Microsoft Defender for Endpoint

Details
Content
Dependencies
Version History

Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.

Use Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) to deliver industry-leading endpoint security for Windows, macOS, Linux, Android, iOS, and network devices. It helps to rapidly stop attacks, scale your security resources, and evolve your defenses. Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Integration capabilities:

Microsoft Defender for Endpoint allows you to perform preventative protection, post-breach detection, automated investigation, and response.
Microsoft Defender for Endpoint delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.

What does this pack do?

Receives alerts from Microsoft Defender for Endpoint as XSOAR incidents
Enriches IOCs from XSOAR to Microsoft Defender for Endpoint and vice versa
Allows remediation actions for connected endpoints
Provides investigation capabilities on connected assets
Allows asset visibility, status, and health (vulnerability assessment)

Content Pack components

The Microsoft Defender for Endpoint integration imports events as XSOAR incidents.
The Microsoft Defender Advanced Threat Protection Get Machine Action Status playbook uses generic polling to get machine action information (relevant for Cortex XSOAR v6.2 and earlier).
The Microsoft Defender for Endpoint - Isolate Endpoint playbook accepts an endpoint ID, IP address, or hostname and isolates it using the Microsoft Defender for Endpoint integration (relevant for Cortex XSOAR v6.2 and earlier).
The Microsoft Defender for Endpoint - Unisolate Endpoint playbook accepts an endpoint ID, IP address, or hostname and unisolates it using the Microsoft Defender for Endpoint integration (relevant for Cortex XSOAR v6.2 and earlier).

Authentication

For more details about the authentication used for components in this content pack, see Microsoft Integrations - Authentication.

Endpoint URL

Environment Type	Endpoint URL
Worldwide	https://api.securitycenter.microsoft.com
Us Geo Proximity	https://api.securitycenter.microsoft.com
Eu Geo Proximity	https://api-eu.securitycenter.microsoft.com
UK Geo Proximity	https://api-uk.securitycenter.microsoft.com
Us GCC	https://api-gcc.securitycenter.microsoft.us
Us GCC-High	https://api-gcc.securitycenter.microsoft.us
DoD	https://api-gov.securitycenter.microsoft.us

To find the appropriate Endpoint URI, use the following resources:

For Worldwide or Geo Proximity URLs, see Supported Microsoft 365 Defender APIs
For Us Government & DoD URLs, see Microsoft Defender for Endpoint for US Government customers

Log ingestion

Note: In order to parse the timestamp correctly, make sure that the timestamp field is in UTC time zone (timestamp ends with "Z").
The supported time format are yyyy-MM-ddThh:mm:%E3S (2021-12-08 10:00:00.123Z) or yyyy-MM-ddThh:mm:ss (2021-07-01T10:00:00Z). The relevant field is "lastEventTime".

Licence information

Available for E3, E5, and standalone licenses.

Integration capabilities:

What does this pack do?

Receives alerts from Microsoft Defender for Endpoint as XSOAR incidents
Enriches IOCs from XSOAR to Microsoft Defender for Endpoint and vice versa
Allows remediation actions for connected endpoints
Provides investigation capabilities on connected assets
Allows asset visibility, status, and health (vulnerability assessment)

Content Pack components

The Microsoft Defender for Endpoint integration imports events as XSOAR incidents.
The Microsoft Defender Advanced Threat Protection Get Machine Action Status playbook uses generic polling to get machine action information (relevant for Cortex XSIAM v6.2 and earlier).
The Microsoft Defender for Endpoint - Isolate Endpoint playbook accepts an endpoint ID, IP address, or hostname and isolates it using the Microsoft Defender for Endpoint integration (relevant for Cortex XSIAM v6.2 and earlier).
The Microsoft Defender for Endpoint - Unisolate Endpoint playbook accepts an endpoint ID, IP address, or hostname and unisolates it using the Microsoft Defender for Endpoint integration (relevant for Cortex XSIAM v6.2 and earlier).

Authentication

For more details about the authentication used for components in this content pack, see Microsoft Integrations - Authentication.

Endpoint URL

Environment Type	Endpoint URL
Worldwide	https://api.securitycenter.microsoft.com
Us Geo Proximity	https://api.securitycenter.microsoft.com
Eu Geo Proximity	https://api-eu.securitycenter.microsoft.com
UK Geo Proximity	https://api-uk.securitycenter.microsoft.com
Us GCC	https://api-gcc.securitycenter.microsoft.us
Us GCC-High	https://api-gcc.securitycenter.microsoft.us
DoD	https://api-gov.securitycenter.microsoft.us

To find the appropriate Endpoint URI, use the following resources:

For Worldwide or Geo Proximity URLs, see Supported Microsoft 365 Defender APIs
For Us Government & DoD URLs, see Microsoft Defender for Endpoint for US Government customers

Log ingestion

Licence information

Available for E3, E5, and standalone licenses.

