Microsoft 365 Defender

Details
Content
Dependencies
Version History

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

With the Microsoft 365 Defender content pack, you can determine how a threat entered your environment and what part of your organization is affected.

What does this pack do?

Get the most recent incidents that is a collection of correlated alerts and associated data.
Enables you to hunt for both known and potential threats.

License information

Available for Office 365 E5, Microsoft 365 E5, and standalone licenses.

With the Microsoft 365 Defender content pack, you can determine how a threat entered your environment and what part of your organization is affected.

What does this pack do?

Get the most recent incidents that is a collection of correlated alerts and associated data.
Enables you to hunt for both known and potential threats.

License information

Available for Office 365 E5, Microsoft 365 E5, and standalone licenses.

Automations

Name	Description
MS365DefenderCountIncidentCategories	count the categories of alerts in given incident
MS365DefenderUserListToTable	comment

Classifiers

Name	Description
Microsoft 365 Defender - Incoming Mapper	Classifies Microsoft 365 Defender's events

Incident Fields

Name	Description
Microsoft 365 Defender Tags
Microsoft 365 Defender ID
Microsoft 365 Defender Users
Microsoft 365 Defender A
Microsoft 365 Defender Devices
Microsoft 365 Defender Active
Microsoft 365 Defender First activity
Microsoft 365 Defender Status
impacted entities
Microsoft 365 Defender Last activity
Microsoft 365 Defender Classification
impacted devices
Microsoft 365 Defender Categories count
Microsoft 365 Defender Display Name

Incident Types

Name	Description
Microsoft 365 Defender Incident

Integrations

Name	Description
O365 Defender SafeLinks	Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.
Microsoft 365 Defender	Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
O365 Defender SafeLinks - Single User	Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations.

Layouts

Name	Description
Microsoft 365 Defender - Layout	Microsoft 365 layout page

Playbooks

Name	Description
Microsoft 365 Defender - Threat Hunting Generic	This playbook retrieves email data based on the `URLDomain`, `SHA256`, `IPAddress`. and `MessageID` inputs. The output is a unified object with all of the retrieved emails based on the following sub-playbooks outputs: Microsoft 365 Defender - Get Email URL clicks: Retrieves data based on URL click events. Microsoft 365 Defender - Emails Indicators Hunt: Retrieves data based on several different email events. Read the playbook's descriptions in order to get the full details.
Microsoft 365 Defender - Emails Indicators Hunt	This playbook retrieves email data based on the "URLDomain", "SHA256" and "IPAddress" inputs. SHA256 - Emails with attachments matching the "SHA256" input are retrieved. URLDomain - If the "URLDomain" value is found as a substring of URL(s) in the body of the email, the email is retrieved. IPAddress - Emails with "SenderIPv4"/SenderIPv6" or URLs (in the body) matching the "IPAddress" input are retrieved.
Microsoft 365 Defender - Get Email URL Clicks	This playbook retrieves email data based on the `URLDomain` and `MessageID` inputs. It uses the Microsoft 365 Defender's Advanced Hunting to search only for URL click events based on the playbook inputs and enriches it with the full email data. URLDomain - If the “URLDomain” value is found as a substring of the URL(s) in the body of the email, the email is retrieved. MessageID - The message ID of the email from which the URL was clicked. Note that this can be either of the following 2 values: The value of the header "Message-ID". The internal ID of the message within Microsoft's products (e.g., NetworkMessageId). Can be a single MessageID or an array of MessageIDs to search.

Automations

Name	Description
MS365DefenderCountIncidentCategories	count the categories of alerts in given incident
MS365DefenderUserListToTable	comment

Classifiers

Name	Description
Microsoft 365 Defender - Incoming Mapper	Classifies Microsoft 365 Defender's events

Incident Fields

Name	Description
Microsoft 365 Defender Display Name
Microsoft 365 Defender Tags
Microsoft 365 Defender Last activity
Microsoft 365 Defender A
Microsoft 365 Defender Status
impacted entities
Microsoft 365 Defender Categories count
Microsoft 365 Defender First activity
impacted devices
Microsoft 365 Defender Classification
Microsoft 365 Defender Active
Microsoft 365 Defender ID
Microsoft 365 Defender Devices

Incident Types

Name	Description
Microsoft 365 Defender Incident

Integrations

Name	Description
O365 Defender SafeLinks	Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.
Microsoft 365 Defender	Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
O365 Defender SafeLinks - Single User	Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations.

