MDE - Search and Compare Process Executions
This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. Note: Under the "Processes", input the playbook should receive an array that contains the following keys: - value: *process name* - commands: *command-line arguments*
Microsoft Defender for Endpoint · 10 tasks · 3 inputs · 2 outputs
Inputs
Processes— Process name to search and command-line argument to compare. This input should receive an array that contains the following keys: - value: *process name* - commands: *command-line arguments*HuntingTimeFrame— Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.StringSimilarityThreshold— StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.
Outputs
StringSimilarity— StringSimilarity automation resultsFindings— Suspicious process executions found
Commands used
microsoft-atp-advanced-hunting