Microsoft Defender for Endpoint
With the Microsoft Defender for Endpoint Playbook and Service App, you can ingest alerts into ThreatConnect and then automate triage and investigative actions across your security stack. This app provides a powerful set of actions that can be leveraged within a larger security workflow orchestration or even simple automation. Immediate actions can be taken to investigate, stop, and remediate potential threats at the endpoint based on external threat intelligence. The following actions are available:
- Add Machine Tags – Action to add a tag to a machine.
- Advanced Hunting – Action for advance hunting.
- Collect Investigation Package – Action to collect investigation package for a machine. As this action may take time for a result to return, the playbook retry functionality is required for full processing and to return the binary/zip package.
- Delete All Indicators – Action to delete all indicators.
- Delete Indicators – Action to delete identified indicators.
- Get Investigation Package – Action to download an investigation package after Collect Investigation Package has been run.
- Get Alert – Action to retrieve an Alert.
- Get Investigation – Action to get an investigation.
- Get Machine – Action to get information about a machine.
- Get Machine Action – Action to get information about a machine action.
- Get Machine Related Alerts – Action to get a machine’s related alerts.
- Get Machine Logged on Users – Action to get a machine’s logged in users.
- Get Machine Installed Software – Action to get a machine’s installed software.
- Get Machine Discovered Vulnerabilities – Action to a machines discovered vulnerabilities.
- Isolate Machine – Action to isolate a machine.
- List Indicators – Action to list indicators.
- List Machines – Action to list machines.
- Remove Machine Tags – Action to remove a tag from a machine.
- Restrict App Execution – Action to restrict an app from executing.
- Run Antivirus Scan – Action to run an antivirus scan.
- Start Investigation – Action to start an investigation.
- Stop and Quarantine File – Action to stop and quarantine a file.
- Submit Indicators – Action to submit indicators.
- Unisolate Machine – Action to unisolate a machine.
- Unrestrict App Execution – Action to allow an app to execute.
- Update Alert – Action to update an alert.
For more information, including how to choose permissions, please see here.
There is both a Playbook App and Service App for this integration. They can be found in the ThreatConnect App Catalog under the names Microsoft Defender for Endpoint (Playbook), Microsoft Defender for Endpoint Service (Custom Trigger)