Skip to main content

MDE - Host Advanced Hunting

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature. The hunt is executed based on the provided inputs.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • MDE - Host Advanced Hunting For Network Activity
  • MDE - Host Advanced Hunting For Powershell Executions
  • MDE - Host Advanced Hunting For Persistence




This playbook does not use any scripts.


  • microsoft-atp-advanced-hunting-privilege-escalation
  • setIncident
  • microsoft-atp-advanced-hunting-tampering
  • microsoft-atp-advanced-hunting-lateral-movement-evidence
  • microsoft-atp-get-file-info

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileSha1A comma-separated list of file SHA1 hashes to hunt.Optional
FileSha256A comma-separated list of file Sha256 hashes to hunt.Optional
IPA comma-separated list of IPs to hunt.Optional
DeviceNameA comma-separated list of host names to hunt.Optional
FileNameA comma-separated list of file names to hunt.Optional
DeviceIDA comma-separated list of device ID to hunt.Optional
FileMd5A comma-separated list of file MD5 hashes to hunt.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

MDE - Host Advanced Hunting