Automations

Name	Description
TransformIndicatorToMSDefenderIOC	Transform a XSOAR indicator into a Microsoft Defender for Endpoint IOC. The output (at TransformIndicatorToMSDefenderIOC.JsonOutput) is a json representation of the indicators in MSDE format. This json can be the input for the microsoft-atp-indicator-batch-update command.

Classifiers

Name	Description
Microsoft Defender For Endpoint Mapper

Incident Fields

Name	Description
Microsoft Defender for Endpoint Evidence Type
Microsoft Defender for Endpoint Evidence Creation Time

Incident Types

Name	Description
Microsoft Defender For Endpoint

Integrations

Name	Description
Microsoft Defender for Endpoint	Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.

Playbooks

Name	Description
MDE - True Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This Playbook handles closing a true positive incident for Microsoft Defender for Endpoint.
MDE SIEM ingestion - Get Incident Data	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles incident ingestion from a SIEM. The user provides the incident fields containing the alert ID. This playbook also enables changing the severity according to a user-defined scale to override the default assigned severity.
MDE - Retrieve File	This playbook is part of the ‘Malware Investigation And Response’ pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Live Response feature to retrieve a file from an endpoint. The playbook supports a supplied machine id as an input. Otherwise, it will take the Device ID incident field. The playbook supports only one element to be retrieved for each task (if needed more then one - use the playbook loop feature).
Microsoft Defender For Endpoint - Collect investigation package	This playbook simplifies retrieving investigation packages to Cortex XSOAR from supported machines (See https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/collect-investigation-package?view=o365-worldwide). The playbook receives information about the target devices (host name, IP, and device ID), validates the devices exist, and retrieves the collection package from those machines into the Cortex XSOAR console. Note: This action may take time, the average package size is around ~15 MB.
MDE - Block File	This playbook receives an MD5 or a SHA256 hash and adds it to the block list in Microsoft Defender for Endpoint. The playbook uses the integration "Microsoft Defender for Endpoint".
MDE - Pro-Active Actions	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook supports investigation actions for the analyst, including: Running a full AV scan for a specific endpoint Requesting an investigation package (a zip file containing forensic data with a size of ~ 15MB) from an endpoint. Requesting to run automatic investigation on an endpoint.
MDE - False Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles closing false positive incidents for Microsoft Defender for Endpoint.
MDE - Host Advanced Hunting For Network Activity	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host network activity.
MDE - Host Advanced Hunting	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature based on the provided inputs.
MDE - Host Advanced Hunting For Powershell Executions	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host PowerShell executions.
MDE - Search and Compare Process Executions	This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. Note: Under the "Processes", input the playbook should receive an array that contains the following keys: value: process name commands: command-line arguments
MDE - Search And Block Software	This playbook will search a file or process activity of a software by a given image file name using Microsoft Defender For Endpoint. The analyst can then choose the files to block.
MDE - Host Advanced Hunting For Persistence	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host persistence evidence.
MDE Malware - Investigation and Response	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook investigates Microsoft Defender For Endpoint malware alerts. It uses - Microsoft Defender For Endpoint Advanced Hunting - Command Line Analysis - Deduplication - Sandbox hash search and detonation - Proactive investigation actions (AV scan, investigation package collection, running automated investigation on an endpoint) - Microsoft Defender For Endpoint alert enrichment - Incident handling (true/false positive)
Microsoft Defender For Endpoint - Isolate Endpoint	This playbook accepts an endpoint ID, IP, or host name and isolates it using the Microsoft Defender For Endpoint integration.
Microsoft Defender Advanced Threat Protection Get Machine Action Status	This playbook used generic polling to get machine action information.
Microsoft Defender For Endpoint - Unisolate Endpoint	This playbook accepts an endpoint ID, IP, or host name and unisolates it using the Microsoft Defender For Endpoint integration.
MDE Malware - Incident Enrichment	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enriches Microsoft Defender For Endpoint alerts. The enrichment is done on the involved endpoint and Mitre technique ID information, and it sets the 'Malware-Investigation and Response' layout.

