Microsoft 365 Defender
Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, email and documents.
Connect Microsoft 365 Defender with Devo SOAR
Navigate to Automations > Integrations.
Search for Microsoft 365 Defender.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Tenant ID: Tenant ID of the registered application.
Application ID: Application ID of the registered application.
Secret Key: Secret key of registered application.
After you've entered all the details, click Connect.
Actions for Microsoft 365 Defender
Advanced Hunting
Run advanced queries. Limitations: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-advanced-hunting?view=o365-worldwide&branch=mtp-apis#limitations
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja Templated query to run. Example: | Required |
``` {text}DeviceProcessEvents | where InitiatingProcessFileName =~ "{{process_column}}" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2
### Output
Multiple JSON rows are returned for each query representing matched events, each row containing the following items:
- has_error: True/False
- error: message/null
- other keys of matched events
``` {json}{
"Timestamp": "2020-08-30T06:38:35.7664356Z",
"FileName": "conhost.exe",
"InitiatingProcessFileName": "powershell.exe"
"has_error": false,
"error": null
}
List Incidents
Lists Incidents in Microsoft 365 Defender (Microsoft Threat Protection) optionally with OData filter.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
OData Query | Jinja-templated OData query filter. Supported OData operators: $filter on: lastUpdateTime, createdTime, status and assignedTo properties. | Optional |
Limit | Limit number of results. Value specified here will override $top operator (if provided) in OData Query (Default is 100 incidents). | Optional |
Output
Multiple JSON rows are returned for each query representing matched incidents, each row containing the following items:
has_error: True/False
error: message/null
other keys of listed incident
``` {json}{ "incidentId": 924521, "redirectIncidentId": null, "incidentName": "'Mimikatz' hacktool was detected on one endpoint", "createdTime": "2020-09-06T12:18:03.6266667Z", "lastUpdateTime": "2020-09-06T12:18:03.81Z", "assignedTo": null, "classification": "Unknown", "determination": "NotAvailable", "status": "Active", "severity": "Low", "tags": [], "alerts": [ { "alertId": "da637349914833441527_393341063", "incidentId": 924521, "serviceSource": "MicrosoftDefenderATP", "creationTime": "2020-09-06T12:18:03.3285366Z", "lastUpdatedTime": "2020-09-06T12:18:04.2566667Z", "resolvedTime": null, "firstActivity": "2020-09-06T12:15:07.7272048Z", "lastActivity": "2020-09-06T12:15:07.7272048Z", "title": "'Mimikatz' hacktool was detected", "description": "Readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users. When used by attackers, these tools are often installed without authorization and used to compromise targeted machines.\n\nThese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots.\n\nThis detection might indicate that Windows Defender Antivirus has stopped the tool from being installed and used effectively. However, it is prudent to check the machine for the files and processes associated with the detected tool.", "category": "Malware", "status": "New", "severity": "Low", "investigationId": null, "investigationState": "UnsupportedOs", "classification": null, "determination": null, "detectionSource": "WindowsDefenderAv", "assignedTo": null, "actorName": null, "threatFamilyName": "Mimikatz", "mitreTechniques": [], "devices": [ { "mdatpDeviceId": "24c222b0b60fe148eeece49ac83910cc6a7ef491", "aadDeviceId": null, "deviceDnsName": "user5cx.middleeast.corp.contoso.com", "osPlatform": "WindowsServer2016", "version": "1607", "osProcessor": "x64", "osBuild": 14393, "healthStatus": "Active", "riskScore": "High", "rbacGroupName": "WDATP-Ring0", "rbacGroupId": 9, "firstSeen": "2020-02-06T14:16:01.9330135Z" } ], "entities": [ { "entityType": "File", "sha1": "5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd", "sha256": null, "fileName": "Detector.UnitTests.dll", "filePath": "C:\Agent\_work\_temp\Deploy_SYSTEM 2020-09-06 12_14_54\Out", "processId": null, "processCommandLine": null, "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, "ipAddress": null, "url": null, "accountName": null, "domainName": null, "userSid": null, "aadUserId": null, "userPrincipalName": null, "mailboxDisplayName": null, "mailboxAddress": null, "clusterBy": null, "sender": null, "recipient": null, "subject": null, "deliveryAction": null, "securityGroupId": null, "securityGroupName": null, "registryHive": null, "registryKey": null, "registryValueType": null, "registryValue": null, "deviceId": "24c222b0b60fe148eeece49ac83910cc6a7ef491" } ] } ], "has_error": false, "error": null }
## Update Incidents
Updates properties of existing incidents.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Incident ID | Select column containing a value for incident id for the incident to update. | Required |
| Status | Select column containing a value for status to update the incident. Possible column values should be Active, Resolved, or Redirected. | Optional |
| Assigned To | Select column containing a value for the owner to update the incident with. | Optional |
| Classification | Select column containing a value for the specification of the alert to update the incident with. Possible column values should be one of Unknown, FalsePositive, or TruePositive. | Optional |
| Determination | Select column containing a value for the determination of the alert to update the incident with. Possible column values should be one of NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, or Other. | Optional |
| Tags | [Jinja Templated](doc:jinja-template) comma-separated tags to update the incident with. Example: `{{tag1}}, {{tag2}}, {{tag3}}`. | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- other keys of incident updated with new values
``` {json}{
"status": "Resolved",
"assignedTo": "secop2@contoso.com",
"classification": "TruePositive",
"determination": "Malware",
"tags": ["Yossi's playground", "Don't mess with the Zohan"]
"has_error": false,
"error": null
}
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem