...

Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, email and documents.

Connect Microsoft 365 Defender with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Microsoft 365 Defender.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. Tenant ID: Tenant ID of the registered application.

  9. Application ID: Application ID of the registered application.

  10. Secret Key: Secret key of the registered application.

  11. After you've entered all the details, click Connect.

Actions for Microsoft 365 Defender

Advanced Hunting

Run advanced queries. Limitations: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-advanced-hunting?view=o365-worldwide&branch=mtp-apis#limitations

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

...

### Output

Multiple JSON rows are returned for each query representing matched events, each row containing the following items:

- has_error: True/False
- error: message/null
- other keys of matched events


```json
{
  "Timestamp": "2020-08-30T06:38:35.7664356Z",
  "FileName": "conhost.exe",
  "InitiatingProcessFileName": "powershell.exe",
  "has_error": false,
  "error": null
}
```

List Incidents

Lists incidents in Microsoft 365 Defender (Microsoft Threat Protection), optionally restricted by an OData filter.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                                                                                                            | Required |
| :---------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| OData Query | Jinja-templated OData query filter. Supported OData operator: `$filter` on the lastUpdateTime, createdTime, status and assignedTo properties.                          | Optional |
| Limit       | Limits the number of results. A value specified here overrides the `$top` operator (if provided) in the OData Query (default is 100 incidents).                        | Optional |
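The interaction between the OData Query and Limit inputs described above, as an added example (not Devo SOAR's or Microsoft's own code): the Limit value replaces any `$top` the user placed in the query, the default of 100 applies when neither is given, and `$filter` properties outside the four supported ones are rejected up front. The endpoint URL is an assumption for illustration only.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Properties the List Incidents action accepts inside $filter (from the table above).
SUPPORTED_FILTER_PROPERTIES = {"lastUpdateTime", "createdTime", "status", "assignedTo"}
DEFAULT_LIMIT = 100
# Assumed endpoint for illustration; the SOAR action supplies its own.
INCIDENTS_ENDPOINT = "https://api.security.microsoft.com/api/incidents"

# An identifier immediately followed by a comparison operator is a filtered property.
_PROPERTY_BEFORE_OPERATOR = re.compile(r"([A-Za-z][A-Za-z0-9]*)\s+(?:eq|ne|gt|ge|lt|le)\s")


def unsupported_filter_properties(filter_expr: str) -> list:
    """Return the properties used in a $filter that the action does not support."""
    used = _PROPERTY_BEFORE_OPERATOR.findall(filter_expr)
    return sorted({p for p in used if p not in SUPPORTED_FILTER_PROPERTIES})


def build_incidents_params(odata_query: str = "", limit=None) -> dict:
    """Merge the rendered OData Query input with the Limit input.

    Limit always replaces any $top carried in the query; when neither is
    given the action default of 100 incidents applies.
    """
    params = dict(parse_qsl(odata_query.lstrip("?"), keep_blank_values=True))
    bad = unsupported_filter_properties(params.get("$filter", ""))
    if bad:
        raise ValueError(f"unsupported $filter properties: {', '.join(bad)}")
    if limit is not None and int(limit) <= 0:
        raise ValueError("Limit must be a positive integer")
    params["$top"] = str(int(limit) if limit is not None else DEFAULT_LIMIT)
    return params


def build_incidents_url(odata_query: str = "", limit=None) -> str:
    """Full request URL with the query string percent-encoded."""
    return INCIDENTS_ENDPOINT + "?" + urlencode(build_incidents_params(odata_query, limit))


if __name__ == "__main__":
    # Constructed sample: the user's $top=500 is overridden by Limit=25.
    print(build_incidents_url(
        "$filter=status eq 'Active' and assignedTo eq 'secop2@contoso.com'&$top=500", 25))
```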

Output

Multiple JSON rows are returned for each query representing matched incidents, each row containing the following items:

...

## Update Incidents

Updates properties of existing incidents.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name     | Description                                                                                                                                                                                                                          | Required |
| :------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Incident ID    | Select column containing a value for incident id for the incident to update.                                                                                                                                                         | Required |
| Status         | Select column containing a value for status to update the incident. Possible column values should be Active, Resolved, or Redirected.                                                                                                | Optional |
| Assigned To    | Select column containing a value for the owner to update the incident with.                                                                                                                                                          | Optional |
| Classification | Select column containing a value for the specification of the alert to update the incident with. Possible column values should be one of Unknown, FalsePositive, or TruePositive.                                                    | Optional |
| Determination  | Select column containing a value for the determination of the alert to update the incident with. Possible column values should be one of NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, or Other. | Optional |
| Tags           | [Jinja Templated](doc:jinja-template) comma-separated tags to update the incident with. Example: `{{tag1}}, {{tag2}}, {{tag3}}`.                                                                                                     | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- other keys of incident updated with new values


```json
{
  "status": "Resolved",
  "assignedTo": "secop2@contoso.com",
  "classification": "TruePositive",
  "determination": "Malware",
  "tags": ["Yossi's playground", "Don't mess with the Zohan"],
  "has_error": false,
  "error": null
}
```
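How one row of the Update Incidents inputs turns into an update body and an output row in the has_error/error shape shown above, as an added example (not Devo SOAR's or Microsoft's code): the allowed values for Status, Classification and Determination are enforced before anything is sent, the comma-separated Tags string becomes a list, and the API call is injected as a constructed stand-in so the block runs offline.

```python
# Allowed column values for each field, as listed in the input table above.
ALLOWED_VALUES = {
    "status": {"Active", "Resolved", "Redirected"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
    "determination": {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                      "SecurityTesting", "UnwantedSoftware", "Other"},
}


def build_update_body(row: dict):
    """Validate one input row; return (incident_id, PATCH body) or raise ValueError."""
    incident_id = str(row.get("incident_id", "")).strip()
    if not incident_id:
        raise ValueError("Incident ID column is empty")
    body = {}
    for field in ("status", "classification", "determination"):
        value = row.get(field)
        if value in (None, ""):
            continue  # optional field left blank
        if value not in ALLOWED_VALUES[field]:
            raise ValueError(f"{field} must be one of {sorted(ALLOWED_VALUES[field])}, got {value!r}")
        body[field] = value
    if row.get("assigned_to"):
        body["assignedTo"] = row["assigned_to"]
    if row.get("tags"):
        # The rendered Jinja template is a comma-separated string; send it as a list.
        body["tags"] = [t.strip() for t in row["tags"].split(",") if t.strip()]
    if not body:
        raise ValueError("no fields to update")
    return incident_id, body


def update_incident_row(row: dict, send) -> dict:
    """Produce one output row in the has_error/error shape the action returns.

    send(incident_id, body) performs the update; it is injected so this runs offline.
    """
    try:
        incident_id, body = build_update_body(row)
        updated = send(incident_id, body)
    except ValueError as exc:
        return {"has_error": True, "error": str(exc)}
    return {**updated, "has_error": False, "error": None}


def fake_send(incident_id, body):
    """Constructed stand-in for the API call: echoes the updated fields."""
    return {"incidentId": incident_id, **body}
```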

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

...