Widgets

Name	Description
API Call Results for Microsoft Defender for Endpoint

Automations

Name	Description
TransformIndicatorToMSDefenderIOC	Transform a XSOAR indicator into a Microsoft Defender for Endpoint IOC. The output (at TransformIndicatorToMSDefenderIOC.JsonOutput) is a json representation of the indicators in MSDE format. This json can be the input for the microsoft-atp-indicator-batch-update command.

Classifiers

Name	Description
Microsoft Defender For Endpoint Mapper

Correlation Rules

Name	Description
Microsoft Defender for Endpoint - Malware Detected	This alert will trigger in an event where Malware was detected by Microsoft Defender for Endpoints.

Incident Fields

Name	Description
Microsoft Defender for Endpoint Evidence Creation Time
Microsoft Defender for Endpoint Evidence Type

Incident Types

Name	Description
Microsoft Defender For Endpoint

Integrations

Name	Description
Microsoft Defender for Endpoint Alerts	Microsoft 365 Defender Event Collector integration.
Microsoft Defender for Endpoint	Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.

Modeling Rules

Name	Description
Microsoft 365 Defender Event Collector Modeling Rule

Parsing Rules

Name	Description
Microsoft Defender Advanced Threat Protection Parsing Rule

Playbooks

Name	Description
MDE - Pro-Active Actions	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook supports investigation actions for the analyst, including: Running a full AV scan for a specific endpoint Requesting an investigation package (a zip file containing forensic data with a size of ~ 15MB) from an endpoint. Requesting to run automatic investigation on an endpoint.
MDE - Search And Block Software	This playbook will search a file or process activity of a software by a given image file name using Microsoft Defender For Endpoint. The analyst can then choose the files to block.
MDE Malware - Alert Enrichment	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enriches Microsoft Defender For Endpoint alerts. The enrichment is done on the involved endpoint and Mitre technique ID information, and it sets the 'Malware-Investigation and Response' layout.
MDE - Host Advanced Hunting For Persistence	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host persistence evidence.
Microsoft Defender For Endpoint - Collect investigation package	This playbook simplifies retrieving investigation packages to Cortex XSIAM from supported machines (See https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/collect-investigation-package?view=o365-worldwide). The playbook receives information about the target devices (host name, IP, and device ID), validates the devices exist, and retrieves the collection package from those machines into the Cortex XSIAM console. Note: This action may take time, the average package size is around ~15 MB.
MDE - Host Advanced Hunting	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature based on the provided inputs.
MDE - False Positive Alert Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles closing false positive alerts for Microsoft Defender for Endpoint.
MDE - Host Advanced Hunting For Powershell Executions	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host PowerShell executions.
MDE SIEM ingestion - Get Alert Data	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles alert ingestion from a SIEM. The user provides the alert fields containing the alert ID. This playbook also enables changing the severity according to a user-defined scale to override the default assigned severity.
MDE - True Positive Alert Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This Playbook handles closing a true positive alert for Microsoft Defender for Endpoint.
MDE - Host Advanced Hunting For Network Activity	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host network activity.
Microsoft Defender Advanced Threat Protection Get Machine Action Status	This playbook used generic polling to get machine action information.
Microsoft Defender For Endpoint - Isolate Endpoint	This playbook accepts an endpoint ID, IP, or host name and isolates it using the Microsoft Defender For Endpoint integration.
Microsoft Defender for Endpoint - Malware Detected	This playbook investigates “Malware detected by Microsoft Defender for Endpoint” by gathering Hash and User information and performing remediation based on the information gathered and received from the enrichment. Used Sub-playbooks: Enrichment for Verdict To link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers: Alert Source = Correlation AND Alert Name = Malware detected by Microsoft Defender for Endpoint
MDE - Block File	This playbook receives an MD5 or a SHA256 hash and adds it to the block list in Microsoft Defender for Endpoint. The playbook uses the integration "Microsoft Defender for Endpoint".
Microsoft Defender For Endpoint - Unisolate Endpoint	This playbook accepts an endpoint ID, IP, or host name and unisolates it using the Microsoft Defender For Endpoint integration.
MDE - Search and Compare Process Executions	This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. Note: Under the "Processes", input the playbook should receive an array that contains the following keys: value: process name commands: command-line arguments
MDE - Retrieve File	This playbook is part of the ‘Malware Investigation And Response’ pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Live Response feature to retrieve a file from an endpoint. The playbook supports a supplied machine id as an input. Otherwise, it will take the Device ID alert field. The playbook supports only one element to be retrieved for each task (if needed more then one - use the playbook loop feature).

