MDE - True Positive Incident Handling
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This Playbook handles closing a true positive incident for Microsoft Defender for Endpoint.
Microsoft Defender for Endpoint · 42 tasks · 17 inputs · 0 outputs
Inputs
DupAlertIDsToBeClosed— The Cortex XSOAR investigation IDs to be closed.Comment— Add a comment to close an incident on the Microsoft Defender For Endpoint side.Reason— Provide a reason for closing the incident. Choose one of the following: "NotAvailable"/"Apt,Malware"/"SecurityPersonnel"/"SecurityTesting"/"UnwantedSoftware"/"Other"Classification— Choose From - "Unknown" / "TruePositive" / "FalsePositive"TicketDescription— Specify the ticket description for this section.BlockTag— Specify the banning tag name for the found indicators.TicketProjectName— If you are using Jira, specify the Jira Project Key here (can be retrieved from the Jira console).TicketingSystemToUse— The name of the ticketing system to use, for example Jira or ServiceNow.AutoIsolation— Whether host isolation is allowed.CloseDuplicate— Whether duplicate incidents should be closed as well in the Microsoft Defender for Endpoint integration instance. The playbook looks for the world "Close" in this input.HostID— The ID of the host for running an isolation process.FileSha256— Enter the File SHA256 you want to block.FileSha1— Enter the File SHA1 you want to remove from your protected endpoints.ManuallyChooseIOCForHunting— This input will provide you the ability to select IOCs to be hunted using the Threat Hunting - generic playbook. If false, it will hunt for all IOCs detected in the incident. Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage.IP— IP value to be hunt on.MD5— MD5 file value to be hunt upon.URL_or_Domain— URL or domain to be hunt upon.
Commands used
closeInvestigation
jira-create-issue
microsoft-atp-get-file-related-machines
microsoft-atp-sc-indicator-create
microsoft-atp-stop-and-quarantine-file
microsoft-atp-update-alert
setIncident
setIndicators