Skip to main content

MDE - Search and Compare Process Executions

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.

Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:

  • value: process name
  • commands: command-line arguments


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.




  • DeleteContext
  • StringSimilarity
  • Set



Playbook Inputs#

NameDescriptionDefault ValueRequired
HuntingTimeFrameTime in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.7 daysOptional
StringSimilarityThresholdStringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.0.5Optional

Playbook Outputs#

StringSimilarityStringSimilarity results.unknown
FindingsSuspicious process executions found.unknown

Playbook Image#

MDE - Search and Compare Process Executions