Skip to main content

MDE SIEM ingestion - Get Incident Data

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook handles incident ingestion from a SIEM. The user provides the incident fields containing the alert ID. This playbook also enables changing the severity according to a user-defined scale to override the default assigned severity.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.




This playbook does not use any scripts.


  • setIncident
  • microsoft-atp-get-alert-by-id

Playbook Inputs#

NameDescriptionDefault ValueRequired
SIEMincidentFieldForIDThe name of the incident field that contains the detection ID or incident ID.${incident.externalsystemid}Optional
ScaleToSetSeverityThe severity scale as represented in the EDR.
For example, in Microsoft Defender for Endpoint the severity scale is Informational, Low, Medium, High.
SeverityValuesMappingThe mapping to Cortex XSOAR severity from the severity scale in the EDR (the ScaleToSetSeverity inputs).
For example
0.5, 1, 2, 3, 4
Possible values to use are 0, 0.5, 1, 2, 3, 4
Which represent Unknown, Informational, Low, Medium, High, Critical
0.5, 1, 2, 3Optional
OverrideSIEMSeverityWhether to set the severity according to the ScaleToSetSeverity and SeverityValuesMapping settings (True) or keep the original severity as mapped by the SIEM (False).FalseOptional

Playbook Outputs#

CrowdStrike.Detection.Behavior.FileNameThe file name of the behavior.string
CrowdStrike.Detection.Behavior.ScenarioThe scenario name of the behavior.string
CrowdStrike.Detection.Behavior.MD5The MD5 hash of the IOC of the behavior.string
CrowdStrike.Detection.Behavior.SHA256The SHA256 hash of the IOC of the behavior.string
CrowdStrike.Detection.Behavior.IOCTypeThe type of the IOC.string
CrowdStrike.Detection.Behavior.IOCValueThe value of the IOC.string
CrowdStrike.Detection.Behavior.CommandLineThe command line executed in the behavior.string
CrowdStrike.Detection.Behavior.UserNameThe user name related to the behavior.string
CrowdStrike.Detection.Behavior.SensorIDThe sensor ID related to the behavior.string
CrowdStrike.Detection.Behavior.ParentProcessIDThe ID of the parent process.string
CrowdStrike.Detection.Behavior.ProcessIDThe process ID of the behavior.string
CrowdStrike.Detection.Behavior.IDThe ID of the behavior.string
CrowdStrike.Detection.SystemThe system name of the detection.string
CrowdStrike.Detection.CustomerIDThe ID of the customer (CID).string
CrowdStrike.Detection.MachineDomainThe name of the domain of the detection machine.string
CrowdStrike.Detection.IDThe detection ID.string
CrowdStrike.Detection.ProcessStartTimeThe start time of the process that generated the detection.string
EndpointThe details of the endpoint.string

Playbook Image#

MDE SIEM ingestion - Get Incident Data