Skip to main content

MDE - True Positive Incident Handling

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This Playbook handles closing a true positive incident for Microsoft Defender for Endpoint.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Threat Hunting - Generic
  • Microsoft Defender For Endpoint - Isolate Endpoint


  • MicrosoftDefenderAdvancedThreatProtection


  • SearchIncidentsV2
  • AddEvidence
  • IsIntegrationAvailable
  • ServiceNowCreateIncident


  • microsoft-atp-stop-and-quarantine-file
  • jira-create-issue
  • setIncident
  • closeInvestigation
  • setIndicators
  • microsoft-atp-update-alert
  • microsoft-atp-sc-indicator-create
  • microsoft-atp-get-file-related-machines

Playbook Inputs#

NameDescriptionDefault ValueRequired
DupAlertIDsToBeClosedThe Cortex XSOAR investigation IDs to be closed.Optional
CommentAdd a comment to close an incident on the Microsoft Defender For Endpoint side.XSOAR Incident #${}Optional
ReasonProvide a reason for closing the incident. Choose one of the following:
ClassificationChoose From - "Unknown" / "TruePositive" / "FalsePositive"Optional
TicketDescriptionSpecify the ticket description for this section.Optional
BlockTagSpecify the banning tag name for the found indicators.BlockTagOptional
TicketProjectNameIf you are using Jira, specify the Jira Project Key here (can be retrieved from the Jira console).Optional
TicketingSystemToUseThe name of the ticketing system to use, for example Jira or ServiceNow.Optional
AutoIsolationWhether host isolation is allowed.FalseOptional
CloseDuplicateWhether duplicate incidents should be closed as well in the Microsoft Defender for Endpoint integration instance.
The playbook looks for the world "Close" in this input.
HostIDThe ID of the host for running an isolation process.${incident.deviceid}Optional
FileSha256Enter the File SHA256 you want to block.${incident.filesha256}Optional
FileSha1Enter the File SHA1 you want to remove from your protected endpoints.${incident.filesha1}Optional
ManuallyChooseIOCForHuntingThis input will provide you the ability to select IOCs to be hunted using the Threat Hunting - generic playbook.
If false, it will hunt for all IOCs detected in the incident.
Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage.
IPIP value to be hunt onIPOptional
MD5MD5 file value to be hunt upon.File.MD5Optional
URL_or_DomainURL or domain to be hunt upon.Domain.NameOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

MDE - True Positive Incident Handling