Microsoft 365 Defender

Version: 2.0.0

Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, email and documents.

Connect Microsoft 365 Defender with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Microsoft 365 Defender.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see the 'Add Data' Input Type for Integrations.
    • Verify SSL: Select whether to verify the connecting server's SSL certificate (default: Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Tenant ID: Tenant ID of the registered application.
    • Application ID: Application ID of the registered application.
    • Secret Key: Secret key of the registered application.
  4. After you've entered all the details, click Connect.

Actions for Microsoft 365 Defender

Advanced Hunting

Run advanced queries. Limitations: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-advanced-hunting?view=o365-worldwide&branch=mtp-apis#limitations

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Query (Required): Jinja-templated query to run. Example:
    DeviceProcessEvents | where InitiatingProcessFileName =~ "{{process_column}}" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2

Output

Multiple JSON rows are returned for each query representing matched events, each row containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys of matched events
{
  "Timestamp": "2020-08-30T06:38:35.7664356Z",
  "FileName": "conhost.exe",
  "InitiatingProcessFileName": "powershell.exe",
  "has_error": false,
  "error": null
}
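The query input is rendered from a Jinja template before it is sent, and the rows above are the flattened form of the API reply. The following added example (not LogicHub's or Microsoft's code) shows both halves: a minimal placeholder renderer that escapes substituted values so a column value containing a quote cannot terminate the KQL string literal it is placed in, and a converter that turns a hunting response into rows carrying the has_error/error keys. The sample response is constructed in the shape Microsoft documents for the advanced hunting API (a "Schema" list plus a "Results" list); the error-document shape, and the helper names render_query and to_rows, are assumptions.

```python
import re

# Constructed sample in the shape the Microsoft 365 Defender advanced hunting API
# returns ("Schema" plus "Results"); not a captured response and not from this page.
SAMPLE_API_RESPONSE = {
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "FileName", "Type": "String"},
        {"Name": "InitiatingProcessFileName", "Type": "String"},
    ],
    "Results": [
        {"Timestamp": "2020-08-30T06:38:35.7664356Z", "FileName": "conhost.exe",
         "InitiatingProcessFileName": "powershell.exe"},
        {"Timestamp": "2020-08-30T06:38:31.1234567Z", "FileName": "cmd.exe",
         "InitiatingProcessFileName": "powershell.exe"},
    ],
}

# The example query from the action's documentation, with one Jinja placeholder.
QUERY_TEMPLATE = (
    'DeviceProcessEvents | where InitiatingProcessFileName =~ "{{process_column}}" '
    "| project Timestamp, FileName, InitiatingProcessFileName "
    "| order by Timestamp desc | limit 2"
)

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def kql_escape(value: str) -> str:
    """Escape a value so it is safe inside a double-quoted KQL string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_query(template: str, variables: dict) -> str:
    """Substitute {{name}} placeholders with escaped values (hypothetical helper;
    the real action uses a Jinja renderer). Escaping keeps a column value that
    contains a quote from terminating the literal and altering the query."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"template variable {name!r} has no value")
        return kql_escape(str(variables[name]))
    return _PLACEHOLDER.sub(substitute, template)


def to_rows(api_response: dict) -> list:
    """Flatten a hunting response into the action's output shape: one row per
    matched event with has_error/error added. An API error document (assumed to
    carry an "error" object with a "message") becomes a single error row."""
    if "error" in api_response:
        message = api_response["error"].get("message", "unknown error")
        return [{"has_error": True, "error": message}]
    rows = []
    for result in api_response.get("Results", []):
        row = dict(result)
        row["has_error"] = False
        row["error"] = None
        rows.append(row)
    return rows


if __name__ == "__main__":
    print(render_query(QUERY_TEMPLATE, {"process_column": "powershell.exe"}))
    for row in to_rows(SAMPLE_API_RESPONSE):
        print(row)
```

Because every substituted value is escaped, a value such as foo"bar renders as "foo\"bar" inside the query; this matters when process_column is filled from untrusted event data rather than a fixed string.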

List Incidents

Lists incidents in Microsoft 365 Defender (Microsoft Threat Protection), optionally narrowed with an OData filter.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • OData Query (Optional): Jinja-templated OData query filter. Supported OData operators: $filter on the lastUpdateTime, createdTime, status and assignedTo properties.
  • Limit (Optional): Limits the number of results. A value specified here overrides the $top operator (if provided) in the OData Query. Default is 100 incidents.

Output

Multiple JSON rows are returned for each query representing matched incidents, each row containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys of listed incident
{
  "incidentId": 924521,
  "redirectIncidentId": null,
  "incidentName": "'Mimikatz' hacktool was detected on one endpoint",
  "createdTime": "2020-09-06T12:18:03.6266667Z",
  "lastUpdateTime": "2020-09-06T12:18:03.81Z",
  "assignedTo": null,
  "classification": "Unknown",
  "determination": "NotAvailable",
  "status": "Active",
  "severity": "Low",
  "tags": [],
  "alerts": [
    {
      "alertId": "da637349914833441527_393341063",
      "incidentId": 924521,
      "serviceSource": "MicrosoftDefenderATP",
      "creationTime": "2020-09-06T12:18:03.3285366Z",
      "lastUpdatedTime": "2020-09-06T12:18:04.2566667Z",
      "resolvedTime": null,
      "firstActivity": "2020-09-06T12:15:07.7272048Z",
      "lastActivity": "2020-09-06T12:15:07.7272048Z",
      "title": "'Mimikatz' hacktool was detected",
      "description": "Readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users. When used by attackers, these tools are often installed without authorization and used to compromise targeted machines.\n\nThese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots.\n\nThis detection might indicate that Windows Defender Antivirus has stopped the tool from being installed and used effectively. However, it is prudent to check the machine for the files and processes associated with the detected tool.",
      "category": "Malware",
      "status": "New",
      "severity": "Low",
      "investigationId": null,
      "investigationState": "UnsupportedOs",
      "classification": null,
      "determination": null,
      "detectionSource": "WindowsDefenderAv",
      "assignedTo": null,
      "actorName": null,
      "threatFamilyName": "Mimikatz",
      "mitreTechniques": [],
      "devices": [
        {
          "mdatpDeviceId": "24c222b0b60fe148eeece49ac83910cc6a7ef491",
          "aadDeviceId": null,
          "deviceDnsName": "user5cx.middleeast.corp.contoso.com",
          "osPlatform": "WindowsServer2016",
          "version": "1607",
          "osProcessor": "x64",
          "osBuild": 14393,
          "healthStatus": "Active",
          "riskScore": "High",
          "rbacGroupName": "WDATP-Ring0",
          "rbacGroupId": 9,
          "firstSeen": "2020-02-06T14:16:01.9330135Z"
        }
      ],
      "entities": [
        {
          "entityType": "File",
          "sha1": "5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd",
          "sha256": null,
          "fileName": "Detector.UnitTests.dll",
          "filePath": "C:\\Agent\\_work\\_temp\\Deploy_SYSTEM 2020-09-06 12_14_54\\Out",
          "processId": null,
          "processCommandLine": null,
          "processCreationTime": null,
          "parentProcessId": null,
          "parentProcessCreationTime": null,
          "ipAddress": null,
          "url": null,
          "accountName": null,
          "domainName": null,
          "userSid": null,
          "aadUserId": null,
          "userPrincipalName": null,
          "mailboxDisplayName": null,
          "mailboxAddress": null,
          "clusterBy": null,
          "sender": null,
          "recipient": null,
          "subject": null,
          "deliveryAction": null,
          "securityGroupId": null,
          "securityGroupName": null,
          "registryHive": null,
          "registryKey": null,
          "registryValueType": null,
          "registryValue": null,
          "deviceId": "24c222b0b60fe148eeece49ac83910cc6a7ef491"
        }
      ]
    }
  ],
  "has_error": false,
  "error": null
}
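The two inputs interact: Limit overrides any $top already present in the OData Query, and only four properties are accepted in $filter. The following added example (not LogicHub's or Microsoft's code) builds the request URL with those rules applied and rejects a filter on an unsupported property locally, so a bad template fails before the API call rather than with an opaque HTTP 400. The incidents endpoint URL is taken from Microsoft's published API documentation and is not stated on this page; the behaviour when neither Limit nor $top is given (fall back to the documented default of 100) and the helper names are assumptions.

```python
import re
from urllib.parse import parse_qsl, quote

# Endpoint assumed from Microsoft's published Microsoft 365 Defender API docs;
# this page does not state it. Verify against current documentation.
INCIDENTS_URL = "https://api.security.microsoft.com/api/incidents"

# Properties the action documents as supported in $filter.
FILTERABLE = {"lastUpdateTime", "createdTime", "status", "assignedTo"}
DEFAULT_LIMIT = 100  # documented default when no Limit is given

_COMPARISON = re.compile(r"\b(\w+)\s+(?:eq|ne|gt|ge|lt|le)\b")
_STRING_LITERAL = re.compile(r"'[^']*'")


def parse_odata(odata_query: str) -> dict:
    """Split an OData fragment such as "$filter=status eq 'Active'&$top=50" into
    its system query options (hypothetical helper)."""
    return dict(parse_qsl(odata_query.lstrip("?"), keep_blank_values=True))


def check_filter(filter_expr: str) -> None:
    """Reject filters that compare on properties the API does not support.
    String literals are blanked first so a value like 'bob eq' is not mistaken
    for a property comparison."""
    stripped = _STRING_LITERAL.sub("''", filter_expr)
    unsupported = set(_COMPARISON.findall(stripped)) - FILTERABLE
    if unsupported:
        raise ValueError(f"unsupported $filter properties: {sorted(unsupported)}")


def build_incidents_url(odata_query: str = "", limit=None) -> str:
    """Build the List Incidents request URL. A Limit value replaces any $top in
    the query; when neither is given, the default of 100 applies."""
    options = parse_odata(odata_query)
    if "$filter" in options:
        check_filter(options["$filter"])
    if limit is not None:
        options["$top"] = str(int(limit))
    elif "$top" not in options:
        options["$top"] = str(DEFAULT_LIMIT)
    safe = "'(),:"  # keep OData literal punctuation readable; spaces become %20
    query_string = "&".join(
        f"{key}={quote(value, safe=safe)}" for key, value in options.items()
    )
    return f"{INCIDENTS_URL}?{query_string}"


if __name__ == "__main__":
    print(build_incidents_url("$filter=status eq 'Active'&$top=500", limit=25))
    print(build_incidents_url())
```

The URL is built but not sent; the bearer token obtained with the connection's Tenant ID, Application ID and Secret Key would be attached by the caller.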

Update Incidents

Updates properties of existing incidents.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Incident ID (Required): Select the column containing the ID of the incident to update.
  • Status (Optional): Select the column containing the status to set on the incident. Column values must be Active, Resolved, or Redirected.
  • Assigned To (Optional): Select the column containing the owner to assign the incident to.
  • Classification (Optional): Select the column containing the classification of the alert to set on the incident. Column values must be one of Unknown, FalsePositive, or TruePositive.
  • Determination (Optional): Select the column containing the determination of the alert to set on the incident. Column values must be one of NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, or Other.
  • Tags (Optional): Jinja-templated comma-separated tags to apply to the incident. Example: {{tag1}}, {{tag2}}, {{tag3}}.

Output

A JSON row is returned for each updated incident, containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys of incident updated with new values
{
  "status": "Resolved",
  "assignedTo": "[email protected]",
  "classification": "TruePositive",
  "determination": "Malware",
  "tags": ["Yossi's playground", "Don't mess with the Zohan"],
  "has_error": false,
  "error": null
}
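Each optional input accepts only the enumerated values listed above, and the action runs over a column of incident IDs, so one malformed row should not abort the batch. The following added example (not LogicHub's or Microsoft's code) validates the values, splits the comma-separated Tags input, builds the PATCH body with only the fields that were set, and emits one output row per input row in the has_error/error shape. The sample rows, the e-mail address and tags in them, the helper names, and the incidents endpoint URL (taken from Microsoft's public API documentation, not from this page) are assumptions.

```python
# Allowed values as listed in the action's input fields.
ALLOWED = {
    "status": {"Active", "Resolved", "Redirected"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
    "determination": {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                      "SecurityTesting", "UnwantedSoftware", "Other"},
}
# Endpoint assumed from Microsoft's public API docs, not stated on this page.
INCIDENTS_URL = "https://api.security.microsoft.com/api/incidents"


def parse_tags(tags):
    """Turn the comma-separated Tags input into a list, dropping empty entries."""
    if tags is None:
        return None
    return [t.strip() for t in str(tags).split(",") if t.strip()]


def build_update_body(row: dict) -> dict:
    """Build the PATCH body for one incident, validating enumerated fields and
    omitting anything the row leaves unset (hypothetical helper)."""
    body = {}
    for field in ("status", "classification", "determination"):
        value = row.get(field)
        if value is None:
            continue
        if value not in ALLOWED[field]:
            raise ValueError(
                f"{field} must be one of {sorted(ALLOWED[field])}, got {value!r}")
        body[field] = value
    if row.get("assignedTo") is not None:
        body["assignedTo"] = row["assignedTo"]
    tags = parse_tags(row.get("tags"))
    if tags is not None:
        body["tags"] = tags
    if not body:
        raise ValueError("no properties to update")
    return body


def update_rows(rows: list) -> list:
    """Produce one output row per input row in the action's shape (has_error,
    error, plus the updated values). A bad row yields an error row instead of
    aborting the whole batch; the request is built but not sent."""
    out = []
    for row in rows:
        try:
            incident_id = int(row["incidentId"])
            body = build_update_body(row)
        except (KeyError, ValueError, TypeError) as exc:
            out.append({"incidentId": row.get("incidentId"),
                        "has_error": True, "error": str(exc)})
            continue
        out.append({
            "incidentId": incident_id,
            "request": {"method": "PATCH",
                        "url": f"{INCIDENTS_URL}/{incident_id}", "json": body},
            **body,
            "has_error": False,
            "error": None,
        })
    return out


# Constructed sample rows; the e-mail address and tags are placeholders.
SAMPLE_ROWS = [
    {"incidentId": 924521, "status": "Resolved", "assignedTo": "analyst@example.com",
     "classification": "TruePositive", "determination": "Malware",
     "tags": "triaged, playbook-42"},
    {"incidentId": 924522, "status": "Closed"},   # not an allowed status
    {"incidentId": "abc", "status": "Active"},    # not a valid incident id
]


if __name__ == "__main__":
    for result in update_rows(SAMPLE_ROWS):
        print(result)
```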

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

© 2017-2021 LogicHub®. All Rights Reserved.