Microsoft Defender for Endpoint

Playbooks

New: Microsoft Defender For Endpoint - Isolate Endpoint

This playbook accepts an endpoint ID, IP, or host name and isolates it using the Microsoft Defender For Endpoint integration. (Available from Cortex XSOAR 6.2.0).

New: Microsoft Defender For Endpoint - Unisolate Endpoint

This playbook accepts an endpoint ID, IP, or host name and unisolates it using the Microsoft Defender For Endpoint integration. (Available from Cortex XSOAR 6.2.0).

Integrations

Microsoft Defender for Endpoint

• Added 2 commands:
  • microsoft-atp-get-machine-users
  • microsoft-atp-get-machine-alerts

Scripts

TransformIndicatorToMSDefenderIOC

• Updated the Docker image to: demisto/python3:3.10.4.29342.

Integrations

Microsoft Defender for Endpoint

• Updated the Docker image to: demisto/crypto:1.0.0.28507.

Integrations

Microsoft Defender for Endpoint

Expanded the output options to reflect query_purpose for the following commands:

• microsoft-atp-advanced-hunting-lateral-movement-evidence
• microsoft-atp-advanced-hunting-persistence-evidence
• microsoft-atp-advanced-hunting-process-details
• microsoft-atp-advanced-hunting-network-connections
• microsoft-atp-advanced-hunting-cover-up

Integrations

Microsoft Defender for Endpoint

Added the page argument and show_query argument to the following commands:

• microsoft-atp-advanced-hunting-lateral-movement-evidence
• microsoft-atp-advanced-hunting-persistence-evidence
• microsoft-atp-advanced-hunting-file-origin
• microsoft-atp-advanced-hunting-process-details
• microsoft-atp-advanced-hunting-network-connections
• microsoft-atp-advanced-hunting-privilege-escalation
• microsoft-atp-advanced-hunting-tampering
• microsoft-atp-advanced-hunting-cover-up

Integrations

Microsoft Defender for Endpoint

• Added type validations and other internal code improvements.

Integrations

Microsoft Defender for Endpoint

• Added the time_range argument to the microsoft-atp-advanced-hunting command.
• Added the new commands:
  • microsoft-atp-advanced-hunting-lateral-movement-evidence
  • microsoft-atp-advanced-hunting-persistence-evidence
  • microsoft-atp-advanced-hunting-file-origin
  • microsoft-atp-advanced-hunting-process-details
  • microsoft-atp-advanced-hunting-network-connections
  • microsoft-atp-advanced-hunting-privilege-escalation
  • microsoft-atp-advanced-hunting-tampering
  • microsoft-atp-advanced-hunting-cover-up

Integrations

Microsoft Defender for Endpoint

• Added the following parameters for Certificate Authentication support for self-deployed mode.
  • Certificate Thumbprint - Used for certificate authentication. As appears in the "Certificates & secrets" page of the app.
  • Private Key - The private key of the registered certificate.
• Updated the Docker image to: demisto/crypto:1.0.0.27590.

Integrations

Microsoft Defender for Endpoint

• Updated the Docker image to: demisto/crypto:1.0.0.27590.

Integrations

Microsoft Defender for Endpoint

• Added support for new values of action arguments in microsoft-atp-sc-indicator-update and microsoft-atp-sc-indicator-create due to Microsoft Defender API change. For more information, check https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/ti-indicator?view=o365-worldwide#indicator-types.
• Internal code improvements.

Incident Fields

• Microsoft Defender for Endpoint Evidence Creation Time
• Microsoft Defender for Endpoint Evidence Type

Integrations

Microsoft Defender for Endpoint

• Added option to expand evidence when using fetch-incident.

Mappers

Microsoft Defender For Endpoint Mapper

• Added the evidence data to the mapper.

Integrations

Microsoft Defender for Endpoint

• Added support for Live Response Actions with new commands:
  • microsoft-atp-live-response-put-file.
  • microsoft-atp-live-response-get-file.
  • microsoft-atp-live-response-run-script.
  • microsoft-atp-live-response-cancel-action.
  • microsoft-atp-live-response-result.

Integrations

Microsoft Defender for Endpoint

• Fixed an issue where the microsoft-atp-sc-indicator-list command did not support FileMd5.

Integrations

Microsoft Defender for Endpoint

• Added new commands:
  • microsoft-atp-list-machines-by-vulnerability.
  • endpoint.
  • microsoft-atp-get-file-info.
  • microsoft-atp-indicator-batch-update.
  • microsoft-atp-get-alert-by-id.
• Updated the following commands to support a comma separated list as an argument:
  • In the microsoft-atp-isolate-machine command the machine_id argument can now be a comma separated list.
  • In the microsoft-atp-unisolate-machine command the machine_id argument can now be a comma separated list.
  • In the microsoft-atp-list-machine-actions-details command the machine_id argument can now be a comma separated list.
  • In the microsoft-atp-list-machine-actions-details command a new limit argument was added.
  • In the microsoft-atp-get-file-related-machines command the file_hash argument can now be a comma separated list.
  • In the microsoft-atp-run-antivirus-scan command the machine_id argument can now be a comma separated list.
  • In the microsoft-atp-get-machine-details command the machine_id argument can now be a comma separated list.
  • In the microsoft-atp-get-alert-by-id command both the limit and the creation_time arguments were added.

