Skip to main content

Microsoft 365 Defender - Threat Hunting Generic

This Playbook is part of the Microsoft 365 Defender Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook retrieves email data based on the URLDomain, SHA256, IPAddress, and MessageID inputs. The output is a unified object with all of the retrieved emails based on the following sub-playbooks outputs:

  • Microsoft 365 Defender - Get Email URL clicks: Retrieves data based on URL click events.
  • Microsoft 365 Defender - Emails Indicators Hunt: Retrieves data based on several different email events.

Read the playbooks' descriptions in order to get the full details.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Microsoft 365 Defender - Get Email URL Clicks
  • Microsoft 365 Defender - Emails Indicators Hunt


This playbook does not use any integrations.


  • SetAndHandleEmpty


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
URLDomainDomain or URL to search within emails. Can be a single domain or URL, or an array of domains or URLs to search.Optional
SHA256The SHA256 hash file or an array of hashes to search within emails.Optional
IPAddressThe source or destination IP address to search. Can be a single address or an array of IP addresses.Optional
MessageIDMessage ID of the email from which the URL was clicked. Note that this can be either of the following 2 values:
- The value of the header "Message-ID".
- The internal ID of the message within Microsoft's products (e.g NetworkMessageId).

Can be a single MessageID or an array of NMessageIDs to search.
TimeoutThe time limit in seconds for the HTTP request to run.180Optional
SearchTimeframeNumber of days past to search.7Optional
ResultsLimitNumber of retrieved entries. Enter -1 for unlimited query.50Optional
ListenerMailboxThe mailbox of the listening integration. In case it is provided, the emails found in it will be ignored.Optional

Playbook Outputs#

Microsoft365Defender.RetrievedEmailsEmail objects containing relevant fields related to URL click events.string
Microsoft365Defender.RetrievedEmails.InternetMessageIdPublic-facing identifier for the email that is set by the sending email system. This will be the value of the "Message-ID" header.string
Microsoft365Defender.RetrievedEmails.SenderFromDomainSender domain in the FROM header, which is visible to email recipients on their email clients.string
Microsoft365Defender.RetrievedEmails.EmailDirectionDirection of the email relative to your network: Inbound, Outbound, Intra-org.string
Microsoft365Defender.RetrievedEmails.DeliveryLocationLocation where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items.string
Microsoft365Defender.RetrievedEmails.AuthenticationDetailsList of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth).string
Microsoft365Defender.RetrievedEmails.DeliveryActionDelivery action of the email: Delivered, Junked, Blocked, or Replaced.string
Microsoft365Defender.RetrievedEmails.SubjectSubject of the email.string
Microsoft365Defender.RetrievedEmails.AttachmentCountNumber of attachments in the email.number
Microsoft365Defender.RetrievedEmails.ThreatNamesDetection name for malware or other threats found.string
Microsoft365Defender.RetrievedEmails.RecipientEmailAddressEmail address of the recipient, or email address of the recipient after distribution list expansion.string
Microsoft365Defender.RetrievedEmails.EmailActionFinal action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, Send to quarantine, No action taken, Bcc message.string
Microsoft365Defender.RetrievedEmails.EmailLanguageEmail language.string
Microsoft365Defender.RetrievedEmails.SenderFromAddressSender email address in the FROM header, which is visible to email recipients on their email clients.string
Microsoft365Defender.RetrievedEmails.TimestampDate and time when the record was generated.string
Microsoft365Defender.RetrievedEmails.SenderDisplayNameSender display name.string
Microsoft365Defender.RetrievedEmails.SenderIPv4IPv4 address of the last detected mail server that relayed the message.string
Microsoft365Defender.RetrievedEmails.ConfidenceLevelList of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low".string
Microsoft365Defender.RetrievedEmails.ThreatTypesVerdict from the email filtering stack on whether the email contains malware, phishing, or other threats.unknown
Microsoft365Defender.RetrievedEmails.SHA256SHA256 of the attachments (if exists in the email).string
Microsoft365Defender.RetrievedEmails.UrlURL that was clicked.string
Microsoft365Defender.RetrievedEmails.UrlCountNumber of embedded URLs in the email.number
Microsoft365Defender.RetrievedEmails.SenderIPv6IPv6 address of the last detected mail server that relayed the message.string
Microsoft365Defender.RetrievedEmails.AccountUpnUser principal name (UPN) of the account.string
Microsoft365Defender.RetrievedEmails.IsClickedThroughIndicates whether the user was able to click through to the original URL or not.number
Microsoft365Defender.RetrievedEmails.BulkComplaintLevelThreshold assigned to email from bulk mailers. A high bulk complain level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam.string
Microsoft365Defender.RetrievedEmails.IPAddressIP address assigned to the device during communication.string
Microsoft365Defender.RetrievedEmails.DetectionMethodsMethods used to detect whether the URL contains or leads to malware, phishing, or other threats.string
Microsoft365Defender.RetrievedEmails.ActionTypeType of activity that triggered the event.string
Microsoft365Defender.RetrievedEmails.UrlChainList of URLs in the redirection chain.string
Microsoft365Defender.RetrievedEmails.NetworkMessageIdUnique identifier for the email, generated by Office 365.string
Microsoft365Defender.RetrievedEmails.DisplayNameName of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname.string
Microsoft365Defender.RetrievedEmails.SenderMailFromDomainSender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address.string
Microsoft365Defender.RetrievedEmails.SenderMailFromAddressSender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address.string
Microsoft365Defender.RetrievedEmails.ClickTimestampDate and time when the record was generated (url click).unknown

Playbook Image#

Microsoft Defender XDR - Threat Hunting Generic