigation.StatusDetails | Unknown | The details of the state of the investigation. |
| MicrosoftATP.Investigation.MachineID | String | The machine ID the investigation is executed on. |
| MicrosoftATP.Investigation.ComputerDNSName | String | The machine DNS name the investigation is executed on. |
| MicrosoftATP.Investigation.TriggeringAlertID | String | The alert ID that triggered the investigation. |
Command Example#

!microsoft-atp-start-investigation comment="testing" machine_id=f70f9fe6b29cd9511652434919c6530618f06606

Context Example#
{
"MicrosoftATP.Investigation": {
"CancelledBy": null,
"InvestigationState": "PendingApproval",
"MachineID": null,
"TriggeringAlertID": "da637205548921456173_375980286",
"ComputerDNSName": null,
"StatusDetails": null,
"StartTime": null,
"EndTime": null,
"ID": "da637205548921456173_375980286"
}
}
Human Readable Output#
Starting investigation da637205548921456173_375980286 on f70f9fe6b29cd9511652434919c6530618f06606 machine:#
| ID | InvestigationState | TriggeringAlertID |
| --- | --- | --- |
| da637205548921456173_375980286 | PendingApproval | da637205548921456173_375980286 |

23. microsoft-atp-get-domain-statistics#


Retrieves statistics on the given domain.

Required Permissions#

URL.Read.All

Base Command#

microsoft-atp-get-domain-statistics

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain address. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.DomainStatistics.Statistics.Host | String | The domain host. |
| MicrosoftATP.DomainStatistics.Statistics.OrgPrevalence | String | The prevalence of the domain in the organization. |
| MicrosoftATP.DomainStatistics.Statistics.OrgFirstSeen | Date | The first date and time the domain was seen in the organization. |
| MicrosoftATP.DomainStatistics.Statistics.OrgLastSeen | Date | The last date and time the domain was seen in the organization. |
Command Example#

!microsoft-atp-get-domain-statistics domain=google.com

Context Example#
{
"MicrosoftATP.DomainStatistics": {
"Domain": "google.com",
"Statistics": {
"OrgLastSeen": "2020-02-24T13:14:54Z",
"Host": "google.com",
"OrgFirstSeen": "2020-02-24T12:50:04Z",
"OrgPrevalence": "1"
}
}
}
Human Readable Output#
Statistics on google.com domain:#
| Host | OrgFirstSeen | OrgLastSeen | OrgPrevalence |
| --- | --- | --- | --- |
| google.com | 2020-02-24T12:50:04Z | 2020-02-24T13:14:54Z | 1 |

24. microsoft-atp-get-domain-alerts#


Retrieves a collection of alerts related to a given domain address.

Required Permissions#

Alert.ReadWrite.All

Base Command#

microsoft-atp-get-domain-alerts

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain address. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.DomainAlert.Domain | String | The domain address. |
| MicrosoftATP.DomainAlert.Alerts.ID | String | The ID of the alert. |
| MicrosoftATP.DomainAlert.Alerts.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.DomainAlert.Alerts.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.DomainAlert.Alerts.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.DomainAlert.Alerts.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.DomainAlert.Alerts.Severity | String | The severity of the alert. |
| MicrosoftATP.DomainAlert.Alerts.Status | String | The current status of the alert. |
| MicrosoftATP.DomainAlert.Alerts.Classification | String | The alert classification. |
| MicrosoftATP.DomainAlert.Alerts.Determination | String | The determination of the alert. |
| MicrosoftATP.DomainAlert.Alerts.DetectionSource | String | The detection source. |
| MicrosoftATP.DomainAlert.Alerts.Category | String | The category of the alert. |
| MicrosoftATP.DomainAlert.Alerts.ThreatFamilyName | String | The family name of the threat. |
| MicrosoftATP.DomainAlert.Alerts.Title | String | The title of the alert. |
| MicrosoftATP.DomainAlert.Alerts.Description | String | The description of the alert. |
| MicrosoftATP.DomainAlert.Alerts.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.DomainAlert.Alerts.FirstEventTime | Date | The first event time that triggered the alert on that machine. |
| MicrosoftATP.DomainAlert.Alerts.LastEventTime | Date | The last event time that triggered the alert on that machine. |
| MicrosoftATP.DomainAlert.Alerts.LastUpdateTime | Date | The UTC time of the last update. |
| MicrosoftATP.DomainAlert.Alerts.ResolvedTime | Date | The date and time when the status of the alert was changed to "Resolved". |
| MicrosoftATP.DomainAlert.Alerts.MachineID | String | The machine ID that is associated with the alert. |
| MicrosoftATP.DomainAlert.Alerts.ComputerDNSName | String | The machine DNS name. |
| MicrosoftATP.DomainAlert.Alerts.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.DomainAlert.Alerts.Comments.Comment | String | The alert comment string. |
| MicrosoftATP.DomainAlert.Alerts.Comments.CreatedBy | String | The user that created the alert comment. |
| MicrosoftATP.DomainAlert.Alerts.Comments.CreatedTime | Date | The date and time the alert comment was created. |
Command Example#

!microsoft-atp-get-domain-alerts domain=google.com

Context Example#
{
"MicrosoftATP.DomainAlert": {
"Domain": "google.com",
"Alerts": []
}
}
Human Readable Output#
Domain google.com related alerts Info:#

No entries.

25. microsoft-atp-get-domain-machines#


Retrieves a collection of machines that have communicated with a given domain address.

Required Permissions#

Machine.ReadWrite.All

Base Command#

microsoft-atp-get-domain-machines

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain address. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.DomainMachine.Domain | String | The domain address. |
| MicrosoftATP.DomainMachine.Machines.ID | String | The ID of the machine. |
| MicrosoftATP.DomainMachine.Machines.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.DomainMachine.Machines.FirstSeen | Date | The first date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.DomainMachine.Machines.LastSeen | Date | The last date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.DomainMachine.Machines.OSPlatform | String | The operating system platform. |
| MicrosoftATP.DomainMachine.Machines.OSVersion | String | The operating system version. |
| MicrosoftATP.DomainMachine.Machines.OSProcessor | String | The operating system processor. |
| MicrosoftATP.DomainMachine.Machines.LastIPAddress | String | The last IP address on the machine. |
| MicrosoftATP.DomainMachine.Machines.LastExternalIPAddress | String | The last IP address through which the machine accessed the internet. |
| MicrosoftATP.DomainMachine.Machines.OSBuild | Number | The operating system build number. |
| MicrosoftATP.DomainMachine.Machines.HealthStatus | String | The health status of the machine. |
| MicrosoftATP.DomainMachine.Machines.RBACGroupID | Number | The RBAC group ID of the machine. |
| MicrosoftATP.DomainMachine.Machines.RBACGroupName | String | The RBAC group name of the machine. |
| MicrosoftATP.DomainMachine.Machines.RiskScore | String | The risk score of the machine. |
| MicrosoftATP.DomainMachine.Machines.ExposureLevel | String | The exposure level of the machine. |
| MicrosoftATP.DomainMachine.Machines.IsAADJoined | Boolean | Whether the machine is AAD joined. |
| MicrosoftATP.DomainMachine.Machines.AADDeviceID | String | The AAD device ID. |
| MicrosoftATP.DomainMachine.Machines.MachineTags | String | The set of machine tags. |
Command Example#

!microsoft-atp-get-domain-machines domain=google.com

Context Example#
{
"MicrosoftATP.DomainMachine": {
"Domain": "google.com",
"Machines": [
{
"OSBuild": 18363,
"ExposureLevel": "Medium",
"OSPlatform": "Windows10",
"MachineTags": [
"test Tag 2",
"test Tag 5"
],
"AADDeviceID": "cfcf4177-227e-4cdb-ac8e-f9a3da1ca30c",
"ComputerDNSName": "desktop-s2455r8",
"RBACGroupID": 0,
"OSProcessor": "x64",
"HealthStatus": "Active",
"AgentVersion": "10.6940.18362.693",
"LastExternalIPAddress": "81.166.99.236",
"LastIPAddress": "192.168.1.71",
"OSVersion": "1909",
"RiskScore": "High",
"ID": "4899036531e374137f63289c3267bad772c13fef",
"FirstSeen": "2020-02-17T08:30:07.2415577Z",
"LastSeen": "2020-03-23T08:10:41.473428Z"
}
]
}
}
Human Readable Output#
Machines that have communicated with google.com domain:#
| ID | ComputerDNSName | OSPlatform | LastIPAddress | LastExternalIPAddress | HealthStatus | RiskScore | ExposureLevel |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 4899036531e374137f63289c3267bad772c13fef | desktop-s2455r8 | Windows10 | 192.168.1.71 | 81.166.99.236 | Active | High | Medium |

26. microsoft-atp-get-file-statistics#


Retrieves statistics for the given file.

Required Permissions#

File.Read.All

Base Command#

microsoft-atp-get-file-statistics

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| file_hash | The file SHA1 hash to get statistics on. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.FileStatistics.Sha1 | String | The file SHA1 hash. |
| MicrosoftATP.FileStatistics.Statistics.OrgPrevalence | String | The prevalence of the file in the organization. |
| MicrosoftATP.FileStatistics.Statistics.OrgFirstSeen | Date | The first date and time the file was seen in the organization. |
| MicrosoftATP.FileStatistics.Statistics.OrgLastSeen | Date | The last date and time the file was seen in the organization. |
| MicrosoftATP.FileStatistics.Statistics.GlobalPrevalence | String | The global prevalence of the file. |
| MicrosoftATP.FileStatistics.Statistics.GlobalFirstObserved | Date | The first global observation date and time of the file. |
| MicrosoftATP.FileStatistics.Statistics.GlobalLastObserved | Date | The last global observation date and time of the file. |
| MicrosoftATP.FileStatistics.Statistics.TopFileNames | String | The top names of the file. |
Command Example#

!microsoft-atp-get-file-statistics file_hash=9fe3ba25e5660c23dfe478d577cfacde5795870c

Context Example#
{
"MicrosoftATP.FileStatistics": {
"Sha1": "9fe3ba25e5660c23dfe478d577cfacde5795870c",
"Statistics": {
"TopFileNames": [
"lsass.exe"
],
"GlobalFirstObserved": "2019-04-03T04:10:18.1001071Z",
"GlobalPrevalence": "1355899",
"OrgPrevalence": "0",
"GlobalLastObserved": "2020-03-23T09:24:54.169574Z"
}
}
}
Human Readable Output#
Statistics on 9fe3ba25e5660c23dfe478d577cfacde5795870c file:#
| GlobalFirstObserved | GlobalLastObserved | GlobalPrevalence | OrgPrevalence | TopFileNames |
| --- | --- | --- | --- | --- |
| 2019-04-03T04:10:18.1001071Z | 2020-03-23T09:24:54.169574Z | 1355899 | 0 | lsass.exe |

27. microsoft-atp-get-file-alerts#


Retrieves a collection of alerts related to a given file hash.

Required Permissions#

Alert.ReadWrite.All

Base Command#

microsoft-atp-get-file-alerts

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| file_hash | The file SHA1 hash to get alerts on. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.FileAlert.Sha1 | String | The file SHA1 hash. |
| MicrosoftATP.FileAlert.Alerts.ID | String | The ID of the alert. |
| MicrosoftATP.FileAlert.Alerts.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.FileAlert.Alerts.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.FileAlert.Alerts.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.FileAlert.Alerts.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.FileAlert.Alerts.Severity | String | The severity of the alert. |
| MicrosoftATP.FileAlert.Alerts.Status | String | The current status of the alert. |
| MicrosoftATP.FileAlert.Alerts.Classification | String | The alert classification. |
| MicrosoftATP.FileAlert.Alerts.Determination | String | The determination of the alert. |
| MicrosoftATP.FileAlert.Alerts.DetectionSource | String | The detection source. |
| MicrosoftATP.FileAlert.Alerts.Category | String | The category of the alert. |
| MicrosoftATP.FileAlert.Alerts.ThreatFamilyName | String | The family name of the threat. |
| MicrosoftATP.FileAlert.Alerts.Title | String | The title of the alert. |
| MicrosoftATP.FileAlert.Alerts.Description | String | The description of the alert. |
| MicrosoftATP.FileAlert.Alerts.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.FileAlert.Alerts.FirstEventTime | Date | The first event time that triggered the alert on that machine. |
| MicrosoftATP.FileAlert.Alerts.LastEventTime | Date | The last event time that triggered the alert on that machine. |
| MicrosoftATP.FileAlert.Alerts.LastUpdateTime | Date | The UTC time of the last update. |
| MicrosoftATP.FileAlert.Alerts.ResolvedTime | Date | The date and time when the status of the alert was changed to "Resolved". |
| MicrosoftATP.FileAlert.Alerts.MachineID | String | The machine ID that is associated with the alert. |
| MicrosoftATP.FileAlert.Alerts.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.FileAlert.Alerts.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.FileAlert.Alerts.Comments.Comment | String | The alert comment string. |
| MicrosoftATP.FileAlert.Alerts.Comments.CreatedBy | String | The user that created the alert comment. |
| MicrosoftATP.FileAlert.Alerts.Comments.CreatedTime | Date | The date and time the alert comment was created. |
Command Example#

!microsoft-atp-get-file-alerts file_hash=9fe3ba25e5660c23dfe478d577cfacde5795870c

Context Example#
{
"MicrosoftATP.FileAlert": {
"Sha1": "9fe3ba25e5660c23dfe478d577cfacde5795870c",
"Alerts": [
{
"Category": "None",
"ThreatFamilyName": null,
"Severity": "Medium",
"LastEventTime": "2020-03-15T13:59:14.2438912Z",
"FirstEventTime": "2020-03-15T13:59:14.2438912Z",
"Comments": [
{
"Comment": null,
"CreatedTime": null,
"CreatedBy": null
}
],
"AADTenantID": "TENANT-ID",
"AlertCreationTime": "2020-03-17T11:55:31.890247Z",
"Status": "New",
"Description": "Created for test",
"InvestigationState": "PendingApproval",
"MachineID": "4899036531e374137f63289c3267bad772c13fef",
"Title": "test alert",
"InvestigationID": 10,
"Determination": null,
"IncidentID": 15,
"AssignedTo": null,
"DetectionSource": "CustomerTI",
"ResolvedTime": null,
"ID": "da637200429318902470_-1583197054",
"LastUpdateTime": "2020-03-17T11:55:33.0233333Z",
"Classification": null,
"ComputerDNSName": "desktop-s2455r8",
"Evidence": [
{
"userPrincipalName": null,
"processId": 656,
"sha1": "9fe3ba25e5660c23dfe478d577cfacde5795870c",
"parentProcessCreationTime": null,
"domainName": null,
"url": null,
"processCommandLine": "lsass.exe",
"entityType": "Process",
"processCreationTime": "2020-03-13T16:58:59Z",
"aadUserId": null,
"fileName": "lsass.exe",
"sha256": null,
"parentProcessId": 512,
"userSid": null,
"filePath": "c:\\windows\\system32\\lsass.exe",
"accountName": null,
"ipAddress": null
}
]
}
]
}
}
Human Readable Output#
File 9fe3ba25e5660c23dfe478d577cfacde5795870c related alerts Info:#
| ID | Title | Description | IncidentID | Severity | Status | Category | MachineID |
| --- | --- | --- | --- | --- | --- | --- | --- |
| da637200429318902470_-1583197054 | test alert | Created for test | 15 | Medium | New | None | 4899036531e374137f63289c3267bad772c13fef |

28. microsoft-atp-get-ip-statistics#


Retrieves statistics for the given IP address.

Required Permissions#

Ip.Read.All

Base Command#

microsoft-atp-get-ip-statistics

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.IPStatistics.Statistics.IPAddress | String | The IP address. |
| MicrosoftATP.IPStatistics.Statistics.OrgPrevalence | String | The prevalence of the IP address in the organization. |
| MicrosoftATP.IPStatistics.Statistics.OrgFirstSeen | Date | The first date and time the IP address was seen in the organization. |
| MicrosoftATP.IPStatistics.Statistics.OrgLastSeen | Date | The last date and time the IP address was seen in the organization. |
Command Example#

!microsoft-atp-get-ip-statistics ip=8.8.8.8

Context Example#
{
"MicrosoftATP.IPStatistics": {
"Statistics": {
"OrgLastSeen": "2020-03-01T15:19:40Z",
"OrgPrevalence": "1",
"OrgFirstSeen": "2020-02-22T12:52:35Z"
},
"IPAddress": "8.8.8.8"
}
}
Human Readable Output#
Statistics on 8.8.8.8 IP:#
| OrgFirstSeen | OrgLastSeen | OrgPrevalence |
| --- | --- | --- |
| 2020-02-22T12:52:35Z | 2020-03-01T15:19:40Z | 1 |

29. microsoft-atp-get-ip-alerts#


Retrieves a collection of alerts related to a given IP address.

Required Permissions#

Alert.ReadWrite.All

Base Command#

microsoft-atp-get-ip-alerts

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.IPAlert.IPAddress | String | The IP address. |
| MicrosoftATP.IPAlert.Alerts.ID | String | The alert ID. |
| MicrosoftATP.IPAlert.Alerts.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.IPAlert.Alerts.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.IPAlert.Alerts.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.IPAlert.Alerts.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.IPAlert.Alerts.Severity | String | The severity of the alert. |
| MicrosoftATP.IPAlert.Alerts.Status | String | The current status of the alert. |
| MicrosoftATP.IPAlert.Alerts.Classification | String | The alert classification. |
| MicrosoftATP.IPAlert.Alerts.Determination | String | The determination of the alert. |
| MicrosoftATP.IPAlert.Alerts.DetectionSource | String | The detection source. |
| MicrosoftATP.IPAlert.Alerts.Category | String | The category of the alert. |
| MicrosoftATP.IPAlert.Alerts.ThreatFamilyName | String | The family name of the threat. |
| MicrosoftATP.IPAlert.Alerts.Title | String | The title of the alert. |
| MicrosoftATP.IPAlert.Alerts.Description | String | The description of the alert. |
| MicrosoftATP.IPAlert.Alerts.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.IPAlert.Alerts.FirstEventTime | Date | The first event time that triggered the alert on that machine. |
| MicrosoftATP.IPAlert.Alerts.LastEventTime | Date | The last event time that triggered the alert on that machine. |
| MicrosoftATP.IPAlert.Alerts.LastUpdateTime | Date | The UTC time of the last update. |
| MicrosoftATP.IPAlert.Alerts.ResolvedTime | Date | The date and time when the status of the alert was changed to "Resolved". |
| MicrosoftATP.IPAlert.Alerts.MachineID | String | The machine ID that is associated with the alert. |
| MicrosoftATP.IPAlert.Alerts.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.IPAlert.Alerts.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.IPAlert.Alerts.Comments.Comment | String | The alert comment string. |
| MicrosoftATP.IPAlert.Alerts.Comments.CreatedBy | String | The user that created the alert comment. |
| MicrosoftATP.IPAlert.Alerts.Comments.CreatedTime | Date | The date and time the alert comment was created. |
Command Example#

!microsoft-atp-get-ip-alerts ip=8.8.8.8

Context Example#
{
"MicrosoftATP.IPAlert": {
"Alerts": [],
"IPAddress": "8.8.8.8"
}
}
Human Readable Output#
IP 8.8.8.8 related alerts Info:#

No entries.

30. microsoft-atp-get-user-alerts#


Retrieves a collection of alerts related to a given user ID.

Required Permissions#

Alert.ReadWrite.All

Base Command#

microsoft-atp-get-user-alerts

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| username | The user ID. The ID is not the full UPN, but only the username. For example, to retrieve alerts for "user1@test.com" use "user1". | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.UserAlert.Username | String | The name of the user. |
| MicrosoftATP.UserAlert.Alerts.ID | String | The ID of the alert. |
| MicrosoftATP.UserAlert.Alerts.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.UserAlert.Alerts.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.UserAlert.Alerts.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.UserAlert.Alerts.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.UserAlert.Alerts.Severity | String | The severity of the alert. |
| MicrosoftATP.UserAlert.Alerts.Status | String | The current status of the alert. |
| MicrosoftATP.UserAlert.Alerts.Classification | String | The alert classification. |
| MicrosoftATP.UserAlert.Alerts.Determination | String | The determination of the alert. |
| MicrosoftATP.UserAlert.Alerts.DetectionSource | String | The detection source. |
| MicrosoftATP.UserAlert.Alerts.Category | String | The category of the alert. |
| MicrosoftATP.UserAlert.Alerts.ThreatFamilyName | String | The family name of the threat. |
| MicrosoftATP.UserAlert.Alerts.Title | String | The title of the alert. |
| MicrosoftATP.UserAlert.Alerts.Description | String | The description of the alert. |
| MicrosoftATP.UserAlert.Alerts.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.UserAlert.Alerts.FirstEventTime | Date | The first event time that triggered the alert on that machine. |
| MicrosoftATP.UserAlert.Alerts.LastEventTime | Date | The last event time that triggered the alert on that machine. |
| MicrosoftATP.UserAlert.Alerts.LastUpdateTime | Date | The UTC time of the last update. |
| MicrosoftATP.UserAlert.Alerts.ResolvedTime | Date | The date and time when the status of the alert was changed to "Resolved". |
| MicrosoftATP.UserAlert.Alerts.MachineID | String | The machine ID that is associated with the alert. |
| MicrosoftATP.UserAlert.Alerts.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.UserAlert.Alerts.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.UserAlert.Alerts.Comments.Comment | String | The comment string of the alert. |
| MicrosoftATP.UserAlert.Alerts.Comments.CreatedBy | String | The user that created the alert comment. |
| MicrosoftATP.UserAlert.Alerts.Comments.CreatedTime | Date | The date and time the alert comment was created. |
Command Example#

!microsoft-atp-get-user-alerts username=demisto

Context Example#
{
"MicrosoftATP.UserAlert": {
"Username": "demisto",
"Alerts": [
{
"Category": "DefenseEvasion",
"ThreatFamilyName": null,
"Severity": "Medium",
"LastEventTime": "2020-02-17T11:39:09.9948632Z",
"FirstEventTime": "2020-02-17T11:37:11.4901408Z",
"Comments": [
{
"Comment": null,
"CreatedTime": null,
"CreatedBy": null
}
],
"AADTenantID": "TENANT-ID",
"AlertCreationTime": "2020-02-17T11:40:33.5724218Z",
"Status": "InProgress",
"Description": "A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.",
"InvestigationState": "Benign",
"MachineID": "4899036531e374137f63289c3267bad772c13fef",
"Title": "Suspicious process injection observed",
"InvestigationID": 1,
"Determination": null,
"IncidentID": 7,
"AssignedTo": "Automation",
"DetectionSource": "WindowsDefenderAtp",
"ResolvedTime": null,
"ID": "da637175364336494657_410871946",
"LastUpdateTime": "2020-03-17T11:29:55.0066667Z",
"Classification": null,
"ComputerDNSName": "desktop-s2455r8",
"Evidence": [
{
"userPrincipalName": null,
"processId": 11192,
"sha1": "36c5d12033b2eaf251bae61c00690ffb17fddc87",
"parentProcessCreationTime": "2020-02-17T08:03:34.9841426Z",
"domainName": null,
"url": null,
"processCommandLine": "\"powershell.exe\" ",
"entityType": "Process",
"processCreationTime": "2020-02-17T12:38:47.6521977Z",
"aadUserId": null,
"fileName": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"parentProcessId": 9008,
"userSid": null,
"filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
"accountName": null,
"ipAddress": null
},
{
"userPrincipalName": null,
"processId": 12508,
"sha1": "d487580502354c61808c7180d1a336beb7ad4624",
"parentProcessCreationTime": "2020-02-17T12:38:47.6521977Z",
"domainName": null,
"url": null,
"processCommandLine": "\"notepad.exe\"",
"entityType": "Process",
"processCreationTime": "2020-02-17T12:41:04.9040946Z",
"aadUserId": null,
"fileName": "notepad.exe",
"sha256": "f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3",
"parentProcessId": 11192,
"userSid": null,
"filePath": "C:\\Windows\\System32",
"accountName": null,
"ipAddress": null
},
{
"userPrincipalName": null,
"processId": null,
"sha1": null,
"parentProcessCreationTime": null,
"domainName": "DESKTOP-S2455R8",
"url": null,
"processCommandLine": null,
"entityType": "User",
"processCreationTime": null,
"aadUserId": null,
"fileName": null,
"sha256": null,
"parentProcessId": null,
"userSid": "S-1-5-21-4197691174-1403503641-4006700887-1001",
"filePath": null,
"accountName": "demisto",
"ipAddress": null
},
{
"userPrincipalName": null,
"processId": 8936,
"sha1": "d487580502354c61808c7180d1a336beb7ad4624",
"parentProcessCreationTime": "2020-02-17T12:38:47.6521977Z",
"domainName": null,
"url": null,
"processCommandLine": "\"notepad.exe\"",
"entityType": "Process",
"processCreationTime": "2020-02-17T12:39:16.3783602Z",
"aadUserId": null,
"fileName": "notepad.exe",
"sha256": "f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3",
"parentProcessId": 11192,
"userSid": null,
"filePath": "C:\\Windows\\System32",
"accountName": null,
"ipAddress": null
}
]
}
]
}
}
Human Readable Output#
User XSOAR related alerts Info:#
| ID | Title | Description | IncidentID | Severity | Status | Category | MachineID |
| --- | --- | --- | --- | --- | --- | --- | --- |
| da637175364336494657_410871946 | Suspicious process injection observed | A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. As a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server. | 7 | Medium | InProgress | DefenseEvasion | 4899036531e374137f63289c3267bad772c13fef |
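
The Evidence entries in the context above carry processId / parentProcessId pairs that the human readable table drops. As an added example (not code from the XSOAR integration or from Microsoft), the helper below rebuilds the parent-to-child process chains behind each alert in a MicrosoftATP.UserAlert context entry, lists the user evidence, and collects the SHA1 hashes that can be handed to microsoft-atp-get-file-statistics or microsoft-atp-get-file-alerts next; the sample context is constructed from the page's output above, trimmed to the fields the helper reads.

```python
"""Added example, not part of the XSOAR integration: rebuild the process
chain behind each alert returned by !microsoft-atp-get-user-alerts and
collect the SHA1 hashes an analyst would pivot on next."""
from collections import defaultdict

# Constructed sample: the page's MicrosoftATP.UserAlert context output,
# trimmed to the fields this helper reads.
SAMPLE_CONTEXT = {
    "MicrosoftATP.UserAlert": {
        "Username": "demisto",
        "Alerts": [{
            "ID": "da637175364336494657_410871946",
            "Title": "Suspicious process injection observed",
            "Category": "DefenseEvasion",
            "Severity": "Medium",
            "MachineID": "4899036531e374137f63289c3267bad772c13fef",
            "Evidence": [
                {"entityType": "Process", "processId": 11192, "parentProcessId": 9008,
                 "fileName": "powershell.exe", "sha1": "36c5d12033b2eaf251bae61c00690ffb17fddc87",
                 "processCreationTime": "2020-02-17T12:38:47.6521977Z"},
                {"entityType": "Process", "processId": 12508, "parentProcessId": 11192,
                 "fileName": "notepad.exe", "sha1": "d487580502354c61808c7180d1a336beb7ad4624",
                 "processCreationTime": "2020-02-17T12:41:04.9040946Z"},
                {"entityType": "User", "accountName": "demisto", "domainName": "DESKTOP-S2455R8",
                 "userSid": "S-1-5-21-4197691174-1403503641-4006700887-1001"},
                {"entityType": "Process", "processId": 8936, "parentProcessId": 11192,
                 "fileName": "notepad.exe", "sha1": "d487580502354c61808c7180d1a336beb7ad4624",
                 "processCreationTime": "2020-02-17T12:39:16.3783602Z"},
            ],
        }],
    }
}


def process_evidence(alert):
    """Process-type evidence entries of one alert, keyed by processId."""
    return {
        ev["processId"]: ev
        for ev in alert.get("Evidence") or []
        if ev.get("entityType") == "Process" and ev.get("processId") is not None
    }


def process_chains(alert):
    """Rebuild parent -> child chains from processId / parentProcessId.

    One 'name (pid) -> name (pid)' string per leaf process. A chain starts at
    a process whose parent is not itself described in the evidence (pid 9008
    above), and children are ordered by processCreationTime.
    """
    procs = process_evidence(alert)
    children = defaultdict(list)
    for pid, ev in procs.items():
        children[ev.get("parentProcessId")].append(pid)

    def walk(pid, path, seen):
        if pid in seen:  # guard against malformed, cyclic parent links
            return [" -> ".join(path)]
        path = path + [f"{procs[pid].get('fileName')} ({pid})"]
        kids = sorted(children.get(pid, []),
                      key=lambda p: procs[p].get("processCreationTime") or "")
        if not kids:
            return [" -> ".join(path)]
        return [line for kid in kids for line in walk(kid, path, seen | {pid})]

    roots = [pid for pid, ev in procs.items() if ev.get("parentProcessId") not in procs]
    return [line for root in roots for line in walk(root, [], frozenset())]


def evidence_hashes(alert):
    """Distinct SHA1 hashes of the process evidence, ready to feed into
    microsoft-atp-get-file-statistics or microsoft-atp-get-file-alerts."""
    return sorted({ev["sha1"] for ev in process_evidence(alert).values() if ev.get("sha1")})


def triage_user_alerts(context):
    """Summarise every alert in a MicrosoftATP.UserAlert context entry."""
    rows = []
    for alert in context["MicrosoftATP.UserAlert"].get("Alerts") or []:
        accounts = sorted({ev["accountName"] for ev in alert.get("Evidence") or []
                           if ev.get("entityType") == "User" and ev.get("accountName")})
        rows.append({
            "AlertID": alert["ID"],
            "Severity": alert.get("Severity"),
            "Category": alert.get("Category"),
            "MachineID": alert.get("MachineID"),
            "Accounts": accounts,
            "Chains": process_chains(alert),
            "Sha1s": evidence_hashes(alert),
        })
    return rows


if __name__ == "__main__":
    for row in triage_user_alerts(SAMPLE_CONTEXT):
        print(f"{row['AlertID']} [{row['Severity']}/{row['Category']}] on {row['MachineID']}")
        print("  accounts:", ", ".join(row["Accounts"]))
        print("  chains:  ", "; ".join(row["Chains"]))
        print("  sha1s:   ", ", ".join(row["Sha1s"]))
```

In an XSOAR automation the same functions would be fed `demisto.context()["MicrosoftATP"]["UserAlert"]` instead of the constructed sample.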

31. microsoft-atp-get-user-machines#


Retrieves a collection of machines related to a given user ID.

Required Permissions#

Machine.ReadWrite.All

Base Command#

microsoft-atp-get-user-machines

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| username | The user ID. The ID is not the full UPN, but only the username. For example, to retrieve machines for "user1@test.com" use "user1". | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.UserMachine.Username | String | The name of the user. |
| MicrosoftATP.UserMachine.Machines.ID | String | The ID of the machine. |
| MicrosoftATP.UserMachine.Machines.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.UserMachine.Machines.FirstSeen | Date | The first date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.UserMachine.Machines.LastSeen | Date | The last date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.UserMachine.Machines.OSPlatform | String | The operating system platform. |
| MicrosoftATP.UserMachine.Machines.OSVersion | String | The operating system version. |
| MicrosoftATP.UserMachine.Machines.OSProcessor | String | The operating system processor. |
| MicrosoftATP.UserMachine.Machines.LastIPAddress | String | The last IP address on the machine. |
| MicrosoftATP.UserMachine.Machines.LastExternalIPAddress | String | The last IP address through which the machine accessed the internet. |
| MicrosoftATP.UserMachine.Machines.OSBuild | Number | The operating system build number. |
| MicrosoftATP.UserMachine.Machines.HealthStatus | String | The health status of the machine. |
| MicrosoftATP.UserMachine.Machines.RBACGroupID | Number | The RBAC group ID of the machine. |
| MicrosoftATP.UserMachine.Machines.RBACGroupName | String | The RBAC group name of the machine. |
| MicrosoftATP.UserMachine.Machines.RiskScore | String | The risk score of the machine. |
| MicrosoftATP.UserMachine.Machines.ExposureLevel | String | The exposure level of the machine. |
| MicrosoftATP.UserMachine.Machines.IsAADJoined | Boolean | Whether the machine is AAD joined. |
| MicrosoftATP.UserMachine.Machines.AADDeviceID | String | The AAD device ID. |
| MicrosoftATP.UserMachine.Machines.MachineTags | String | The set of machine tags. |
Command Example#

!microsoft-atp-get-user-machines username=demisto

Context Example#
{
"MicrosoftATP.UserMachine": {
"Username": "demisto",
"Machines": [
{
"OSBuild": 18363,
"ExposureLevel": "Medium",
"OSPlatform": "Windows10",
"MachineTags": [
"test Tag 2",
"test Tag 5"
],
"AADDeviceID": "cfcf4177-227e-4cdb-ac8e-f9a3da1ca30c",
"ComputerDNSName": "desktop-s2455r8",
"RBACGroupID": 0,
"OSProcessor": "x64",
"HealthStatus": "Active",
"AgentVersion": "10.6940.18362.693",
"LastExternalIPAddress": "81.166.99.236",
"LastIPAddress": "192.168.1.71",
"OSVersion": "1909",
"RiskScore": "High",
"ID": "4899036531e374137f63289c3267bad772c13fef",
"FirstSeen": "2020-02-17T08:30:07.2415577Z",
"LastSeen": "2020-03-23T08:10:41.473428Z"
},
{
"OSBuild": 18363,
"ExposureLevel": "Medium",
"OSPlatform": "Windows10",
"MachineTags": [
"test add tag",
"testing123"
],
"ComputerDNSName": "desktop-s2455r9",
"RBACGroupID": 0,
"OSProcessor": "x64",
"HealthStatus": "Active",
"AgentVersion": "10.6940.18362.693",
"LastExternalIPAddress": "81.166.99.236",
"LastIPAddress": "192.168.1.73",
"OSVersion": "1909",
"RiskScore": "Medium",
"ID": "f70f9fe6b29cd9511652434919c6530618f06606",
"FirstSeen": "2020-02-20T14:44:11.4627779Z",
"LastSeen": "2020-03-23T07:55:50.9986715Z"
}
]
}
}
Human Readable Output#
Machines that are related to user XSOAR:#
| ID | ComputerDNSName | OSPlatform | LastIPAddress | LastExternalIPAddress | HealthStatus | RiskScore | ExposureLevel |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 4899036531e374137f63289c3267bad772c13fef | desktop-s2455r8 | Windows10 | 192.168.1.71 | 81.166.99.236 | Active | High | Medium |
| f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | Windows10 | 192.168.1.73 | 81.166.99.236 | Active | Medium | Medium |

32. microsoft-atp-add-remove-machine-tag#


Adds or removes a tag on a specific machine.

Required Permissions#

Machine.ReadWrite.All

Base Command#

microsoft-atp-add-remove-machine-tag

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| action | The action to perform with the tag (add it to or remove it from the machine). | Required |
| tag | The name of the tag. | Required |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Machine.ID | String | The ID of the machine. |
| MicrosoftATP.Machine.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.Machine.FirstSeen | Date | The first date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.LastSeen | Date | The last date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.OSPlatform | String | The operating system platform. |
| MicrosoftATP.Machine.OSVersion | String | The operating system version. |
| MicrosoftATP.Machine.OSProcessor | String | The operating system processor. |
| MicrosoftATP.Machine.LastIPAddress | String | The last IP address on the machine. |
| MicrosoftATP.Machine.LastExternalIPAddress | String | The last IP address through which the machine accessed the internet. |
| MicrosoftATP.Machine.OSBuild | Number | The operating system build number. |
| MicrosoftATP.Machine.HealthStatus | String | The health status of the machine. |
| MicrosoftATP.Machine.RBACGroupID | Number | The RBAC group ID of the machine. |
| MicrosoftATP.Machine.RBACGroupName | String | The RBAC group name of the machine. |
| MicrosoftATP.Machine.RiskScore | String | The risk score of the machine. |
| MicrosoftATP.Machine.ExposureLevel | String | The exposure level of the machine. |
| MicrosoftATP.Machine.IsAADJoined | Boolean | Whether the machine is AAD joined. |
| MicrosoftATP.Machine.AADDeviceID | String | The AAD device ID. |
| MicrosoftATP.Machine.MachineTags | String | The set of machine tags. |
Command Example#

!microsoft-atp-add-remove-machine-tag action=Add machine_id=f70f9fe6b29cd9511652434919c6530618f06606 tag="test add tag"

Context Example#
{
"MicrosoftATP.Machine": {
"OSBuild": 18363,
"ExposureLevel": "Medium",
"OSPlatform": "Windows10",
"MachineTags": [
"test add tag",
"testing123"
],
"ComputerDNSName": "desktop-s2455r9",
"RBACGroupID": 0,
"OSProcessor": "x64",
"HealthStatus": "Active",
"AgentVersion": "10.6940.18362.693",
"LastExternalIPAddress": "81.166.99.236",
"LastIPAddress": "192.168.1.73",
"OSVersion": "1909",
"RiskScore": "Medium",
"ID": "f70f9fe6b29cd9511652434919c6530618f06606",
"FirstSeen": "2020-02-20T14:44:11.4627779Z",
"LastSeen": "2020-03-23T07:55:50.9986715Z"
}
}
Human Readable Output#
Succeed to Add tag to f70f9fe6b29cd9511652434919c6530618f06606:#
| ID | ComputerDNSName | OSPlatform | LastExternalIPAddress | HealthStatus | RiskScore | ExposureLevel | MachineTags |
| --- | --- | --- | --- | --- | --- | --- | --- |
| f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | Windows10 | 81.166.99.236 | Active | Medium | Medium | test add tag, testing123 |
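Tagging is not idempotent from the caller's side: the command accepts an Add for a tag the machine already has, and a playbook that re-runs will happily issue it again. As an added example (not code from the integration or this page), the following Python plans which microsoft-atp-add-remove-machine-tag calls are actually needed for the machines that microsoft-atp-get-user-machines returned, and checks the MachineTags the tag command hands back in its MicrosoftATP.Machine context. The sample machines are a constructed subset of the context example above; the ranking of RiskScore values is an assumption, as the page only shows Medium and High.

```python
"""Added example, not the integration's own code: plan idempotent
microsoft-atp-add-remove-machine-tag calls over microsoft-atp-get-user-machines
output and verify the MachineTags the tag command returns."""
from __future__ import annotations

# Assumption: RiskScore values ranked from least to most risky.
RISK_ORDER = {"None": 0, "Informational": 1, "Low": 2, "Medium": 3, "High": 4}

# Constructed subset of the MicrosoftATP.UserMachine.Machines context example above.
SAMPLE_MACHINES = [
    {"ID": "4899036531e374137f63289c3267bad772c13fef", "ComputerDNSName": "desktop-s2455r8",
     "RiskScore": "High", "MachineTags": ["test Tag 2", "test Tag 5"]},
    {"ID": "f70f9fe6b29cd9511652434919c6530618f06606", "ComputerDNSName": "desktop-s2455r9",
     "RiskScore": "Medium", "MachineTags": ["test add tag", "testing123"]},
]


def plan_tag_actions(machines: list[dict], tag: str, action: str,
                     min_risk: str = "High") -> list[tuple[str, str]]:
    """Return (machine_id, action) pairs for machines at or above min_risk whose
    MachineTags do not already reflect the desired state, so a re-run never
    issues a redundant Add or Remove."""
    if action not in ("Add", "Remove"):
        raise ValueError("action must be 'Add' or 'Remove'")
    threshold = RISK_ORDER[min_risk]
    plan = []
    for machine in machines:
        if RISK_ORDER.get(machine.get("RiskScore", "None"), 0) < threshold:
            continue
        tagged = tag in machine.get("MachineTags", [])
        # Add is needed only when the tag is absent; Remove only when it is present.
        if (action == "Add") != tagged:
            plan.append((machine["ID"], action))
    return plan


def to_commands(plan: list[tuple[str, str]], tag: str) -> list[str]:
    """Render the plan as XSOAR CLI lines in the form shown in the command example."""
    if '"' in tag:
        raise ValueError("tag must not contain double quotes")
    return [f'!microsoft-atp-add-remove-machine-tag machine_id={mid} action={act} tag="{tag}"'
            for mid, act in plan]


def verify_tag_state(result: dict, tag: str, action: str) -> bool:
    """Check the MicrosoftATP.Machine context the tag command returned: after an Add
    the tag must be present, after a Remove it must be absent."""
    tags = result.get("MicrosoftATP.Machine", {}).get("MachineTags", [])
    return (tag in tags) if action == "Add" else (tag not in tags)


if __name__ == "__main__":
    plan = plan_tag_actions(SAMPLE_MACHINES, "needs-investigation", "Add", min_risk="High")
    for line in to_commands(plan, "needs-investigation"):
        print(line)
```

With the sample data, an Add of "test add tag" at min_risk Medium yields a command only for desktop-s2455r8, because desktop-s2455r9 already carries the tag; the matching Remove yields the opposite single command.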

microsoft-atp-indicator-list#


Deprecated. Use the microsoft-atp-sc-indicator-list command instead. Lists all indicators by the ID that the system creates when the indicator is ingested.

Base Command#

microsoft-atp-indicator-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return. Default is 50. | Optional |
| page_size | The page size of the result set. Maximum is 200. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.action | String | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert. |
| MicrosoftATP.Indicators.additionalInformation | String | A catchall area into which extra data from the indicator not covered by the other indicator properties may be placed. Data placed into additionalInformation is typically not used by the targetProduct security tool. |
| MicrosoftATP.Indicators.azureTenantId | String | Stamped by the system when the indicator is ingested. The Azure Active Directory tenant ID of the submitting client. |
| MicrosoftATP.Indicators.confidence | Number | An integer representing the confidence with which the data within the indicator accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest. |
| MicrosoftATP.Indicators.description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| MicrosoftATP.Indicators.diamondModel | String | The area of the Diamond Model in which this indicator exists. Possible values are: unknown, adversary, capability, infrastructure, victim. |
| MicrosoftATP.Indicators.domainName | String | Domain name associated with this indicator. Should be in the format subdomain.domain.topleveldomain. |
| MicrosoftATP.Indicators.emailEncoding | String | The type of text encoding used in the email. |
| MicrosoftATP.Indicators.emailLanguage | String | The language of the email. |
| MicrosoftATP.Indicators.emailRecipient | String | Recipient email address. |
| MicrosoftATP.Indicators.emailSenderAddress | String | Email address of the attacker. |
| MicrosoftATP.Indicators.emailSenderName | String | Display name of the attacker. |
| MicrosoftATP.Indicators.emailSourceDomain | String | Domain used in the email. |
| MicrosoftATP.Indicators.emailSourceIpAddress | String | Source IP address of the email. |
| MicrosoftATP.Indicators.emailSubject | String | Subject line of the email. |
| MicrosoftATP.Indicators.emailXMailer | String | X-Mailer value used in the email. |
| MicrosoftATP.Indicators.expirationDateTime | Date | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.externalId | String | An identification number that ties the indicator back to the indicator provider's system (e.g. a foreign key). |
| MicrosoftATP.Indicators.fileCompileDateTime | Date | DateTime when the file was compiled. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileCreatedDateTime | Date | DateTime when the file was created. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileHashType | String | The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. |
| MicrosoftATP.Indicators.fileHashValue | String | The file hash value. |
| MicrosoftATP.Indicators.fileMutexName | String | Mutex name used in file-based detections. |
| MicrosoftATP.Indicators.fileName | String | Name of the file if the indicator is file-based. Supports a comma-separated list of file names. |
| MicrosoftATP.Indicators.filePacker | String | The packer used to build the file in question. |
| MicrosoftATP.Indicators.filePath | String | Path of the file indicating a compromise. May be Windows or *nix style. |
| MicrosoftATP.Indicators.fileSize | Number | Size of the file in bytes. |
| MicrosoftATP.Indicators.fileType | String | Text description of the type of file. For example, "Word Document" or "Binary". |
| MicrosoftATP.Indicators.ingestedDateTime | Date | Stamped by the system when the indicator is ingested. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.isActive | Boolean | Used to deactivate indicators within the system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to 'False' to deactivate indicators in the system. |
| MicrosoftATP.Indicators.knownFalsePositives | String | Scenarios in which the indicator may cause false positives. This should be human-readable text. |
| MicrosoftATP.Indicators.lastReportedDateTime | Date | The last time the indicator was seen. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.networkCidrBlock | String | CIDR Block notation representation of the network referenced in this indicator. Use only if the Source and Destination cannot be identified. |
| MicrosoftATP.Indicators.networkDestinationAsn | Number | The destination autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkDestinationCidrBlock | String | CIDR Block notation representation of the destination network in this indicator. |
| MicrosoftATP.Indicators.networkDestinationIPv4 | String | IPv4 IP address destination. |
| MicrosoftATP.Indicators.networkDestinationIPv6 | String | IPv6 IP address destination. |
| MicrosoftATP.Indicators.networkDestinationPort | Number | TCP port destination. |
| MicrosoftATP.Indicators.networkIPv4 | String | IPv4 IP address. |
| MicrosoftATP.Indicators.networkIPv6 | String | IPv6 IP address. |
| MicrosoftATP.Indicators.networkPort | Number | TCP port. |
| MicrosoftATP.Indicators.networkProtocol | Number | Decimal representation of the protocol field in the IPv4 header. |
| MicrosoftATP.Indicators.networkSourceAsn | Number | The source autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkSourceCidrBlock | String | CIDR Block notation representation of the source network in this indicator. |
| MicrosoftATP.Indicators.networkSourceIPv4 | String | IPv4 IP address source. |
| MicrosoftATP.Indicators.networkSourceIPv6 | String | IPv6 IP address source. |
| MicrosoftATP.Indicators.networkSourcePort | Number | TCP port source. |
| MicrosoftATP.Indicators.passiveOnly | Boolean | Determines if the indicator should trigger an event that is visible to an end user. When set to 'true', security tools will not notify the end user that a 'hit' has occurred. This is most often treated as audit or silent mode by security products, where they will simply log that a match occurred but will not perform the action. Default value is false. |
| MicrosoftATP.Indicators.severity | Number | Severity of the malicious behavior identified by the data within the indicator. Possible values are 0 – 5, where 5 is the most severe and zero is not severe at all. Default is 3. |
| MicrosoftATP.Indicators.targetProduct | String | A string value representing a single security product to which the indicator should be applied. |
| MicrosoftATP.Indicators.threatType | String | Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. |
| MicrosoftATP.Indicators.tlpLevel | String | Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. |
| MicrosoftATP.Indicators.url | String | Uniform Resource Locator. This URL complies with RFC 1738. |
| MicrosoftATP.Indicators.userAgent | String | User-Agent string from a web request that could indicate compromise. |
| MicrosoftATP.Indicators.vendorInformation | String | Information about the vendor. |

Command Example#

!microsoft-atp-indicator-list

Context Example#

{
"MicrosoftATP": {
"Indicators": {
"action": "block",
"activityGroupNames": [],
"azureTenantId": "TENANT-ID",
"description": "Title: Indicator Jacoviya.net of type DomainName, Description: Blob!",
"domainName": "jacoviya.net",
"expirationDateTime": "2020-09-02T17:08:46Z",
"id": "16",
"ingestedDateTime": "2020-08-26T17:08:49.158136Z",
"isActive": true,
"killChain": [],
"malwareFamilyNames": [],
"severity": 2,
"tags": [],
"targetProduct": "Microsoft Defender ATP"
}
}
}

Human Readable Output#

Indicators from Microsoft ATP:#

| id | action | severity | domainName |
| --- | --- | --- | --- |
| 16 | block | 2 | jacoviya.net |

microsoft-atp-indicator-get-by-id#


Deprecated. Use the microsoft-atp-sc-indicator-get-by-id command instead. Gets an indicator by its ID.

Base Command#

microsoft-atp-indicator-get-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_id | The ID of the indicator to get. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.action | String | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert. |
| MicrosoftATP.Indicators.additionalInformation | String | A catchall area into which extra data from the indicator not covered by the other indicator properties may be placed. Data placed into additionalInformation will typically not be used by the targetProduct security tool. |
| MicrosoftATP.Indicators.azureTenantId | String | Stamped by the system when the indicator is ingested. The Azure Active Directory tenant ID of the submitting client. |
| MicrosoftATP.Indicators.confidence | Number | An integer representing the confidence with which the data within the indicator accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest. |
| MicrosoftATP.Indicators.description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| MicrosoftATP.Indicators.diamondModel | String | The area of the Diamond Model in which this indicator exists. Possible values are: unknown, adversary, capability, infrastructure, victim. |
| MicrosoftATP.Indicators.domainName | String | Domain name associated with this indicator. Should be in the format subdomain.domain.topleveldomain. |
| MicrosoftATP.Indicators.emailEncoding | String | The type of text encoding used in the email. |
| MicrosoftATP.Indicators.emailLanguage | String | The language of the email. |
| MicrosoftATP.Indicators.emailRecipient | String | Recipient email address. |
| MicrosoftATP.Indicators.emailSenderAddress | String | Email address of the attacker. |
| MicrosoftATP.Indicators.emailSenderName | String | Display name of the attacker. |
| MicrosoftATP.Indicators.emailSourceDomain | String | Domain used in the email. |
| MicrosoftATP.Indicators.emailSourceIpAddress | String | Source IP address of the email. |
| MicrosoftATP.Indicators.emailSubject | String | Subject line of the email. |
| MicrosoftATP.Indicators.emailXMailer | String | X-Mailer value used in the email. |
| MicrosoftATP.Indicators.expirationDateTime | Date | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.externalId | String | An identification number that ties the indicator back to the indicator provider's system (e.g. a foreign key). |
| MicrosoftATP.Indicators.fileCompileDateTime | Date | DateTime when the file was compiled. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileCreatedDateTime | Date | DateTime when the file was created. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileHashType | String | The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. |
| MicrosoftATP.Indicators.fileHashValue | String | The file hash value. |
| MicrosoftATP.Indicators.fileMutexName | String | Mutex name used in file-based detections. |
| MicrosoftATP.Indicators.fileName | String | Name of the file if the indicator is file-based. Supports a comma-separated list of file names. |
| MicrosoftATP.Indicators.filePacker | String | The packer used to build the file in question. |
| MicrosoftATP.Indicators.filePath | String | Path of the file indicating a compromise. May be Windows or *nix style. |
| MicrosoftATP.Indicators.fileSize | Number | Size of the file in bytes. |
| MicrosoftATP.Indicators.fileType | String | Text description of the type of file. For example, "Word Document" or "Binary". |
| MicrosoftATP.Indicators.ingestedDateTime | Date | Stamped by the system when the indicator is ingested. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.isActive | Boolean | Used to deactivate indicators within the system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to 'False' to deactivate indicators in the system. |
| MicrosoftATP.Indicators.knownFalsePositives | String | Scenarios in which the indicator may cause false positives. This should be human-readable text. |
| MicrosoftATP.Indicators.lastReportedDateTime | Date | The last time the indicator was seen. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.networkCidrBlock | String | CIDR Block notation representation of the network referenced in this indicator. Use only if the Source and Destination cannot be identified. |
| MicrosoftATP.Indicators.networkDestinationAsn | Number | The destination autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkDestinationCidrBlock | String | CIDR Block notation representation of the destination network in this indicator. |
| MicrosoftATP.Indicators.networkDestinationIPv4 | String | IPv4 IP address destination. |
| MicrosoftATP.Indicators.networkDestinationIPv6 | String | IPv6 IP address destination. |
| MicrosoftATP.Indicators.networkDestinationPort | Number | TCP port destination. |
| MicrosoftATP.Indicators.networkIPv4 | String | IPv4 IP address. |
| MicrosoftATP.Indicators.networkIPv6 | String | IPv6 IP address. |
| MicrosoftATP.Indicators.networkPort | Number | TCP port. |
| MicrosoftATP.Indicators.networkProtocol | Number | Decimal representation of the protocol field in the IPv4 header. |
| MicrosoftATP.Indicators.networkSourceAsn | Number | The source autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkSourceCidrBlock | String | CIDR Block notation representation of the source network in this indicator. |
| MicrosoftATP.Indicators.networkSourceIPv4 | String | IPv4 IP address source. |
| MicrosoftATP.Indicators.networkSourceIPv6 | String | IPv6 IP address source. |
| MicrosoftATP.Indicators.networkSourcePort | Number | TCP port source. |
| MicrosoftATP.Indicators.passiveOnly | Boolean | Determines if the indicator should trigger an event that is visible to an end user. When set to 'true', security tools will not notify the end user that a 'hit' has occurred. This is most often treated as audit or silent mode by security products, where they will simply log that a match occurred but will not perform the action. Default value is false. |
| MicrosoftATP.Indicators.severity | Number | Severity of the malicious behavior identified by the data within the indicator. Possible values are 0 – 5, where 5 is the most severe and zero is not severe at all. Default is 3. |
| MicrosoftATP.Indicators.targetProduct | String | A string value representing a single security product to which the indicator should be applied. |
| MicrosoftATP.Indicators.threatType | String | Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. |
| MicrosoftATP.Indicators.tlpLevel | String | Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. |
| MicrosoftATP.Indicators.url | String | Uniform Resource Locator. This URL complies with RFC 1738. |
| MicrosoftATP.Indicators.userAgent | String | User-Agent string from a web request that could indicate compromise. |
| MicrosoftATP.Indicators.vendorInformation | String | Information about the vendor. |

Command Example#

!microsoft-atp-indicator-get-by-id indicator_id=17

Context Example#

{
"MicrosoftATP": {
"Indicators": {
"action": "block",
"activityGroupNames": [],
"azureTenantId": "TENANT-ID",
"description": "Title: Indicator example.com of type DomainName, Description: A description!",
"domainName": "example.com",
"expirationDateTime": "2020-09-02T17:17:57Z",
"id": "17",
"ingestedDateTime": "2020-08-26T17:18:00.0537984Z",
"isActive": true,
"killChain": [],
"malwareFamilyNames": [],
"severity": 2,
"tags": [],
"targetProduct": "Microsoft Defender ATP"
}
}
}

Human Readable Output#

Indicators from Microsoft ATP:#

| id | action | severity | domainName |
| --- | --- | --- | --- |
| 17 | block | 2 | example.com |

microsoft-atp-indicator-create-network#


Deprecated. Use the microsoft-atp-sc-indicator-create command instead. Creates a network indicator.

Base Command#

microsoft-atp-indicator-create-network

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert. | Required |
| description | Brief description (100 characters or less) of the threat represented by the indicator. | Required |
| expiration_time | How long until the indicator expires, given as a relative duration in the format <number> <time unit> (e.g., 12 hours, 7 days). The integration converts it into the ISO 8601 UTC expirationDateTime shown in the context output. | Required |
| threat_type | Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. | Required |
| tlp_level | Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, or amber. | Optional |
| confidence | An integer representing the confidence with which the data within the indicator accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest. | Optional |
| severity | The severity of the malicious behavior identified by the data within the indicator. Possible values, from least to most severe, are: Informational, Low, MediumLow, MediumHigh, High. The created indicator reports severity as a number (0 – 5, where 5 is the most severe and zero is not severe at all). | Optional |
| tags | A comma-separated list that stores arbitrary tags/keywords. | Optional |
| domain_name | Domain name associated with this indicator. Should be in the format subdomain.domain.topleveldomain (for example, example.domain.net). | Optional |
| network_cidr_block | CIDR Block notation representation of the network referenced in this indicator. Use only if the Source and Destination cannot be identified. | Optional |
| network_destination_asn | The destination autonomous system identifier of the network referenced in the indicator. | Optional |
| network_destination_cidr_block | CIDR Block notation representation of the destination network in this indicator. | Optional |
| network_destination_ipv4 | IPv4 IP address destination. | Optional |
| network_destination_ipv6 | IPv6 IP address destination. | Optional |
| network_destination_port | TCP port destination. | Optional |
| network_ipv4 | IPv4 IP address. Use only if the Source and Destination cannot be identified. | Optional |
| network_ipv6 | IPv6 IP address. Use only if the Source and Destination cannot be identified. | Optional |
| network_port | TCP port. Use only if the Source and Destination cannot be identified. | Optional |
| network_protocol | Decimal representation of the protocol field in the IPv4 header. | Optional |
| network_source_asn | The source autonomous system identifier of the network referenced in the indicator. | Optional |
| network_source_cidr_block | CIDR Block notation representation of the source network in this indicator. | Optional |
| network_source_ipv4 | IPv4 IP address source. | Optional |
| network_source_ipv6 | IPv6 IP address source. | Optional |
| network_source_port | TCP port source. | Optional |
| url | Uniform Resource Locator. This URL must comply with RFC 1738. | Optional |
| user_agent | User-Agent string from a web request that could indicate compromise. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.action | String | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert. |
| MicrosoftATP.Indicators.additionalInformation | String | A catchall area into which extra data from the indicator not covered by the other indicator properties may be placed. Data placed into additionalInformation will typically not be used by the targetProduct security tool. |
| MicrosoftATP.Indicators.azureTenantId | String | Stamped by the system when the indicator is ingested. The Azure Active Directory tenant ID of the submitting client. |
| MicrosoftATP.Indicators.confidence | Number | An integer representing the confidence with which the data within the indicator accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest. |
| MicrosoftATP.Indicators.description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| MicrosoftATP.Indicators.diamondModel | String | The area of the Diamond Model in which this indicator exists. Possible values are: unknown, adversary, capability, infrastructure, victim. |
| MicrosoftATP.Indicators.domainName | String | Domain name associated with this indicator. Should be in the format subdomain.domain.topleveldomain. |
| MicrosoftATP.Indicators.emailEncoding | String | The type of text encoding used in the email. |
| MicrosoftATP.Indicators.emailLanguage | String | The language of the email. |
| MicrosoftATP.Indicators.emailRecipient | String | Recipient email address. |
| MicrosoftATP.Indicators.emailSenderAddress | String | Email address of the attacker. |
| MicrosoftATP.Indicators.emailSenderName | String | Display name of the attacker. |
| MicrosoftATP.Indicators.emailSourceDomain | String | Domain used in the email. |
| MicrosoftATP.Indicators.emailSourceIpAddress | String | Source IP address of the email. |
| MicrosoftATP.Indicators.emailSubject | String | Subject line of the email. |
| MicrosoftATP.Indicators.emailXMailer | String | X-Mailer value used in the email. |
| MicrosoftATP.Indicators.expirationDateTime | Date | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.externalId | String | An identification number that ties the indicator back to the indicator provider's system (e.g. a foreign key). |
| MicrosoftATP.Indicators.fileCompileDateTime | Date | DateTime when the file was compiled. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileCreatedDateTime | Date | DateTime when the file was created. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileHashType | String | The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. |
| MicrosoftATP.Indicators.fileHashValue | String | The file hash value. |
| MicrosoftATP.Indicators.fileMutexName | String | Mutex name used in file-based detections. |
| MicrosoftATP.Indicators.fileName | String | Name of the file if the indicator is file-based. Supports a comma-separated list of file names. |
| MicrosoftATP.Indicators.filePacker | String | The packer used to build the file in question. |
| MicrosoftATP.Indicators.filePath | String | Path of the file indicating a compromise. May be Windows or *nix style. |
| MicrosoftATP.Indicators.fileSize | Number | Size of the file in bytes. |
| MicrosoftATP.Indicators.fileType | String | Text description of the type of file. For example, "Word Document" or "Binary". |
| MicrosoftATP.Indicators.ingestedDateTime | Date | Stamped by the system when the indicator is ingested. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.isActive | Boolean | Used to deactivate indicators within the system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to 'False' to deactivate indicators in the system. |
| MicrosoftATP.Indicators.knownFalsePositives | String | Scenarios in which the indicator may cause false positives. This should be human-readable text. |
| MicrosoftATP.Indicators.lastReportedDateTime | Date | The last time the indicator was seen. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.networkCidrBlock | String | CIDR Block notation representation of the network referenced in this indicator. Use only if the Source and Destination cannot be identified. |
| MicrosoftATP.Indicators.networkDestinationAsn | Number | The destination autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkDestinationCidrBlock | String | CIDR Block notation representation of the destination network in this indicator. |
| MicrosoftATP.Indicators.networkDestinationIPv4 | String | IPv4 IP address destination. |
| MicrosoftATP.Indicators.networkDestinationIPv6 | String | IPv6 IP address destination. |
| MicrosoftATP.Indicators.networkDestinationPort | Number | TCP port destination. |
| MicrosoftATP.Indicators.networkIPv4 | String | IPv4 IP address. |
| MicrosoftATP.Indicators.networkIPv6 | String | IPv6 IP address. |
| MicrosoftATP.Indicators.networkPort | Number | TCP port. |
| MicrosoftATP.Indicators.networkProtocol | Number | Decimal representation of the protocol field in the IPv4 header. |
| MicrosoftATP.Indicators.networkSourceAsn | Number | The source autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkSourceCidrBlock | String | CIDR Block notation representation of the source network in this indicator. |
| MicrosoftATP.Indicators.networkSourceIPv4 | String | IPv4 IP address source. |
| MicrosoftATP.Indicators.networkSourceIPv6 | String | IPv6 IP address source. |
| MicrosoftATP.Indicators.networkSourcePort | Number | TCP port source. |
| MicrosoftATP.Indicators.passiveOnly | Boolean | Determines if the indicator should trigger an event that is visible to an end user. When set to 'true', security tools will not notify the end user that a 'hit' has occurred. This is most often treated as audit or silent mode by security products, where they will simply log that a match occurred but will not perform the action. Default value is false. |
| MicrosoftATP.Indicators.severity | Number | Severity of the malicious behavior identified by the data within the indicator. Possible values are 0 – 5, where 5 is the most severe and zero is not severe at all. Default is 3. |
| MicrosoftATP.Indicators.targetProduct | String | A string value representing a single security product to which the indicator should be applied. |
| MicrosoftATP.Indicators.threatType | String | Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. |
| MicrosoftATP.Indicators.tlpLevel | String | Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. |
| MicrosoftATP.Indicators.url | String | Uniform Resource Locator. This URL complies with RFC 1738. |
| MicrosoftATP.Indicators.userAgent | String | User-Agent string from a web request that could indicate compromise. |
| MicrosoftATP.Indicators.vendorInformation | String | Information about the vendor. |

Command Example#

!microsoft-atp-indicator-create-network action=unknown description="A description!" expiration_time="7 days" threat_type=CryptoMining domain_name="example.com"

Context Example#

{
"MicrosoftATP": {
"Indicators": {
"action": "block",
"activityGroupNames": [],
"azureTenantId": "TENANT-ID",
"description": "Title: Indicator example.com of type DomainName, Description: A description!",
"domainName": "example.com",
"expirationDateTime": "2020-09-02T17:17:57Z",
"id": "17",
"ingestedDateTime": "2020-08-26T17:18:00.0537984Z",
"isActive": true,
"killChain": [],
"malwareFamilyNames": [],
"severity": 2,
"tags": [],
"targetProduct": "Microsoft Defender ATP"
}
}
}

Human Readable Output#

Indicator 17 was successfully created:#

| id | action | severity | domainName |
| --- | --- | --- | --- |
| 17 | block | 2 | example.com |
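Most of the arguments above carry a constraint the API enforces only after the request is sent: the description limit, the enumerated action, threat_type and tlp_level values, the named severity, and an expiration_time that is a relative duration rather than a timestamp. As an added example (not the integration's own code), the following Python checks those constraints locally and builds the indicator payload with the field names used in the context output; the same handling of action, description, expiration_time, threat_type, tlp_level, confidence and severity applies to the file-indicator arguments of microsoft-atp-indicator-create-file. Assumptions not stated on this page: the mapping of the named severities onto the 0 – 5 scale (Informational 0 through High 4), the IP, CIDR, domain and URL syntax checks, and the accepted time units (minutes, hours, days, weeks). The sample ingestion time is taken from the command example above.

```python
"""Added example (not the integration's code): validate the arguments of the deprecated
microsoft-atp-indicator-create-network command and build the payload whose field names
are the context output paths above. Assumptions are marked in comments."""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

ACTIONS = {"unknown", "allow", "block", "alert"}
TLP_LEVELS = {"unknown", "white", "green", "amber", "red"}
THREAT_TYPES = {"Botnet", "C2", "CryptoMining", "Darknet", "DDoS", "MaliciousUrl",
                "Malware", "Phishing", "Proxy", "PUA", "WatchList"}
# Assumption: where the command's named severities fall on the API's 0-5 scale.
SEVERITY_TO_NUMBER = {"Informational": 0, "Low": 1, "MediumLow": 2, "MediumHigh": 3, "High": 4}
_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}  # assumed units
_DOMAIN = r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}"
_URL = r"[a-z][a-z0-9+.-]*://\S+"
SAMPLE_NOW = datetime(2020, 8, 26, 17, 17, 57, tzinfo=timezone.utc)  # ingestion time in the example above


def parse_expiration(spec: str, now: datetime | None = None) -> str:
    """'<number> <time unit>' (e.g. '7 days') -> ISO 8601 UTC expirationDateTime."""
    m = re.fullmatch(r"\s*(\d+)\s+([A-Za-z]+)\s*", spec)
    if not m:
        raise ValueError(f"expiration_time must be '<number> <time unit>', got {spec!r}")
    amount, unit = int(m.group(1)), m.group(2).lower().rstrip("s")
    if amount <= 0 or unit not in _UNITS:
        raise ValueError(f"unsupported expiration_time {spec!r}")
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(**{_UNITS[unit]: amount})).strftime("%Y-%m-%dT%H:%M:%SZ")


def _bounded_int(lo: int, hi: int):
    def check(v) -> int:
        n = int(v)
        if not lo <= n <= hi:
            raise ValueError(f"value {v!r} outside {lo}-{hi}")
        return n
    return check


def _matching(pattern: str, what: str):
    def check(v: str) -> str:
        if not re.fullmatch(pattern, v, re.I):
            raise ValueError(f"not a valid {what}: {v!r}")
        return v.lower() if what == "domain name" else v
    return check


def _ipv4(v: str) -> str: return str(ipaddress.IPv4Address(v))  # ValueError if malformed
def _ipv6(v: str) -> str: return str(ipaddress.IPv6Address(v))
def _cidr(v: str) -> str: return str(ipaddress.ip_network(v, strict=True))  # rejects host bits set


# command argument -> (payload field as named in the context output, validator)
_PORT, _ASN = _bounded_int(1, 65535), _bounded_int(0, 2**32 - 1)
NETWORK_FIELDS = {
    "domain_name": ("domainName", _matching(_DOMAIN, "domain name")),
    "url": ("url", _matching(_URL, "absolute URL")),
    "user_agent": ("userAgent", str),
    "network_protocol": ("networkProtocol", _bounded_int(0, 255)),
}
for _side, _prefix in (("", "network"), ("source_", "networkSource"), ("destination_", "networkDestination")):
    NETWORK_FIELDS[f"network_{_side}cidr_block"] = (f"{_prefix}CidrBlock", _cidr)
    NETWORK_FIELDS[f"network_{_side}ipv4"] = (f"{_prefix}IPv4", _ipv4)
    NETWORK_FIELDS[f"network_{_side}ipv6"] = (f"{_prefix}IPv6", _ipv6)
    NETWORK_FIELDS[f"network_{_side}port"] = (f"{_prefix}Port", _PORT)
    if _side:  # only source and destination ASN fields exist
        NETWORK_FIELDS[f"network_{_side}asn"] = (f"{_prefix}Asn", _ASN)


def build_network_indicator(args: dict, now: datetime | None = None) -> dict:
    """Apply the documented constraints and return the payload; raise ValueError otherwise."""
    for key in ("action", "description", "expiration_time", "threat_type"):
        if not args.get(key):
            raise ValueError(f"missing required argument {key!r}")
    if args["action"] not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if args["threat_type"] not in THREAT_TYPES:  # case-sensitive: 'Cryptomining' is rejected
        raise ValueError(f"threat_type must be one of {sorted(THREAT_TYPES)}")
    if len(args["description"]) > 100:
        raise ValueError("description must be 100 characters or less")
    if "tlp_level" in args and args["tlp_level"] not in TLP_LEVELS:
        raise ValueError(f"tlp_level must be one of {sorted(TLP_LEVELS)}")
    if "severity" in args and args["severity"] not in SEVERITY_TO_NUMBER:
        raise ValueError(f"severity must be one of {list(SEVERITY_TO_NUMBER)}")
    payload = {
        "action": args["action"],
        "description": args["description"],
        "expirationDateTime": parse_expiration(args["expiration_time"], now),
        "threatType": args["threat_type"],
        "targetProduct": "Microsoft Defender ATP",
    }
    if "tlp_level" in args:
        payload["tlpLevel"] = args["tlp_level"]
    if "confidence" in args:
        payload["confidence"] = _bounded_int(0, 100)(args["confidence"])
    if "severity" in args:
        payload["severity"] = SEVERITY_TO_NUMBER[args["severity"]]
    observables = [arg for arg in NETWORK_FIELDS if arg in args]
    if not observables:
        raise ValueError("a network indicator needs at least one network observable")
    for arg in observables:
        payload[NETWORK_FIELDS[arg][0]] = NETWORK_FIELDS[arg][1](args[arg])
    return payload
```

Run against the command example above (expiration_time="7 days", threat_type=CryptoMining, domain_name="example.com") with SAMPLE_NOW as the reference time, build_network_indicator returns an expirationDateTime of 2020-09-02T17:17:57Z, the value shown in the context example. The enumerated values are matched case-sensitively, as listed in the context output, and a CIDR block with host bits set (10.0.0.1/8) is rejected rather than silently normalized.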

microsoft-atp-indicator-create-file#


Deprecated. Use the microsoft-atp-sc-indicator-create command instead. Creates a file indicator.

Base Command#

microsoft-atp-indicator-create-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action | The action to apply if the indicator is matched from within the targetProduct security tool. | Required |
| description | Brief description (100 characters or less) of the threat represented by the indicator. | Required |
| expiration_time | DateTime string indicating when the indicator expires. Format: (<number> <time unit>, e.g., 12 hours, 7 days). | Required |
| threat_type | Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, or WatchList. | Required |
| tlp_level | Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, or amber. | Optional |
| confidence | An integer representing the confidence with which the data within the indicator accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest. | Optional |
| severity | The severity of the malicious behavior identified by the data within the indicator. Possible values are Informational, Low, MediumLow, MediumHigh, High, where High is the most severe and Informational is not severe at all. | Optional |
| tags | A comma-separated list that stores arbitrary tags/keywords. | Optional |
| file_compile_date_time | DateTime when the file was compiled. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. | Optional |
| file_created_date_time | DateTime when the file was created, in the same ISO 8601 UTC format, for example '2014-01-01T00:00:00Z'. | Optional |
| file_hash_type | The type of hash stored in file_hash_value. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, or ctph. | Optional |
| file_hash_value | The file hash value. | Optional |
| file_mutex_name | Mutex name used in file-based detections. | Optional |
| file_name | Name of the file if the indicator is file-based. Supports a comma-separated list of file names. | Optional |
| file_packer | The packer used to build the file in question. | Optional |
| file_path | Path of the file indicating a compromise. Can be a Windows or *nix style path. | Optional |
| file_size | Size of the file in bytes. | Optional |
| file_type | Text description of the type of file. For example, "Word Document" or "Binary". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.action | String | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert. |
| MicrosoftATP.Indicators.additionalInformation | String | A catchall area into which extra data from the indicator not covered by the other indicator properties may be placed. Data placed into additionalInformation will typically not be used by the targetProduct security tool. |
| MicrosoftATP.Indicators.azureTenantId | String | The Azure AD tenant ID of the client that submitted the indicator. Stamped by the system when the indicator is ingested. |
| MicrosoftATP.Indicators.confidence | Number | An integer representing the confidence with which the data within the indicator accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest. |
| MicrosoftATP.Indicators.description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| MicrosoftATP.Indicators.diamondModel | String | The area of the Diamond Model in which this indicator exists. Possible values are: unknown, adversary, capability, infrastructure, victim. |
| MicrosoftATP.Indicators.domainName | String | Domain name associated with this indicator. Should be in the format subdomain.domain.topleveldomain. |
| MicrosoftATP.Indicators.emailEncoding | String | The type of text encoding used in the email. |
| MicrosoftATP.Indicators.emailLanguage | String | The language of the email. |
| MicrosoftATP.Indicators.emailRecipient | String | Recipient email address. |
| MicrosoftATP.Indicators.emailSenderAddress | String | Email address of the attacker. |
| MicrosoftATP.Indicators.emailSenderName | String | Display name of the attacker. |
| MicrosoftATP.Indicators.emailSourceDomain | String | Domain used in the email. |
| MicrosoftATP.Indicators.emailSourceIpAddress | String | Source IP address of the email. |
| MicrosoftATP.Indicators.emailSubject | String | Subject line of the email. |
| MicrosoftATP.Indicators.emailXMailer | String | X-Mailer value used in the email. |
| MicrosoftATP.Indicators.expirationDateTime | Date | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.externalId | String | An identification number that ties the indicator back to the indicator provider's system (e.g. a foreign key). |
| MicrosoftATP.Indicators.fileCompileDateTime | Date | DateTime when the file was compiled, in ISO 8601 format and always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileCreatedDateTime | Date | DateTime when the file was created, in ISO 8601 format and always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileHashType | String | The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. |
| MicrosoftATP.Indicators.fileHashValue | String | The file hash value. |
| MicrosoftATP.Indicators.fileMutexName | String | Mutex name used in file-based detections. |
| MicrosoftATP.Indicators.fileName | String | Name of the file if the indicator is file-based. Supports a comma-separated list of file names. |
| MicrosoftATP.Indicators.filePacker | String | The packer used to build the file in question. |
| MicrosoftATP.Indicators.filePath | String | Path of the file indicating a compromise. May be a Windows or *nix style path. |
| MicrosoftATP.Indicators.fileSize | Number | Size of the file in bytes. |
| MicrosoftATP.Indicators.fileType | String | Text description of the type of file. For example, "Word Document" or "Binary". |
| MicrosoftATP.Indicators.ingestedDateTime | Date | Stamped by the system when the indicator is ingested. ISO 8601 format, always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.isActive | Boolean | Used to deactivate indicators within the system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to 'False' to deactivate indicators in the system. |
| MicrosoftATP.Indicators.knownFalsePositives | String | Scenarios in which the indicator may cause false positives. This should be human-readable text. |
| MicrosoftATP.Indicators.lastReportedDateTime | Date | The last time the indicator was seen. ISO 8601 format, always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.networkCidrBlock | String | CIDR block notation representation of the network referenced in this indicator. Use only if the source and destination cannot be identified. |
| MicrosoftATP.Indicators.networkDestinationAsn | Number | The destination autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkDestinationCidrBlock | String | CIDR block notation representation of the destination network in this indicator. |
| MicrosoftATP.Indicators.networkDestinationIPv4 | String | IPv4 destination address. |
| MicrosoftATP.Indicators.networkDestinationIPv6 | String | IPv6 destination address. |
| MicrosoftATP.Indicators.networkDestinationPort | Number | TCP destination port. |
| MicrosoftATP.Indicators.networkIPv4 | String | IPv4 address. |
| MicrosoftATP.Indicators.networkIPv6 | String | IPv6 address. |
| MicrosoftATP.Indicators.networkPort | Number | TCP port. |
| MicrosoftATP.Indicators.networkProtocol | Number | Decimal representation of the protocol field in the IPv4 header. |
| MicrosoftATP.Indicators.networkSourceAsn | Number | The source autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkSourceCidrBlock | String | CIDR block notation representation of the source network in this indicator. |
| MicrosoftATP.Indicators.networkSourceIPv4 | String | IPv4 source address. |
| MicrosoftATP.Indicators.networkSourceIPv6 | String | IPv6 source address. |
| MicrosoftATP.Indicators.networkSourcePort | Number | TCP source port. |
| MicrosoftATP.Indicators.passiveOnly | Boolean | Determines if the indicator should trigger an event that is visible to an end user. When set to 'true', security tools will not notify the end user that a 'hit' has occurred. This is most often treated as audit or silent mode by security products, where they simply log that a match occurred but do not perform the action. Default value is false. |
| MicrosoftATP.Indicators.severity | Number | Severity of the malicious behavior identified by the data within the indicator. Possible values are 0 – 5, where 5 is the most severe and zero is not severe at all. Default is 3. |
| MicrosoftATP.Indicators.targetProduct | String | A string value representing a single security product to which the indicator should be applied. |
| MicrosoftATP.Indicators.threatType | String | Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. |
| MicrosoftATP.Indicators.tlpLevel | String | Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, or amber. |
| MicrosoftATP.Indicators.url | String | Uniform Resource Locator. This URL complies with RFC 1738. |
| MicrosoftATP.Indicators.userAgent | String | User-Agent string from a web request that could indicate compromise. |
| MicrosoftATP.Indicators.vendorInformation | String | Information about the vendor. |

Command Example#

!microsoft-atp-indicator-create-file action=allow description="A description" expiration_time="3 days" threat_type=Darknet confidence=23 file_hash_type=sha256 file_hash_value=50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c

Context Example#

{
"MicrosoftATP": {
"Indicators": {
"action": "allow",
"activityGroupNames": [],
"azureTenantId": "TENANT-ID",
"description": "Title: Indicator 50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c of type FileSha256, Description: A description",
"expirationDateTime": "2020-08-29T17:18:01Z",
"fileHashType": "sha256",
"fileHashValue": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
"id": "18",
"ingestedDateTime": "2020-08-26T17:18:03.5249643Z",
"isActive": true,
"killChain": [],
"malwareFamilyNames": [],
"severity": 2,
"tags": [],
"targetProduct": "Microsoft Defender ATP"
}
}
}

Human Readable Output#

Indicator 18 was successfully created:#

| id | action | severity | fileHashType | fileHashValue |
| --- | --- | --- | --- | --- |
| 18 | allow | 2 | sha256 | 50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c |

microsoft-atp-indicator-update#


Deprecated. Use the microsoft-atp-sc-indicator-update command instead. Updates the specified indicator.

Base Command#

microsoft-atp-indicator-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_id | The ID of the indicator to update. | Required |
| severity | The severity of the malicious behavior identified by the data within the indicator. Possible values are Informational, Low, MediumLow, MediumHigh, High, where High is the most severe and Informational is not severe at all. | Optional |
| expiration_time | DateTime string indicating when the indicator expires. Format: (<number> <time unit>, e.g., 12 hours, 7 days). | Required |
| description | Brief description (100 characters or less) of the threat represented by the indicator. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.action | String | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert. |
| MicrosoftATP.Indicators.additionalInformation | String | A catchall area into which extra data from the indicator not covered by the other indicator properties may be placed. Data placed into additionalInformation will typically not be used by the targetProduct security tool. |
| MicrosoftATP.Indicators.azureTenantId | String | The Azure AD tenant ID of the client that submitted the indicator. Stamped by the system when the indicator is ingested. |
| MicrosoftATP.Indicators.confidence | Number | An integer representing the confidence with which the data within the indicator accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest. |
| MicrosoftATP.Indicators.description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| MicrosoftATP.Indicators.diamondModel | String | The area of the Diamond Model in which this indicator exists. Possible values are: unknown, adversary, capability, infrastructure, victim. |
| MicrosoftATP.Indicators.domainName | String | Domain name associated with this indicator. Should be in the format subdomain.domain.topleveldomain. |
| MicrosoftATP.Indicators.emailEncoding | String | The type of text encoding used in the email. |
| MicrosoftATP.Indicators.emailLanguage | String | The language of the email. |
| MicrosoftATP.Indicators.emailRecipient | String | Recipient email address. |
| MicrosoftATP.Indicators.emailSenderAddress | String | Email address of the attacker. |
| MicrosoftATP.Indicators.emailSenderName | String | Display name of the attacker. |
| MicrosoftATP.Indicators.emailSourceDomain | String | Domain used in the email. |
| MicrosoftATP.Indicators.emailSourceIpAddress | String | Source IP address of the email. |
| MicrosoftATP.Indicators.emailSubject | String | Subject line of the email. |
| MicrosoftATP.Indicators.emailXMailer | String | X-Mailer value used in the email. |
| MicrosoftATP.Indicators.expirationDateTime | Date | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.externalId | String | An identification number that ties the indicator back to the indicator provider's system (e.g. a foreign key). |
| MicrosoftATP.Indicators.fileCompileDateTime | Date | DateTime when the file was compiled, in ISO 8601 format and always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileCreatedDateTime | Date | DateTime when the file was created, in ISO 8601 format and always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.fileHashType | String | The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. |
| MicrosoftATP.Indicators.fileHashValue | String | The file hash value. |
| MicrosoftATP.Indicators.fileMutexName | String | Mutex name used in file-based detections. |
| MicrosoftATP.Indicators.fileName | String | Name of the file if the indicator is file-based. Supports a comma-separated list of file names. |
| MicrosoftATP.Indicators.filePacker | String | The packer used to build the file in question. |
| MicrosoftATP.Indicators.filePath | String | Path of the file indicating a compromise. May be a Windows or *nix style path. |
| MicrosoftATP.Indicators.fileSize | Number | Size of the file in bytes. |
| MicrosoftATP.Indicators.fileType | String | Text description of the type of file. For example, "Word Document" or "Binary". |
| MicrosoftATP.Indicators.ingestedDateTime | Date | Stamped by the system when the indicator is ingested. ISO 8601 format, always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.isActive | Boolean | Used to deactivate indicators within the system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to 'False' to deactivate indicators in the system. |
| MicrosoftATP.Indicators.knownFalsePositives | String | Scenarios in which the indicator may cause false positives. This should be human-readable text. |
| MicrosoftATP.Indicators.lastReportedDateTime | Date | The last time the indicator was seen. ISO 8601 format, always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.networkCidrBlock | String | CIDR block notation representation of the network referenced in this indicator. Use only if the source and destination cannot be identified. |
| MicrosoftATP.Indicators.networkDestinationAsn | Number | The destination autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkDestinationCidrBlock | String | CIDR block notation representation of the destination network in this indicator. |
| MicrosoftATP.Indicators.networkDestinationIPv4 | String | IPv4 destination address. |
| MicrosoftATP.Indicators.networkDestinationIPv6 | String | IPv6 destination address. |
| MicrosoftATP.Indicators.networkDestinationPort | Number | TCP destination port. |
| MicrosoftATP.Indicators.networkIPv4 | String | IPv4 address. |
| MicrosoftATP.Indicators.networkIPv6 | String | IPv6 address. |
| MicrosoftATP.Indicators.networkPort | Number | TCP port. |
| MicrosoftATP.Indicators.networkProtocol | Number | Decimal representation of the protocol field in the IPv4 header. |
| MicrosoftATP.Indicators.networkSourceAsn | Number | The source autonomous system identifier of the network referenced in the indicator. |
| MicrosoftATP.Indicators.networkSourceCidrBlock | String | CIDR block notation representation of the source network in this indicator. |
| MicrosoftATP.Indicators.networkSourceIPv4 | String | IPv4 source address. |
| MicrosoftATP.Indicators.networkSourceIPv6 | String | IPv6 source address. |
| MicrosoftATP.Indicators.networkSourcePort | Number | TCP source port. |
| MicrosoftATP.Indicators.passiveOnly | Boolean | Determines if the indicator should trigger an event that is visible to an end user. When set to 'true', security tools will not notify the end user that a 'hit' has occurred. This is most often treated as audit or silent mode by security products, where they simply log that a match occurred but do not perform the action. Default value is false. |
| MicrosoftATP.Indicators.severity | Number | Severity of the malicious behavior identified by the data within the indicator. Possible values are 0 – 5, where 5 is the most severe and zero is not severe at all. Default is 3. |
| MicrosoftATP.Indicators.targetProduct | String | A string value representing a single security product to which the indicator should be applied. |
| MicrosoftATP.Indicators.threatType | String | Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. |
| MicrosoftATP.Indicators.tlpLevel | String | Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, or amber. |
| MicrosoftATP.Indicators.url | String | Uniform Resource Locator. This URL complies with RFC 1738. |
| MicrosoftATP.Indicators.userAgent | String | User-Agent string from a web request that could indicate compromise. |
| MicrosoftATP.Indicators.vendorInformation | String | Information about the vendor. |

Command Example#

!microsoft-atp-indicator-update expiration_time="2 days" indicator_id=18

Context Example#

{
"MicrosoftATP": {
"Indicators": {
"action": "allow",
"activityGroupNames": [],
"azureTenantId": "TENANT-ID",
"description": "Title: Indicator 50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c of type FileSha256, Description: A description",
"expirationDateTime": "2020-08-28T17:21:15Z",
"fileHashType": "sha256",
"fileHashValue": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
"id": "18",
"ingestedDateTime": "2020-08-26T17:18:03.5249643Z",
"isActive": true,
"killChain": [],
"malwareFamilyNames": [],
"severity": 0,
"tags": [],
"targetProduct": "Microsoft Defender ATP"
}
}
}

Human Readable Output#

Indicator ID: 18 was updated successfully.#

| action | azureTenantId | description | expirationDateTime | fileHashType | fileHashValue | id | ingestedDateTime | isActive | severity | targetProduct |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| allow | TENANT-ID | Title: Indicator 50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c of type FileSha256, Description: A description | 2020-08-28T17:21:15Z | sha256 | 50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c | 18 | 2020-08-26T17:18:03.5249643Z | true | 0 | Microsoft Defender ATP |

microsoft-atp-indicator-delete#


Deprecated. Use the microsoft-atp-sc-indicator-delete command instead. Deletes the specified indicator.

Base Command#

microsoft-atp-indicator-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_id | The ID of the indicator to delete. | Required |

Context Output#

There is no context output for this command.

Command Example#

!microsoft-atp-indicator-delete indicator_id=18

Human Readable Output#

Indicator ID: 18 was successfully deleted

microsoft-atp-sc-indicator-list#


Lists all indicators by the ID that the system creates when the indicator is ingested.

Permissions#

Ti.ReadWrite

Base Command#

microsoft-atp-sc-indicator-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.action | String | The action taken if the indicator is discovered in the organization. Possible values: "Alert", "AlertAndBlock", and "Allowed" (the values accepted by the action argument of microsoft-atp-sc-indicator-update). |
| MicrosoftATP.Indicators.description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| MicrosoftATP.Indicators.expirationTime | Date | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. ISO 8601 format, always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.severity | String | The severity of the malicious behavior identified by the data within the indicator. Possible values: "Informational", "Low", "Medium", and "High", where High is the most severe and Informational is not severe at all. |
| MicrosoftATP.Indicators.indicatorValue | String | The value of the indicator. |
| MicrosoftATP.Indicators.recommendedActions | String | Recommended actions for the indicator. |
| MicrosoftATP.Indicators.generateAlert | Boolean | Whether an alert was generated. |
| MicrosoftATP.Indicators.rbacGroupNames | Unknown | A list of RBAC device group names where the indicator is exposed and active. Empty list if it is exposed to all devices. |
| MicrosoftATP.Indicators.mitreTechniques | Unknown | A list of MITRE techniques. |
| MicrosoftATP.Indicators.indicatorType | String | Indicator type. Possible values: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". |
| MicrosoftATP.Indicators.lastUpdateTime | Date | The last time the indicator was updated. |
| MicrosoftATP.Indicators.createdByDisplayName | String | Display name of the application that created the indicator. |
| MicrosoftATP.Indicators.application | String | The application associated with the indicator. |
| MicrosoftATP.Indicators.title | String | Indicator title. |
| MicrosoftATP.Indicators.createdBySource | String | Source of indicator creation. For example, PublicApi. |
| MicrosoftATP.Indicators.historicalDetection | Boolean | Whether a historical detection exists. |
| MicrosoftATP.Indicators.lastUpdatedBy | String | Identity of the user/application that last updated the indicator. |
| MicrosoftATP.Indicators.creationTimeDateTimeUtc | Date | The date and time when the indicator was created. |
| MicrosoftATP.Indicators.category | Number | A number representing the indicator category. |
| MicrosoftATP.Indicators.createdBy | String | Unique identity of the user/application that submitted the indicator. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| Domain.Name | String | The domain name, for example: "google.com". |
| IP.Address | String | IP address. |
| URL.Data | String | The URL. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example#

!microsoft-atp-sc-indicator-list limit=2

Context Example#

{
"DBotScore": [
{
"Indicator": "1.1.1.1",
"Score": 0,
"Type": "ip",
"Vendor": "Microsoft Defender Advanced Threat Protection test"
},
{
"Indicator": "5.5.5.5",
"Score": 0,
"Type": "ip",
"Vendor": "Microsoft Defender Advanced Threat Protection test"
}
],
"IP": [
{
"Address": "1.1.1.1"
},
{
"Address": "5.5.5.5"
}
],
"MicrosoftATP": {
"Indicators": [
{
"action": "Allowed",
"category": 1,
"createdBy": "1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a",
"createdByDisplayName": "MS Graph ATP",
"createdBySource": "PublicApi",
"creationTimeDateTimeUtc": "2021-08-17T08:57:46.1460707Z",
"description": "description",
"expirationTime": "2021-08-18T08:57:45Z",
"generateAlert": false,
"historicalDetection": false,
"id": "5142",
"indicatorType": "IpAddress",
"indicatorValue": "1.1.1.1",
"lastUpdateTime": "2021-08-17T08:57:46.1563409Z",
"severity": "Low",
"title": "title"
},
{
"action": "Allowed",
"category": 1,
"createdBy": "1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a",
"createdByDisplayName": "MS Graph ATP",
"createdBySource": "PublicApi",
"creationTimeDateTimeUtc": "2021-08-17T08:56:49.1898574Z",
"description": "description",
"expirationTime": "2021-08-18T08:56:48Z",
"generateAlert": false,
"historicalDetection": false,
"id": "5141",
"indicatorType": "IpAddress",
"indicatorValue": "5.5.5.5",
"lastUpdateTime": "2021-08-17T08:56:49.2017376Z",
"severity": "Low",
"title": "title"
}
]
}
}

Human Readable Output#

Results found in Microsoft Defender ATP SC for value: 5.5.5.5#

| id | action | indicatorValue | indicatorType | severity | title | description |
| --- | --- | --- | --- | --- | --- | --- |
| 5141 | Allowed | 5.5.5.5 | IpAddress | Low | title | description |
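A review pass over what the list command puts into context, as an added example that is not part of the integration or of this page. The input is a constructed list shaped like the Context Example above (the two entries from it, plus two invented entries with ids 5200 and 5201 and invented expiry times), and SAMPLE_NOW is a constructed clock. It pulls out the entries a reviewer should look at first: "Allowed" entries (they exempt the indicator from blocking, so a wrong one is a hole in the allowlist), block entries with an empty rbacGroupNames (which the table above defines as "exposed to all devices"), entries that have already expired, and entries that expire within the next day.

```python
"""Triage the MicrosoftATP.Indicators list returned by microsoft-atp-sc-indicator-list.

Added example, not code from the XSOAR integration. SAMPLE_INDICATORS and
SAMPLE_NOW are constructed so the script runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SAMPLE_INDICATORS: List[dict] = [  # constructed; first two copied from the Context Example
    {"id": "5142", "action": "Allowed", "indicatorType": "IpAddress",
     "indicatorValue": "1.1.1.1", "expirationTime": "2021-08-18T08:57:45Z",
     "severity": "Low", "rbacGroupNames": []},
    {"id": "5141", "action": "Allowed", "indicatorType": "IpAddress",
     "indicatorValue": "5.5.5.5", "expirationTime": "2021-08-18T08:56:48Z",
     "severity": "Low", "rbacGroupNames": []},
    {"id": "5200", "action": "AlertAndBlock", "indicatorType": "FileSha256",  # invented
     "indicatorValue": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
     "expirationTime": "2021-09-01T00:00:00Z", "severity": "High", "rbacGroupNames": []},
    {"id": "5201", "action": "Alert", "indicatorType": "DomainName",  # invented, expired
     "indicatorValue": "example.com", "expirationTime": "2021-08-10T00:00:00.1234567Z",
     "severity": "Medium", "rbacGroupNames": ["Servers"]},
]
SAMPLE_NOW = datetime(2021, 8, 17, 10, 0, 0, tzinfo=timezone.utc)  # constructed clock


def parse_utc(ts: str) -> datetime:
    """Parse the API's ISO 8601 UTC stamps; they may carry seven fractional digits."""
    head = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage(indicators: List[dict], now: datetime,
           soon: timedelta = timedelta(hours=24)) -> Dict[str, List[str]]:
    """Bucket indicator IDs by the reason a reviewer should look at them."""
    buckets: Dict[str, List[str]] = {
        "allowed": [], "block_all_devices": [], "expired": [], "expiring_soon": []}
    for ind in indicators:
        iid = ind["id"]
        if ind.get("action") == "Allowed":
            buckets["allowed"].append(iid)
        # Empty rbacGroupNames means the block applies to every onboarded device.
        if ind.get("action") == "AlertAndBlock" and not ind.get("rbacGroupNames"):
            buckets["block_all_devices"].append(iid)
        expires = parse_utc(ind["expirationTime"])
        if expires <= now:
            buckets["expired"].append(iid)
        elif expires <= now + soon:
            buckets["expiring_soon"].append(iid)
    return buckets


def summarize(indicators: List[dict], now: datetime) -> str:
    """One line per bucket, suitable for a war-room note."""
    return "\n".join(f"{name}: {', '.join(ids) or '-'}"
                     for name, ids in triage(indicators, now).items())


if __name__ == "__main__":
    print(summarize(SAMPLE_INDICATORS, SAMPLE_NOW))
```

Run it on the real context by replacing SAMPLE_INDICATORS with the MicrosoftATP.Indicators list from a microsoft-atp-sc-indicator-list run and SAMPLE_NOW with the current UTC time; "expired" entries are candidates for microsoft-atp-sc-indicator-delete, and "expiring_soon" ones for an update if they are still wanted.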

microsoft-atp-sc-indicator-update#


Updates the specified indicator.

Permissions#

Ti.ReadWrite

Base Command#

microsoft-atp-sc-indicator-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_value | The value of the indicator to update. | Required |
| indicator_type | Indicator type. Possible values are: FileSha1, FileSha256, IpAddress, DomainName, Url. | Required |
| action | The action taken if the indicator is discovered in the organization. Possible values are: Alert, AlertAndBlock, Allowed. | Required |
| severity | The severity of the malicious behavior identified by the data within the indicator. Possible values: "Informational", "Low", "Medium", and "High", where High is the most severe and Informational is not severe at all. | Optional |
| expiration_time | DateTime string indicating when the indicator expires. Format: (<number> <time unit>, e.g., 12 hours, 7 days). Default is 14 days. | Optional |
| indicator_description | Brief description (100 characters or less) of the threat represented by the indicator. | Required |
| indicator_title | Indicator alert title. | Required |
| indicator_application | The application associated with the indicator. | Optional |
| recommended_actions | TI indicator alert recommended actions. | Optional |
| rbac_group_names | Comma-separated list of RBAC group names the indicator is applied to. | Optional |
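The constraints in the input table above are worth enforcing in a playbook before the command is issued, because a hash of the wrong length, an unknown action or a malformed expiration is either rejected by the API or, worse for a FileSha1/FileSha256 value, silently never matches. The following is an added example, not code from the integration or from this page: it checks the required arguments, the allowed indicator types, actions and severities, the 100-character description limit and the "<number> <time unit>" expiration format (defaulting to 14 days, as the table states), converts the relative expiration into the ISO 8601 UTC form the API stores in expirationTime, and validates the indicator value against its declared type. EXAMPLE_ARGS and EXAMPLE_NOW are constructed from the Command Example below; the function names and the domain/URL rules are the example's own.

```python
"""Argument validation for microsoft-atp-sc-indicator-update (added example)."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import urlparse

INDICATOR_TYPES = {"FileSha1", "FileSha256", "IpAddress", "DomainName", "Url"}
ACTIONS = {"Alert", "AlertAndBlock", "Allowed"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}
HASH_HEX_LENGTH = {"FileSha1": 40, "FileSha256": 64}
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 604800}
REQUIRED = ("indicator_value", "indicator_type", "action",
            "indicator_description", "indicator_title")
# Example's own (conservative) hostname rule: dotted labels plus an alphabetic TLD.
DOMAIN_RE = re.compile(r"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

# Constructed from the Command Example; the clock is pinned to its creation time.
EXAMPLE_NOW = datetime(2021, 8, 17, 8, 58, 12, tzinfo=timezone.utc)
EXAMPLE_ARGS = {"action": "Allowed", "indicator_description": "test",
                "indicator_title": "title", "indicator_type": "IpAddress",
                "indicator_value": "2.2.2.2", "expiration_time": "1 day", "severity": "Low"}
SAMPLE_SHA256 = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"


def parse_expiration(value: str, now: datetime) -> datetime:
    """Turn '12 hours' / '7 days' into the absolute UTC expiry time."""
    m = re.fullmatch(r"\s*(\d+)\s+(minute|hour|day|week)s?\s*", value, re.IGNORECASE)
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"expiration_time must be '<number> <unit>', got {value!r}")
    return now + timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2).lower()])


def normalize_value(indicator_type: str, value: str) -> str:
    """Reject values that can never match their declared type; normalize the rest."""
    value = value.strip()
    if indicator_type in HASH_HEX_LENGTH:
        # A SHA-256 pasted into a FileSha1 indicator would be stored but never hit.
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_HEX_LENGTH[indicator_type], value):
            raise ValueError(f"{indicator_type} needs {HASH_HEX_LENGTH[indicator_type]} hex chars")
        return value.lower()
    if indicator_type == "IpAddress":
        return str(ipaddress.ip_address(value))  # raises ValueError on garbage
    if indicator_type == "DomainName":
        if len(value) > 253 or not DOMAIN_RE.fullmatch(value.lower()):
            raise ValueError(f"not a valid domain name: {value!r}")
        return value.lower()
    if indicator_type == "Url":
        parts = urlparse(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an http(s) URL: {value!r}")
        return value
    raise ValueError(f"unknown indicator_type {indicator_type!r}")


def build_update_args(args: Dict[str, str], now: Optional[datetime] = None) -> dict:
    """Return cleaned command arguments, or raise ValueError with the reason."""
    now = now or datetime.now(timezone.utc)
    missing = [k for k in REQUIRED if not args.get(k)]
    if missing:
        raise ValueError(f"missing required argument(s): {', '.join(missing)}")
    itype, action = args["indicator_type"], args["action"]
    if itype not in INDICATOR_TYPES:
        raise ValueError(f"indicator_type must be one of {sorted(INDICATOR_TYPES)}")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if len(args["indicator_description"]) > 100:
        raise ValueError("indicator_description must be 100 characters or less")
    expires = parse_expiration(args.get("expiration_time", "14 days"), now)
    out = {
        "indicator_type": itype,
        "indicator_value": normalize_value(itype, args["indicator_value"]),
        "action": action,
        "indicator_title": args["indicator_title"],
        "indicator_description": args["indicator_description"],
        # The API stores expirationTime as ISO 8601 UTC without fractional seconds.
        "expiration_time": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    if "severity" in args:
        if args["severity"] not in SEVERITIES:
            raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
        out["severity"] = args["severity"]
    groups = [g.strip() for g in args.get("rbac_group_names", "").split(",") if g.strip()]
    if groups:
        out["rbac_group_names"] = groups  # omitted means the indicator applies to all devices
    return out


def validation_error(args: Dict[str, str], now: Optional[datetime] = None) -> Optional[str]:
    """Return the reason the arguments would be rejected, or None if they pass."""
    try:
        build_update_args(args, now)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(build_update_args(EXAMPLE_ARGS, now=EXAMPLE_NOW))
```

With the Command Example's arguments and the clock pinned to 2021-08-17T08:58:12Z, the computed expiration is 2021-08-18T08:58:12Z, the same value the Context Example shows in expirationTime.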

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.action | String | The action taken if the indicator is discovered in the organization. Possible values: "Alert", "AlertAndBlock", and "Allowed" (the values accepted by the action argument above). |
| MicrosoftATP.Indicators.description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| MicrosoftATP.Indicators.expirationTime | Date | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. ISO 8601 format, always in UTC, for example '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.severity | String | The severity of the malicious behavior identified by the data within the indicator. Possible values: "Informational", "Low", "Medium", and "High", where High is the most severe and Informational is not severe at all. |
| MicrosoftATP.Indicators.indicatorValue | String | The value of the indicator. |
| MicrosoftATP.Indicators.recommendedActions | String | Recommended actions for the indicator. |
| MicrosoftATP.Indicators.generateAlert | Boolean | Whether an alert was generated. |
| MicrosoftATP.Indicators.rbacGroupNames | Unknown | A list of RBAC device group names where the indicator is exposed and active. Empty list if it is exposed to all devices. |
| MicrosoftATP.Indicators.mitreTechniques | Unknown | A list of MITRE techniques. |
| MicrosoftATP.Indicators.indicatorType | String | Indicator type. Possible values: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". |
| MicrosoftATP.Indicators.lastUpdateTime | Date | The last time the indicator was updated. |
| MicrosoftATP.Indicators.createdByDisplayName | String | Display name of the application that created the indicator. |
| MicrosoftATP.Indicators.application | String | The application associated with the indicator. |
| MicrosoftATP.Indicators.title | String | Indicator title. |
| MicrosoftATP.Indicators.createdBySource | String | Source of indicator creation. For example, PublicApi. |
| MicrosoftATP.Indicators.historicalDetection | Boolean | Whether a historical detection exists. |
| MicrosoftATP.Indicators.lastUpdatedBy | String | Identity of the user/application that last updated the indicator. |
| MicrosoftATP.Indicators.creationTimeDateTimeUtc | Date | The date and time when the indicator was created. |
| MicrosoftATP.Indicators.category | Number | A number representing the indicator category. |
| MicrosoftATP.Indicators.createdBy | String | Unique identity of the user/application that submitted the indicator. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| Domain.Name | String | The domain name, for example: "google.com". |
| IP.Address | String | IP address. |
| URL.Data | String | The URL. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example#

!microsoft-atp-sc-indicator-update action=Allowed indicator_description=test indicator_title=title indicator_type=IpAddress indicator_value=2.2.2.2 expiration_time="1 day" severity=Low

Context Example#

{
"DBotScore": {
"Indicator": "2.2.2.2",
"Score": 0,
"Type": "ip",
"Vendor": "Microsoft Defender Advanced Threat Protection test"
},
"IP": {
"Address": "2.2.2.2"
},
"MicrosoftATP": {
"Indicators": {
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators/$entity",
"action": "Allowed",
"category": 1,
"createdBy": "1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a",
"createdByDisplayName": "MS Graph ATP",
"createdBySource": "PublicApi",
"creationTimeDateTimeUtc": "2021-08-17T08:58:12.0340768Z",
"description": "test",
"expirationTime": "2021-08-18T08:58:12Z",
"generateAlert": false,
"historicalDetection": false,
"id": "5143",
"indicatorType": "IpAddress",
"indicatorValue": "2.2.2.2",
"lastUpdateTime": "2021-08-17T08:58:13.5312934Z",
"lastUpdatedBy": "1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a",
"mitreTechniques": [],
"rbacGroupIds": [],
"rbacGroupNames": [],
"severity": "Low",
"title": "title"
}
}
}

Human Readable Output#

Indicator 2.2.2.2 was updated successfully.#

| id | action | indicatorValue | indicatorType | severity | title | description |
| --- | --- | --- | --- | --- | --- | --- |
| 5143 | Allowed | 2.2.2.2 | IpAddress | Low | title | test |

microsoft-atp-sc-indicator-get-by-id#


Gets an indicator by its ID.

Permissions#

Ti.ReadWrite

Base Command#

microsoft-atp-sc-indicator-get-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_id | The ID of the indicator to get. The ID can be retrieved by running the microsoft-atp-sc-indicator-list command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.action | String | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values: "unknown", "allow", "block", and "alert". |
| MicrosoftATP.Indicators.description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| MicrosoftATP.Indicators.expirationTime | Date | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.severity | String | The severity of the malicious behavior identified by the data within the indicator. Possible values: "Informational", "Low", "Medium" and "High", where High is the most severe and Informational is not severe at all. |
| MicrosoftATP.Indicators.indicatorValue | String | The value of the indicator. |
| MicrosoftATP.Indicators.recommendedActions | String | Recommended actions for the indicator. |
| MicrosoftATP.Indicators.generateAlert | Boolean | Whether an alert was generated. |
| MicrosoftATP.Indicators.rbacGroupNames | Unknown | A list of RBAC device group names where the indicator is exposed and active. Empty list if it is exposed to all devices. |
| MicrosoftATP.Indicators.mitreTechniques | Unknown | A list of MITRE techniques. |
| MicrosoftATP.Indicators.indicatorType | String | Indicator type. Possible values: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". |
| MicrosoftATP.Indicators.lastUpdateTime | Date | The last time the indicator was updated. |
| MicrosoftATP.Indicators.createdByDisplayName | String | Display name of the app that created the indicator. |
| MicrosoftATP.Indicators.application | String | The application associated with the indicator. |
| MicrosoftATP.Indicators.title | String | Indicator title. |
| MicrosoftATP.Indicators.createdBySource | String | Source of indicator creation. For example, PublicApi. |
| MicrosoftATP.Indicators.historicalDetection | Boolean | Whether a historical detection exists. |
| MicrosoftATP.Indicators.lastUpdatedBy | String | Identity of the user/application that last updated the indicator. |
| MicrosoftATP.Indicators.creationTimeDateTimeUtc | Date | The date and time when the indicator was created. |
| MicrosoftATP.Indicators.category | Number | A number representing the indicator category. |
| MicrosoftATP.Indicators.createdBy | String | Unique identity of the user/application that submitted the indicator. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| Domain.Name | String | The domain name, for example: "google.com". |
| IP.Address | String | IP address. |
| URL.Data | String | The URL. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example#

!microsoft-atp-sc-indicator-get-by-id indicator_id=5142

Context Example#

{
"DBotScore": {
"Indicator": "1.1.1.1",
"Score": 0,
"Type": "ip",
"Vendor": "Microsoft Defender Advanced Threat Protection test"
},
"IP": {
"Address": "1.1.1.1"
},
"MicrosoftATP": {
"Indicators": {
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators/$entity",
"action": "Allowed",
"additionalInfo": null,
"application": null,
"bypassDurationHours": null,
"category": 1,
"certificateInfo": null,
"createdBy": "1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a",
"createdByDisplayName": "MS Graph ATP",
"createdBySource": "PublicApi",
"creationTimeDateTimeUtc": "2021-08-17T08:57:46.1460707Z",
"description": "description",
"educateUrl": null,
"expirationTime": "2021-08-18T08:57:45Z",
"externalId": null,
"generateAlert": false,
"historicalDetection": false,
"id": "5142",
"indicatorType": "IpAddress",
"indicatorValue": "1.1.1.1",
"lastUpdateTime": "2021-08-17T08:57:46.1563409Z",
"lastUpdatedBy": null,
"lookBackPeriod": null,
"mitreTechniques": [],
"notificationBody": null,
"notificationId": null,
"rbacGroupIds": [],
"rbacGroupNames": [],
"recommendedActions": null,
"severity": "Low",
"title": "title",
"version": null
}
}
}

Human Readable Output#

Results found in Microsoft Defender ATP SC for value: 1.1.1.1#

| id | action | indicatorValue | indicatorType | severity | title | description |
| --- | --- | --- | --- | --- | --- | --- |
| 5142 | Allowed | 1.1.1.1 | IpAddress | Low | title | description |

microsoft-atp-sc-indicator-delete#


Deletes the specified indicator.

Permissions#

Ti.ReadWrite

Base Command#

microsoft-atp-sc-indicator-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_id | The ID of the indicator to delete. The ID can be retrieved by running the microsoft-atp-sc-indicator-list command. | Required |

Context Output#

There is no context output for this command.

Command Example#

!microsoft-atp-sc-indicator-delete indicator_id=5142

Human Readable Output#

Indicator ID: 5142 was successfully deleted

microsoft-atp-sc-indicator-create#


Creates a new indicator.

Permissions#

Ti.ReadWrite

Base Command#

microsoft-atp-sc-indicator-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_value | The value of the indicator to create. | Required |
| indicator_type | Indicator type. Possible values are: FileSha1, FileSha256, IpAddress, DomainName, Url. | Required |
| action | The action taken if the indicator is discovered in the organization. Possible values are: Alert, AlertAndBlock, Allowed. | Required |
| severity | The severity of the malicious behavior identified by the data within the indicator. Possible values: "Informational", "Low", "Medium", and "High", where High is the most severe and Informational is not severe at all. | Optional |
| expiration_time | DateTime string indicating when the indicator expires. Format: (<number> <time unit>, e.g., 12 hours, 7 days). Default is 14 days. | Optional |
| indicator_description | Brief description (100 characters or less) of the threat represented by the indicator. | Required |
| indicator_title | Indicator alert title. | Required |
| indicator_application | The application associated with the indicator. | Optional |
| recommended_actions | TI indicator alert recommended actions. | Optional |
| rbac_group_names | Comma-separated list of RBAC group names the indicator is applied to. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.action | String | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values: "unknown", "allow", "block", "alert". |
| MicrosoftATP.Indicators.description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| MicrosoftATP.Indicators.expirationTime | Date | DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: '2014-01-01T00:00:00Z'. |
| MicrosoftATP.Indicators.severity | String | The severity of the malicious behavior identified by the data within the indicator. Possible values: "Informational", "Low", "Medium", and "High", where High is the most severe and Informational is not severe at all. |
| MicrosoftATP.Indicators.indicatorValue | String | The value of the indicator. |
| MicrosoftATP.Indicators.recommendedActions | String | Recommended actions for the indicator. |
| MicrosoftATP.Indicators.generateAlert | Boolean | Whether an alert was generated. |
| MicrosoftATP.Indicators.rbacGroupNames | Unknown | A list of RBAC device group names where the indicator is exposed and active. Empty list if it is exposed to all devices. |
| MicrosoftATP.Indicators.mitreTechniques | Unknown | A list of MITRE techniques. |
| MicrosoftATP.Indicators.indicatorType | String | Type of the indicator. Possible values: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". |
| MicrosoftATP.Indicators.lastUpdateTime | Date | The last time the indicator was updated. |
| MicrosoftATP.Indicators.createdByDisplayName | String | Display name of the app that created the indicator. |
| MicrosoftATP.Indicators.application | String | The application associated with the indicator. |
| MicrosoftATP.Indicators.title | String | Indicator title. |
| MicrosoftATP.Indicators.createdBySource | String | Source of indicator creation. For example, PublicApi. |
| MicrosoftATP.Indicators.historicalDetection | Boolean | Whether a historical detection exists. |
| MicrosoftATP.Indicators.lastUpdatedBy | String | Identity of the user/application that last updated the indicator. |
| MicrosoftATP.Indicators.creationTimeDateTimeUtc | Date | The date and time when the indicator was created. |
| MicrosoftATP.Indicators.category | Number | A number representing the indicator category. |
| MicrosoftATP.Indicators.createdBy | String | Unique identity of the user/application that submitted the indicator. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| Domain.Name | String | The domain name, for example: "google.com". |
| IP.Address | String | IP address. |
| URL.Data | String | The URL. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example#

!microsoft-atp-sc-indicator-create action=Allowed indicator_description=test indicator_title=title indicator_type=IpAddress indicator_value=2.2.2.2 expiration_time="1 day" severity=Informational

Context Example#

{
"DBotScore": {
"Indicator": "2.2.2.2",
"Score": 0,
"Type": "ip",
"Vendor": "Microsoft Defender Advanced Threat Protection test"
},
"IP": {
"Address": "2.2.2.2"
},
"MicrosoftATP": {
"Indicators": {
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators/$entity",
"action": "Allowed",
"createdBy": "1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a",
"createdByDisplayName": "MS Graph ATP",
"createdBySource": "PublicApi",
"creationTimeDateTimeUtc": "2021-08-17T08:58:12.0340768Z",
"description": "test",
"expirationTime": "2021-08-18T08:58:11Z",
"generateAlert": false,
"historicalDetection": false,
"id": "5143",
"indicatorType": "IpAddress",
"indicatorValue": "2.2.2.2",
"lastUpdateTime": "2021-08-17T08:58:12.0438875Z",
"mitreTechniques": [],
"rbacGroupIds": [],
"rbacGroupNames": [],
"severity": "Informational",
"title": "title"
}
}
}

Human Readable Output#

Indicator 2.2.2.2 was updated successfully.#

| id | action | indicatorValue | indicatorType | severity | title | description |
| --- | --- | --- | --- | --- | --- | --- |
| 5143 | Allowed | 2.2.2.2 | IpAddress | Informational | title | test |

microsoft-atp-list-machines-by-vulnerability#


Retrieves a list of machines affected by a vulnerability.

Required Permissions#

Vulnerability.Read.All

Base Command#

microsoft-atp-list-machines-by-vulnerability

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cve_id | A comma-separated list of CVE IDs used for getting the machines. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.CveMachine.ID | String | The machine ID. |
| MicrosoftATP.CveMachine.ComputerDNSName | String | The machine hostname. |
| MicrosoftATP.CveMachine.OSPlatform | String | The operating system platform. |
| MicrosoftATP.CveMachine.RBACGroupName | String | The machine RBAC group name. |
| MicrosoftATP.CveMachine.CVE | Unknown | The given CVE IDs related to this machine. |

Command example#

!microsoft-atp-list-machines-by-vulnerability cve_id=CVE-2021-32810,CVE-2020-12321

Context Example#

{
"MicrosoftATP": {
"CveMachine": [
{
"ComputerDNSName": "ec2amaz",
"ID": "f3bba49a",
"OSPlatform": "WindowsServer2016",
"RBACGroupID": 0,
"CVE": ["CVE-2021-32810", "CVE-2020-12321"]
},
{
"ComputerDNSName": "msde-agent-host-centos7",
"ID": "48a62a74",
"OSPlatform": "Linux",
"RBACGroupID": 0,
"CVE": ["CVE-2020-12321"]
}
]
}
}

Human Readable Output#

Microsoft Defender ATP machines by vulnerabilities: ['CVE-2021-32810', 'CVE-2020-12321']#

| ID | ComputerDNSName | OSPlatform | RBACGroupID | CVE |
| --- | --- | --- | --- | --- |
| f3bba49a | ec2amaz | WindowsServer2016 | 0 | CVE-2021-32810,CVE-2020-12321 |
| 48a62a74 | msde-agent-host-centos7 | Linux | 0 | CVE-2020-12321 |

microsoft-atp-get-file-info#


Retrieves file information by a file hash (SHA1 or SHA256).

Required Permissions#

File.Read.All

Base Command#

microsoft-atp-get-file-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | A comma-separated list of file hashes (SHA1 or SHA256) used for getting the file information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.File.Sha1 | String | The SHA1 hash of the file. |
| MicrosoftATP.File.Md5 | String | The MD5 hash of the file. |
| MicrosoftATP.File.Sha256 | String | The SHA256 hash of the file. |
| MicrosoftATP.File.GlobalPrevalence | Number | The file prevalence across the organization. |
| MicrosoftATP.File.GlobalFirstObserved | Date | The first time the file was observed. |
| MicrosoftATP.File.GlobalLastObserved | Date | The last time the file was observed. |
| MicrosoftATP.File.Size | Number | The size of the file. |
| MicrosoftATP.File.FileType | String | The type of the file. |
| MicrosoftATP.File.IsPeFile | Boolean | True if the file is a portable executable, False otherwise. |
| MicrosoftATP.File.FilePublisher | String | The file's publisher. |
| MicrosoftATP.File.FileProductName | String | The file product name. |
| MicrosoftATP.File.Signer | String | The file signer. |
| MicrosoftATP.File.Issuer | String | The file issuer. |
| MicrosoftATP.File.SignerHash | String | The hash of the signing certificate. |
| MicrosoftATP.File.IsValidCertificate | Boolean | Whether the signing certificate was successfully verified by the Microsoft Defender ATP agent. |
| MicrosoftATP.File.DeterminationValue | String | The file determination value. |
| MicrosoftATP.File.DeterminationType | String | The file determination type. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Type | String | The file type. |
| File.Size | Number | The file size. |

Command example#

!microsoft-atp-get-file-info hash="3395856ce81,db79e9e669c"

Context Example#

{
"File": [
{
"Sha1": "3395856ce81",
"Sha256": "275a021bbfb648",
"Size": 68
},
{
"Sha1": "db79e9e669c",
"Sha256": "ef67e4b2bb4ee5",
"Size": 36768
}
],
"MicrosoftATP": {
"File": [
{
"DeterminationType": "Unknown",
"DeterminationValue": "Virus:DOS/EICAR_Test_File",
"GlobalFirstObserved": "2013-03-03T14:00:34.8213548Z",
"GlobalLastObserved": "2022-01-26T17:31:27.4706316Z",
"GlobalPrevalence": 37933,
"IsPeFile": false,
"Md5": "44d88612fea8a8",
"Sha1": "3395856ce81",
"Sha256": "275a021bbfb648",
"Size": 68,
"SizeInBytes": 68
},
{
"DeterminationType": "Unknown",
"GlobalFirstObserved": "2022-01-14T18:04:15.9389909Z",
"GlobalLastObserved": "2022-01-26T17:36:07.8400883Z",
"GlobalPrevalence": 8418,
"IsPeFile": false,
"Md5": "b0c6a0cfdac",
"Sha1": "db79e9e669c",
"Sha256": "ef67e4b2bb4ee5",
"Size": 36768,
"SizeInBytes": 36768
}
]
}
}

Human Readable Output#

Microsoft Defender ATP file info by hashes: ['3395856ce81', 'db79e9e669c']#

| Sha1 | Sha256 | Size |
| --- | --- | --- |
| 3395856ce81 | 275a021bbfb648 | 68 |
| db79e9e669c | ef67e4b2bb4ee5 | 36768 |

endpoint#


Gets machines that have communicated with the Microsoft Defender for Endpoint cloud. At least one of the following arguments is required: ip, hostname, or id. Otherwise, an error appears.

Required Permissions#

Machine.Read.All Machine.ReadWrite.All

Base Command#

endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The endpoint ID. | Optional |
| ip | The endpoint IP address. | Optional |
| hostname | The endpoint hostname. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.ID | String | The endpoint's identifier. |
| Endpoint.Hostname | String | The hostname of the endpoint. |
| Endpoint.OS | String | The endpoint's operating system. |
| Endpoint.OSVersion | String | The endpoint's operating system version. |
| Endpoint.IPAddress | String | The endpoint's IP address. |
| Endpoint.Status | String | The health status of the endpoint. |
| Endpoint.MACAddress | String | The endpoint's MAC address. |
| Endpoint.Vendor | String | The integration name of the endpoint vendor. |
| MicrosoftATP.Machine.ID | String | The machine ID. |
| MicrosoftATP.Machine.ComputerDNSName | String | The machine DNS name. |
| MicrosoftATP.Machine.FirstSeen | Date | The first date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.LastSeen | Date | The last date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.OSPlatform | String | The operating system platform. |
| MicrosoftATP.Machine.OSVersion | String | The operating system version. |
| MicrosoftATP.Machine.OSProcessor | String | The operating system processor. |
| MicrosoftATP.Machine.LastIPAddress | String | The last IP on the machine. |
| MicrosoftATP.Machine.LastExternalIPAddress | String | The last machine IP to access the internet. |
| MicrosoftATP.Machine.OSBuild | Number | The operating system build number. |
| MicrosoftATP.Machine.HealthStatus | String | The machine health status. |
| MicrosoftATP.Machine.RBACGroupID | Number | The machine RBAC group ID. |
| MicrosoftATP.Machine.RBACGroupName | String | The machine RBAC group name. |
| MicrosoftATP.Machine.RiskScore | String | The machine risk score. |
| MicrosoftATP.Machine.ExposureLevel | String | The machine exposure score. |
| MicrosoftATP.Machine.IsAADJoined | Boolean | True if the machine is AAD joined, False otherwise. |
| MicrosoftATP.Machine.AADDeviceID | String | The AAD Device ID. |
| MicrosoftATP.Machine.MachineTags | String | Set of machine tags. |
| MicrosoftATP.Machine.IPAddresses.ipAddress | String | The machine IP address. |
| MicrosoftATP.Machine.IPAddresses.MACAddress | String | The machine MAC address. |
| MicrosoftATP.Machine.IPAddresses.operationalStatus | String | The machine operational status. |
| MicrosoftATP.Machine.IPAddresses.type | String | The machine IP address type. |
| MicrosoftATP.Machine.AgentVersion | String | The machine agent version. |

Command example#

!endpoint id="f3bba49a,48a62a74" ip=1.2.3.4 hostname="ec2amaz-ua9hieu"

Context Example#

{
"Endpoint": [
{
"Hostname": "msde-agent-host-centos7.c.dmst-integrations.internal",
"ID": "48a62a74",
"IPAddress": "10.0.0.1",
"MACAddress": "123456789123",
"OS": "CentOS",
"OSVersion": "7.9 x64 bit",
"Status": "Online",
"Vendor": "Microsoft Defender ATP"
},
{
"Hostname": "ec2amaz-ua9hieu",
"ID": "f3bba49a",
"IPAddress": "1.2.3.4",
"MACAddress": "123456789123",
"OS": "WindowsServer2016",
"OSVersion": "1607 x64 bit",
"Status": "Online",
"Vendor": "Microsoft Defender ATP"
}
],
"MicrosoftATP": {
"Machine": [
{
"AgentVersion": "30.121112.15302.0",
"ComputerDNSName": "msde-agent-host-centos7.c.dmst-integrations.internal",
"ExposureLevel": "Medium",
"FirstSeen": "2022-01-23T09:13:42.982Z",
"HealthStatus": "Active",
"ID": "48a62a74",
"IPAddresses": [
{
"ipAddress": "10.0.0.1",
"macAddress": "123456789123",
"operationalStatus": "Up",
"type": "Other"
},
{
"ipAddress": "fe80::178b:6498:fc7f:2856",
"macAddress": "123456789123",
"operationalStatus": "Up",
"type": "Other"
},
{
"ipAddress": "127.0.0.1",
"macAddress": "000000000000",
"operationalStatus": "Up",
"type": "Other"
},
{
"ipAddress": "::1",
"macAddress": "000000000000",
"operationalStatus": "Up",
"type": "Other"
}
],
"IsAADJoined": false,
"LastExternalIPAddress": "127.0.0.1",
"LastIPAddress": "10.0.0.1",
"LastSeen": "2022-01-27T09:13:53.1394181Z",
"MACAddress": "123456789123",
"OSPlatform": "CentOS",
"OSProcessor": "x64",
"OSVersion": "7.9",
"RBACGroupID": 0,
"RiskScore": "Medium"
},
{
"AgentVersion": "10.3720.16299.2015",
"ComputerDNSName": "ec2amaz-ua9hieu",
"ExposureLevel": "High",
"FirstSeen": "2022-01-23T15:36:02.286Z",
"HealthStatus": "Active",
"ID": "f3bba49a",
"IPAddresses": [
{
"ipAddress": "1.2.3.4",
"macAddress": "123456789123",
"operationalStatus": "Up",
"type": "Ethernet"
},
{
"ipAddress": "fe80::a998:1c4a:7e1c:4865",
"macAddress": "123456789123",
"operationalStatus": "Up",
"type": "Ethernet"
},
{
"ipAddress": "127.0.0.1",
"macAddress": "",
"operationalStatus": "Up",
"type": "SoftwareLoopback"
},
{
"ipAddress": "::1",
"macAddress": "",
"operationalStatus": "Up",
"type": "SoftwareLoopback"
},
{
"ipAddress": "fe80::5efe:1.2.3.4",
"macAddress": "00000000000000E0",
"operationalStatus": "Down",
"type": "Tunnel"
},
{
"ipAddress": "127.0.0.1",
"macAddress": "00000000000000E0",
"operationalStatus": "Up",
"type": "Tunnel"
},
{
"ipAddress": "fe80::2412:1420:53e0:f88b",
"macAddress": "00000000000000E0",
"operationalStatus": "Up",
"type": "Tunnel"
}
],
"IsAADJoined": false,
"LastExternalIPAddress": "127.0.0.1",
"LastIPAddress": "1.2.3.4",
"LastSeen": "2022-01-26T22:21:19.2024139Z",
"MACAddress": "123456789123",
"OSBuild": 14393,
"OSPlatform": "WindowsServer2016",
"OSProcessor": "x64",
"OSVersion": "1607",
"RBACGroupID": 0,
"RiskScore": "None"
}
]
}
}

Human Readable Output#

Microsoft Defender ATP Machine:#

| ID | ComputerDNSName | OSPlatform | LastIPAddress | LastExternalIPAddress | HealthStatus | RiskScore | ExposureLevel |
| --- | --- | --- | --- | --- | --- | --- | --- |
| f3bba49a | ec2amaz-ua9hieu | WindowsServer2016 | 1.2.3.4 | 127.0.0.1 | Active | None | High |

microsoft-atp-indicator-batch-update#


Updates a batch of indicators. If an indicator does not exist, a new indicator will be created.

Required Permissions#

Ti.ReadWrite Ti.ReadWrite.All

Limitations#

  1. Rate limitations for this API are 30 calls per minute.
  2. There is a limit of 15,000 active indicators per tenant.
  3. Maximum batch size for one API call is 500.

Note#

Please read here about the Microsoft Defender for Endpoint indicator resource type. We suggest using the TransformIndicatorToMSDefenderIOC automation to load the XSOAR IOCs to MSDE indicator format.

Base Command#

microsoft-atp-indicator-batch-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_batch | A JSON object with a list of MS Defender ATP indicators to update. The indicator_batch query should be a list of dictionaries. For example: [{"indicatorValue": "value1"}, {"indicatorValue": "value2"}]. | Required |
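
The indicator fields documented for microsoft-atp-sc-indicator-create (expiration_time as "<number> <time unit>", the indicator_type values, the 100-character description limit) and the limits listed above for microsoft-atp-indicator-batch-update, worked through in Python as an added example that is not part of the integration's own code: it builds indicator dictionaries in the format the indicator_batch argument expects, splits them into batches of at most 500, and reads IsFailed/FailureReason out of the result. The sample values, the fixed "now" timestamp and the failure entry are constructed; inferring the indicator type from the value's shape is this example's own helper, not something the integration does.

```python
# Added example: prepare MDE indicators for batch update (not integration code).
import ipaddress
import re
from datetime import datetime, timedelta, timezone

MAX_BATCH_SIZE = 500             # documented maximum per batch-update call
CALLS_PER_MINUTE = 30            # documented rate limit: pace calls at 60/30 s
DEFAULT_EXPIRATION = "14 days"   # documented default for expiration_time
ACTIONS = {"Alert", "AlertAndBlock", "Allowed"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}

_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}
# Constructed "now" (the page's creation timestamp) so results are reproducible.
SAMPLE_NOW = datetime(2021, 8, 17, 8, 58, 12, tzinfo=timezone.utc)


def parse_expiration(spec, now=None):
    """Convert '<number> <time unit>' (e.g. '1 day', '12 hours') into the
    ISO 8601 UTC string the API expects, such as '2021-08-18T08:58:12Z'."""
    match = re.fullmatch(r"\s*(\d+)\s+([A-Za-z]+)\s*", spec)
    unit = match.group(2).lower().rstrip("s") if match else ""
    if unit not in _UNITS:
        raise ValueError(f"unsupported expiration_time: {spec!r}")
    delta = timedelta(**{_UNITS[unit]: int(match.group(1))})
    base = now or datetime.now(timezone.utc)
    return (base + delta).strftime("%Y-%m-%dT%H:%M:%SZ")


def infer_indicator_type(value):
    """Pick FileSha1, FileSha256, IpAddress, Url or DomainName (the documented
    indicator_type values) from the shape of the value. Helper of this example."""
    if _SHA1.match(value):
        return "FileSha1"
    if _SHA256.match(value):
        return "FileSha256"
    try:
        ipaddress.ip_address(value)
        return "IpAddress"
    except ValueError:
        pass
    if re.match(r"^https?://", value, re.IGNORECASE):
        return "Url"
    if _DOMAIN.match(value):
        return "DomainName"
    raise ValueError(f"cannot determine indicator type for {value!r}")


def build_indicator(value, action, title, description, severity="Informational",
                    expiration_time=DEFAULT_EXPIRATION, now=None, **extra):
    """Build one indicator dictionary in the format indicator_batch expects.
    Extra keys (application, recommendedActions, rbacGroupNames) pass through."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if len(description) > 100:   # documented limit: 100 characters or less
        raise ValueError("description must be 100 characters or less")
    indicator = {
        "indicatorValue": value,
        "indicatorType": infer_indicator_type(value),
        "action": action,
        "title": title,
        "description": description,
        "severity": severity,
        "expirationTime": parse_expiration(expiration_time, now),
    }
    indicator.update(extra)
    return indicator


def chunk_batches(indicators, size=MAX_BATCH_SIZE):
    """Split a list of indicators into batches of at most `size` entries."""
    return [indicators[i:i + size] for i in range(0, len(indicators), size)]


def summarize_batch_result(entries):
    """Separate a MicrosoftATP.Indicators batch result into the IDs that were
    accepted and a {value: FailureReason} map for the rejected ones."""
    accepted = [e["ID"] for e in entries if not e.get("IsFailed")]
    rejected = {e["Value"]: e.get("FailureReason") for e in entries if e.get("IsFailed")}
    return accepted, rejected


# Constructed result shaped like the page's context output, with one failure added.
SAMPLE_RESULT = [
    {"FailureReason": None, "ID": "5217", "IsFailed": False,
     "Value": "220e7d15b011d7fac48f2bd61114db1022197f7f"},
    {"FailureReason": "Indicator value is not valid", "ID": None, "IsFailed": True,
     "Value": "not-a-valid-indicator"},
]

if __name__ == "__main__":
    values = ["2.2.2.2", "google.com", "220e7d15b011d7fac48f2bd61114db1022197f7f"]
    batch = [build_indicator(v, "Alert", "demo", "demo", now=SAMPLE_NOW) for v in values]
    print(len(chunk_batches(batch)), "batch(es);", summarize_batch_result(SAMPLE_RESULT))
```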

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Indicators.ID | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
| MicrosoftATP.Indicators.Value | String | The value of the indicator. |
| MicrosoftATP.Indicators.FailureReason | String | The reason for update failure. |
| MicrosoftATP.Indicators.IsFailed | Boolean | Whether the update failed. |

Command example#

!microsoft-atp-indicator-batch-update indicator_batch=[{"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f","indicatorType": "FileSha1","title": "demo","application": "demo-test", "action": "Alert","severity": "Informational","description": "demo2","recommendedActions": "nothing","rbacGroupNames": ["group1", "group2"]},{"indicatorValue": "2233223322332233223322332233223322332233223322332233223322332222","indicatorType": "FileSha256","title": "demo2","application": "demo-test2","action": "Alert","severity": "Medium","description": "demo2","recommendedActions": "nothing","rbacGroupNames": []}]

Context Example#

{
"MicrosoftATP": {
"Indicators": [
{
"FailureReason": null,
"ID": "5217",
"IsFailed": false,
"Value": "220e7d15b011d7fac48f2bd61114db1022197f7f"
},
{
"FailureReason": null,
"ID": "5218",
"IsFailed": false,
"Value": "2233223322332233223322332233223322332233223322332233223322332222"
}
]
}
}

Human Readable Output#

Indicators updated successfully.#

| ID | Value | IsFailed |
| --- | --- | --- |
| 5217 | 220e7d15b011d7fac48f2bd61114db1022197f7f | false |
| 5218 | 2233223322332233223322332233223322332233223322332233223322332222 | false |

microsoft-atp-get-alert-by-id#


Retrieves a specific alert by the given alert ID.

Required Permissions#

Alert.ReadWrite.All

Base Command#

microsoft-atp-get-alert-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_ids | A comma-separated list of alert IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.Alert.ID | String | The alert ID. |
| MicrosoftATP.Alert.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.Alert.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.Alert.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.Alert.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.Alert.Severity | String | The severity of the alert. |
| MicrosoftATP.Alert.Status | String | The current status of the alert. |
| MicrosoftATP.Alert.Classification | String | The alert classification. |
| MicrosoftATP.Alert.Determination | String | The determination of the alert. |
| MicrosoftATP.Alert.DetectionSource | String | The detection source. |
| MicrosoftATP.Alert.Category | String | The category of the alert. |
| MicrosoftATP.Alert.ThreatFamilyName | String | The threat family. |
| MicrosoftATP.Alert.Title | String | The alert title. |
| MicrosoftATP.Alert.Description | String | The alert description. |
| MicrosoftATP.Alert.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.Alert.FirstEventTime | Date | The first event time that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastEventTime | Date | The last event time that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastUpdateTime | Date | The UTC time of the last update. |
| MicrosoftATP.Alert.ResolvedTime | Date | The date and time when the status of the alert was changed to 'Resolved'. |
| MicrosoftATP.Alert.MachineID | String | The machine ID that is associated with the alert. |
| MicrosoftATP.Alert.ComputerDNSName | String | The machine DNS name. |
| MicrosoftATP.Alert.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.Alert.Comments.Comment | String | The alert comment string. |
| MicrosoftATP.Alert.Comments.CreatedBy | String | The alert comment created-by string. |
| MicrosoftATP.Alert.Comments.CreatedTime | Date | The alert comment creation time. |
| MicrosoftATP.Alert.Evidence | Unknown | Evidence related to the alert. |
| MicrosoftATP.Alert.DetectorID | String | The ID of the detector that triggered the alert. |
| MicrosoftATP.Alert.ThreatName | String | The threat name. |
| MicrosoftATP.Alert.RelatedUser | String | Details of the user related to a specific alert. |
| MicrosoftATP.Alert.MitreTechniques | String | MITRE Enterprise technique ID. |
| MicrosoftATP.Alert.RBACGroupName | String | The device RBAC group name. |

Command example#

!microsoft-atp-get-alert-by-id alert_ids=da637797972607470400_795854214,da637750706361180181_-1167994114

Context Example#

{
"MicrosoftATP": {
"Alert": [
{
"AADTenantID": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
"AlertCreationTime": "2022-02-07T02:21:00.7470678Z",
"AssignedTo": "Automation",
"Category": "SuspiciousActivity",
"Classification": null,
"Comments": [
{
"Comment": null,
"CreatedBy": null,
"CreatedTime": null
}
],
"ComputerDNSName": "msde-agent-host-win2016-dc.msde.lab.demisto",
"Description": "MS Graph ATP (Application Id: 1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a) initiated an Automated investigation on msde-agent-host-win2016-dc.msde.lab.demisto.\r\nThe investigation automatically identifies and reviews threat artifacts for possible remediation.\r\n\r\nDetails: testing",
"DetectionSource": "AutomatedInvestigation",
"DetectorID": "5c6b7d86-c91f-4f8c-8aec-9d2086f46527",
"Determination": null,
"Evidence": [],
"FirstEventTime": "2022-02-07T02:21:00.6440488Z",
"ID": "da637797972607470400_795854214",
"IncidentID": 645,
"InvestigationID": 656,
"InvestigationState": "Benign",
"LastEventTime": "2022-02-07T02:21:00.6440488Z",
"LastUpdateTime": "2022-02-07T02:53:34.76Z",
"MachineID": "96444b946be252d1f4550354edef5fdc23aca2c5",
"MitreTechniques": [],
"RBACGroupName": null,
"RelatedUser": null,
"ResolvedTime": "2022-02-07T02:53:34.7299762Z",
"Severity": "Informational",
"Status": "Resolved",
"ThreatFamilyName": null,
"ThreatName": null,
"Title": "Automated investigation started manually"
},
{
"AADTenantID": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
"AlertCreationTime": "2021-12-14T09:23:56.0980302Z",
"AssignedTo": "Automation",
"Category": "SuspiciousActivity",
"Classification": "TruePositive",
"Comments": [
{
"Comment": null,
"CreatedBy": null,
"CreatedTime": null
}
],
"ComputerDNSName": "desktop-s2455r8",
"Description": "MS Graph ATP (Application Id: 1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a) initiated an Automated investigation on desktop-s2455r8.\r\nThe investigation automatically identifies and reviews threat artifacts for possible remediation.\r\n\r\nDetails: testing",
"DetectionSource": "AutomatedInvestigation",
"DetectorID": "5c6b7d86-c91f-4f8c-8aec-9d2086f46527",
"Determination": null,
"Evidence": [],
"FirstEventTime": "2021-12-14T09:23:55.875227Z",
"ID": "da637750706361180181_-1167994114",
"IncidentID": 510,
"InvestigationID": 441,
"InvestigationState": "Benign",
"LastEventTime": "2021-12-14T09:23:55.875227Z",
"LastUpdateTime": "2021-12-15T01:52:41.3Z",
"MachineID": "4899036531e374137f63289c3267bad772c13fef",
"MitreTechniques": [],
"RBACGroupName": null,
"RelatedUser": null,
"ResolvedTime": "2021-12-14T09:52:16.8080395Z",
"Severity": "Informational",
"Status": "Resolved",
"ThreatFamilyName": null,
"ThreatName": null,
"Title": "Automated investigation started manually"
}
]
}
}

Human Readable Output#

Microsoft Defender ATP Alerts Info for IDs ['da637797972607470400_795854214', 'da637750706361180181_-1167994114']:#

| ID | Title | Description | IncidentID | Severity | Status | Classification | Category | MachineID |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| da637797972607470400_795854214 | Automated investigation started manually | MS Graph ATP (Application Id: 1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a) initiated an Automated investigation on msde-agent-host-win2016-dc.msde.lab.demisto. The investigation automatically identifies and reviews threat artifacts for possible remediation. Details: testing | 645 | Informational | Resolved |  | SuspiciousActivity | 96444b946be252d1f4550354edef5fdc23aca2c5 |
| da637750706361180181_-1167994114 | Automated investigation started manually | MS Graph ATP (Application Id: 1281a70f-8ffb-4b3c-bc82-eef2a44dbb2a) initiated an Automated investigation on desktop-s2455r8. The investigation automatically identifies and reviews threat artifacts for possible remediation. Details: testing | 510 | Informational | Resolved | TruePositive | SuspiciousActivity | 4899036531e374137f63289c3267bad772c13fef |

microsoft-atp-live-response-put-file#


Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.

Base Command#

microsoft-atp-live-response-put-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | Machine ID to add the file to. | Required |
| comment | A comment to associate with the action. | Required |
| file_name | File name to take from the library to the device. | Required |
| machine_action_id | Action ID to retrieve status and data for. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.LiveResponseAction.id | String | The machine action ID. |
| MicrosoftATP.LiveResponseAction.type | String | The machine action type. |
| MicrosoftATP.LiveResponseAction.title | String | The machine action title. |
| MicrosoftATP.LiveResponseAction.requestor | String | The machine action requestor. |
| MicrosoftATP.LiveResponseAction.requestorComment | String | The machine action requestorComment. |
| MicrosoftATP.LiveResponseAction.status | String | The machine action status. |
| MicrosoftATP.LiveResponseAction.machineId | String | The machine ID. |
| MicrosoftATP.LiveResponseAction.computerDnsName | String | The computerDnsName. |
| MicrosoftATP.LiveResponseAction.creationDateTimeUtc | Date | The action creationDateTimeUtc. |
| MicrosoftATP.LiveResponseAction.lastUpdateDateTimeUtc | Date | The machine action lastUpdateDateTimeUtc. |
| MicrosoftATP.LiveResponseAction.cancellationRequestor | String | The machine action cancellationRequestor. |
| MicrosoftATP.LiveResponseAction.cancellationComment | String | The machine action cancellationComment. |
| MicrosoftATP.LiveResponseAction.cancellationDateTimeUtc | String | The cancellationDateTimeUtc. |
| MicrosoftATP.LiveResponseAction.errorHResult | String | The errorHResult, if it exists. |
| MicrosoftATP.LiveResponseAction.scope | String | The action scope. |
| MicrosoftATP.LiveResponseAction.externalId | String | The machine action externalId. |
| MicrosoftATP.LiveResponseAction.requestSource | String | The machine action requestSource. |
| MicrosoftATP.LiveResponseAction.relatedFileInfo | String | The machine action relatedFileInfo. |
| MicrosoftATP.LiveResponseAction.commands.index | String | The machine action command index. |
| MicrosoftATP.LiveResponseAction.commands.startTime | String | The machine action command startTime. |
| MicrosoftATP.LiveResponseAction.commands.endTime | String | The machine action command endTime. |
| MicrosoftATP.LiveResponseAction.commands.commandStatus | String | The machine action command status. |
| MicrosoftATP.LiveResponseAction.commands.errors | String | The machine action command errors, if found. |
| MicrosoftATP.LiveResponseAction.commands.command.type | String | The machine action command type. |
| MicrosoftATP.LiveResponseAction.commands.command.params.key | String | The machine action command params key. |
| MicrosoftATP.LiveResponseAction.commands.command.params.value | String | The machine action command params value. |
| MicrosoftATP.LiveResponseAction.troubleshootInfo | String | The machine action troubleshootInfo. |

#### Command example

```
!microsoft-atp-live-response-put-file machine_id="4899036531e374137f63289c3267bad772c13fef" comment="testing" file_name="C:\Users\demisto\Desktop\test.txt"
```

#### Context Example

{
"MicrosoftATP": {
"LiveResponseAction": {
"@odata.context": "https://api-us.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
"cancellationComment": null,
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"commands": [
{
"command": {
"params": [
{
"key": "FileName",
"value": "C:\\Users\\demisto\\Desktop\\test.txt"
}
],
"type": "PutFile"
},
"commandStatus": "Created",
"endTime": null,
"errors": [],
"index": 0,
"startTime": null
}
],
"computerDnsName": "desktop-s2455r8",
"creationDateTimeUtc": "2022-02-07T10:32:14.1704612Z",
"errorHResult": 0,
"externalId": null,
"id": "20d1de3f-acef-4715-8bed-a92223c5553c",
"lastUpdateDateTimeUtc": "2022-02-07T10:32:14.1704612Z",
"machineId": "4899036531e374137f63289c3267bad772c13fef",
"relatedFileInfo": null,
"requestSource": "PublicApi",
"requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"requestorComment": "testing",
"scope": null,
"status": "Pending",
"title": null,
"troubleshootInfo": null,
"type": "LiveResponse"
}
}
}

#### Human Readable Output

##### Machine Action:

| Commands | Creation time | Hostname | Machine Action Id | MachineId | Status |
| --- | --- | --- | --- | --- | --- |
| {'index': 0, 'startTime': None, 'endTime': None, 'commandStatus': 'Created', 'errors': [], 'command': {'type': 'PutFile', 'params': [{'key': 'FileName', 'value': 'C:\Users\demisto\Desktop\test.txt'}]}} | 2022-02-07T10:32:14.1704612Z | desktop-s2455r8 | 20d1de3f-acef-4715-8bed-a92223c5553c | 4899036531e374137f63289c3267bad772c13fef | Failed |

### microsoft-atp-live-response-run-script

Runs a script from the library on a device. The value of the `arguments` argument is passed to your script. The action times out after 10 minutes.

#### Base Command

`microsoft-atp-live-response-run-script`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | ID of the machine to run the script on. | Required |
| comment | A comment to associate with the action. | Required |
| scriptName | Name of the library script to run on the device. | Required |
| arguments | Arguments to run the script with. | Optional |
| machine_action_id | Action ID to retrieve status and data for. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.LiveResponseAction.script_name | String | The script name. |
| MicrosoftATP.LiveResponseAction.exit_code | String | The script exit code. |
| MicrosoftATP.LiveResponseAction.script_output | String | The script output. |
| MicrosoftATP.LiveResponseAction.script_errors | String | The script errors, if any. |

### microsoft-atp-live-response-get-file

Collects a file from a device. Note: backslashes in the path must be escaped.

#### Base Command

`microsoft-atp-live-response-get-file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | ID of the machine to collect the file from. | Required |
| comment | A comment to associate with the action. | Required |
| path | Path of the file to get from the device. | Required |
| machine_action_id | Action ID to retrieve status and data for. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.LiveResponseAction.id | String | The machine action ID. |
| MicrosoftATP.LiveResponseAction.type | String | The machine action type. |
| MicrosoftATP.LiveResponseAction.title | String | The machine action title. |
| MicrosoftATP.LiveResponseAction.requestor | String | The machine action requestor. |
| MicrosoftATP.LiveResponseAction.requestorComment | String | The machine action requestorComment. |
| MicrosoftATP.LiveResponseAction.status | String | The machine action status. |
| MicrosoftATP.LiveResponseAction.machineId | String | The machine ID. |
| MicrosoftATP.LiveResponseAction.computerDnsName | String | The computerDnsName. |
| MicrosoftATP.LiveResponseAction.creationDateTimeUtc | Date | The action creationDateTimeUtc. |
| MicrosoftATP.LiveResponseAction.lastUpdateDateTimeUtc | Date | The machine action lastUpdateDateTimeUtc. |
| MicrosoftATP.LiveResponseAction.cancellationRequestor | String | The machine action cancellationRequestor. |
| MicrosoftATP.LiveResponseAction.cancellationComment | String | The machine action cancellationComment. |
| MicrosoftATP.LiveResponseAction.cancellationDateTimeUtc | String | The cancellationDateTimeUtc. |
| MicrosoftATP.LiveResponseAction.errorHResult | String | The errorHResult, if one exists. |
| MicrosoftATP.LiveResponseAction.scope | String | The action scope. |
| MicrosoftATP.LiveResponseAction.externalId | String | The machine action externalId. |
| MicrosoftATP.LiveResponseAction.requestSource | String | The machine action requestSource. |
| MicrosoftATP.LiveResponseAction.relatedFileInfo | String | The machine action relatedFileInfo. |
| MicrosoftATP.LiveResponseAction.commands.index | String | The machine action command index. |
| MicrosoftATP.LiveResponseAction.commands.startTime | String | The machine action command startTime. |
| MicrosoftATP.LiveResponseAction.commands.endTime | String | The machine action command endTime. |
| MicrosoftATP.LiveResponseAction.commands.commandStatus | String | The machine action command status. |
| MicrosoftATP.LiveResponseAction.commands.errors | String | The machine action command errors, if any. |
| MicrosoftATP.LiveResponseAction.commands.command.type | String | The machine action command type. |
| MicrosoftATP.LiveResponseAction.commands.command.params.key | String | The machine action command params key. |
| MicrosoftATP.LiveResponseAction.commands.command.params.value | String | The machine action command params value. |
| MicrosoftATP.LiveResponseAction.troubleshootInfo | String | The machine action troubleshootInfo. |

### microsoft-atp-live-response-result

Gets the result file of a specified live response action.

#### Base Command

`microsoft-atp-live-response-result`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_action_id | Action ID to retrieve status and data for. | Required |
| command_index | Index of the command whose result file to retrieve. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.LiveResponseAction | String | The machine action ID. |

#### Command example

```
!microsoft-atp-live-response-result machine_action_id=11a86b87-12b8-423b-9e8d-9775ab2da78f command_index=0
```

#### Context Example

{
"File": {
"EntryID": "230@c1c0b1a7-2a6b-40be-8479-7399ee467a6b",
"Info": "application/json",
"MD5": "1f2bc070ced88de8c80323acfcdbd33c",
"Name": "Response Result",
"SHA1": "eb7568c1342d7fac8c570e53e2ce8103025b605b",
"SHA256": "9df3ced59fd1f346aad035016beb5ebf89838b2f02b1610ee7e0cbfd396cbf02",
"SHA512": "a62de5d64827f60a9885e95658d203f4a7eb7d070873a0379c5ac52d8b013fc12c0e9187c3f83103dcb1bf937d88bf0b48f32f77e72ead30231e5eefca681de9",
"SSDeep": "6:YWGc00ZR/+MqifdvuxAbimLPsYRa7+R98A7V/NJviD5BW+yWrbmD3he6an:YWGb0ZRmKQODYqa7+X7XSB9y+bmhan",
"Size": 293,
"Type": "JSON data"
},
"MicrosoftATP": {
"LiveResponseResult": {
"exit_code": 0,
"script_errors": "",
"script_name": "test_script.ps1",
"script_output": "Transcript started, output file is C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{1954B499-1836-4928-90A2-86DE508BD1B0}.txt\n\u0000"
}
}
}

#### Human Readable Output

file_link: https://automatedirstrprdeus.blob.core.windows.net/investigation-actions-data/b7df6ab7-5c73-4e13-8cd3-82e1f3d849ed/CustomPlaybookCommandOutput/7ef257a5069c45fe790be86d479d1518?se=2022-02-07T14%3A33%3A07Z&sp=rt&sv=2020-06-12&sr=b&rscd=attachment%3B%20filename%3Doutput_11a86b87-12b8-423b-9e8d-9775ab2da78f_0.json&skoid=34334208-452d-4d6d-afc6-0c319d62a726&sktid=124edf19-b350-4797-aefc-3206115ffdb3&skt=2022-02-07T13%3A48%3A07Z&ske=2022-02-07T14%3A33%3A07Z&sks=b&skv=2020-06-12&sig=IRxMKavzQqHplTsAL350holkkm%2B3NI2mhUUWxaHbOAM%3D

### microsoft-atp-advanced-hunting-lateral-movement-evidence

Detects evidence of attempted lateral movement. The `query_purpose` argument selects a designated query template.

#### Base Command

`microsoft-atp-advanced-hunting-lateral-movement-evidence`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query_purpose | Selects the query template to use. "network_connections" - Network connections initiated by the host/file to other internal hosts. "smb_connections" - SMB connections. "credential_dumping" - Was credential dumping used, and if so, can use of the dumped accounts be detected on other hosts on the network? "management_connection" - Management connection attempts to other hosts. | Required |
| device_name | Device name to look for. | Optional |
| remote_ip_count | Threshold for network enumeration in smb_connections. | Optional |
| file_name | File name to look for. | Optional |
| sha1 | SHA1 hash to look for. | Optional |
| sha256 | SHA256 hash to look for. | Optional |
| md5 | MD5 hash to look for. | Optional |
| device_id | Device ID to look for. | Optional |
| query_operation | Query operator to use with the provided arguments. Possible values are: or, and. Default is or. | Optional |
| limit | The maximum number of results to retrieve. Default is 50. | Optional |
| time_range | Time range to look back. Expected syntax is a human readable time range, e.g. 60 minutes, 6 hours, 1 day. | Optional |
| timeout | The amount of time (in seconds) that a request waits for the query response before a timeout occurs. Default is 10. | Optional |
| page | The page number from which to start a search. Default is 1. | Optional |
| show_query | Show the query as part of the entry result. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.HuntLateralMovementEvidence.Result.network_connections | String | The query results for the network_connections query_purpose. |
| MicrosoftATP.HuntLateralMovementEvidence.Result.smb_connections | String | The query results for the smb_connections query_purpose. |
| MicrosoftATP.HuntLateralMovementEvidence.Result.credential_dumping | String | The query results for the credential_dumping query_purpose. |
| MicrosoftATP.HuntLateralMovementEvidence.Result.management_connection | String | The query results for the management_connection query_purpose. |

#### Command example

```
!microsoft-atp-advanced-hunting-lateral-movement-evidence query_purpose=network_connections device_name=devicename_2,devicename_1 limit=6
```

#### Context Example

{
"MicrosoftATP": {
"HuntLateralMovementEvidence": {
"Result": {
"network_connections": [
{
"DeviceName": "devicename_2",
"InitiatingProcessFileName": "",
"RemoteIP": "ip1",
"RemotePort": 54296,
"TotalConnections": 21
}
]
}
}
}
}

#### Human Readable Output

##### Lateral Movement Evidence Hunt (network_connections) Results

| DeviceName | RemoteIP | RemotePort | TotalConnections |
| --- | --- | --- | --- |
| devicename_2 | ip1 | 54296 | 21 |

#### Command example

```
!microsoft-atp-advanced-hunting-lateral-movement-evidence query_purpose=smb_connections device_name=devicename_1
```

#### Context Example

{
"MicrosoftATP": {
"HuntLateralMovementEvidence": {
"Result": {
"smb_connections": [
{
"DeviceName": "devicename_1",
"InitiatingProcessCreationTime": "2022-03-03T19:43:46.4373311Z",
"InitiatingProcessFileName": "powershell.exe",
"InitiatingProcessId": 5748,
"RemoteIPCount": 5
},
{
"DeviceName": "devicename_1",
"InitiatingProcessCreationTime": "2022-03-03T19:51:43.2411889Z",
"InitiatingProcessFileName": "powershell_ise.exe",
"InitiatingProcessId": 10084,
"RemoteIPCount": 17
}
]
}
}
}
}

#### Human Readable Output

##### Lateral Movement Evidence Hunt (smb_connections) Results

| DeviceName | InitiatingProcessCreationTime | InitiatingProcessFileName | InitiatingProcessId | RemoteIPCount |
| --- | --- | --- | --- | --- |
| devicename_1 | 2022-03-03T19:43:46.4373311Z | powershell.exe | 5748 | 5 |
| devicename_1 | 2022-03-03T19:51:43.2411889Z | powershell_ise.exe | 10084 | 17 |

#### Command example

```
!microsoft-atp-advanced-hunting-lateral-movement-evidence query_purpose="management_connection" device_id="4cceb3c642212014e0e9553aa8b59e999ea515ff" query_operation="or" limit="50" timeout="10"
```

#### Context Example

{
"MicrosoftATP": {
"HuntLateralMovementEvidence": {
"Result": {
"management_connection": [
{
"DeviceName": "device_name",
"LocalIP": "ip3",
"RemoteIP": "ip4",
"RemotePort": 135,
"TotalCount": 41
},
{
"DeviceName": "device_name",
"LocalIP": "ip3",
"RemoteIP": "ip3",
"RemotePort": 139,
"TotalCount": 1
}
]
}
}
}
}

#### Human Readable Output

##### Lateral Movement Evidence Hunt (management_connection) Results

| DeviceName | LocalIP | RemoteIP | RemotePort | TotalCount |
| --- | --- | --- | --- | --- |
| device_name | ip3 | ip4 | 135 | 41 |
| device_name | ip3 | ip3 | 139 | 1 |

### microsoft-atp-advanced-hunting-persistence-evidence

Detects evidence of persistence. The `query_purpose` argument selects a designated query template.

#### Base Command

`microsoft-atp-advanced-hunting-persistence-evidence`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query_purpose | Selects the query template to use. "scheduled_job" - Did the process create any scheduled jobs? "registry_entry" - Did it write to the registry? Also requires the process_cmd argument. "startup_folder_changes" - Was anything added to the startup folder? "new_service_created" - Was a new service created? "service_updated" - Was an existing service edited? "file_replaced" - Was a file replaced in Program Files? "new_user" - Was a new user created on the local machine? "new_group" - Was a new group created? "group_user_change" - Was a user added to a group on the local machine? "local_firewall_change" - Was there a change to the local firewall rules? "host_file_change" - Was there a change to the hosts file? Possible values are: scheduled_job, registry_entry, startup_folder_changes, new_service_created, service_updated, file_replaced, new_user, new_group, group_user_change, local_firewall_change, host_file_change. | Required |
| device_name | Device name to look for. | Optional |
| file_name | File name to look for. | Optional |
| sha1 | SHA1 hash to look for. | Optional |
| sha256 | SHA256 hash to look for. | Optional |
| md5 | MD5 hash to look for. | Optional |
| device_id | Device ID to look for. | Optional |
| query_operation | Query operator to use with the provided arguments. Possible values are: or, and. Default is or. | Optional |
| limit | Maximum number of results to retrieve. Default is 50. | Optional |
| time_range | Time range to look back. Expected syntax is a human readable time range, e.g. 60 minutes, 6 hours, 1 day. | Optional |
| timeout | The amount of time (in seconds) that a request waits for the query response before a timeout occurs. Default is 10. | Optional |
| process_cmd | Process command line that initiated the registry entry. Can only be used with the "registry_entry" query_purpose. | Optional |
| page | The page number from which to start a search. Default is 1. | Optional |
| show_query | Show the query as part of the entry result. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.HuntPersistenceEvidence.Result.scheduled_job | String | The query results for the scheduled_job query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.registry_entry | String | The query results for the registry_entry query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.startup_folder_changes | String | The query results for the startup_folder_changes query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.new_service_created | String | The query results for the new_service_created query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.service_updated | String | The query results for the service_updated query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.file_replaced | String | The query results for the file_replaced query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.new_user | String | The query results for the new_user query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.new_group | String | The query results for the new_group query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.group_user_change | String | The query results for the group_user_change query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.local_firewall_change | String | The query results for the local_firewall_change query_purpose. |
| MicrosoftATP.HuntPersistenceEvidence.Result.host_file_change | String | The query results for the host_file_change query_purpose. |

#### Command example

```
!microsoft-atp-advanced-hunting-persistence-evidence query_purpose=scheduled_job device_name=devicename_2 device_id=4cceb3c642212014e0e9553aa8b59e999ea515ff,96444b946be252d1f4550354edef5fdc23aca2c5 query_operation=or
```

#### Human Readable Output

##### Persistence Evidence Hunt (scheduled_job) Results

No entries.

#### Command example

```
!microsoft-atp-advanced-hunting-persistence-evidence query_purpose=new_service_created file_name=installer,services
```

#### Context Example

{
"MicrosoftATP": {
"HuntPersistenceEvidence": {
"Result": {
"new_service_created": [
{
"DeviceName": "devicename_2",
"InitiatingProcessCommandLine": "services.exe",
"InitiatingProcessFileName": "services.exe",
"InitiatingProcessVersionInfoOriginalFileName": "services.exe",
"InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
"RegistryKey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\MpKsl49022091",
"RegistryValueData": "",
"RegistryValueName": "",
"RegistryValueType": "None",
"Timestamp": "2022-03-12T00:45:51.2745622Z"
},
{
"DeviceName": "devicename_2",
"InitiatingProcessCommandLine": "services.exe",
"InitiatingProcessFileName": "services.exe",
"InitiatingProcessVersionInfoOriginalFileName": "services.exe",
"InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
"RegistryKey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\MpKsl897892ef",
"RegistryValueData": "",
"RegistryValueName": "",
"RegistryValueType": "None",
"Timestamp": "2022-03-13T00:45:49.9561415Z"
}
]
}
}
}
}

#### Human Readable Output

##### Persistence Evidence Hunt (new_service_created) Results

| DeviceName | InitiatingProcessCommandLine | InitiatingProcessFileName | InitiatingProcessVersionInfoOriginalFileName | InitiatingProcessVersionInfoProductName | RegistryKey | RegistryValueType | Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- |
| devicename_2 | services.exe | services.exe | services.exe | Microsoft® Windows® Operating System | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpKsl49022091 | None | 2022-03-12T00:45:51.2745622Z |
| devicename_2 | services.exe | services.exe | services.exe | Microsoft® Windows® Operating System | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpKsl897892ef | None | 2022-03-13T00:45:49.9561415Z |

#### Command example

```
!microsoft-atp-advanced-hunting-persistence-evidence query_purpose=new_user device_name=desktop
```

#### Context Example

{
"MicrosoftATP": {
"HuntPersistenceEvidence": {
"Result": {
"new_user": [
{
"AccountDomain": "devicename_1",
"AccountName": "delete_me",
"AccountSid": "accound-sid",
"DeviceName": "devicename_1",
"InitiatingProcessAccountName": "demisto",
"InitiatingProcessLogonId": 74706995,
"Timestamp": "2022-03-03T21:25:52.4538765Z"
}
]
}
}
}
}

#### Human Readable Output

##### Persistence Evidence Hunt (new_user) Results

| AccountDomain | AccountName | AccountSid | DeviceName | InitiatingProcessAccountName | InitiatingProcessLogonId | Timestamp |
| --- | --- | --- | --- | --- | --- | --- |
| devicename_1 | delete_me | accound-sid | devicename_1 | demisto | 74706995 | 2022-03-03T21:25:52.4538765Z |

#### Command example

```
!microsoft-atp-advanced-hunting-persistence-evidence query_purpose=new_group device_id=deviceid device_name=desktop query_operation=and
```

#### Context Example

{
"MicrosoftATP": {
"HuntPersistenceEvidence": {
"Result": {
"new_group": [
{
"AccountDomain": "",
"AccountName": "",
"AccountSid": "",
"AdditionalFields": "{\"GroupName\":\"Test_group_delete\",\"GroupDomainName\":\"devicename_1\",\"GroupSid\":\"S-1-5-21-4197691174-1403503641-4006700887-1006\"}",
"DeviceName": "devicename_1",
"InitiatingProcessAccountName": "demisto",
"InitiatingProcessLogonId": 74706995,
"Timestamp": "2022-03-03T21:26:30.8791017Z"
}
]
}
}
}
}

#### Human Readable Output

##### Persistence Evidence Hunt (new_group) Results

| AdditionalFields | DeviceName | InitiatingProcessAccountName | InitiatingProcessLogonId | Timestamp |
| --- | --- | --- | --- | --- |
| {"GroupName":"Test_group_delete","GroupDomainName":"devicename_1","GroupSid":"S-1-5-21-4197691174-1403503641-4006700887-1006"} | devicename_1 | demisto | 74706995 | 2022-03-03T21:26:30.8791017Z |

#### Command example

```
!microsoft-atp-advanced-hunting-persistence-evidence query_purpose=group_user_change device_name=desktop
```

#### Context Example

{
"MicrosoftATP": {
"HuntPersistenceEvidence": {
"Result": {
"group_user_change": [
{
"AccountSid": "accound-sid"
}
]
}
}
}
}

#### Human Readable Output

##### Persistence Evidence Hunt (group_user_change) Results

| AccountSid |
| --- |
| accound-sid |

#### Command example

```
!microsoft-atp-advanced-hunting-persistence-evidence query_purpose=local_firewall_change device_name=desktop
```

#### Human Readable Output

##### Persistence Evidence Hunt (local_firewall_change) Results

No entries.

#### Command example

```
!microsoft-atp-advanced-hunting-persistence-evidence query_purpose=host_file_change device_name=desktop
```

#### Human Readable Output

##### Persistence Evidence Hunt (host_file_change) Results

No entries.

### microsoft-atp-advanced-hunting-process-details

Retrieves process details. The `query_purpose` argument selects a designated query template.

#### Base Command

`microsoft-atp-advanced-hunting-process-details`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query_purpose | Selects the query template to use. "parent_process" - Parent process. "grandparent_process" - Grandparent process. "process_details" - Process hash, path and signature details. "beaconing_evidence" - Does the process appear to be beaconing? "powershell_execution_unsigned_files" - Has the file executed PowerShell? Queries without specifying processes; no additional arguments are required. "process_excecution_powershell" - Has the file executed PowerShell? Possible values are: parent_process, grandparent_process, process_details, beaconing_evidence, powershell_execution_unsigned_files, process_excecution_powershell. | Required |
| device_name | Device name to look for. | Optional |
| file_name | File name to look for. | Optional |
| sha1 | SHA1 hash to look for. | Optional |
| sha256 | SHA256 hash to look for. | Optional |
| md5 | MD5 hash to look for. | Optional |
| device_id | Device ID to look for. | Optional |
| query_operation | Query operator to use with the provided arguments. Possible values are: or, and. Default is or. | Optional |
| limit | Maximum number of results to retrieve. Default is 50. | Optional |
| time_range | Time range to look back. Expected syntax is a human readable time range, e.g. 60 minutes, 6 hours, 1 day. | Optional |
| timeout | The amount of time (in seconds) that a request waits for the query response before a timeout occurs. Default is 10. | Optional |
| page | The page number from which to start a search. Default is 1. | Optional |
| show_query | Show the query as part of the entry result. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.HuntProcessDetails.Result.parent_process | String | The query results for the parent_process query_purpose. |
| MicrosoftATP.HuntProcessDetails.Result.grandparent_process | String | The query results for the grandparent_process query_purpose. |
| MicrosoftATP.HuntProcessDetails.Result.process_details | String | The query results for the process_details query_purpose. |
| MicrosoftATP.HuntProcessDetails.Result.beaconing_evidence | String | The query results for the beaconing_evidence query_purpose. |
| MicrosoftATP.HuntProcessDetails.Result.powershell_execution_unsigned_files | String | The query results for the powershell_execution_unsigned_files query_purpose. |
| MicrosoftATP.HuntProcessDetails.Result.process_excecution_powershell | String | The query results for the process_excecution_powershell query_purpose. |

#### Command example

```
!microsoft-atp-advanced-hunting-process-details query_purpose=beaconing_evidence file_name=powershell device_name=desktop query_operation=and
```

#### Context Example

{
"MicrosoftATP": {
"HuntProcessDetails": {
"Result": {
"beaconing_evidence": [
{
"ActionType": "ConnectionSuccess",
"DeviceId": "deviceid_2",
"DeviceName": "devicename_2",
"InitiatingProcessFileName": "powershell.exe",
"InitiatingProcessMD5": "md5",
"InitiatingProcessSHA1": "sha1",
"InitiatingProcessSHA256": "sha256",
"LocalIP": "ip1",
"LocalIPType": "Private",
"LocalPort": 49169,
"Protocol": "Tcp",
"RemoteIP": "ip3",
"RemoteIPType": "Public",
"RemotePort": 443,
"RemoteUrl": "winatp-gw-eus.microsoft.com",
"Timestamp": "2022-03-15T20:38:30.5393171Z"
},
{
"ActionType": "ConnectionSuccess",
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"InitiatingProcessFileName": "powershell.exe",
"InitiatingProcessMD5": "md5",
"InitiatingProcessSHA1": "sha1",
"InitiatingProcessSHA256": "sha256",
"LocalIP": "ip2",
"LocalIPType": "Private",
"LocalPort": 52110,
"Protocol": "Tcp",
"RemoteIP": "ip3",
"RemoteIPType": "Public",
"RemotePort": 443,
"RemoteUrl": "winatp-gw-eus.microsoft.com",
"Timestamp": "2022-03-15T15:33:29.0892401Z"
}
]
}
}
}
}

#### Human Readable Output

##### Process Details Hunt (beaconing_evidence) Results

| ActionType | DeviceId | DeviceName | InitiatingProcessFileName | InitiatingProcessMD5 | InitiatingProcessSHA1 | InitiatingProcessSHA256 | LocalIP | LocalIPType | LocalPort | Protocol | RemoteIP | RemoteIPType | RemotePort | RemoteUrl | Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ConnectionSuccess | deviceid_2 | devicename_2 | powershell.exe | md5 | sha1 | sha256 | ip1 | Private | 49169 | Tcp | ip3 | Public | 443 | winatp-gw-eus.microsoft.com | 2022-03-15T20:38:30.5393171Z |
| ConnectionSuccess | deviceid | devicename_1 | powershell.exe | md5 | sha1 | sha256 | ip2 | Private | 52110 | Tcp | ip3 | Public | 443 | winatp-gw-eus.microsoft.com | 2022-03-15T15:33:29.0892401Z |
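The beaconing_evidence rows above are raw connection events; whether they actually look like a beacon still depends on how regular the intervals between the connections are. The following is an added example, not code from the integration or from Microsoft: it groups rows of the shape returned above by device, process and remote endpoint and scores each group by the coefficient of variation (standard deviation divided by mean) of its inter-connection intervals. The sample events, the placeholder addresses ip3 and ip5, and the thresholds min_events and max_cv are constructed assumptions chosen here for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def parse_ts(ts: str) -> datetime:
    """Parse a Defender timestamp such as 2022-03-15T20:38:30.5393171Z.

    Defender emits seven fractional digits; datetime.fromisoformat() before
    Python 3.11 accepts only three or six, so the fraction is trimmed to
    microseconds first.
    """
    s = ts.rstrip("Z")
    if "." in s:
        base, frac = s.split(".", 1)
        s = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def beaconing_findings(rows, min_events=5, max_cv=0.2):
    """Group beaconing_evidence rows by (device, process, remote endpoint) and
    score each group by the coefficient of variation of its inter-connection
    intervals. A near-constant interval over enough events is what makes a
    connection look like a beacon. The thresholds are assumptions to tune,
    not Defender's own logic.
    """
    groups = defaultdict(list)
    for r in rows:
        key = (r["DeviceName"], r["InitiatingProcessFileName"], r["RemoteIP"], r["RemotePort"])
        groups[key].append(parse_ts(r["Timestamp"]))
    findings = []
    for (device, process, ip, port), times in groups.items():
        if len(times) < min_events:
            continue  # too few connections to say anything about periodicity
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue  # duplicate timestamps only; no interval to measure
        cv = pstdev(deltas) / avg
        findings.append({
            "device": device,
            "process": process,
            "remote": f"{ip}:{port}",
            "events": len(times),
            "mean_interval_s": round(avg, 1),
            "cv": round(cv, 3),
            "periodic": cv <= max_cv,
        })
    return findings


# Constructed sample events in the shape of the beaconing_evidence rows above
# (only the fields the analysis uses). powershell.exe talks to ip3:443 about
# every 60 s with small jitter; chrome.exe connects to ip5:443 at irregular times.
_START = datetime(2022, 3, 15, 20, 0, 0, tzinfo=timezone.utc)


def _event(process, ip, port, seconds_after_start):
    t = _START + timedelta(seconds=seconds_after_start)
    return {
        "DeviceName": "devicename_1",
        "InitiatingProcessFileName": process,
        "RemoteIP": ip,
        "RemotePort": port,
        "Timestamp": t.strftime("%Y-%m-%dT%H:%M:%S.%f") + "0Z",  # seven fractional digits
    }


SAMPLE_EVENTS = (
    [_event("powershell.exe", "ip3", 443, s) for s in (0, 61, 119, 182, 240, 298, 361, 420)]
    + [_event("chrome.exe", "ip5", 443, s) for s in (0, 5, 130, 131, 400, 900)]
)

if __name__ == "__main__":
    for finding in beaconing_findings(SAMPLE_EVENTS):
        print(finding)
```

A low coefficient of variation over many events is suggestive, not conclusive: a legitimate agent polling a fixed endpoint (the sensor traffic to winatp-gw-eus.microsoft.com in the result above is one) scores as periodic too, so pair the score with the RemoteUrl and process hash fields before treating a group as a finding.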

### microsoft-atp-advanced-hunting-network-connections

Detects network connections. The `query_purpose` argument selects a designated query template.

#### Base Command

`microsoft-atp-advanced-hunting-network-connections`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query_purpose | Selects the query template to use. "external_addresses" - Network connections to external addresses. "dns_query" - DNS queries. Query by hash, file name or specific processes; at least one file argument (file_name, sha1, sha256, md5) and one device argument (device_name, device_id) are required. "encoded_commands" - Are there commands with base64 encoding? Only device arguments are used (device_name, device_id); at least one is required. Possible values are: external_addresses, dns_query, encoded_commands. | Required |
| device_name | Device name to look for. | Optional |
| file_name | File name to look for. | Optional |
| sha1 | SHA1 hash to look for. | Optional |
| sha256 | SHA256 hash to look for. | Optional |
| md5 | MD5 hash to look for. | Optional |
| device_id | Device ID to look for. | Optional |
| query_operation | Query operator to use with the provided arguments. Possible values are: or, and. Default is or. | Optional |
| limit | Maximum number of results to retrieve. Default is 50. | Optional |
| time_range | Time range to look back. Expected syntax is a human readable time range, e.g. 60 minutes, 6 hours, 1 day. | Optional |
| timeout | The amount of time (in seconds) that a request waits for the query response before a timeout occurs. Default is 10. | Optional |
| page | The page number from which to start a search. Default is 1. | Optional |
| show_query | Show the query as part of the entry result. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.HuntNetworkConnections.Result.external_addresses | String | The query results for the external_addresses query_purpose. |
| MicrosoftATP.HuntNetworkConnections.Result.dns_query | String | The query results for the dns_query query_purpose. |
| MicrosoftATP.HuntNetworkConnections.Result.encoded_commands | String | The query results for the encoded_commands query_purpose. |

#### Command example

```
!microsoft-atp-advanced-hunting-network-connections query_purpose=dns_query device_name=devicename_1,devicename_2
```

#### Context Example

{
"MicrosoftATP": {
"HuntNetworkConnections": {
"Result": {
"dns_query": [
{
"ActionType": "NetworkSignatureInspected",
"DeviceName": "devicename_2",
"Packetinfo": "{\"SignatureName\":\"DNS_Request\",\"SignatureMatchedContent\":\"h%D4%01%00%00%01%00%00%00%00%00%00%05ctldl%0Dwindowsupdate%03com\",\"SamplePacketContent\":\"[\\\"h%D4%01%00%00%01%00%00%00%00%00%00%05ctldl%0Dwindowsupdate%03com%00%00%01%00%01\\\"]\"}",
"RemoteIP": "8.8.8.8",
"Timestamp": "2022-03-15T20:01:20.3307099Z"
},
{
"ActionType": "NetworkSignatureInspected",
"DeviceName": "devicename_2",
"Packetinfo": "{\"SignatureName\":\"DNS_Request\",\"SignatureMatchedContent\":\"%B0%C5%01%00%00%01%00%00%00%00%00%00%06us-v20%06events%04data%09microsoft%03com\",\"SamplePacketContent\":\"[\\\"%B0%C5%01%00%00%01%00%00%00%00%00%00%06us-v20%06events%04data%09microsoft%03com%00%00%01%00%01\\\"]\"}",
"RemoteIP": "8.8.8.8",
"Timestamp": "2022-03-15T20:01:20.3327319Z"
}
]
}
}
}
}

#### Human Readable Output

##### Network Connections Hunt (dns_query) Results

| ActionType | DeviceName | Packetinfo | RemoteIP | Timestamp |
| --- | --- | --- | --- | --- |
| NetworkSignatureInspected | devicename_2 | {"SignatureName":"DNS_Request","SignatureMatchedContent":"h%D4%01%00%00%01%00%00%00%00%00%00%05ctldl%0Dwindowsupdate%03com","SamplePacketContent":"[\"h%D4%01%00%00%01%00%00%00%00%00%00%05ctldl%0Dwindowsupdate%03com%00%00%01%00%01\"]"} | 8.8.8.8 | 2022-03-15T20:01:20.3307099Z |
| NetworkSignatureInspected | devicename_2 | {"SignatureName":"DNS_Request","SignatureMatchedContent":"%B0%C5%01%00%00%01%00%00%00%00%00%00%06us-v20%06events%04data%09microsoft%03com","SamplePacketContent":"[\"%B0%C5%01%00%00%01%00%00%00%00%00%00%06us-v20%06events%04data%09microsoft%03com%00%00%01%00%01\"]"} | 8.8.8.8 | 2022-03-15T20:01:20.3327319Z |
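The Packetinfo column above carries the inspected DNS request as percent-encoded raw packet bytes rather than as a decoded name, so the queried domain has to be recovered from the DNS wire format before it can be compared against allow lists or threat intelligence. The following is an added example, not part of the integration or of Defender's output: it decodes SignatureMatchedContent into the DNS transaction ID, the recursion-desired flag and the queried name, and reads QTYPE/QCLASS from SamplePacketContent, which is itself a JSON-encoded list of packets. The two sample strings are copied from the result above; the observation that SignatureMatchedContent stops before the terminating zero label is taken from those samples, and decode_qname and parse_dns_request are names chosen here.

```python
import json
import struct
from urllib.parse import unquote_to_bytes

# Constructed samples: the two Packetinfo strings from the dns_query result above,
# exactly as they read once the outer context JSON has been decoded.
SAMPLE_PACKETINFO = (
    r'{"SignatureName":"DNS_Request",'
    r'"SignatureMatchedContent":"h%D4%01%00%00%01%00%00%00%00%00%00%05ctldl%0Dwindowsupdate%03com",'
    r'"SamplePacketContent":"[\"h%D4%01%00%00%01%00%00%00%00%00%00%05ctldl%0Dwindowsupdate%03com%00%00%01%00%01\"]"}'
)
SAMPLE_PACKETINFO_2 = (
    r'{"SignatureName":"DNS_Request",'
    r'"SignatureMatchedContent":"%B0%C5%01%00%00%01%00%00%00%00%00%00%06us-v20%06events%04data%09microsoft%03com",'
    r'"SamplePacketContent":"[\"%B0%C5%01%00%00%01%00%00%00%00%00%00%06us-v20%06events%04data%09microsoft%03com%00%00%01%00%01\"]"}'
)

DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT: six 16-bit fields


def decode_qname(data: bytes, offset: int = DNS_HEADER_LEN):
    """Walk the length-prefixed labels of a DNS question name.

    Returns (name, offset_after_name, terminated). SignatureMatchedContent
    ends at the last label without the closing zero byte, so running out of
    data is not an error: the name is returned with terminated=False.
    """
    labels = []
    i = offset
    while i < len(data):
        length = data[i]
        if length == 0:
            return ".".join(labels), i + 1, True
        if length & 0xC0:
            # compression pointers never occur in a plain query name
            raise ValueError(f"unexpected compression pointer at offset {i}")
        i += 1
        labels.append(data[i:i + length].decode("ascii", errors="replace"))
        i += length
    return ".".join(labels), i, False


def parse_dns_request(packet_info: str) -> dict:
    """Decode a NetworkSignatureInspected DNS_Request Packetinfo string into
    the transaction ID, RD flag, queried name and (when the sample packet is
    present) QTYPE/QCLASS."""
    info = json.loads(packet_info)
    if info.get("SignatureName") != "DNS_Request":
        raise ValueError(f"not a DNS_Request signature: {info.get('SignatureName')!r}")
    matched = unquote_to_bytes(info["SignatureMatchedContent"])
    if len(matched) < DNS_HEADER_LEN:
        raise ValueError("matched content shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", matched[:6])
    qname, _, terminated = decode_qname(matched)
    result = {
        "transaction_id": txid,
        "recursion_desired": bool(flags & 0x0100),
        "qdcount": qdcount,
        "qname": qname,
        "qname_terminated": terminated,
        "qtype": None,
        "qclass": None,
    }
    # SamplePacketContent is a JSON list of percent-encoded packets that also
    # carries the zero terminator and the 4 bytes of QTYPE/QCLASS.
    samples = json.loads(info.get("SamplePacketContent", "[]"))
    if samples:
        full = unquote_to_bytes(samples[0])
        _, end, terminated = decode_qname(full)
        if terminated and len(full) >= end + 4:
            result["qtype"], result["qclass"] = struct.unpack("!HH", full[end:end + 4])
    return result


if __name__ == "__main__":
    print(parse_dns_request(SAMPLE_PACKETINFO))
    print(parse_dns_request(SAMPLE_PACKETINFO_2))
```

Because SignatureMatchedContent is cut off at the last label, a name decoded from it alone is reported with qname_terminated set to False; use the SamplePacketContent path when you need the record type as well, and treat a name that fails to decode (for example one containing a compression pointer) as something to inspect rather than silently skip.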

### microsoft-atp-advanced-hunting-cover-up

Detects cover-up actions. The `query_purpose` argument selects a designated query template.

#### Base Command

`microsoft-atp-advanced-hunting-cover-up`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query_purpose | Selects the query template to use. "file_deleted" - Did the file delete itself? "event_log_cleared" - Was the event log cleared? Requires at least one of the device arguments (device_name, device_id). "compromised_information" - Information on a compromised user and its activities; requires only the username argument. "connected_devices" - All devices the compromised user connected to; requires only the username argument. "action_types" - All action types created by a user on each machine; requires only the username argument. "common_files" - Most common files associated with a user; requires only the username argument. Possible values are: file_deleted, event_log_cleared, compromised_information, connected_devices, action_types, common_files. | Required |
| device_name | Device name to look for. | Optional |
| file_name | File name to look for. | Optional |
| sha1 | SHA1 hash to look for. | Optional |
| sha256 | SHA256 hash to look for. | Optional |
| md5 | MD5 hash to look for. | Optional |
| device_id | Device ID to look for. | Optional |
| username | Username to look for in the relevant query types. | Optional |
| query_operation | Query operator to use with the provided arguments. Possible values are: or, and. Default is or. | Optional |
| limit | Maximum number of results to retrieve. Default is 50. | Optional |
| time_range | Time range to look back. Expected syntax is a human readable time range, e.g. 60 minutes, 6 hours, 1 day. | Optional |
| timeout | The amount of time (in seconds) that a request waits for the query response before a timeout occurs. Default is 10. | Optional |
| page | The page number from which to start a search. Default is 1. | Optional |
| show_query | Show the query as part of the entry result. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.HuntCoverUp.Result.file_deleted | String | The query results for the file_deleted query_purpose. |
| MicrosoftATP.HuntCoverUp.Result.event_log_cleared | String | The query results for the event_log_cleared query_purpose. |
| MicrosoftATP.HuntCoverUp.Result.compromised_information | String | The query results for the compromised_information query_purpose. |
| MicrosoftATP.HuntCoverUp.Result.connected_devices | String | The query results for the connected_devices query_purpose. |
| MicrosoftATP.HuntCoverUp.Result.action_types | String | The query results for the action_types query_purpose. |
| MicrosoftATP.HuntCoverUp.Result.common_files | String | The query results for the common_files query_purpose. |

#### Command example

```
!microsoft-atp-advanced-hunting-cover-up query_purpose=file_deleted file_name=chrome device_name=desktop query_operation=and
```

#### Context Example

{
"MicrosoftATP": {
"HuntCoverUp": {
"Result": {
"file_deleted": [
{
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "old_chrome_proxy.exe",
"FolderPath": "C:\\Program Files\\Google\\Chrome\\Temp\\scoped_dir9640_1501542081",
"InitiatingProcessCommandLine": "\"setup.exe\" --rename-chrome-exe --system-level --verbose-logging --channel=stable",
"InitiatingProcessFileName": "setup.exe",
"InitiatingProcessVersionInfoProductName": "Google Chrome Installer",
"Timestamp": "2022-03-10T09:41:21.9388696Z"
},
{
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "old_chrome_proxy.exe",
"FolderPath": "C:\\Program Files\\Google\\Chrome\\Temp\\scoped_dir9640_1501542081",
"InitiatingProcessCommandLine": "\"setup.exe\" --rename-chrome-exe --system-level --verbose-logging --channel=stable",
"InitiatingProcessFileName": "setup.exe",
"InitiatingProcessVersionInfoProductName": "Google Chrome Installer",
"Timestamp": "2022-03-10T09:41:21.9390745Z"
},
{
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "chrome_pwa_launcher.exe",
"FolderPath": "C:\\Program Files\\Google\\Chrome\\Application\\98.0.4758.102",
"InitiatingProcessCommandLine": "\"setup.exe\" --channel=stable --delete-old-versions --system-level --verbose-logging",
"InitiatingProcessFileName": "setup.exe",
"InitiatingProcessVersionInfoProductName": "Google Chrome Installer",
"Timestamp": "2022-03-10T09:41:37.3955125Z"
},
{
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "chrome_pwa_launcher.exe",
"FolderPath": "C:\\Program Files\\Google\\Chrome\\Application\\98.0.4758.102",
"InitiatingProcessCommandLine": "\"setup.exe\" --channel=stable --delete-old-versions --system-level --verbose-logging",
"InitiatingProcessFileName": "setup.exe",
"InitiatingProcessVersionInfoProductName": "Google Chrome Installer",
"Timestamp": "2022-03-10T09:41:37.3957224Z"
},
{
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "99.0.4844.51_98.0.4758.102_chrome_updater.exe",
"FolderPath": "C:\\Program Files (x86)\\Google\\Update\\Install\\{CD86F442-5CCD-4E90-B0AC-36D19A65A0C5}",
"InitiatingProcessCommandLine": "\"GoogleUpdate.exe\" /svc",
"InitiatingProcessFileName": "GoogleUpdate.exe",
"InitiatingProcessVersionInfoProductName": "Google Update",
"Timestamp": "2022-03-08T13:29:06.7875767Z"
},
{
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "99.0.4844.51_98.0.4758.102_chrome_updater.exe",
"FolderPath": "C:\\Program Files (x86)\\Google\\Update\\Install\\{CD86F442-5CCD-4E90-B0AC-36D19A65A0C5}",
"InitiatingProcessCommandLine": "\"GoogleUpdate.exe\" /svc",
"InitiatingProcessFileName": "GoogleUpdate.exe",
"InitiatingProcessVersionInfoProductName": "Google Update",
"Timestamp": "2022-03-08T13:29:06.7877821Z"
}
]
}
}
}
}

Human Readable Output#

Cover Up Hunt (file_deleted) Results#

| DeviceId | DeviceName | FileName | FolderPath | InitiatingProcessCommandLine | InitiatingProcessFileName | InitiatingProcessVersionInfoProductName | Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- |
| deviceid | devicename_1 | old_chrome_proxy.exe | C:\Program Files\Google\Chrome\Temp\scoped_dir9640_1501542081 | "setup.exe" --rename-chrome-exe --system-level --verbose-logging --channel=stable | setup.exe | Google Chrome Installer | 2022-03-10T09:41:21.9388696Z |
| deviceid | devicename_1 | old_chrome_proxy.exe | C:\Program Files\Google\Chrome\Temp\scoped_dir9640_1501542081 | "setup.exe" --rename-chrome-exe --system-level --verbose-logging --channel=stable | setup.exe | Google Chrome Installer | 2022-03-10T09:41:21.9390745Z |
| deviceid | devicename_1 | chrome_pwa_launcher.exe | C:\Program Files\Google\Chrome\Application\98.0.4758.102 | "setup.exe" --channel=stable --delete-old-versions --system-level --verbose-logging | setup.exe | Google Chrome Installer | 2022-03-10T09:41:37.3955125Z |
| deviceid | devicename_1 | chrome_pwa_launcher.exe | C:\Program Files\Google\Chrome\Application\98.0.4758.102 | "setup.exe" --channel=stable --delete-old-versions --system-level --verbose-logging | setup.exe | Google Chrome Installer | 2022-03-10T09:41:37.3957224Z |
| deviceid | devicename_1 | 99.0.4844.51_98.0.4758.102_chrome_updater.exe | C:\Program Files (x86)\Google\Update\Install\{CD86F442-5CCD-4E90-B0AC-36D19A65A0C5} | "GoogleUpdate.exe" /svc | GoogleUpdate.exe | Google Update | 2022-03-08T13:29:06.7875767Z |
| deviceid | devicename_1 | 99.0.4844.51_98.0.4758.102_chrome_updater.exe | C:\Program Files (x86)\Google\Update\Install\{CD86F442-5CCD-4E90-B0AC-36D19A65A0C5} | "GoogleUpdate.exe" /svc | GoogleUpdate.exe | Google Update | 2022-03-08T13:29:06.7877821Z |

Command example#

!microsoft-atp-advanced-hunting-cover-up query_purpose=event_log_cleared device_name=devicename_1

Context Example#

{
"MicrosoftATP": {
"HuntCoverUp": {
"Result": {
"event_log_cleared": [
{
"ClearedLogList": [
"\"wevtutil.exe\" clear-log System",
"\"wevtutil.exe\" cl System"
],
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "wevtutil.exe",
"InitiatingProcessFileName": "powershell.exe",
"LogClearCount": 2,
"Timestamp": "2022-03-09T07:15:00Z"
}
]
}
}
}
}

Human Readable Output#

Cover Up Hunt (event_log_cleared) Results#

| ClearedLogList | DeviceId | DeviceName | FileName | InitiatingProcessFileName | LogClearCount | Timestamp |
| --- | --- | --- | --- | --- | --- | --- |
| "wevtutil.exe" clear-log System, "wevtutil.exe" cl System | deviceid | devicename_1 | wevtutil.exe | powershell.exe | 2 | 2022-03-09T07:15:00Z |

Command example#

!microsoft-atp-advanced-hunting-cover-up query_purpose=compromised_information username=demisto

Context Example#

{
"MicrosoftATP": {
"HuntCoverUp": {
"Result": {
"compromised_information": [
{
"ActionType": "LogonSuccess",
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "",
"FolderPath": "",
"InitiatingProcessFileName": "lsass.exe",
"MD5": "",
"SHA1": "",
"SHA256": "",
"Timestamp": "2022-03-16T08:05:44.8315718Z"
},
{
"ActionType": "LogonSuccess",
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "",
"FolderPath": "",
"InitiatingProcessFileName": "lsass.exe",
"MD5": "",
"SHA1": "",
"SHA256": "",
"Timestamp": "2022-02-28T12:34:02.8853766Z"
},
{
"ActionType": "LogonSuccess",
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "",
"FolderPath": "",
"InitiatingProcessFileName": "",
"MD5": "",
"SHA1": "",
"SHA256": "",
"Timestamp": "2022-02-28T12:34:02.8855892Z"
},
{
"ActionType": "LogonSuccess",
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "",
"FolderPath": "",
"InitiatingProcessFileName": "lsass.exe",
"MD5": "",
"SHA1": "",
"SHA256": "",
"Timestamp": "2022-02-28T12:34:05.6575357Z"
},
{
"ActionType": "LogonAttempted",
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "",
"FolderPath": "",
"InitiatingProcessFileName": "svchost.exe",
"MD5": "",
"SHA1": "",
"SHA256": "",
"Timestamp": "2022-02-28T12:34:05.7005903Z"
},
{
"ActionType": "LogonFailed",
"DeviceId": "deviceid",
"DeviceName": "devicename_1",
"FileName": "",
"FolderPath": "",
"InitiatingProcessFileName": "",
"MD5": "",
"SHA1": "",
"SHA256": "",
"Timestamp": "2022-03-16T08:05:36.0887779Z"
}
]
}
}
}
}

Human Readable Output#

Cover Up Hunt (compromised_information) Results#

| ActionType | DeviceId | DeviceName | InitiatingProcessFileName | Timestamp |
| --- | --- | --- | --- | --- |
| LogonSuccess | deviceid | devicename_1 | lsass.exe | 2022-03-16T08:05:44.8315718Z |
| LogonSuccess | deviceid | devicename_1 | lsass.exe | 2022-02-28T12:34:02.8853766Z |
| LogonSuccess | deviceid | devicename_1 |  | 2022-02-28T12:34:02.8855892Z |
| LogonSuccess | deviceid | devicename_1 | lsass.exe | 2022-02-28T12:34:05.6575357Z |
| LogonAttempted | deviceid | devicename_1 | svchost.exe | 2022-02-28T12:34:05.7005903Z |
| LogonFailed | deviceid | devicename_1 |  | 2022-03-16T08:05:36.0887779Z |
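The three Context Examples above each land under a different `query_purpose` key, and in a playbook the useful next step is to correlate them rather than read them one by one. The following triage helper is an added example, not part of the integration: it walks a context dict shaped like `MicrosoftATP.HuntCoverUp.Result`, lists every event-log clear, pairs file deletions on the same device with a preceding log clear (skipping deletions by installer products on an example allowlist, `ROUTINE_PRODUCTS`, since the page's own file_deleted sample is all Chrome installer churn), and finds a LogonFailed followed shortly by a LogonSuccess. `SAMPLE_CONTEXT` is constructed from the page's samples with one extra deletion row (`evidence.log` by `cmd.exe`) added so the correlation has something to match; the timestamp parser is needed because Defender timestamps carry seven fractional digits.

```python
"""Triage helper for microsoft-atp-advanced-hunting-cover-up results (added example,
not integration code). Input is a context dict shaped like the page's Context Examples."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Installer product names treated as routine cleanup noise (example tuning allowlist).
ROUTINE_PRODUCTS = {"Google Chrome Installer", "Google Update"}

# Constructed sample shaped like the page's Context Examples, abridged, plus one
# extra deletion row (evidence.log by cmd.exe) so the correlation below can fire.
SAMPLE_CONTEXT = {"MicrosoftATP": {"HuntCoverUp": {"Result": {
    "file_deleted": [
        {"DeviceName": "devicename_1", "FileName": "old_chrome_proxy.exe",
         "InitiatingProcessFileName": "setup.exe",
         "InitiatingProcessVersionInfoProductName": "Google Chrome Installer",
         "Timestamp": "2022-03-10T09:41:21.9388696Z"},
        {"DeviceName": "devicename_1", "FileName": "evidence.log",
         "InitiatingProcessFileName": "cmd.exe",
         "InitiatingProcessVersionInfoProductName": "",
         "Timestamp": "2022-03-09T07:16:10Z"},
    ],
    "event_log_cleared": [
        {"ClearedLogList": ['"wevtutil.exe" clear-log System', '"wevtutil.exe" cl System'],
         "DeviceName": "devicename_1", "InitiatingProcessFileName": "powershell.exe",
         "LogClearCount": 2, "Timestamp": "2022-03-09T07:15:00Z"},
    ],
    "compromised_information": [
        {"ActionType": "LogonFailed", "DeviceName": "devicename_1",
         "InitiatingProcessFileName": "", "Timestamp": "2022-03-16T08:05:36.0887779Z"},
        {"ActionType": "LogonSuccess", "DeviceName": "devicename_1",
         "InitiatingProcessFileName": "lsass.exe", "Timestamp": "2022-03-16T08:05:44.8315718Z"},
        {"ActionType": "LogonSuccess", "DeviceName": "devicename_1",
         "InitiatingProcessFileName": "lsass.exe", "Timestamp": "2022-02-28T12:34:02.8853766Z"},
    ],
}}}}


def parse_ts(ts: str) -> datetime:
    """Parse 2022-03-16T08:05:36.0887779Z: seven fractional digits, more than
    fromisoformat() accepts on older Pythons, so truncate to microseconds by hand."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def hunt_results(context: dict, purpose: str) -> list:
    """Rows under MicrosoftATP.HuntCoverUp.Result.<query_purpose>, or [] if absent."""
    return (context.get("MicrosoftATP", {}).get("HuntCoverUp", {})
            .get("Result", {}).get(purpose, []))


def log_clears(context: dict) -> list:
    """Every event_log_cleared row deserves a look: (device, process, cleared logs, time)."""
    return [(r["DeviceName"], r["InitiatingProcessFileName"],
             list(r["ClearedLogList"]), parse_ts(r["Timestamp"]))
            for r in hunt_results(context, "event_log_cleared")]


def deletions_after_log_clear(context: dict, window=timedelta(minutes=30)) -> list:
    """file_deleted rows within `window` after a log clear on the same device,
    ignoring allowlisted installers. Returns (device, file, initiating process)."""
    clears = defaultdict(list)
    for device, _, _, when in log_clears(context):
        clears[device].append(when)
    hits = []
    for r in hunt_results(context, "file_deleted"):
        if r.get("InitiatingProcessVersionInfoProductName") in ROUTINE_PRODUCTS:
            continue
        when = parse_ts(r["Timestamp"])
        if any(timedelta(0) <= when - c <= window for c in clears[r["DeviceName"]]):
            hits.append((r["DeviceName"], r["FileName"], r["InitiatingProcessFileName"]))
    return hits


def failed_then_success(context: dict, window=timedelta(minutes=5)) -> list:
    """LogonFailed followed by LogonSuccess on the same device within `window`:
    returns (device, failed_at, succeeded_at) per pair, each failure matched once."""
    by_device = defaultdict(list)
    for r in hunt_results(context, "compromised_information"):
        by_device[r["DeviceName"]].append((parse_ts(r["Timestamp"]), r["ActionType"]))
    pairs = []
    for device, events in by_device.items():
        events.sort()
        for i, (failed_at, kind) in enumerate(events):
            if kind != "LogonFailed":
                continue
            for later, later_kind in events[i + 1:]:
                if later - failed_at > window:
                    break
                if later_kind == "LogonSuccess":
                    pairs.append((device, failed_at, later))
                    break
    return pairs


if __name__ == "__main__":
    print("log clears:", log_clears(SAMPLE_CONTEXT))
    print("deletions after a log clear:", deletions_after_log_clear(SAMPLE_CONTEXT))
    print("failed-then-success logons:", failed_then_success(SAMPLE_CONTEXT))
```

In an XSOAR automation the same functions would be fed `demisto.context()` after the three `!microsoft-atp-advanced-hunting-cover-up` runs; the windows and the product allowlist are the tuning knobs, and both are deliberately conservative so that ordinary software updates do not page anyone.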

microsoft-atp-advanced-hunting-file-origin#


Finds out how the file got onto the machine. Possible details are: "dropped_file" - was the file dropped, and from where? "created_file" - created by another file (script, compiled binary). "network_shared" - shared via the network. "execution_chain" - what is the process execution chain?

Base Command#

microsoft-atp-advanced-hunting-file-origin

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_name | Device name to look for. | Optional |
| file_name | File name to look for. | Optional |
| sha1 | SHA1 hash to look for. | Optional |
| sha256 | SHA256 hash to look for. | Optional |
| md5 | MD5 hash to look for. | Optional |
| device_id | Device ID to look for. | Optional |
| query_operation | Query operator to use with the provided arguments. Possible values are: or, and. Default is or. | Optional |
| limit | Maximum number of results to retrieve. Default is 50. | Optional |
| time_range | Time range to look back. Expected syntax is a human readable time range, e.g. 60 minutes, 6 hours, 1 day, etc. | Optional |
| timeout | The amount of time (in seconds) that a request waits for the query response before a timeout occurs. Default is 10. | Optional |
| page | The page number from which to start a search. Default is 1. | Optional |
| show_query | Show the query as part of the entry result. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.HuntFileOrigin.Result | String | The query results. |

microsoft-atp-advanced-hunting-privilege-escalation#


Checks whether there is evidence of privilege escalation.

Base Command#

microsoft-atp-advanced-hunting-privilege-escalation

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_name | Device name to look for. | Optional |
| device_id | Device ID to look for. | Optional |
| query_operation | Query operator to use with the provided arguments. Possible values are: or, and. Default is or. | Optional |
| limit | Maximum number of results to retrieve. Default is 50. | Optional |
| time_range | Time range to look back. Expected syntax is a human readable time range, e.g. 60 minutes, 6 hours, 1 day, etc. | Optional |
| timeout | The amount of time (in seconds) that a request waits for the query response before a timeout occurs. Default is 10. | Optional |
| page | The page number from which to start a search. Default is 1. | Optional |
| show_query | Show the query as part of the entry result. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.HuntPrivilegeEscalation.Result | String | The query results. |

microsoft-atp-advanced-hunting-tampering#


Detects whether there is any evidence of MSDE agent/sensor manipulation (tampering).

Base Command#

microsoft-atp-advanced-hunting-tampering

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_name | Device name to look for. | Optional |
| device_id | Device ID to look for. | Optional |
| query_operation | Query operator to use with the provided arguments. Possible values are: or, and. Default is or. | Optional |
| limit | Maximum number of results to retrieve. Default is 50. | Optional |
| time_range | Time range to look back. Expected syntax is a human readable time range, e.g. 60 minutes, 6 hours, 1 day, etc. | Optional |
| timeout | The amount of time (in seconds) that a request waits for the query response before a timeout occurs. Default is 10. | Optional |
| page | The page number from which to start a search. Default is 1. | Optional |
| show_query | Show the query as part of the entry result. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.HuntTampering.Result | String | The query results. |

microsoft-atp-live-response-cancel-action#


Cancels an action with an unfinished status.

Base Command#

microsoft-atp-live-response-cancel-action

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_action_id | Action ID to retrieve status and data for. | Required |
| comment | A comment to associate with the action. | Required |

Context Output#

There is no context output for this command.

microsoft-atp-get-machine-users#


Retrieves a collection of logged on users on a specific device.

Required Permissions#

User.Read.All

Base Command#

microsoft-atp-get-machine-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| machine_id | A machine ID used for getting logged on users. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftATP.MachineUser.ID | String | The user ID. |
| MicrosoftATP.MachineUser.AccountName | String | The user account name. |
| MicrosoftATP.MachineUser.AccountDomain | String | The domain of the user account. |
| MicrosoftATP.MachineUser.FirstSeen | Date | The first date and time the user logged on to the machine. |
| MicrosoftATP.MachineUser.LastSeen | Date | The last date and time the user logged on to the machine. |
| MicrosoftATP.MachineUser.LogonTypes | String | The logon types of the user on the machine. |
| MicrosoftATP.MachineUser.DomainAdmin | Boolean | True if the user is a domain admin, False otherwise. |
| MicrosoftATP.MachineUser.NetworkUser | Boolean | True if the user is a network user, False otherwise. |
| MicrosoftATP.MachineUser.MachineID | String | The machine ID. |
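The DomainAdmin and LogonTypes fields together answer a question an analyst asks about every machine in an incident: did a highly privileged account leave an interactive session on this endpoint? The following helper is an added example, not integration code; it takes a list of MachineUser records with the keys named in the Context Output table above, flags domain admin accounts that logged on interactively and accounts not seen for a configurable number of days, and orders findings by how recently the account was seen. `SAMPLE_USERS` is constructed, `INTERACTIVE` is an example set of logon type names, and the assumption that LogonTypes is a comma-separated string is the example's own.

```python
"""Review microsoft-atp-get-machine-users output for risky sessions (added example,
not integration code). Record keys follow the Context Output table on this page."""
from datetime import datetime, timedelta, timezone

# Logon types that leave an interactive session on the endpoint. LogonTypes is
# assumed (for this example) to be a comma-separated string of such names.
INTERACTIVE = {"Interactive", "RemoteInteractive", "CachedInteractive"}

# Constructed sample records shaped after the Context Output table.
SAMPLE_USERS = [
    {"ID": "contoso\\user1", "AccountName": "user1", "AccountDomain": "contoso",
     "FirstSeen": "2022-01-05T08:00:00Z", "LastSeen": "2022-03-15T17:30:00Z",
     "LogonTypes": "Interactive", "DomainAdmin": False, "NetworkUser": False,
     "MachineID": "0a3250e0693a109f1affc9217be9459028aa8424"},
    {"ID": "contoso\\da-ops", "AccountName": "da-ops", "AccountDomain": "contoso",
     "FirstSeen": "2022-03-14T09:12:00Z", "LastSeen": "2022-03-14T09:40:00Z",
     "LogonTypes": "RemoteInteractive, Network", "DomainAdmin": True, "NetworkUser": False,
     "MachineID": "0a3250e0693a109f1affc9217be9459028aa8424"},
    {"ID": "contoso\\svc-backup", "AccountName": "svc-backup", "AccountDomain": "contoso",
     "FirstSeen": "2021-11-01T02:00:00Z", "LastSeen": "2022-01-20T02:00:00Z",
     "LogonTypes": "Network", "DomainAdmin": True, "NetworkUser": True,
     "MachineID": "0a3250e0693a109f1affc9217be9459028aa8424"},
]


def parse_seen(ts: str) -> datetime:
    """FirstSeen/LastSeen as UTC datetimes (sample values carry no fractional seconds)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def logon_types(record: dict) -> set:
    """Split the LogonTypes string into a set of type names, ignoring blanks."""
    return {t.strip() for t in record.get("LogonTypes", "").split(",") if t.strip()}


def review_machine_users(users: list, now: datetime, stale_days: int = 30) -> list:
    """Return (account ID, finding) pairs, most recently seen accounts first.

    A domain admin with an interactive logon type on an ordinary endpoint is a
    tiering violation worth a ticket; a stale account is a clean-up candidate."""
    findings = []
    for u in sorted(users, key=lambda r: parse_seen(r["LastSeen"]), reverse=True):
        if u.get("DomainAdmin") and logon_types(u) & INTERACTIVE:
            findings.append((u["ID"], "domain admin with interactive logon"))
        if now - parse_seen(u["LastSeen"]) > timedelta(days=stale_days):
            findings.append((u["ID"], "not seen in %d days" % stale_days))
    return findings


if __name__ == "__main__":
    for account, finding in review_machine_users(SAMPLE_USERS, parse_seen("2022-03-16T00:00:00Z")):
        print(f"{account}: {finding}")
```

With the sample and a reference time of 2022-03-16 the review reports `contoso\da-ops` for its RemoteInteractive domain admin session and `contoso\svc-backup` as stale; `contoso\user1` and the network-only admin logon produce nothing, which is the intended quiet default.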

Command example#

!microsoft-atp-get-machine-users machine_id=0a3250e0693a109f1affc9217be9459028aa8424

Context Example#

{
"MicrosoftATP": {
"MachineUser": [
{
"id": "contoso\\user1",