Skip to main content

MDE Malware - Investigation and Response

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook investigates Microsoft Defender For Endpoint malware alerts. It uses - Microsoft Defender For Endpoint Advanced Hunting - Command Line Analysis - Deduplication - Sandbox hash search and detonation - Proactive investigation actions (AV scan, investigation package collection, running automated investigation on an endpoint) - Microsoft Defender For Endpoint alert enrichment - Incident handling (true/false positive)


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Detonate and Analyze File - Generic
  • MDE Malware - Incident Enrichment
  • Search For Hash In Sandbox - Generic
  • MDE - Retrieve File
  • Dedup - Generic v4
  • MDE - Host Advanced Hunting
  • MDE - True Positive Incident Handling
  • MDE - Pro-Active Actions
  • MDE - False Positive Incident Handling
  • Command-Line Analysis


This playbook does not use any integrations.


  • ZipStrings
  • InvestigationDetailedSummaryParse
  • InvestigationSummaryParse


  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
TicketingSystemToUseThe ticketing system to use. Possible Options: SNOW or Jira
*SNOW == ServiceNow (Used in case incident classified as True Positive).
RetrieveFileWhether file retrieval from the endpoint is allowed.TrueOptional
DetonateFileWhether file detonation is allowed on the sandbox.TrueOptional
EnableDeduplication"Whether the deduplication playbook will be used."TrueOptional
BenignTagNameThe name of the tag to apply for allowed indicators.BenignTagNameOptional
RunInvestigationActivitiesChoose True to automatically run investigation activities (this relies on the `ActionTask` input).TrueOptional
AdvancedHuntingChoose True to run Advance Hunting queries through your Microsoft Defender For Endpoint instance. Note - it may take some time.TrueOptional
DeduphandleSimilarDefines how to handle similar incidents.
Possible values: "Link", "Close", "Link and Close".
Note: Closing incidents requires defining the "CloseSimilar" input as well.
Also, incidents found by similar indicators or fields will be closed if their similarity score is above the CloseSimilar value.
Link and CloseOptional
DedupCloseSimilarDefines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed.
For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed.
The value should be between 0 and 1 [0=low similarity , 1=identical].
EnableClosureStepsWhether to use closure steps or close the incident automatically.TrueOptional
TicketProjectNameIf using Jira, specify the Jira Project Key (can be retrieved from the Jira console).Optional
AutoCollectinvestigationPackegeChoose True to autorun collecting the investigation package from an endpoint.TrueOptional
ActionTaskOption for input (can be comma-separated values):
`Full Scan` - Fully scan the provided endpoints
`Collect Investigation Package` - Collect investigation package from endpoints (only for supported devices)
`Automated Investigation` - Run Automated Investigation on the provided endpoint
If empty, the actions should be checked manually.
AutoAVScanChoose True to autorun a Full AV Scan on your endpoint.TrueOptional
AutoAutomatedInvestigationChoose True to autorun automated investigation on your endpoint.TrueOptional
MaliciousTagNameThe tag to assign for indicators to block.MaliciousTagNameOptional
AutoUnisolationWhether automatic un-isolation is allowed.FalseOptional
DidAlertOriginateFromSIEMWhether an alert originated from a SIEM. If 'Yes', the incident enrichment flow does not run.NoOptional
DedupSimilarTextFieldA comma-separated list of incident text fields to take into account when computing similarity. For example command line or URL.agnetsid,users,agentsid,CMDline,Hostnames,filenames,filepathsOptional
AutoIsolationWhether endpoint auto isolation is allowed.FalseOptional
DedupMinimunIncidentSimilarityRetain incidents with a similarity score greater than the MinimunIncidentSimilarity.
Value should be between 0 to 1 [0=low similarity, 1=identical]
DedupLimitThe maximum number of incidents to query and set to context data.200Optional
QueryBatchDefine the custom queries you would like to run as a part of the 'MDE - Host Advanced Hunting' playbook. This input will be passed to the 'query_batch' argument in the '!microsoft-atp-advanced-hunting' command. For more information and examples, check the command's hints.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

MDE Malware - Investigation and Response