Trigger

Name	Description
Malware detected by Microsoft Defender for Endpoint	This trigger is responsible for handling the alert Malware detected by Microsoft Defender for Endpoint

XSIAM Dashboards

Name	Description
Microsoft Defender for Endpoint Overview Dashboard

Required Content Packs (7)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR

Optional Content Packs (3)

Pack Name	Pack By
Atlassian Jira	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR

All level dependencies (9)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

1.17.3 - 1675652 (November 20, 2024)

Integrations

Microsoft Defender for Endpoint

Fixed an issue where the Client Credentials Flow in GCC High was redirecting to the wrong endpoint.

Related pull requests:
- 37302

Download

1.17.2 - 1669335 (November 19, 2024)

Integrations

Microsoft Defender for Endpoint

Fixed an issue in MicrosoftApiModule where the GCC High Defender endpoint was incorrect.

Related pull requests:
- 37253

Download

1.17.1 - 1666862 (November 18, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 37228
- 37223

Download

1.17.0 - 1663384 (November 18, 2024)

Integrations

Microsoft Defender for Endpoint

The microsoft-atp-get-file-statistics command now returns a File indicator with the following fields:

New: Organization Prevalence
New: Global Prevalence
New: Organization First Seen
New: Organization Last Seen
First Seen By Source
Last Seen By Source

Related pull requests:
- 37022

Download

1.16.44 - 1647729 (November 14, 2024)

Scripts

TransformIndicatorToMSDefenderIOC

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37147
- 37137
- 37136
- 37140
- 37138
- 37139

Download

1.16.43 - 1615839 (November 10, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 37120
- 37113

Download

1.16.42 - 1599475 (November 6, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 37066
- 37060

Download

1.16.41 - 1574765 (October 31, 2024)

Integrations

Microsoft Defender for Endpoint

Fixed an issue when reaching API rate limit, where the retry later mechanism failed to run for all commands.

Related pull requests:
- 37000

Download

1.16.40 - 1559973 (October 29, 2024)

Integrations

Microsoft Defender for Endpoint

Updated the Docker image to: demisto/crypto:1.0.0.114611.

Related pull requests:
- 36826

Download

1.16.39 - 1480610 (October 8, 2024)

Integrations

Microsoft Defender for Endpoint

Added infrastructure support for Microsoft Graph Application endpoints.

Related pull requests:
- 36407

Download

1.16.38 - 1417991 (September 22, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 36417

Download

1.16.37 - 1320807 (August 28, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 35949

Download

1.16.36 - 1244506 (August 5, 2024)

Integrations

Microsoft Defender for Endpoint

Updated the MicrosoftApiModule with exchange_online endpoints.

Related pull requests:
- 34917
- 34909
- 34903
- 34906
- 34147
- 34217
- 34908
- 34619
- 34911
- 34823
- 34837
- 34918
- 34816
- 34630
- 34871
- 34767
- 34879
- 34912
- 34840
- 34931
- 34892
- 34920
- 34926
- 34814
- 34811
- 34964
- 34967
- 34979
- 34921
- 34990
- 34896
- 34966
- 34985
- 34983
- 34255
- 34975
- 34999
- 34913
- 35000
- 34990
- 35002
- 34932
- 34862
- 35005
- 34868
- 34977
- 35009
- 34969
- 34591
- 34693
- 34657
- 34671
- 34681
- 34676
- 34672
- 34372
- 34701
- 34660
- 34684
- 34700
- 34702
- 34696
- 34117
- 34704
- 34706
- 34692
- 33735
- 34714
- 34703
- 34353
- 34725
- 34694
- 34734
- 34640
- 34724
- 34652
- 34443
- 34730
- 34653
- 34732
- 34667
- 34709
- 34755
- 34759
- 32423
- 34598
- 34758
- 34745
- 34762
- 34327
- 34742
- 34474
- 34766
- 34774
- 34782
- 34763
- 34756
- 34747
- 34645
- 34532
- 34675
- 34777
- 34788
- 34804
- 34729
- 34796
- 34691
- 34784
- 34783
- 34765
- 34485
- 34768
- 34593
- 34813
- 34818
- 34832
- 34772
- 34830
- 34833
- 34829
- 34834
- 34839
- 34828
- 34388
- 34838
- 34761
- 34858
- 34861
- 34764
- 34738
- 34538
- 34831
- 34748
- 34846
- 34845
- 34864
- 34817
- 34686
- 34865
- 34867
- 34863
- 34880
- 34876
- 34386
- 34881
- 34884
- 34799
- 34827
- 34883
- 34886
- 34512
- 34887
- 34889
- 34877
- 34904
- 34905
- 34909
- 34903
- 34906
- 34147
- 34217
- 34908
- 34619
- 34911
- 34823
- 34837
- 34918
- 34816
- 34630
- 34871
- 34767
- 34879
- 34912
- 34840
- 34931
- 34892
- 34920
- 34926
- 34814
- 34811
- 34964
- 34967
- 34979
- 34921
- 34990
- 34896
- 34966
- 34985
- 34983
- 34255
- 34608
- 35026
- 35029
- 35015
- 35023
- 34776
- 34654
- 34978
- 34986
- 34938
- 34506
- 35011
- 35014
- 34779
- 35019
- 35039
- 34897
- 35049
- 35016
- 35046
- 35051
- 35040
- 34614
- 32477

