
MDE Malware - Incident Enrichment

This playbook is part of the Microsoft Defender for Endpoint pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to

This playbook enriches Microsoft Defender For Endpoint alerts. Enrichment is performed on the involved endpoint and on the MITRE technique IDs attached to the alert, and the playbook sets the 'Malware-Investigation and Response' layout.


Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Mitre Attack - Extract Technique Information From ID
  • Account Enrichment - Generic v2.1

Integrations

  • Microsoft365DefenderEventCollector
  • MicrosoftDefenderAdvancedThreatProtection

Scripts

  • SetGridField
  • isError
  • SetAndHandleEmpty

Commands

  • microsoft-atp-get-alert-by-id
  • setIncident
  • endpoint
  • extractIndicators
  • file

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| DidAlertOriginateFromSIEM | Whether the incident is fetched through a SIEM product. | No | Optional |
| AlertID | The Microsoft Defender For Endpoint alert ID. | ${incident.externalsystemid} | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| MITREATTACK | The full MITRE data for the attack pattern. | string |
| AttackPattern | An array of attack pattern names and IDs. | string |
| MicrosoftATP.Alert | Microsoft Defender For Endpoint alert information. | unknown |
| Endpoint | The endpoint information. | unknown |
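The following stand-alone Python model of the enrichment flow is an added example and is not code from the 'Malware Investigation And Response' pack or from Cortex XSOAR. It walks the inputs and outputs listed above: resolving the AlertID default from the incident's external system ID, looking the alert up (the `microsoft-atp-get-alert-by-id` step, with an `isError` check on the result), extracting the MITRE technique IDs and endpoint, and writing only non-empty context keys the way `SetAndHandleEmpty` does. Everything here is an assumption: the sample alert shape (`mitreTechniques`, `computerDnsName`, `evidence[]`) is constructed to look like a Defender for Endpoint alert, every function name is hypothetical, and the reading of DidAlertOriginateFromSIEM (fetch the alert by ID only when the incident arrived through a SIEM and carries nothing but the external ID) is mine, not the page's.

```python
"""Stand-alone model of this playbook's enrichment steps (added example, not
code from the Malware Investigation And Response pack).

Assumptions, none of which come from the page: the alert shape below is a
constructed sample; every function name here is hypothetical; the SIEM branch
(fetch by id only when the incident came through a SIEM) is my reading of the
DidAlertOriginateFromSIEM input.
"""
import re
from typing import Any, Dict

# Technique ids look like T1059 or T1059.001 (sub-technique).
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample: what `microsoft-atp-get-alert-by-id` would return.
SAMPLE_ALERT: Dict[str, Any] = {
    "id": "da637600000000000000_-1234567890",
    "title": "Suspicious PowerShell command line",
    "severity": "Medium",
    "category": "Execution",
    "machineId": "0123456789abcdef0123456789abcdef01234567",
    "computerDnsName": "ws-finance-07.corp.example",
    "mitreTechniques": ["T1059.001", "T1059", "T1027", "not-a-technique"],
    "evidence": [
        {"entityType": "File", "fileName": "update.ps1", "sha256": "a" * 64},
        {"entityType": "User", "accountName": "jdoe", "domainName": "CORP"},
        {"entityType": "Ip", "ipAddress": "203.0.113.45"},
    ],
}
# Constructed stand-in for the integration: alert id -> alert.
ALERT_STORE = {SAMPLE_ALERT["id"]: SAMPLE_ALERT}
# Constructed incident, shaped like one forwarded by a SIEM (external id only).
SAMPLE_INCIDENT = {"externalsystemid": SAMPLE_ALERT["id"], "mdealert": None}


def resolve_alert_id(incident, alert_id_input=None):
    """AlertID input default: an explicit input wins, else ${incident.externalsystemid}."""
    return alert_id_input or incident.get("externalsystemid")


def get_alert_by_id(alert_id):
    """Stand-in for microsoft-atp-get-alert-by-id; an unknown id yields an
    error entry of the kind `isError` would catch."""
    return ALERT_STORE.get(alert_id) or {"error": f"alert {alert_id} not found"}


def is_error(result):
    """Mimic the isError script: a result carrying an 'error' entry fails the branch."""
    return isinstance(result, dict) and "error" in result


def set_and_handle_empty(context, key, value):
    """Mimic SetAndHandleEmpty: write the key only when the value is non-empty,
    so later tasks can test for presence instead of for empty lists."""
    if value not in (None, "", [], {}):
        context[key] = value
    return context


def enrich_alert(alert):
    """Produce the playbook's output context from one alert."""
    ctx: Dict[str, Any] = {}
    evidence = alert.get("evidence", [])
    # AttackPattern: valid technique ids, deduplicated, each with its parent technique
    ids = sorted({t for t in alert.get("mitreTechniques", []) if TECHNIQUE_RE.match(t)})
    set_and_handle_empty(ctx, "AttackPattern", [{"ID": t, "Parent": t.split(".")[0]} for t in ids])
    # Endpoint: the device the alert fired on
    set_and_handle_empty(ctx, "Endpoint", {"Hostname": alert.get("computerDnsName"),
                                           "ID": alert.get("machineId")})
    # extractIndicators + file: hashes from file evidence
    hashes = [e["sha256"] for e in evidence if e.get("entityType") == "File" and e.get("sha256")]
    set_and_handle_empty(ctx, "File", [{"SHA256": h} for h in hashes])
    # Account Enrichment input: DOMAIN\user for each user entity
    accounts = [f"{e['domainName']}\\{e['accountName']}" for e in evidence if e.get("entityType") == "User"]
    set_and_handle_empty(ctx, "Account", accounts)
    set_and_handle_empty(ctx, "MicrosoftATP.Alert", alert)
    return ctx


def run_playbook(incident, did_originate_from_siem=False, alert_id_input=None):
    """Top-level flow: choose the alert source, enrich, and pick the layout."""
    alert_id = resolve_alert_id(incident, alert_id_input)
    if did_originate_from_siem:
        alert = get_alert_by_id(alert_id)  # SIEM incidents carry only the external id
    else:
        alert = incident.get("mdealert") or get_alert_by_id(alert_id)
    if is_error(alert):
        return {"error": alert["error"]}
    ctx = enrich_alert(alert)
    # setIncident step: switch the incident to the investigation layout
    ctx["incident_fields"] = {"layout": "Malware-Investigation and Response"}
    return ctx


if __name__ == "__main__":
    print(run_playbook(SAMPLE_INCIDENT, did_originate_from_siem=True))
```

The main point for a defender reading the inputs table: when the incident arrives via a SIEM, `${incident.externalsystemid}` is the only handle on the alert, so a wrong or missing external ID surfaces as the error branch rather than as silently empty enrichment, which is why the `isError` check sits before any context is written.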

Playbook Image

MDE Malware - Incident Enrichment