MDE Malware - Investigation and Response

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook investigates Microsoft Defender For Endpoint malware alerts. It uses - Microsoft Defender For Endpoint Advanced Hunting - Command Line Analysis - Deduplication - Sandbox hash search and detonation - Proactive investigation actions (AV scan, investigation package collection, running automated investigation on an endpoint) - Microsoft Defender For Endpoint alert enrichment - Incident handling (true/false positive)

Microsoft Defender for Endpoint · 42 tasks · 23 inputs · 0 outputs

Inputs

  • TicketingSystemToUse — The ticketing system to use. Possible Options: SNOW or Jira *SNOW == ServiceNow. (Used in case incident classified as True Positive).
  • RetrieveFile — Whether file retrieval from the endpoint is allowed.
  • DetonateFile — Whether file detonation is allowed on the sandbox.
  • EnableDeduplication — "Whether the deduplication playbook will be used."
  • BenignTagName — The name of the tag to apply for allowed indicators.
  • RunInvestigationActivities — Choose True to automatically run investigation activities (this relies on the `ActionTask` input).
  • AdvancedHunting — Choose True to run Advance Hunting queries through your Microsoft Defender For Endpoint instance. Note - it may take some time.
  • DeduphandleSimilar — Defines how to handle similar incidents. Possible values: "Link", "Close", "Link and Close". Note: Closing incidents requires defining the "CloseSimilar" input as well. Also, incidents found by similar indicators or fields will be closed if their similarity score is above the CloseSimilar value.
  • DedupCloseSimilar — Defines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed. For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed. The value should be between 0 and 1 [0=low similarity , 1=identical].
  • EnableClosureSteps — Whether to use closure steps or close the incident automatically.
  • TicketProjectName — If using Jira, specify the Jira Project Key (can be retrieved from the Jira console).
  • AutoCollectinvestigationPackege — Choose True to autorun collecting the investigation package from an endpoint.
  • ActionTask — Option for input (can be comma-separated values): `Full Scan` - Fully scan the provided endpoints `Collect Investigation Package` - Collect investigation package from endpoints (only for supported devices) `Automated Investigation` - Run Automated Investigation on the provided endpoint If empty, the actions should be checked manually.
  • AutoAVScan — Choose True to autorun a Full AV Scan on your endpoint.
  • AutoAutomatedInvestigation — Choose True to autorun automated investigation on your endpoint.
  • MaliciousTagName — The tag to assign for indicators to block.
  • AutoUnisolation — Whether automatic un-isolation is allowed.
  • DidAlertOriginateFromSIEM — Whether an alert originated from a SIEM. If 'Yes', the incident enrichment flow does not run.
  • DedupSimilarTextField — A comma-separated list of incident text fields to take into account when computing similarity. For example command line or URL.
  • AutoIsolation — Whether endpoint auto isolation is allowed.
  • DedupMinimunIncidentSimilarity — Retain incidents with a similarity score greater than the MinimunIncidentSimilarity. Value should be between 0 to 1 [0=low similarity, 1=identical]
  • DedupLimit — The maximum number of incidents to query and set to context data.
  • QueryBatch — Define the custom queries you would like to run as a part of the 'MDE - Host Advanced Hunting' playbook. This input will be passed to the 'query_batch' argument in the '!microsoft-atp-advanced-hunting' command. For more information and examples, check the command's hints.

Commands used

setIncident

Flowchart

true true true true true true true true true true False Positive True Positive Start Start Parse Findings From Sandbox - InvestigationSummaryParse Parse Findings From Sandbox InvestigationSummaryParse Is file retrieval allowed? Is file retrieval allowed? Are there hashes with no results? Are there hashes with no ... Sandbox Sandbox Sandbox done Sandbox done Done Investigation Done Investigation Confirm if true or false positive Confirm if true or false ... Advanced Hunting Advanced Hunting Deduplication Deduplication Use deduplication? Use deduplication? Done Deduplication Done Deduplication Known File Known File Unknown File Unknown File MDE - Host Advanced Hunting - MDE - Host Advanced Hunting MDE - Host Advanced Hunting MDE - Host Advanced Hunting Proceeding with investigation Proceeding with investiga... MDE - Pro-Active Actions - MDE - Pro-Active Actions MDE - Pro-Active Actions MDE - Pro-Active Actions Run Pro-Active Activities? Run Pro-Active Activities? Join File Paths and File Names - ZipStrings Join File Paths and File ... ZipStrings MDE - Retrieve File - MDE - Retrieve File MDE - Retrieve File MDE - Retrieve File Detonate and Analyze File - Generic - Detonate and Analyze File - Generic Detonate and Analyze File... Detonate and Analyze File - G... Search For Hash In Sandbox - Generic - Search For Hash In Sandbox - Generic Search For Hash In Sandbo... Search For Hash In Sandbox - ... Is Detonate Allowed? Is Detonate Allowed? MDE - True Positive Incident Handling - MDE - True Positive Incident Handling MDE - True Positive Incid... MDE - True Positive Incident ... Done Done Command Line Analysis Command Line Analysis Command-Line Analysis - Command-Line Analysis Command-Line Analysis Command-Line Analysis Found any suspicious components? Found any suspicious comp... Set Tag `Suspicious Command-line` - setIncident Set Tag `Suspicious Comma... setIncident Is there a CMD line parameter? Is there a CMD line param... Proceed To Closure Steps? Proceed To Closure Steps? MDE Malware - Incident Enrichment - MDE Malware - Incident Enrichment MDE Malware - Incident En... MDE Malware - Incident Enrich... Dedup - Generic v4 - Dedup - Generic v4 Dedup - Generic v4 Dedup - Generic v4 AutoRun Advanced Hunting AutoRun Advanced Hunting Done with Advanced Hunting Done with Advanced Hunting Done Command Line Analysis Done Command Line Analysis Proceed to closure steps Proceed to closure steps MDE - False Positive Incident Handling - MDE - False Positive Incident Handling MDE - False Positive Inci... MDE - False Positive Incident... False/True/Manual False/True/Manual Manual Action Required - Resolve Incident Manual Action Required - ... Parse results for detailed summary - InvestigationDetailedSummaryParse Parse results for detaile... InvestigationDetailedSummaryP... Stop Triage SLA Timer Stop Triage SLA Timer