Skip to main content

MDE - True Positive Incident Handling

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This Playbook handles closing a true positive incident for Microsoft Defender for Endpoint.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

Microsoft Defender For Endpoint - Isolate Endpoint

Integrations#

MicrosoftDefenderAdvancedThreatProtection

Scripts#

  • SearchIncidentsV2
  • IsIntegrationAvailable
  • ServiceNowCreateIncident

Commands#

  • jira-create-issue
  • microsoft-atp-get-file-related-machines
  • microsoft-atp-update-alert
  • microsoft-atp-stop-and-quarantine-file
  • setIndicators
  • closeInvestigation
  • microsoft-atp-sc-indicator-create

Playbook Inputs#


NameDescriptionDefault ValueRequired
DupAlertIDsToBeClosedThe Cortex XSOAR investigation IDs to be closed.Optional
CommentAdd a comment to close an incident on the Microsoft Defender For Endpoint side.XSOAR Incident #${incident.id}Optional
ReasonProvide a reason for closing the incident. Choose one of the following:
"NotAvailable"/"Apt,Malware"/"SecurityPersonnel"/"SecurityTesting"/"UnwantedSoftware"/"Other"
Optional
ClassificationChoose From - "Unknown" / "TruePositive" / "FalsePositive"Optional
TicketDescriptionSpecify the ticket description for this section.Optional
BlockTagSpecify the banning tag name for the found indicators.BlockTagOptional
TicketProjectNameIf you are using Jira, specify the Jira Project Key here (can be retrieved from the Jira console).Optional
TicketingSystemToUseThe name of the ticketing system to use, for example, Jira or ServiceNow.Optional
AutoIsolationWhether host isolation is allowed.FalseOptional
CloseDuplicateWhether duplicate incidents should be closed as well in the Microsoft Defender for Endpoint integration instance.
The playbook looks for the word "Close" in this input.
Optional
HostIDThe ID of the host for running an isolation process.${incident.deviceid}Optional
FileSha256Enter the File SHA256 you want to block.${incident.filesha256}Optional
FileSha1Enter the File SHA1 you want to remove from your protected endpoints.${incident.filesha1}Optional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


MDE - True Positive Incident Handling