Playbooks

Name	Description
Microsoft 365 Defender - Threat Hunting Generic	This playbook retrieves email data based on the `URLDomain`, `SHA256`, `IPAddress`. and `MessageID` inputs. The output is a unified object with all of the retrieved emails based on the following sub-playbooks outputs: Microsoft 365 Defender - Get Email URL clicks: Retrieves data based on URL click events. Microsoft 365 Defender - Emails Indicators Hunt: Retrieves data based on several different email events. Read the playbook's descriptions in order to get the full details.
Microsoft 365 Defender - Get Email URL Clicks	This playbook retrieves email data based on the `URLDomain` and `MessageID` inputs. It uses the Microsoft 365 Defender's Advanced Hunting to search only for URL click events based on the playbook inputs and enriches it with the full email data. URLDomain - If the “URLDomain” value is found as a substring of the URL(s) in the body of the email, the email is retrieved. MessageID - The message ID of the email from which the URL was clicked. Note that this can be either of the following 2 values: The value of the header "Message-ID". The internal ID of the message within Microsoft's products (e.g., NetworkMessageId). Can be a single MessageID or an array of MessageIDs to search.
Microsoft 365 Defender - Emails Indicators Hunt	This playbook retrieves email data based on the "URLDomain", "SHA256" and "IPAddress" inputs. SHA256 - Emails with attachments matching the "SHA256" input are retrieved. URLDomain - If the "URLDomain" value is found as a substring of URL(s) in the body of the email, the email is retrieved. IPAddress - Emails with "SenderIPv4"/SenderIPv6" or URLs (in the body) matching the "IPAddress" input are retrieved.

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

4.5.22 - 938811 (April 7, 2024)

Integrations

O365 Defender SafeLinks - Single User

Updated the Docker image to: demisto/powershell-ubuntu:7.4.1.86201.

Related pull requests:
- 33641
- 33516
- 33519
- 33515
- 33329
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
- 33535
- 33534
- 33537
- 33552
- 33580
- 33553
- 33418
- 33583
- 33555
- 33556
- 33559
- 33560
- 33619
- 33591
- 33602
- 33600
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458

Download

4.5.21 - 919924 (March 28, 2024)

Integrations

Microsoft 365 Defender

Added a timeout value to the retry on rate limit mechanism.

Related pull requests:
- 33566

Download

4.5.20 - 860237 (February 29, 2024)

Integrations

Microsoft 365 Defender

Updated the MicrosoftApiModule to better handle the Authorization Code flow in the supported integrations.

Related pull requests:
- 31942

Download

4.5.19 - 839519 (February 20, 2024)

Integrations

O365 Defender SafeLinks

Updated the Docker image to: demisto/pwsh-exchangev3:1.0.0.80547.

Related pull requests:
- 32654

Download

4.5.18 - 836299 (February 18, 2024)

Integrations

Microsoft 365 Defender

Fixed an issue where the microsoft-365-defender-advanced-hunting command failed when the query contained consecutive pipe characters (||).
Updated the Docker image to: demisto/crypto:1.0.0.87358.

Scripts

MS365DefenderUserListToTable

Updated the Docker image to: demisto/python3:3.10.13.86272.

MS365DefenderCountIncidentCategories

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32976

Download

4.5.16 - R828628 (February 14, 2024)

Integrations

Microsoft 365 Defender

Updated the Docker image to: demisto/crypto:1.0.0.72229.
Maintenance and stability enhancements.

