
MDE Malware - Incident Enrichment

This playbook is part of the Microsoft Defender for Endpoint Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook enriches Microsoft Defender for Endpoint alerts. The enrichment covers the endpoint involved in the alert and the MITRE ATT&CK technique ID(s) associated with it, and the playbook then sets the 'Malware-Investigation and Response' layout on the incident.


This playbook uses the following sub-playbooks, integrations, scripts, and commands.

Sub-playbooks

  • Malware Investigation and Response - Set Alerts Grid
  • Mitre Attack - Extract Technique Information From ID

Integrations

  • MicrosoftDefenderAdvancedThreatProtection

Scripts

  • SetAndHandleEmpty
  • isError

Commands

  • setIncident
  • microsoft-atp-get-alert-by-id
  • file
  • endpoint

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| DidAlertOriginateFromSIEM | Whether the incident is fetched through a SIEM product. | No | Optional |
| AlertID | The Microsoft Defender for Endpoint alert ID. | ${incident.externalsystemid} | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| MITREATTACK | The full MITRE data for the attack pattern. | string |
| AttackPattern | An array of attack pattern names and IDs. | string |
| MicrosoftATP.Alert | Microsoft Defender for Endpoint alert information. | unknown |
| Endpoint | The endpoint information. | unknown |

Playbook Image

[Playbook image: MDE Malware - Incident Enrichment]