MDE - True Positive Incident Handling

Supported Cortex XSOAR versions: 6.5.0 and later.

This Playbook handles closing a true positive incident for Microsoft Defender for Endpoint.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Microsoft Defender For Endpoint - Isolate Endpoint

MicrosoftDefenderAdvancedThreatProtection

Name	Description	Default Value	Required
DupAlertIDsToBeClosed	The Cortex XSOAR investigation IDs to be closed.		Optional
Comment	Add a comment to close an incident on the Microsoft Defender For Endpoint side.	XSOAR Incident #${incident.id}	Optional
Reason	Provide a reason for closing the incident. Choose one of the following: "NotAvailable"/"Apt,Malware"/"SecurityPersonnel"/"SecurityTesting"/"UnwantedSoftware"/"Other"		Optional
Classification	Choose From - "Unknown" / "TruePositive" / "FalsePositive"		Optional
TicketDescription	Specify the ticket description for this section.		Optional
BlockTag	Specify the banning tag name for the found indicators.	BlockTag	Optional
TicketProjectName	If you are using Jira, specify the Jira Project Key here (can be retrieved from the Jira console).		Optional
TicketingSystemToUse	The name of the ticketing system to use, for example, Jira or ServiceNow.		Optional
AutoIsolation	Whether host isolation is allowed.	False	Optional
CloseDuplicate	Whether duplicate incidents should be closed as well in the Microsoft Defender for Endpoint integration instance. The playbook looks for the word "Close" in this input.		Optional
HostID	The ID of the host for running an isolation process.	${incident.deviceid}	Optional
FileSha256	Enter the File SHA256 you want to block.	${incident.filesha256}	Optional
FileSha1	Enter the File SHA1 you want to remove from your protected endpoints.	${incident.filesha1}	Optional

There are no outputs for this playbook.

MDE - True Positive Incident Handling