Microsoft 365 Defender

Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, email and documents.

Integration with LogicHub

Connecting with Microsoft 365 Defender

To connect with Microsoft 365 Defender, the following details are required:

  • Tenant ID: Tenant ID of the registered application.
  • Application ID: Application ID of the registered application.
  • Secret Key: Secret key of the registered application.

Actions with Microsoft 365 Defender

Advanced Hunting

Run advanced queries. Limitations: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-advanced-hunting?view=o365-worldwide&branch=mtp-apis#limitations

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Query: Jinja Templated query to run. Example:
DeviceProcessEvents | where InitiatingProcessFileName =~ "{{process_column}}" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2

Output of Action
Multiple JSON rows per query, one for each matched event, containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys of matched events
{
  "Timestamp": "2020-08-30T06:38:35.7664356Z",
  "FileName": "conhost.exe",
  "InitiatingProcessFileName": "powershell.exe",
  "has_error": false,
  "error": null
}
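The following is an added example, not LogicHub's or Microsoft's code, of what the Advanced Hunting action does with the three connection fields and a Jinja templated query: it builds the client-credentials token request, substitutes row columns into the template (a minimal stand-in for Jinja, escaping the value because the page's template places it inside a KQL double-quoted literal), and reshapes the API reply into rows with has_error/error. The endpoints, scope and the error body layout are assumptions taken from Microsoft's public API documentation; nothing here sends a request.

```python
from __future__ import annotations
import re
from typing import Any

# Endpoints and scope taken from Microsoft's public API documentation, not
# from the LogicHub page (assumption); nothing in this block sends a request.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
HUNT_URL = "https://api.security.microsoft.com/api/advancedhunting/run"
SCOPE = "https://api.security.microsoft.com/.default"
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def token_request(tenant_id: str, app_id: str, secret: str) -> tuple[str, dict[str, str]]:
    """Client-credentials token request built from the three connection fields."""
    form = {"grant_type": "client_credentials", "client_id": app_id,
            "client_secret": secret, "scope": SCOPE}
    return TOKEN_URL.format(tenant_id=tenant_id), form


def render_query(template: str, row: dict[str, Any]) -> str:
    """Minimal stand-in for LogicHub's Jinja rendering: {{col}} -> row[col].
    The page's template places the value inside a KQL double-quoted literal,
    so backslashes and quotes are escaped to keep a column value (which may
    originate from untrusted telemetry) from breaking out of that literal."""
    def sub(m: re.Match[str]) -> str:
        value = str(row[m.group(1)])
        return value.replace("\\", "\\\\").replace('"', '\\"')
    return _PLACEHOLDER.sub(sub, template)


def hunting_request(query: str, token: str) -> tuple[str, dict[str, str], dict[str, str]]:
    """URL, headers and JSON body for one advanced hunting run."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return HUNT_URL, headers, {"Query": query}


def normalize_hunting_response(status: int, body: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten the API reply into the row shape shown on the page: each matched
    event gains has_error/error, and an API failure becomes a single error row
    so the playbook can branch on has_error instead of raising."""
    if status != 200:
        message = body.get("error", {}).get("message", f"HTTP {status}")
        return [{"has_error": True, "error": message}]
    return [{**event, "has_error": False, "error": None} for event in body.get("Results", [])]


if __name__ == "__main__":
    template = ('DeviceProcessEvents | where InitiatingProcessFileName =~ "{{process_column}}" '
                "| project Timestamp, FileName, InitiatingProcessFileName "
                "| order by Timestamp desc | limit 2")
    print(render_query(template, {"process_column": "powershell.exe"}))
```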

List Incidents

Lists incidents in Microsoft 365 Defender (Microsoft Threat Protection), optionally narrowed with an OData filter.

Inputs to this action

  • Connection: Choose a connection that you have created.
  • OData Query (Optional): Jinja Templated OData query filter. The $filter operator is supported on the lastUpdateTime, createdTime, status and assignedTo properties.
  • Limit (Optional): Maximum number of results. A value specified here overrides the $top operator (if provided) in the OData Query. Default is 100 incidents.

Output of Action
Multiple JSON rows per query, one for each matched incident, containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys of listed incident
{
  "incidentId": 924521,
  "redirectIncidentId": null,
  "incidentName": "'Mimikatz' hacktool was detected on one endpoint",
  "createdTime": "2020-09-06T12:18:03.6266667Z",
  "lastUpdateTime": "2020-09-06T12:18:03.81Z",
  "assignedTo": null,
  "classification": "Unknown",
  "determination": "NotAvailable",
  "status": "Active",
  "severity": "Low",
  "tags": [],
  "alerts": [
    {
      "alertId": "da637349914833441527_393341063",
      "incidentId": 924521,
      "serviceSource": "MicrosoftDefenderATP",
      "creationTime": "2020-09-06T12:18:03.3285366Z",
      "lastUpdatedTime": "2020-09-06T12:18:04.2566667Z",
      "resolvedTime": null,
      "firstActivity": "2020-09-06T12:15:07.7272048Z",
      "lastActivity": "2020-09-06T12:15:07.7272048Z",
      "title": "'Mimikatz' hacktool was detected",
      "description": "Readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users. When used by attackers, these tools are often installed without authorization and used to compromise targeted machines.\n\nThese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots.\n\nThis detection might indicate that Windows Defender Antivirus has stopped the tool from being installed and used effectively. However, it is prudent to check the machine for the files and processes associated with the detected tool.",
      "category": "Malware",
      "status": "New",
      "severity": "Low",
      "investigationId": null,
      "investigationState": "UnsupportedOs",
      "classification": null,
      "determination": null,
      "detectionSource": "WindowsDefenderAv",
      "assignedTo": null,
      "actorName": null,
      "threatFamilyName": "Mimikatz",
      "mitreTechniques": [],
      "devices": [
        {
          "mdatpDeviceId": "24c222b0b60fe148eeece49ac83910cc6a7ef491",
          "aadDeviceId": null,
          "deviceDnsName": "user5cx.middleeast.corp.contoso.com",
          "osPlatform": "WindowsServer2016",
          "version": "1607",
          "osProcessor": "x64",
          "osBuild": 14393,
          "healthStatus": "Active",
          "riskScore": "High",
          "rbacGroupName": "WDATP-Ring0",
          "rbacGroupId": 9,
          "firstSeen": "2020-02-06T14:16:01.9330135Z"
        }
      ],
      "entities": [
        {
          "entityType": "File",
          "sha1": "5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd",
          "sha256": null,
          "fileName": "Detector.UnitTests.dll",
          "filePath": "C:\\Agent\\_work\\_temp\\Deploy_SYSTEM 2020-09-06 12_14_54\\Out",
          "processId": null,
          "processCommandLine": null,
          "processCreationTime": null,
          "parentProcessId": null,
          "parentProcessCreationTime": null,
          "ipAddress": null,
          "url": null,
          "accountName": null,
          "domainName": null,
          "userSid": null,
          "aadUserId": null,
          "userPrincipalName": null,
          "mailboxDisplayName": null,
          "mailboxAddress": null,
          "clusterBy": null,
          "sender": null,
          "recipient": null,
          "subject": null,
          "deliveryAction": null,
          "securityGroupId": null,
          "securityGroupName": null,
          "registryHive": null,
          "registryKey": null,
          "registryValueType": null,
          "registryValue": null,
          "deviceId": "24c222b0b60fe148eeece49ac83910cc6a7ef491"
        }
      ]
    }
  ],
  "has_error": false,
  "error": null
}
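An added example, not LogicHub's or Microsoft's code, of the input rules the List Incidents action states (only $filter on the four listed properties, Limit overriding $top, 100 incidents by default) and of one use of the output above: pulling the device ids and file hashes out of an incident's alerts for a follow-up hunting step. The incidents endpoint is an assumption taken from Microsoft's public API documentation; the filter syntax check is a simple regular expression, not a full OData parser.

```python
from __future__ import annotations
import re
from typing import Any, Optional

# Incidents endpoint per Microsoft's API documentation (assumption, not on the page).
INCIDENTS_URL = "https://api.security.microsoft.com/api/incidents"
FILTERABLE = {"lastUpdateTime", "createdTime", "status", "assignedTo"}
DEFAULT_LIMIT = 100
_FILTER_PROP = re.compile(r"(\w+)\s+(?:eq|ne|gt|ge|lt|le)\b")


def build_incidents_params(odata_query: Optional[str], limit: Optional[int]) -> dict[str, str]:
    """Translate the action's OData Query and Limit inputs into query parameters,
    applying the rules the page states: $filter only on the four listed
    properties, Limit overrides $top, and 100 incidents when neither is given."""
    params: dict[str, str] = {}
    for part in filter(None, (odata_query or "").lstrip("?").split("&")):
        key, _, value = part.partition("=")
        if key not in ("$filter", "$top"):
            raise ValueError(f"unsupported OData option: {key}")
        params[key] = value.strip()
    bad = {p for p in _FILTER_PROP.findall(params.get("$filter", "")) if p not in FILTERABLE}
    if bad:
        raise ValueError(f"$filter is not supported on: {sorted(bad)}")
    if limit is not None:
        params["$top"] = str(limit)  # Limit wins over any $top in the query
    params.setdefault("$top", str(DEFAULT_LIMIT))
    return params


def incident_indicators(incident: dict[str, Any]) -> dict[str, set[str]]:
    """Collect the device ids and file hashes referenced by an incident's alerts:
    the values a playbook would hand to the Advanced Hunting action next."""
    found: dict[str, set[str]] = {"devices": set(), "sha1": set(), "sha256": set()}
    for alert in incident.get("alerts") or []:
        for device in alert.get("devices") or []:
            if device.get("mdatpDeviceId"):
                found["devices"].add(device["mdatpDeviceId"])
        for entity in alert.get("entities") or []:
            if entity.get("entityType") != "File":
                continue
            for algo in ("sha1", "sha256"):
                if entity.get(algo):
                    found[algo].add(entity[algo])
    return found
```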

Update Incidents

Updates properties of existing incidents.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Incident ID: Select the column containing the incident id of the incident to update.
  • Status (Optional): Select the column containing the status to set on the incident. Possible column values are Active, Resolved, or Redirected.
  • Assigned To (Optional): Select the column containing the owner to assign the incident to.
  • Classification (Optional): Select the column containing the classification of the alert to set on the incident. Possible column values are Unknown, FalsePositive, or TruePositive.
  • Determination (Optional): Select the column containing the determination of the alert to set on the incident. Possible column values are NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, or Other.
  • Tags (Optional): Jinja Templated comma-separated tags to set on the incident. Example: {{tag1}}, {{tag2}}, {{tag3}}.

Output of Action
JSON row containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys of incident updated with new values
{
  "status": "Resolved",
  "assignedTo": "[email protected]",
  "classification": "TruePositive",
  "determination": "Malware",
  "tags": ["Yossi's playground", "Don't mess with the Zohan"],
  "has_error": false,
  "error": null
}
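An added example, not LogicHub's or Microsoft's code, of how the Update Incidents inputs above turn into an update request: the optional fields present in a row are validated against the value sets the page lists, the rendered comma-separated Tags string is split into a list, and only then is the PATCH body built. The update endpoint and the input column names (incident_id, status, assigned_to, classification, determination, tags) are assumptions.

```python
from __future__ import annotations
from typing import Any

# Update endpoint per Microsoft's API documentation (assumption, not on the page).
INCIDENT_URL = "https://api.security.microsoft.com/api/incidents/{incident_id}"

# Value sets exactly as the action's inputs list them.
ALLOWED = {
    "status": {"Active", "Resolved", "Redirected"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
    "determination": {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                      "SecurityTesting", "UnwantedSoftware", "Other"},
}


def split_tags(rendered: str) -> list[str]:
    """The Tags input renders to a comma-separated string ('{{tag1}}, {{tag2}}');
    trim whitespace and drop empty and duplicate tags, keeping order."""
    tags: list[str] = []
    for tag in rendered.split(","):
        tag = tag.strip()
        if tag and tag not in tags:
            tags.append(tag)
    return tags


def build_update(row: dict[str, Any]) -> tuple[str, dict[str, Any]]:
    """Build the PATCH target and body from one LogicHub row (column names are
    assumed: incident_id, status, assigned_to, classification, determination,
    tags). Only populated optional fields are sent, and each enumerated field is
    checked against the documented value set before anything reaches the API."""
    target = INCIDENT_URL.format(incident_id=int(row["incident_id"]))
    body: dict[str, Any] = {}
    for field in ("status", "classification", "determination"):
        value = row.get(field)
        if value in (None, ""):
            continue
        if value not in ALLOWED[field]:
            raise ValueError(f"{field}={value!r} is not one of {sorted(ALLOWED[field])}")
        body[field] = value
    if row.get("assigned_to"):
        body["assignedTo"] = row["assigned_to"]
    if row.get("tags"):
        body["tags"] = split_tags(row["tags"])
    if not body:
        raise ValueError("no fields to update")
    return target, body
```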
