Microsoft 365 Defender

Details
Content
Dependencies
Version History
Download With Dependencies

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

With the Microsoft 365 Defender content pack, you can determine how a threat entered your environment and what part of your organization is affected.

What does this pack do?

Get the most recent incidents that is a collection of correlated alerts and associated data.
Enables you to hunt for both known and potential threats.

PUBLISHER

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex XSOAR
Created	May 25, 2021
Last Release	June 19, 2022

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Classifiers

Name	Description
Microsoft 365 Defender - Incoming Mapper	Classifies Microsoft 365 Defender's events

Playbooks

Name	Description
Microsoft 365 Defender - Emails Indicators Hunt	This playbook retrieves email data based on the "URLDomain", "SHA256" and "IPAddress" inputs. SHA256 - Emails with attachments matching the "SHA256" input are retrieved. URLDomain - If the "URLDomain" value is found as a substring of URL(s) in the body of the email, the email is retrieved. IPAddress - Emails with "SenderIPv4"/SenderIPv6" or URLs (in the body) matching the "IPAddress" input are retrieved.

Name

Description

Microsoft 365 Defender - Emails Indicators Hunt

This playbook retrieves email data based on the "URLDomain", "SHA256" and "IPAddress" inputs.
SHA256 - Emails with attachments matching the "SHA256" input are retrieved.
URLDomain - If the "URLDomain" value is found as a substring of URL(s) in the body of the email, the email is retrieved.
IPAddress - Emails with "SenderIPv4"/SenderIPv6" or URLs (in the body) matching the "IPAddress" input are retrieved.

Automations

Name	Description
MS365DefenderCountIncidentCategories	count the categories of alerts in given incident
MS365DefenderUserListToTable	comment

Layouts

Name	Description
Microsoft 365 Defender - Layout	Microsoft 365 layout page

Incident Types

Name	Description
Microsoft 365 Defender Incident

Incident Fields

Name	Description
Microsoft 365 Defender Devices
Microsoft 365 Defender Users
Microsoft 365 Defender Classification
Microsoft 365 Defender Tags
Microsoft 365 Defender ID
Microsoft 365 Defender Categories count
Microsoft 365 Defender Last activity
Microsoft 365 Defender First activity
impacted entities
Microsoft 365 Defender Active
Microsoft 365 Defender Display Name
impacted devices
Microsoft 365 Defender Status
Microsoft 365 Defender A

Integrations

Name	Description
O365 Defender SafeLinks - Single User	Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations.
O365 Defender SafeLinks	Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.
Microsoft 365 Defender	Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Required Content Packs (4)

Pack Name	Pack By
CommonScripts	By: Cortex XSOAR
CommonTypes	By: Cortex XSOAR
Base	By: Cortex XSOAR
DemistoRESTAPI	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
EWS	By: Cortex XSOAR

4.0.1 - 3118515 (June 19, 2022)

Integrations

Removed excessive error traceback printing.
Updated the Docker image to: demisto/crypto:1.0.0.30286.

Related pull requests:
- 19570

Download

4.0.0 - R3096681 (June 15, 2022)

Integrations

New: Microsoft 365 Defender Event Collector

Microsoft 365 Defender event collector integration for Cortex XSIAM.

Modeling Rules

New: Microsoft 365 Defender Event Collector

Added the modeling rules.

Related pull requests:
- 19006
- 19331

Download

3.0.8 - 2963854 (May 22, 2022)

Integrations

Microsoft 365 Defender

Fixed an issue where new authentications would fail with an error.

Microsoft 365 Defender

What does this pack do?

PUBLISHER

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Integrations

Microsoft 365 Defender

Integrations

New: Microsoft 365 Defender Event Collector

Modeling Rules

New: Microsoft 365 Defender Event Collector

Integrations

Microsoft 365 Defender

Integrations

Microsoft 365 Defender

Integrations

Microsoft 365 Defender

Playbooks

New: Microsoft 365 Defender - Emails Indicators Hunt

Integrations

Microsoft 365 Defender

Integrations

Microsoft 365 Defender

Integrations

Microsoft 365 Defender

Incident Fields

Integrations

New: O365 Defender SafeLinks - Single User

Integrations

Microsoft 365 Defender (Beta)

Integrations

Microsoft 365 Defender (Beta)

Integrations

Microsoft 365 Defender (Beta)

Integrations

O365 Defender SafeLinks

Integrations

New: O365 Defender SafeLinks

Scripts

MS365DefenderCountIncidentCategories

MS365DefenderUserListToTable

Integrations

Microsoft 365 Defender (Beta)

Scripts

MS365DefenderUserListToTable

MS365DefenderCountIncidentCategories

Integrations

Microsoft 365 Defender (Beta)

Integrations

Microsoft 365 Defender (Beta)

Integrations

Microsoft 365 Defender (Beta)

Integrations

Microsoft 365 Defender (Beta)