MDE - Pro-Active Actions

This playbook is part of the Microsoft Defender for Endpoint pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook supports investigation actions for the analyst, including:

  • Running a full AV scan on a specific endpoint.
  • Requesting an investigation package (a zip file containing forensic data, roughly 15 MB in size) from an endpoint.
  • Requesting an automated investigation on an endpoint.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

Microsoft Defender For Endpoint - Collect investigation package

Integrations

MicrosoftDefenderAdvancedThreatProtection

Scripts

This playbook does not use any scripts.

Commands

  • microsoft-atp-run-antivirus-scan
  • microsoft-atp-start-investigation

Playbook Inputs

Name | Description | Default Value | Required
--- | --- | --- | ---
Task | Task option for the input (can be entered as comma-separated values): `Full Scan` - fully scan the provided endpoint(s); `Collect Investigation Package` - collect the investigation package from the endpoint(s) (only for supported devices); `Automated Investigation` - run an automated investigation on the provided endpoint. | | Optional
EndpointsID | A list of endpoints on which the scan and the collection of the investigation package are run. | | Optional
AutoCollectinvestigationPackege | True/False | True | Optional
AutoAVScan | True/False | True | Optional
AutoAutomatedInvestigation | True/False | True | Optional

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

[Playbook image: MDE - Pro-Active Actions]