MDE - True Positive Incident Handling

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This Playbook handles closing a true positive incident for Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint · 42 tasks · 17 inputs · 0 outputs

Inputs

  • DupAlertIDsToBeClosed — The Cortex XSOAR investigation IDs to be closed.
  • Comment — Add a comment to close an incident on the Microsoft Defender For Endpoint side.
  • Reason — Provide a reason for closing the incident. Choose one of the following: "NotAvailable"/"Apt,Malware"/"SecurityPersonnel"/"SecurityTesting"/"UnwantedSoftware"/"Other"
  • Classification — Choose From - "Unknown" / "TruePositive" / "FalsePositive"
  • TicketDescription — Specify the ticket description for this section.
  • BlockTag — Specify the banning tag name for the found indicators.
  • TicketProjectName — If you are using Jira, specify the Jira Project Key here (can be retrieved from the Jira console).
  • TicketingSystemToUse — The name of the ticketing system to use, for example Jira or ServiceNow.
  • AutoIsolation — Whether host isolation is allowed.
  • CloseDuplicate — Whether duplicate incidents should be closed as well in the Microsoft Defender for Endpoint integration instance. The playbook looks for the world "Close" in this input.
  • HostID — The ID of the host for running an isolation process.
  • FileSha256 — Enter the File SHA256 you want to block.
  • FileSha1 — Enter the File SHA1 you want to remove from your protected endpoints.
  • ManuallyChooseIOCForHunting — This input will provide you the ability to select IOCs to be hunted using the Threat Hunting - generic playbook. If false, it will hunt for all IOCs detected in the incident. Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage.
  • IP — IP value to be hunt on.
  • MD5 — MD5 file value to be hunt upon.
  • URL_or_Domain — URL or domain to be hunt upon.

Commands used

closeInvestigation jira-create-issue microsoft-atp-get-file-related-machines microsoft-atp-sc-indicator-create microsoft-atp-stop-and-quarantine-file microsoft-atp-update-alert setIncident setIndicators

Flowchart

true true Yes yes JIRA SNOW yes yes yes yes No Hunting yes yes Start Start Confirm Indicators to block Confirm Indicators to block Tag Indicators - setIndicators Tag Indicators setIndicators Create IOC on Microsoft Defender For Endpoint - microsoft-atp-sc-indicator-create Create IOC on Microsoft D... microsoft-atp-sc-indicator-cr... Was there any hash selected? Was there any hash selected? Retrieve MDE alert ID based on Cortex XSOAR investigation - SearchIncidentsV2 Retrieve MDE alert ID bas... SearchIncidentsV2 Resolve MDE Alert - microsoft-atp-update-alert Resolve MDE Alert microsoft-atp-update-alert Done Done Close Cortex XSOAR incident - closeInvestigation Close Cortex XSOAR incident closeInvestigation Approve isolation Approve isolation Auto Isolate the endpoint Auto Isolate the endpoint IT Remediation IT Remediation Is a ticketing system defined? Is a ticketing system def... Done auditing step Done auditing step Block Indicators Block Indicators Done block indicators Done block indicators Done Remediation and Containment Done Remediation and Cont... Isolate Isolate Microsoft Defender For Endpoint - Isolate Endpoint - Microsoft Defender For Endpoint - Isolate Endpoint Microsoft Defender For En... Microsoft Defender For Endpoi... Done with isolating the infected device Done with isolating the i... Final Closure Final Closure Open ServiceNow ticket Open ServiceNow ticket Is ServiceNow Available? - IsIntegrationAvailable Is ServiceNow Available? IsIntegrationAvailable Is Jira Available? - IsIntegrationAvailable Is Jira Available? IsIntegrationAvailable Additional Duplicate IDs were provided? Additional Duplicate IDs ... Quarantine this file on an affected machine - microsoft-atp-stop-and-quarantine-file Quarantine this file on a... microsoft-atp-stop-and-quaran... Get a list of devices associated with the malicious/suspicious SHA1 hashes - microsoft-atp-get-file-related-machines Get a list of devices ass... microsoft-atp-get-file-relate... Done with isolating the infected device Done with isolating the i... Remove File Remove File Open Jira Issue - jira-create-issue Open Jira Issue jira-create-issue Confirm which SHA1 should be deleted Confirm which SHA1 should... Was there any hash selected? Was there any hash selected? Threat Hunting Threat Hunting Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Should the analyst choose the indicators to hunt? Should the analyst choose... Specify IOCs to hunt upon Specify IOCs to hunt upon Containment Containment Remediation Remediation Tag the threat hunting results as Evidence - AddEvidence Tag the threat hunting re... AddEvidence Add 'Found additional assets' tag to the incident - setIncident Add 'Found additional ass... setIncident Are there any results? Are there any results? Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic