Microsoft Defender 1.6.2
- 06 Apr 2025
- 3 Minutes to read
- DarkLight
- PDF
Microsoft Defender 1.6.2
- Updated on 06 Apr 2025
- 3 Minutes to read
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback!
Microsoft Defender - 1.6.2
tags: python | Microsoft Defender ATP | Enrichment
Table of Contents
Description
Integration with Microsoft Defender ATP EDR is created to support CDC users by providing the enrichment consisting of details of host, user, hash, IP, Vulnerability; which enable CDC users to take an informed decision in incident response.
Microsoft Defender ATP is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into IT environments.
We use customized adaptive cards to display host, user, hash, IP, vulnerabilities related information in meaningful intuitive GUI, to facilitate easy understanding of data received from Microsoft Defender ATP.
We have provided CLI commands to enrich basic host information, user information, hash, IP, Vulnerabilities information available on Microsoft Defender ATP. For complex queries - Investigation framework will be used.
| Integration Type: | EPP/ EDR |
| Information read: | Host, User, File, IP, Vulnerability information |
| API Supported: | API V1.0 |
| Input: | Device ID/ Device Name/ IP/ CVE ID/ Hash for enrichment. |
| Output: | Detailed enrichment consisting of host/user/IP/Hash/ Vulnerability information |
Customer Configuration
No Customer Configuration
CDC Command Lines
* **get_indicator_details_cli**
Retrieves indicator details.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| indicator_value | string | Identity of the Indicator entity. | True |
* **block_indicator_cli**
CLI of the CDC to block an indicator entitiy.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| indicator_value | string | Identity of the Indicator entity. | True |
* **get_file_information_cli**
Command line interface of CDC to Retrieve a File by identifier Sha1, or Sha256. Note
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| file_hash | string | Sha1 or Sha256. | True |
* **get_vulnerability_by_id_cli**
Command line interface of CDC for retrieving vulnerability information by its CVE ID.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| cve_id | string | CVE id. | True |
* **get_machine_by_id_cli**
Command line interface of CDC for retrieving specific Machine by its machine ID.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| machine_id | string | Machine id. | True |
* **get_ip_statistics_cli**
Command line interface of CDC for Retrieving the statistics for the given IP. Please Note
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| ip | string | Ip Address. | True |
| lookBackHours | integer | Look Back hours. Maximum Value for Look back hours is 720 Hours(30days). | False |
* **get_user_related_machines_cli**
Command line interface of CDC for retrieving a collection of devices related to a given user ID. The input 'ID' is not the full UPN, but only the user name.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| user_id | string | User id. The ID is not the full UPN, but only the user name. | True |
* **get_machine_by_ip_cli**
Command line interface of CDC for finding Machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp. Please note
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| ip | string | Ip address to get machine details. | True |
| timestamp | string | Timestamp to get Machines within time range. | True |
Workflows
* **post_get_machine_by_ip**
Post get-machine-by-ip in CDC by ID of incident/message/chanel.
* **post_block_indicator**
Post update-indicator in CDC by ID of incident/message/chanel.
* **post_get_machine_by_id**
Post get-machine-by-id in CDC by ID of incident/message/chanel.
* **inject_ms_defender_alert_to_cdc**
Inject MS Defender ATP alert to cdc using cdc async api.
* **post_get_vulnerability_by_id**
Post get-vulnerability-by-id in CDC by ID of incident/message/chanel.
* **post_get_indicator_details**
Post get-indicator-details in CDC by ID of incident/message/chanel.
* **block_indicator**
Block an indicator.
* **post_get_file_information**
Post get-file-information in CDC by ID of incident/message/chanel.
* **automate_alert_closing**
closing MS Defender alerts
* **post_get_user_related_machines**
Post get-user-related-machines in CDC by ID of incident/message/chanel.
* **post_get_ip_statistics**
Post get-ip-statistics in CDC by ID of incident/message/chanel.
Rules
* **cdc_new_alert_from_ms_defender**
Triggers injections of a new alert to CDC workflow when created in Microsoft ATP Defender.
* **close_cdc_alert_in_ms_defender**
Close Alerts in MS Defender
Sensors
* **MsDefenderSensor**
Sensor to pull reported detections from Microsoft Defender ATP.
Poll interval - 30s
Triggers
No triggers
Known Issues
No issues
Was this article helpful?