MDE Malware - Incident Enrichment

This playbook is part of the Microsoft Defender for Endpoint Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook enriches Microsoft Defender for Endpoint alerts. The enrichment covers the involved endpoint and the MITRE ATT&CK technique IDs referenced by the alert, and the playbook sets the 'Malware-Investigation and Response' layout.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Malware Investigation and Response - Set Alerts Grid
  • Mitre Attack - Extract Technique Information From ID

Integrations

  • MicrosoftDefenderAdvancedThreatProtection

Scripts

  • SetAndHandleEmpty
  • isError

Commands

  • setIncident
  • microsoft-atp-get-alert-by-id
  • file
  • endpoint

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| DidAlertOriginateFromSIEM | Whether the incident is fetched through a SIEM product. | No | Optional |
| AlertID | The Microsoft Defender for Endpoint alert ID. | ${incident.externalsystemid} | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| MITREATTACK | The full MITRE data for the attack pattern. | string |
| AttackPattern | An array of attack pattern names and IDs. | string |
| MicrosoftATP.Alert | Microsoft Defender for Endpoint alert information. | unknown |
| Endpoint | The endpoint information. | unknown |

Playbook Image

[Image: MDE Malware - Incident Enrichment]