MDE Malware - Incident Enrichment

This playbook is part of the Microsoft Defender for Endpoint pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enriches Microsoft Defender For Endpoint alerts: it enriches the involved endpoint and the MITRE technique IDs referenced by the alert, and it sets the 'Malware-Investigation and Response' layout on the incident.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Mitre Attack - Extract Technique Information From ID
  • Account Enrichment - Generic v2.1

Integrations

  • Microsoft365DefenderEventCollector
  • MicrosoftDefenderAdvancedThreatProtection

Scripts

  • SetGridField
  • isError
  • SetAndHandleEmpty

Commands

  • microsoft-atp-get-alert-by-id
  • setIncident
  • endpoint
  • extractIndicators
  • file

Playbook Inputs

| Name                      | Description                                            | Default Value                 | Required |
|---------------------------|--------------------------------------------------------|-------------------------------|----------|
| DidAlertOriginateFromSIEM | Whether the incident is fetched through a SIEM product. | No                            | Optional |
| AlertID                   | The Microsoft Defender For Endpoint alert ID.          | ${incident.externalsystemid} | Optional |

Playbook Outputs

| Path               | Description                                        | Type    |
|--------------------|----------------------------------------------------|---------|
| MITREATTACK        | The full MITRE data for the attack pattern.        | string  |
| AttackPattern      | An array of attack pattern names and IDs.          | string  |
| MicrosoftATP.Alert | Microsoft Defender For Endpoint alert information. | unknown |
| Endpoint           | The endpoint information.                          | unknown |

Playbook Image

[Playbook image: MDE Malware - Incident Enrichment]