Microsoft 365 Defender | Cortex XSOAR

Details
Content
Version History

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

With the Microsoft 365 Defender content pack, you can determine how a threat entered your environment and what part of your organization is affected.

What does this pack do?

Get the most recent incidents that is a collection of correlated alerts and associated data.
Enables you to hunt for both known and potential threats.

PUBLISHER

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex XSOAR
Created	May 25, 2021
Last Release	January 12, 2022

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Incident Fields

Name	Description
impacted devices
Microsoft 365 Defender Last activity
Microsoft 365 Defender Status
Microsoft 365 Defender Active
Microsoft 365 Defender A
Microsoft 365 Defender Display Name
Microsoft 365 Defender First activity
Microsoft 365 Defender Devices
impacted entities
Microsoft 365 Defender ID
Microsoft 365 Defender Categories count
Microsoft 365 Defender Classification
Microsoft 365 Defender Users
Microsoft 365 Defender Tags

Incident Types

Name	Description
Microsoft 365 Defender Incident

Classifiers

Name	Description
Microsoft 365 Defender - Incoming Mapper	Classifies Microsoft 365 Defender's events

Integrations

Name	Description
O365 Defender SafeLinks - Single User	Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations.
Microsoft 365 Defender (Beta)	Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
O365 Defender SafeLinks	Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.

Automations

Name	Description
MS365DefenderCountIncidentCategories	count the categories of alerts in given incident
MS365DefenderUserListToTable	comment

Layouts

Name	Description
Microsoft 365 Defender - Layout	Microsoft 365 layout page

3.0.0 - 2244042 (January 12, 2022)

Integrations

New: O365 Defender SafeLinks - Single User

A new SafeLinks integration that uses delegated permissions and does not require an Exchange Administrator account.
Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations. (Available from Cortex XSOAR 6.0.0).

2.0.4 - 2157470 (December 24, 2021)

Integrations

Microsoft 365 Defender (Beta)

Added the Client Secret integration parameter to support credentials fetching object.

2.0.3 - R2146019 (December 21, 2021)

Integrations

Microsoft 365 Defender (Beta)

Fixed an issue where the microsoft-365-defender-incidents-list command failed due to empty incident fields.

2.0.2 - 2007146 (November 25, 2021)

Integrations

Microsoft 365 Defender (Beta)

Updated the Docker image to: demisto/crypto:1.0.0.24380.

2.0.1 - 1929712 (November 10, 2021)

Integrations

O365 Defender SafeLinks

Documentation and metadata improvements.

2.0.0 - 1909699 (November 7, 2021)

Integrations

New: O365 Defender SafeLinks

Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. (Available from Cortex XSOAR 6.0.0).

1.1.4 - 7772209 (September 25, 2021)

Scripts

MS365DefenderCountIncidentCategories

Updated the Docker image to: demisto/python3:3.9.7.24076.

MS365DefenderUserListToTable

Updated the Docker image to: demisto/python3:3.9.7.24076.

1.1.3 - 7681620 (September 19, 2021)

Integrations

Microsoft 365 Defender (Beta)

Updated the Docker image to: demisto/crypto:1.0.0.24037.

1.1.2 - 415742 (August 24, 2021)

Scripts

Maintenance and stability enhancements.

MS365DefenderUserListToTable

Upgraded the Docker image to: demisto/python3:3.9.6.22912.

MS365DefenderCountIncidentCategories

Upgraded the Docker image to: demisto/python3:3.9.6.22912.

1.1.1 - 405394 (August 3, 2021)

Integrations

Microsoft 365 Defender (Beta)

Internal code improvements.

1.1.0 - 401053 (July 22, 2021)

Integrations

Microsoft 365 Defender (Beta)

Added support to authenticate using the Client Credentials flow.
Fixed an issue where the limit argument in the microsoft-365-defender-advanced-hunting commands was not used correctly.

1.0.2 - 388541 (June 22, 2021)

Integrations

Microsoft 365 Defender (Beta)

Updated description and README.md file.

1.0.1 - 380482 (June 8, 2021)

Integrations

Microsoft 365 Defender (Beta)

Update link in the integration's description to point to xsoar.pan.dev document.

1.0.0 - 379915 (May 25, 2021)