Scripts

TransformIndicatorToMSDefenderIOC

• Added new script TransformIndicatorToMSDefenderIOC to transform a XSOAR indicator into a Microsoft Defender for Endpoint IOC.

Integrations

Microsoft Defender for Endpoint

• Added the Key integration parameter to support credentials fetching object.

Incident Types

Microsoft Defender For Endpoint

Mappers

New: Microsoft Defender For Endpoint Mapper

Microsoft Defender For Endpoint Mapper.

Integrations

Microsoft Defender for Endpoint

• Updated the Docker image to: demisto/crypto:1.0.0.24380.

Integrations

Microsoft Defender for Endpoint

• IP Address list with MAC Address info for interfaces on the machine are now part of the "get-machine-details" command output. This is useful for playbooks requiring MAC Address to IP mapping.

Integrations

Microsoft Defender for Endpoint

• Updated the Docker image to: demisto/crypto:1.0.0.24037.

Integrations

Microsoft Defender for Endpoint

• Added new commands that uses the new and stable security center API for indicators:

  • microsoft-atp-sc-indicator-list
  • microsoft-atp-sc-indicator-get-by-id
  • microsoft-atp-sc-indicator-create
  • microsoft-atp-sc-indicator-update
  • microsoft-atp-sc-indicator-delete

  In order to use those new commands:

  • When using oproxy - need to re-authenticate.
  • When using self deployed - add the relevant permissions and re-authenticate.
  • Set the following permission:
    Ti.ReadWrite (Read and write IOCs belonging to the app) - Application

• Deprecated the following commands as they used a beta endpoint.

  • microsoft-atp-indicator-delete command, use microsoft-atp-sc-indicator-delete instead.

  • microsoft-atp-indicator-update command, use microsoft-atp-sc-indicator-update instead.

  • microsoft-atp-indicator-create-network command, use microsoft-atp-sc-indicator-create instead.

    API limitation - CIDR notation for IPs is not supported as part of the new commands.

  • microsoft-atp-indicator-create-file command, use microsoft-atp-sc-indicator-create instead.

  • microsoft-atp-indicator-list command, use microsoft-atp-sc-indicator-list instead.

  • microsoft-atp-indicator-get-by-id command, use microsoft-atp-sc-indicator-get-by-id instead.

• Updated the Docker image to: demisto/crypto:1.0.0.19032.

Integrations

Microsoft Defender for Endpoint

• Internal code improvements.

Integrations

Microsoft Defender for Endpoint

• Fixed an issue where the pagination did not work properly in the microsoft-atp-indicator-list command.
• Updated the Docker image to: demisto/crypto:1.0.0.19032.

Integrations

Microsoft Defender for Endpoint

• Added the timeout argument to the microsoft-atp-start-investigation command.
• Fixed an issue where the microsoft-atp-start-investigation command would fail to run.
• Updated the Docker image to: demisto/crypto:1.0.0.16776.

Integrations

Microsoft Defender for Endpoint

• Fixed an issue where the ok_codes argument was passed twice to the HTTP requuest.

Integrations

Microsoft Defender for Endpoint

• Updated MicrosoftApiModule to handle a 404 - Page Not Found response.

Integrations

Microsoft Defender for Endpoint

• Fixed an issue where the severity argument was ignored in the microsoft-atp-indicator-update and the microsoft-atp-indicator-create-file commands.

Integrations

Microsoft Defender for Endpoint

• Added support for auto cache update on token expiration.

Integrations

Microsoft Defender for Endpoint

• Added the optional integration authentication methods to the detailed description.

Integrations

Microsoft Defender for Endpoint

• Renamed the integration Microsoft Defender Advanced Threat Protection to Microsoft Defender for Endpoint.

Integrations

Microsoft Defender Advanced Threat Protection

• Added the timeout argument to the microsoft-atp-advanced-hunting command.
• Upgraded the Docker image to demisto/crypto:1.0.0.14297.

Integrations

Microsoft Defender Advanced Threat Protection

Maintenance and stability enhancements.

Integrations

Microsoft Defender Advanced Threat Protection

Maintenance and stability enhancements.

Integrations

Microsoft Defender Advanced Threat Protection

• Improved error handling in the test module.
• Upgraded the Docker image to demisto/crypto:1.0.0.12410.

Integrations

Microsoft Defender Advanced Threat Protection

• Maintenance and stability enhancements.
• Upgraded the Docker image to demisto/crypto:1.0.0.11650.

Integrations

Microsoft Defender Advanced Threat Protection

• Maintenance and stability enhancements.

Integrations

Microsoft Defender Advanced Threat Protection

• Added the following indicator commands.
  • microsoft-atp-list-indicators
  • microsoft-atp-get-indicator-by-id
  • microsoft-atp-file-indicator-create
  • microsoft-atp-network-indicator-create
  • microsoft-atp-indicator-update
  • microsoft-atp-indicator-delete

To use these commands, you need to reauthorize the app in the Microsoft Defender Advanced Threat Protection integration's configuration window.

• Updated docker version.

Integrations

• Microsoft Defender Advanced Threat Protection
  Updated the permission scope for self-deployed applications to be Microsoft Defender Advanced Threat Protection default.