Related pull requests:
- 28622

Download

4.5.15 - 6226805 (September 3, 2023)

Integrations

Microsoft 365 Defender

Added a moderate retry mechanism for the authorization HTTP request through oproxy.

Related pull requests:
- 29015

Download

4.5.14 - 6170593 (August 28, 2023)

Integrations

Microsoft 365 Defender

Added an infrastructure support for Microsoft Graph Application Endpoints.

Related pull requests:
- 28801

Download

4.5.13 - 6133197 (August 23, 2023)

Integrations

Microsoft 365 Defender

Fixed an issue where instances using version 4.5.12 of the pack could have authentication issues.

Related pull requests:
- 29173

Download

4.5.12 - 6106826 (August 21, 2023)

Integrations

Microsoft 365 Defender

Fixed an issue where changes made to the Authorization code parameter were not being reflected in the integration code, resulting in the continued use of the first parameter.

Related pull requests:
- 29035
- 29173

Download

4.5.11 - 6010750 (August 10, 2023)

Integrations

Microsoft 365 Defender

Added support for Microsoft Defender for Application Endpoints in the Microsoft API Module.

Related pull requests:
- 27705

Download

4.5.10 - 5910354 (July 30, 2023)

Integrations

Microsoft 365 Defender

Updated the Docker image to: demisto/crypto:1.0.0.66562.
Maintenance and stability enhancements.

Related pull requests:
- 26482

Download

4.5.9 - R5866730 (July 25, 2023)

Scripts

MS365DefenderCountIncidentCategories

Updated the Docker image to: demisto/python3:3.10.12.63474.

MS365DefenderUserListToTable

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28221

Download

4.5.8 - 5760561 (July 13, 2023)

Integrations

O365 Defender SafeLinks

Fixed an issue where relative paths were used instead of absolute URLs in the integration description file.

Related pull requests:
- 28057

Download

4.5.7 - 5723074 (July 9, 2023)

Integrations

O365 Defender SafeLinks

Updated the documentation to provide guidance regarding memory management and docker hardening.
The integration now uses Exchange Online V3 which utilizes REST endpoints as opposed to RPS.
Updated the Docker image to: demisto/pwsh-exchangev3:1.0.0.49863.

Related pull requests:
- 27783

Download

4.5.6 - R5692327 (July 5, 2023)

Scripts

MS365DefenderCountIncidentCategories

Added the skipprepare attribute to prevent scripts and tasks containing the word incident from being replaced with the word alert.
Updated the Docker image to: demisto/python3:3.10.11.58677.

Related pull requests:
- 26365

Download

4.5.5 - R5170573 (May 2, 2023)

Integrations

Microsoft 365 Defender

Added the following integration parameters to support credentials fetching object:
- Application ID or Client ID
- Token or Tenant ID

Related pull requests:
- 25942
- 25841

Download

4.5.4 - 4954430 (April 2, 2023)

Integrations

Microsoft 365 Defender

Added support for old docker images which do not have the defusedxml package.

Related pull requests:
- 25670

Download

4.5.3 - 4797511 (March 12, 2023)

Integrations

Microsoft 365 Defender

Updated the Docker image to: demisto/crypto:1.0.0.49599.
Changed Password parameter name to Client Secret.
Hide Private Key parameter due to duplication.

Related pull requests:
- 25179

Download

4.5.2 - R4718798 (March 1, 2023)

Integrations

Microsoft 365 Defender

Improved implementation of the authorization process with the Oproxy server.
Fixed an issue where linter failed due to pylint errors.
Updated the MicrosoftApiModule to better handle the Auth code authorization flow in the supported integrations.

O365 Defender SafeLinks

Added the following commands:
- atp-policy-get
- atp-policy-set

Related pull requests:
- 24261

Download

4.4.13 - 4560457 (February 7, 2023)

Integrations

Microsoft 365 Defender

Added support for authentication using Azure Managed Identities.
Updated the Docker image to: demisto/crypto:1.0.0.47103.

Related pull requests:
- 23951

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	May 25, 2021
Last Release	April 7, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.