MDE - Pro-Active Actions
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook supports investigation actions for the analyst, including: - Running a full AV scan for a specific endpoint - Requesting an investigation package (a zip file containing forensic data with a size of ~ 15MB) from an endpoint. - Requesting to run automatic investigation on an endpoint.
Microsoft Defender for Endpoint · 23 tasks · 5 inputs · 0 outputs
Inputs
Task— A comma-separated list of investigation actions. Possible values: `Full Scan` - Fully Scan the provided endpoints `Collect Investigation Package` - Collect investigation packages from endpoints (only for supported devices) `Automated Investigation` - Run automated investigation on the provided endpointsEndpointsID— Provide a list of endpoints for the Scan and Collection of investigation Package to be run on.AutoCollectinvestigationPackege— True/FasleAutoAVScan— True/FasleAutoAutomatedInvestigation— True/Fasle
Commands used
microsoft-atp-run-antivirus-scan
microsoft-atp-start-investigation