MDE Malware - Investigation and Response
Microsoft Defender for Endpoint Pack.#This Playbook is part of the
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook investigates Microsoft Defender For Endpoint malware alerts. It uses - Microsoft Defender For Endpoint Advanced Hunting - Command Line Analysis - Deduplication - Sandbox hash search and detonation - Proactive investigation actions (AV scan, investigation package collection, running automated investigation on an endpoint) - Microsoft Defender For Endpoint alert enrichment - Incident handling (true/false positive)
This playbook uses the following sub-playbooks, integrations, and scripts.
- Detonate and Analyze File - Generic
- MDE Malware - Incident Enrichment
- Search For Hash In Sandbox - Generic
- MDE - Retrieve File
- Dedup - Generic v4
- MDE - Host Advanced Hunting
- MDE - True Positive Incident Handling
- MDE - Pro-Active Actions
- MDE - False Positive Incident Handling
- Command-Line Analysis
This playbook does not use any integrations.
|TicketingSystemToUse||The ticketing system to use. Possible Options: SNOW or Jira |
*SNOW == ServiceNow (Used in case incident classified as True Positive).
|RetrieveFile||Whether file retrieval from the endpoint is allowed.||True||Optional|
|DetonateFile||Whether file detonation is allowed on the sandbox.||True||Optional|
|EnableDeduplication||"Whether the deduplication playbook will be used."||True||Optional|
|BenignTagName||The name of the tag to apply for allowed indicators.||BenignTagName||Optional|
|RunInvestigationActivities||Choose True to automatically run investigation activities (this relies on the `ActionTask` input).||True||Optional|
|AdvancedHunting||Choose True to run Advance Hunting queries through your Microsoft Defender For Endpoint instance. Note - it may take some time.||True||Optional|
|DeduphandleSimilar||Defines how to handle similar incidents. |
Possible values: "Link", "Close", "Link and Close".
Note: Closing incidents requires defining the "CloseSimilar" input as well.
Also, incidents found by similar indicators or fields will be closed if their similarity score is above the CloseSimilar value.
|Link and Close||Optional|
|DedupCloseSimilar||Defines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed.|
For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed.
The value should be between 0 and 1 [0=low similarity , 1=identical].
|EnableClosureSteps||Whether to use closure steps or close the incident automatically.||True||Optional|
|TicketProjectName||If using Jira, specify the Jira Project Key (can be retrieved from the Jira console).||Optional|
|AutoCollectinvestigationPackege||Choose True to autorun collecting the investigation package from an endpoint.||True||Optional|
|ActionTask||Option for input (can be comma-separated values):|
`Full Scan` - Fully scan the provided endpoints
`Collect Investigation Package` - Collect investigation package from endpoints (only for supported devices)
`Automated Investigation` - Run Automated Investigation on the provided endpoint
If empty, the actions should be checked manually.
|AutoAVScan||Choose True to autorun a Full AV Scan on your endpoint.||True||Optional|
|AutoAutomatedInvestigation||Choose True to autorun automated investigation on your endpoint.||True||Optional|
|MaliciousTagName||The tag to assign for indicators to block.||MaliciousTagName||Optional|
|AutoUnisolation||Whether automatic un-isolation is allowed.||False||Optional|
|DidAlertOriginateFromSIEM||Whether an alert originated from a SIEM. If 'Yes', the incident enrichment flow does not run.||No||Optional|
|DedupSimilarTextField||A comma-separated list of incident text fields to take into account when computing similarity. For example command line or URL.||agnetsid,users,agentsid,CMDline,Hostnames,filenames,filepaths||Optional|
|AutoIsolation||Whether endpoint auto isolation is allowed.||False||Optional|
|DedupMinimunIncidentSimilarity||Retain incidents with a similarity score greater than the MinimunIncidentSimilarity.|
Value should be between 0 to 1 [0=low similarity, 1=identical]
|DedupLimit||The maximum number of incidents to query and set to context data.||200||Optional|
|QueryBatch||Define the custom queries you would like to run as a part of the 'MDE - Host Advanced Hunting' playbook. This input will be passed to the 'query_batch' argument in the '!microsoft-atp-advanced-hunting' command. For more information and examples, check the command's hints.||Optional|
There are no outputs for this playbook.