Skip to main content

MDE - Host Advanced Hunting For Powershell Executions

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host PowerShell executions.


This playbook uses the following sub-playbooks, integrations, and scripts.


Command-Line Analysis




This playbook does not use any scripts.


  • microsoft-atp-advanced-hunting-process-details
  • microsoft-atp-advanced-hunting-network-connections
  • microsoft-atp-get-file-related-machines
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
IPA comma-separated list of IPs to hunt.incident.detectedipsOptional
DeviceNameA comma-separated list of host names to hunt.incident.hostnamesOptional
FileNameA comma-separated list of file names to hunt.incident.filenamesOptional
DeviceIDA comma-separated list of device IDs to hunt.incident.agentsidOptional
FileMd5A comma-separated list of file MD5 hashes to hunt.incident.filemd5Optional
FileSha256A comma-separated list of file SHA256 hashes to hunt.incident.filesha256Optional
FileSha1A comma-separated list of file SHA1 hashes to hunt.incident.filesha1Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

MDE - Host Advanced Hunting For Powershell Executions