Microsoft 365 Defender

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Network Security · Microsoft 365 Defender

Configuration parameters

  • base_url — Endpoint URI (required)
  • creds_client_id
  • creds_tenant_id
  • _app_id — Application ID
  • client_credentials — Use Client Credentials Authorization Flow
  • _tenant_id — Tenant ID (for Client Credentials mode)
  • credentials — Client Secret (for Client Credentials mode)
  • creds_certificate — Certificate Thumbprint
  • certificate_thumbprint — Certificate Thumbprint
  • private_key — Private Key
  • use_managed_identities — Use Azure Managed Identities
  • managed_identities_client_id
  • first_fetch — First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
  • fetch_timeout — Fetch incidents timeout
  • max_fetch — Number of incidents for each fetch.
  • incidentType — Incident type
  • isFetch — Fetch incidents
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings
  • app_id — Application ID (Deprecated)
  • tenant_id — Tenant ID (for Client Credentials mode) (Deprecated)
  • enc_key — Client Secret (for Client Credentials mode) (Deprecated)
  • incidentFetchInterval — Incidents Fetch Interval
  • mirror_direction — Incident Mirroring Direction
  • close_incident — Close Mirrored Cortex XSOAR Incidents
  • custom_xsoar_to_defender_close_reason — Enable custom XSOAR to Defender Close Reason
  • custom_defender_to_xsoar_close_reason — Enable custom Defender to XSOAR Close Reason
  • close_out — Close Mirrored Microsoft 365 Defender Incidents
  • comment_tag — Comment Entry Tag To Microsoft 365 Defender
  • comment_tag_from_microsoft365defender — Comment Entry Tag From Microsoft 365 Defender
  • custom_xsoar_to_defender_close_reason_mapping — Custom close-reason mapping (XSOAR -> Defender mirrored incident)
  • custom_defender_to_xsoar_close_reason_mapping — Custom close-reason mapping (Defender -> XSOAR mirrored incident)

Commands (12)

  • get-mapping-fields

    Returns the list of fields to map in outgoing mirroring. This command is only used for debugging purposes.

  • get-modified-remote-data

    Get the list of incidents that were modified since the last update time. This method is used for debugging purposes. The get-modified-remote-data command is used as part of the Mirroring feature that was introduced in Cortex XSOAR version 6.1.

  • get-remote-data

    Get remote data from a remote incident. This method does not update the current incident, and should be used for debugging purposes only.

  • microsoft-365-defender-advanced-hunting

    Advanced hunting is a threat-hunting tool that uses specially constructed queries to examine the past 30 days of event data in Microsoft 365 Defender. Details on how to write queries: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide.

  • microsoft-365-defender-auth-complete

    Run this command to complete the authorization process. Should be used after running the microsoft-365-defender-auth-start command. (for device-code mode).

  • microsoft-365-defender-auth-reset

    Run this command if for some reason you need to rerun the authentication process.

  • microsoft-365-defender-auth-start

    Run this command to start the authorization process and follow the instructions in the command results. (for device-code mode).

  • microsoft-365-defender-auth-test

    Tests the connectivity to the Microsoft 365 Defender.

  • microsoft-365-defender-incident-get

    Gets the incident with the given ID.

  • microsoft-365-defender-incident-update

    Update the incident with the given ID.

  • microsoft-365-defender-incidents-list

    Get the most recent incidents.

  • update-remote-system

    Updates the remote incident with local incident changes. This method is only used for debugging purposes and will not update the current incident.