Skip to main content

MDE - Host Advanced Hunting For Network Activity

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host network activity.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.






  • microsoft-atp-advanced-hunting-network-connections
  • setIncident
  • microsoft-atp-live-response-get-file
  • microsoft-atp-advanced-hunting-lateral-movement-evidence
  • microsoft-atp-advanced-hunting-persistence-evidence
  • ip
  • domain

Playbook Inputs#

NameDescriptionDefault ValueRequired
IPA comma-separated list of IPs to hunt.incident.detectedipsOptional
DeviceNameA comma-separated list of host names to hunt.incident.hostnamesOptional
FileNameA comma-separated list of file names to hunt.incident.filenamesOptional
DeviceIDA comma-separated list of device IDs to hunt.incident.agentsidOptional
FileMd5A comma-separated list of file MD5 hashes to hunt.incident.filemd5Optional
FileSha256A comma-separated list of file SHA256 hashes to hunt.incident.filesha256Optional
FileSha1A comma-separated list of file SHA1 hashes to hunt.incident.filesha1Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

MDE - Host Advanced Hunting For Network Activity