Microsoft 365 Defender
Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Network Security · Microsoft 365 Defender
Configuration parameters
base_url— Endpoint URI (required)creds_client_id—creds_tenant_id—_app_id— Application IDclient_credentials— Use Client Credentials Authorization Flow_tenant_id— Tenant ID (for Client Credentials mode)credentials— Client Secret (for Client Credentials mode)creds_certificate— Certificate Thumbprintcertificate_thumbprint— Certificate Thumbprintprivate_key— Private Keyuse_managed_identities— Use Azure Managed Identitiesmanaged_identities_client_id—first_fetch— First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)fetch_timeout— Fetch incidents timeoutmax_fetch— Number of incidents for each fetch.incidentType— Incident typeisFetch— Fetch incidentsinsecure— Trust any certificate (not secure)proxy— Use system proxy settingsapp_id— Application ID (Deprecated)tenant_id— Tenant ID (for Client Credentials mode) (Deprecated)enc_key— Client Secret (for Client Credentials mode) (Deprecated)incidentFetchInterval— Incidents Fetch Intervalmirror_direction— Incident Mirroring Directionclose_incident— Close Mirrored Cortex XSOAR Incidentscustom_xsoar_to_defender_close_reason— Enable custom XSOAR to Defender Close Reasoncustom_defender_to_xsoar_close_reason— Enable custom Defender to XSOAR Close Reasonclose_out— Close Mirrored Microsoft 365 Defender Incidentscomment_tag— Comment Entry Tag To Microsoft 365 Defendercomment_tag_from_microsoft365defender— Comment Entry Tag From Microsoft 365 Defendercustom_xsoar_to_defender_close_reason_mapping— Custom close-reason mapping (XSOAR -> Defender mirrored incident)custom_defender_to_xsoar_close_reason_mapping— Custom close-reason mapping (Defender -> XSOAR mirrored incident)
Commands (12)
-
get-mapping-fieldsReturns the list of fields to map in outgoing mirroring. This command is only used for debugging purposes.
-
get-modified-remote-dataGet the list of incidents that were modified since the last update time. This method is used for debugging purposes. The get-modified-remote-data command is used as part of the Mirroring feature that was introduced in Cortex XSOAR version 6.1.
-
get-remote-dataGet remote data from a remote incident. This method does not update the current incident, and should be used for debugging purposes only.
-
microsoft-365-defender-advanced-huntingAdvanced hunting is a threat-hunting tool that uses specially constructed queries to examine the past 30 days of event data in Microsoft 365 Defender. Details on how to write queries: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide.
-
microsoft-365-defender-auth-completeRun this command to complete the authorization process. Should be used after running the microsoft-365-defender-auth-start command. (for device-code mode).
-
microsoft-365-defender-auth-resetRun this command if for some reason you need to rerun the authentication process.
-
microsoft-365-defender-auth-startRun this command to start the authorization process and follow the instructions in the command results. (for device-code mode).
-
microsoft-365-defender-auth-testTests the connectivity to the Microsoft 365 Defender.
-
microsoft-365-defender-incident-getGets the incident with the given ID.
-
microsoft-365-defender-incident-updateUpdate the incident with the given ID.
-
microsoft-365-defender-incidents-listGet the most recent incidents.
-
update-remote-systemUpdates the remote incident with local incident changes. This method is only used for debugging purposes and will not update the current incident.