MDE - Search and Compare Process Executions
Microsoft Defender for Endpoint Pack.#
This Playbook is part of theSupported versions
Supported Cortex XSOAR versions: 6.9.0 and later.
This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
- value: process name
- commands: command-line arguments
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooksThis playbook does not use any sub-playbooks.
#
IntegrationsMicrosoftDefenderAdvancedThreatProtection
#
Scripts- DeleteContext
- StringSimilarity
- Set
#
Commandsmicrosoft-atp-advanced-hunting
#
Playbook InputsName | Description | Default Value | Required |
---|---|---|---|
Processes | Optional | ||
HuntingTimeFrame | Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | 7 days | Optional |
StringSimilarityThreshold | StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold. | 0.5 | Optional |
#
Playbook OutputsPath | Description | Type |
---|---|---|
StringSimilarity | StringSimilarity results. | unknown |
Findings | Suspicious process executions found. | unknown |