Microsoft 365 Defender

Integrations

O365 Defender SafeLinks

• Added two new commands - o365-defender-safelinks-detailed-report-get and o365-defender-safelinks-aggregate-report-get.

O365 Defender SafeLinks - Single User

• Command o365-defender-safelinks-detail-report-get is deprecated. Use o365-defender-safelinks-detailed-report-get instead.
• Added two new commands - o365-defender-safelinks-detailed-report-get and o365-defender-safelinks-aggregate-report-get.

Integrations

Microsoft 365 Defender

• Fixed an issue in which the microsoft-365-defender-incident-update command failed to update the assigned_to argument to have the value unassigned.

Integrations

Microsoft 365 Defender

• Added support for microsoft-365-defender-incident-update to add comments in incident (new optional comment parameter).
• Updated the Docker image to: demisto/crypto:1.0.0.31715.

Integrations

Microsoft 365 Defender

• Removed excessive error traceback printing.
• Updated the Docker image to: demisto/crypto:1.0.0.30286.

Integrations

New: Microsoft 365 Defender Event Collector

Microsoft 365 Defender event collector integration for Cortex XSIAM.

Modeling Rules

New: Microsoft 365 Defender Event Collector

Added the modeling rules.

Integrations

Microsoft 365 Defender

• Fixed an issue where new authentications would fail with an error.

Integrations

Microsoft 365 Defender

• Added the microsoft-365-defender-incident-get command.
• Updated the Docker image to: demisto/crypto:1.0.0.28507.

Integrations

Microsoft 365 Defender

• Documentation and metadata improvements - updated param names.

WARNING: This version is invalid. Please install a different version.

Playbooks

New: Microsoft 365 Defender - Emails Indicators Hunt

• This playbook retrieves email data based on the "URLDomain", "SHA256" and "IPAddress" inputs.
  SHA256 - Emails with attachments matching the "SHA256" input are retrieved.<br /> URLDomain - If the "URLDomain" value is found as a substring of URL(s) in the body of the email, the email is retrieved.<br /> IPAddress - Emails with "SenderIPv4"/SenderIPv6" or URLs (in the body) matching the "IPAddress" input are retrieved. (Available from Cortex XSOAR v6.2.0).

Integrations

Microsoft 365 Defender

• Added type validations and other internal code improvements.

Integrations

Microsoft 365 Defender

• Added the following parameters for Certificate Authentication support for self-deployed mode.
  • Certificate Thumbprint - Used for certificate authentication. As appears in the "Certificates & secrets" page of the app.
  • Private Key - The private key of the registered certificate.
• Updated the Docker image to: demisto/crypto:1.0.0.27590.

Integrations

Microsoft 365 Defender

• This integration is no longer a beta integration.

Incident Fields

• Microsoft 365 Defender Users
  Maintenance and stability enhancements.

Integrations

New: O365 Defender SafeLinks - Single User

• A new SafeLinks integration that uses delegated permissions and does not require an Exchange Administrator account.
• Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations. (Available from Cortex XSOAR 6.0.0).

Integrations

Microsoft 365 Defender (Beta)

• Added the Client Secret integration parameter to support credentials fetching object.

Integrations

Microsoft 365 Defender (Beta)

• Fixed an issue where the microsoft-365-defender-incidents-list command failed due to empty incident fields.

Integrations

Microsoft 365 Defender (Beta)

• Updated the Docker image to: demisto/crypto:1.0.0.24380.

Integrations

O365 Defender SafeLinks

• Documentation and metadata improvements.

Integrations

New: O365 Defender SafeLinks

Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. (Available from Cortex XSOAR 6.0.0).

Scripts

MS365DefenderCountIncidentCategories

• Updated the Docker image to: demisto/python3:3.9.7.24076.

MS365DefenderUserListToTable

• Updated the Docker image to: demisto/python3:3.9.7.24076.

Integrations

Microsoft 365 Defender (Beta)

• Updated the Docker image to: demisto/crypto:1.0.0.24037.

Scripts

• Maintenance and stability enhancements.

MS365DefenderUserListToTable

• Upgraded the Docker image to: demisto/python3:3.9.6.22912.

MS365DefenderCountIncidentCategories

• Upgraded the Docker image to: demisto/python3:3.9.6.22912.

Integrations

Microsoft 365 Defender (Beta)

• Internal code improvements.

Integrations

Microsoft 365 Defender (Beta)

• Added support to authenticate using the Client Credentials flow.
• Fixed an issue where the limit argument in the microsoft-365-defender-advanced-hunting commands was not used correctly.

Integrations

Microsoft 365 Defender (Beta)

• Updated description and README.md file.

Integrations

Microsoft 365 Defender (Beta)

• Update link in the integration's description to point to xsoar.pan.dev document.

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.