
MDE Malware - Investigation and Response

This Playbook is part of the Microsoft Defender for Endpoint Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook investigates Microsoft Defender For Endpoint malware alerts. It uses:

  • Microsoft Defender For Endpoint Advanced Hunting
  • Command Line Analysis
  • Deduplication
  • Sandbox hash search and detonation
  • Proactive investigation actions: AV scan, investigation package collection, running automated investigation on an endpoint
  • Microsoft Defender For Endpoint alert enrichment
  • Incident handling (true/false positive)


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Detonate and Analyze File - Generic
  • MDE - Retrieve File
  • Search For Hash In Sandbox - Generic
  • MDE Malware - Incident Enrichment
  • Command-Line Analysis
  • MDE - True Positive Incident Handling
  • MDE - Host Advanced Hunting
  • Dedup - Generic v4
  • MDE - False Positive Incident Handling
  • MDE - Pro-Active Actions

Integrations

This playbook does not use any integrations.

Scripts

  • ZipStrings
  • MalwareFindingsParse

Commands

  • setIncident

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| TicketingSystemToUse | Possible options: SNOW or Jira (SNOW == ServiceNow). |  |  |
| RetrieveFile | Whether file retrieval from the endpoint is allowed. | True | Optional |
| DetonateFile | Whether file detonation is allowed on the sandbox. | True | Optional |
| EnableDeduplication | Whether the deduplication playbook will be used. | True | Optional |
| BenignTagName | The name of the tag to apply to allowed indicators. | BenignTagName | Optional |
| RunInvestigationActivities | Choose True to automatically run investigation activities (this relies on the ActionTask input). | True | Optional |
| AdvancedHunting | Choose True to run Advanced Hunting queries through your Microsoft Defender For Endpoint instance. Note: this may take some time. | True | Optional |
| DeduphandleSimilar | Defines how to handle similar incidents. Possible values: "Link", "Close", "Link and Close". Note: closing incidents requires defining the "CloseSimilar" input as well; incidents found by similar indicators or fields will be closed if their similarity score is above the CloseSimilar value. | Link and Close | Optional |
| DedupCloseSimilar | Defines the similarity threshold for closing a similar incident. All similar incidents with similarity above this value will be closed. For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed. The value should be between 0 and 1 [0=low similarity, 1=identical]. |  |  |
| EnableClosureSteps | Whether to use closure steps or close the incident automatically. | True | Optional |
| TicketProjectName | If using Jira, specify the Jira Project Key (can be retrieved from the Jira console). |  | Optional |
| AutoCollectinvestigationPackege | Choose True to automatically collect the investigation package from an endpoint. | False | Optional |
| ActionTask | Options for this input (can be comma-separated values): `Full Scan` - fully scan the provided endpoints; `Collect Investigation Package` - collect the investigation package from endpoints (only for supported devices); `Automated Investigation` - run an Automated Investigation on the provided endpoint. If empty, the actions should be checked manually. |  |  |
| AutoAVScan | Choose True to automatically run a Full AV Scan on your endpoint. | False | Optional |
| AutoAutomatedInvestigation | Choose True to automatically run an automated investigation on your endpoint. | False | Optional |
| MaliciousTagName | The tag to assign to indicators to block. | MaliciousTagName | Optional |
| AutoUnisolation | Indicates whether automatic un-isolation is allowed. |  |  |
| DidAlertOriginateFromSIEM | If the alert originated from a SIEM, there is no need to run the incident enrichment flow. | No | Optional |
| DedupSimilarTextField | A comma-separated list of incident text fields to take into account when computing similarity, for example command line or URL. |  | Optional |
| AutoIsolation | Whether endpoint auto-isolation is allowed. | False | Optional |
| DedupMinimunIncidentSimilarity | Retain incidents with a similarity score greater than the MinimunIncidentSimilarity. The value should be between 0 and 1 [0=low similarity, 1=identical]. | 0.2 | Optional |
| DedupLimit | The maximum number of incidents to query and set to context data. Default is 200. |  |  |
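To make the Dedup* inputs concrete, here is an added Python example (not code from this playbook, the Dedup - Generic v4 sub-playbook or the pack) that applies DeduphandleSimilar, DedupCloseSimilar, DedupMinimunIncidentSimilarity and DedupLimit to a constructed list of similar-incident scores. The function name, the sample scores and the highest-similarity-first ordering are assumptions; the strict "greater than" comparisons follow the input descriptions above.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Constructed sample of similar-incident candidates as the Dedup sub-playbook
# might score them (incident id, similarity in [0, 1]); not real data.
SAMPLE_CANDIDATES: List[Tuple[str, float]] = [
    ("INC-101", 0.95), ("INC-102", 0.85), ("INC-103", 0.60),
    ("INC-104", 0.20), ("INC-105", 0.05),
]

@dataclass
class DedupOutcome:
    closed: List[str] = field(default_factory=list)    # closed as duplicates
    linked: List[str] = field(default_factory=list)    # linked to this incident
    retained: List[str] = field(default_factory=list)  # kept in context, no action
    dropped: List[str] = field(default_factory=list)   # below minimum similarity

def apply_dedup_inputs(candidates: Sequence[Tuple[str, float]],
                       handle_similar: str = "Link and Close",
                       close_similar: Optional[float] = None,
                       min_similarity: float = 0.2,
                       limit: int = 200) -> DedupOutcome:
    """Hypothetical helper: combine DeduphandleSimilar, DedupCloseSimilar,
    DedupMinimunIncidentSimilarity and DedupLimit the way the README describes."""
    mode = handle_similar.lower()
    want_link, want_close = "link" in mode, "close" in mode
    if not (want_link or want_close):
        raise ValueError('DeduphandleSimilar must be "Link", "Close" or "Link and Close"')
    if want_close and close_similar is None:
        # The README requires DedupCloseSimilar whenever closing is enabled.
        raise ValueError("DedupCloseSimilar must be set when similar incidents are closed")
    for name, value in (("DedupMinimunIncidentSimilarity", min_similarity),
                        ("DedupCloseSimilar", close_similar)):
        if value is not None and not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {value}")
    outcome = DedupOutcome()
    # Assumption: the most similar incidents are considered first; DedupLimit caps them.
    for incident_id, score in sorted(candidates, key=lambda c: c[1], reverse=True)[:limit]:
        if score <= min_similarity:        # only "greater than" the minimum is retained
            outcome.dropped.append(incident_id)
        elif want_close and score > close_similar:   # strictly above CloseSimilar
            outcome.closed.append(incident_id)
        elif want_link:
            outcome.linked.append(incident_id)
        else:                              # "Close" only: similar, but not enough to close
            outcome.retained.append(incident_id)
    return outcome
```

With the sample scores, CloseSimilar=0.8 and the default "Link and Close", INC-101 and INC-102 are closed, INC-103 is linked, and INC-104 (exactly 0.2) and INC-105 fall below the minimum and are dropped.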

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

MDE Malware - Investigation and Response