MDE - Host Advanced Hunting For Network Activity
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host network activity.
Microsoft Defender for Endpoint · 38 tasks · 3 inputs · 21 outputs
Inputs
DeviceName— A comma-separated list of host names to hunt.DeviceID— A comma-separated list of device IDs to hunt.FileSha256— A comma-separated list of file SHA256 hashes to hunt.
Outputs
MicrosoftATP.HuntNetworkConnections.Result— The query results for Hunt Network Connections.MicrosoftATP.HuntNetworkConnections.Result.external_addresses— The query results for external_addresses query_purpose.MicrosoftATP.HuntNetworkConnections.Result.dns_query— The query results for dns_query query_purpose.MicrosoftATP.HuntNetworkConnections.Result.encoded_commands— The query results for encoded_commands query_purpose.MicrosoftATP.HuntLateralMovementEvidence.Result— The query results for Hunt Lateral Movement Evidence.MicrosoftATP.HuntLateralMovementEvidence.Result.network_connections— The query results for network_connections query_purpose.MicrosoftATP.HuntLateralMovementEvidence.Result.smb_connections— The query results for smb_connections query_purpose.MicrosoftATP.HuntLateralMovementEvidence.Result.credential_dumping— The query results for credential_dumping query_purpose.MicrosoftATP.HuntLateralMovementEvidence.Result.management_connection— The query results for management_connection query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result— The query results for Hunt Persistence Evidence.MicrosoftATP.HuntPersistenceEvidence.Result.scheduled_job— The query results for scheduled_job query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.registry_entry— The query results for registry_entry query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.startup_folder_changes— The query results for startup_folder_changes query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.new_service_created— The query results for new_service_created query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.service_updated— The query results for service_updated query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.file_replaced— The query results for file_replaced query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.new_user— The query results for new_user query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.new_group— The query results for new_group query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.group_user_change— The query results for group_user_change query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.local_firewall_change— The query results for local_firewall_change query_purpose.MicrosoftATP.HuntPersistenceEvidence.Result.host_file_change— The query results for host_file_change query_purpose.
Commands used
domain
ip
microsoft-atp-advanced-hunting-lateral-movement-evidence
microsoft-atp-advanced-hunting-network-connections
microsoft-atp-advanced-hunting-persistence-evidence
microsoft-atp-live-response-get-file
setIncident