Download

1.16.35 - 1109132 (June 20, 2024)

Integrations

Microsoft Defender for Endpoint

Added a new command- 'microsoft-atp-get-machine-by-ip'.
Updated the Docker image to: demisto/crypto:1.0.0.98336.

Related pull requests:
- 34814

Download

1.16.34 - 1066075 (June 3, 2024)

Integrations

Microsoft Defender for Endpoint

Fixed an issue in where the GCC endpoints were incorrect in the supported integrations.

Related pull requests:
- 34634

Download

1.16.33 - 1054698 (May 29, 2024)

Integrations

Microsoft Defender for Endpoint

Fixed an issue with timeout in download_file function.

Related pull requests:
- 33494

Download

1.16.32 - 1051712 (May 28, 2024)

Integrations

Microsoft Defender for Endpoint

Added support for Microsoft Defender 365 Endpoint in the Microsoft API Module.
Updated the MicrosoftApiModule to better handle the Authorization Code flow in the supported integrations.
Updated the Docker image to: demisto/crypto:1.0.0.96042.

Related pull requests:
- 34495

Download

1.16.31 - R1047063 (May 27, 2024)

Integrations

Microsoft Defender for Endpoint

Fixed an issue in MicrosoftApiModule where the GCC endpoints were incorrect.

Related pull requests:
- 34360

Download

1.16.30 - 919924 (March 28, 2024)

Integrations

Microsoft Defender for Endpoint

Added a timeout value to the retry on rate limit mechanism.

Related pull requests:
- 33566

Download

1.16.29 - 860237 (February 29, 2024)

Integrations

Microsoft Defender for Endpoint

Added support for the OAuth consent dialog after the user signs in using the microsoft-atp-generate-login-url command.

Related pull requests:
- 31942

Download

1.16.28 - 824222 (February 13, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 32830

Download

1.16.27 - 819156 (February 11, 2024)

Integrations

Microsoft Defender for Endpoint

Updated the Docker image to: demisto/crypto:1.0.0.87358.

Related pull requests:
- 32812

Download

1.16.26 - 774340 (January 21, 2024)

Playbooks

MDE - Retrieve File

Added a transformer that allows using this playbook as part of a malware investigation or as a standalone playbook.
Added outputs for the playbook: Extracted Files and Action Status.

Related pull requests:
- 32035

Download

1.16.25 - 755215 (January 10, 2024)

Integrations

Microsoft Defender for Endpoint

Fixed an issue where microsoft-atp-sc-indicator-delete command raised an error when got 200 response.

Related pull requests:
- 31979

Download

1.16.24 - 747798 (January 8, 2024)

Playbooks

New: MDE - Block File

New: This playbook receives an MD5 or a SHA256 hash and adds it to the block list in Microsoft Defender for Endpoint.
The playbook uses the integration "Microsoft Defender for Endpoint". (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 31885

Download

1.16.23 - 722180 (December 28, 2023)

Scripts

TransformIndicatorToMSDefenderIOC

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31813

Download

1.16.21 - 7153835 (December 13, 2023)

Integrations

Microsoft Defender for Endpoint

Updated the settings' descriptions.
Updated the Docker image to: demisto/crypto:1.0.0.83343.

Related pull requests:
- 31398

Download

1.16.20 - 7138783 (December 12, 2023)

Playbooks

MDE Malware - Incident Enrichment

Added a command brand specification for !endpoint.

Related pull requests:
- 31399

Download

1.16.19 - 7122577 (December 10, 2023)

Integrations

Microsoft Defender for Endpoint

Updated the Docker image to: demisto/crypto:1.0.0.82826.

Related pull requests:
- 31368

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	September 9, 2020
Last Release	November 20, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.