Microsoft Defender Advanced Threat Protection

Overview


Use the Microsoft Defender Advanced Threat Protection (ATP) integration for preventative protection, post-breach detection, automated investigation, and response.

Microsoft Defender Advanced Threat Protection Playbook


Microsoft Defender Advanced Threat Protection Get Machine Action Status

Use Cases


  1. Fetch incidents.
  2. Managing machines and performing actions on them.
  3. Blocking files and applications.

Configure Microsoft Defender Advanced Threat Protection on Cortex XSOAR


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Microsoft Defender Advanced Threat Protection.
  3. Click Add instance to create and configure a new integration instance.
| **Parameter** | **Description** | **Example** |
| --------- | ----------- | ------- |
| Name | A meaningful name for the integration instance. | XXXXX Instance Alpha |
| Host URL | The URL to the Microsoft Defender Advanced Threat Protection server, including the scheme. | https://api.securitycenter.windows.com |
| ID | The ID used to gain access to the integration. | N/A |
| Token | A piece of data that servers use to verify authenticity. | eea810f5-a6f6 |
| Fetch Incidents | Whether to fetch the incidents or not. | N/A |
| Incident Type | The type of incident to select. | Phishing |
| Status to filter out alerts for fetching as incidents | The property values are "New", "InProgress", or "Resolved". Comma-separated values are supported. | New,Resolved |
| Severity to filter out alerts for fetching as incidents | The property values are "Informational", "Low", "Medium", or "High". Comma-separated values are supported. | Medium,High |
| Trust any Certificate (Not Secure) | When selected, certificates are not checked. | N/A |
| Use system proxy settings | Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. | https://proxyserver.com |
| First Fetch Timestamp | The first timestamp to be fetched, in "number, time unit" format. | 12 hours, 7 days |
  4. Click Test to validate the URLs, token, and connection.
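The three fetch parameters above (status list, severity list, first-fetch window) decide which alerts become incidents. The following is an added example, not code from the integration, that models that selection on alert records shaped like the list-alerts output on this page; the sample alerts and the clock value are constructed.

```python
# Added example (not part of the integration): how the instance parameters
# "Status to filter out alerts", "Severity to filter out alerts" and
# "First Fetch Timestamp" narrow which alerts become incidents.
import re
from datetime import datetime, timedelta, timezone

VALID_STATUSES = {"New", "InProgress", "Resolved"}
VALID_SEVERITIES = {"Informational", "Low", "Medium", "High"}
_UNIT_TO_KWARG = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}


def parse_first_fetch(value, now):
    """Turn a '<number> <unit>' value such as '12 hours' or '7 days' into a UTC cutoff."""
    m = re.fullmatch(r"\s*(\d+)\s+(minute|hour|day|week)s?\s*", value)
    if not m:
        raise ValueError(f"unsupported First Fetch Timestamp: {value!r}")
    return now - timedelta(**{_UNIT_TO_KWARG[m.group(2)]: int(m.group(1))})


def parse_csv_param(value, allowed, name):
    """Split a comma-separated parameter; an empty value means 'do not filter'.
    Values the API does not know are rejected rather than silently matching nothing."""
    if not value or not value.strip():
        return set(allowed)
    chosen = {v.strip() for v in value.split(",") if v.strip()}
    unknown = chosen - allowed
    if unknown:
        raise ValueError(f"{name}: unknown value(s) {sorted(unknown)}")
    return chosen


def parse_api_time(s):
    """Parse API timestamps like 2020-03-22T15:44:23.5446957Z. They carry seven
    fractional digits, more than strptime's %f accepts, so the fraction is
    truncated to microseconds by hand."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", s)
    if not m:
        raise ValueError(f"unexpected timestamp: {s!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def select_alerts(alerts, status_param, severity_param, first_fetch, now):
    """Return the alerts a fetch would turn into incidents under these parameters."""
    statuses = parse_csv_param(status_param, VALID_STATUSES, "status")
    severities = parse_csv_param(severity_param, VALID_SEVERITIES, "severity")
    cutoff = parse_first_fetch(first_fetch, now)
    return [
        a for a in alerts
        if a["status"] in statuses
        and a["severity"] in severities
        and parse_api_time(a["alertCreationTime"]) >= cutoff
    ]


# Constructed sample alerts, trimmed from the list-alerts context example on this page.
SAMPLE_ALERTS = [
    {"id": "da637200417169017725_183736971", "severity": "Low",
     "status": "InProgress", "alertCreationTime": "2020-03-17T11:35:16.8861429Z"},
    {"id": "da637204886635759335_1480542752", "severity": "Low",
     "status": "New", "alertCreationTime": "2020-03-22T15:44:23.5446957Z"},
]
# Constructed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2020, 3, 23, 12, 0, tzinfo=timezone.utc)


def demo():
    """IDs selected with status 'New,InProgress', severity 'Low' and first fetch '7 days'."""
    hits = select_alerts(SAMPLE_ALERTS, "New,InProgress", "Low", "7 days", SAMPLE_NOW)
    return [a["id"] for a in hits]


if __name__ == "__main__":
    print(demo())
```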

Fetched Incidents Data

  1. id
  2. incidentId
  3. investigationId
  4. assignedTo
  5. severity
  6. status
  7. classification
  8. determination
  9. investigationState
  10. detectionSource
  11. category
  12. threatFamilyName
  13. title
  14. description
  15. alertCreationTime
  16. firstEventTime
  17. lastEventTime
  18. lastUpdateTime
  19. resolvedTime
  20. machineId
  21. computerDnsName
  22. aadTenantId
  23. relatedUser
  24. comments
  25. evidence

Commands


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. microsoft-atp-isolate-machine
  2. microsoft-atp-unisolate-machine
  3. microsoft-atp-get-machines
  4. microsoft-atp-get-file-related-machines
  5. microsoft-atp-get-machine-details
  6. microsoft-atp-run-antivirus-scan
  7. microsoft-atp-list-alerts
  8. microsoft-atp-update-alert
  9. microsoft-atp-advanced-hunting
  10. microsoft-atp-create-alert
  11. microsoft-atp-get-alert-related-user
  12. microsoft-atp-get-alert-related-files
  13. microsoft-atp-get-alert-related-ips
  14. microsoft-atp-get-alert-related-domains
  15. microsoft-atp-list-machine-actions-details
  16. microsoft-atp-collect-investigation-package
  17. microsoft-atp-get-investigation-package-sas-uri
  18. microsoft-atp-restrict-app-execution
  19. microsoft-atp-remove-app-restriction
  20. microsoft-atp-stop-and-quarantine-file
  21. microsoft-atp-list-investigations
  22. microsoft-atp-start-investigation
  23. microsoft-atp-get-domain-statistics
  24. microsoft-atp-get-domain-alerts
  25. microsoft-atp-get-domain-machines
  26. microsoft-atp-get-file-statistics
  27. microsoft-atp-get-file-alerts
  28. microsoft-atp-get-ip-statistics
  29. microsoft-atp-get-ip-alerts
  30. microsoft-atp-get-user-alerts
  31. microsoft-atp-get-user-machines
  32. microsoft-atp-add-remove-machine-tag

1. microsoft-atp-isolate-machine


Isolates a machine from accessing the external network.

Required Permissions

Machine.Isolate

Base Command

microsoft-atp-isolate-machine

Input

| **Argument Name** | **Description** | **Required** |
| --------- | ----------- | ------- |
| machine_id | The machine ID to be used for isolation. For example, "0a3250e0693a109f1affc9217be9459028aa8426". | Required |
| comment | The comment to associate with the action. | Required |
| isolation_type | Whether to fully isolate or selectively isolate. Selective isolation only restricts a set of applications from accessing the network. | Required |

Context Output

| **Path** | **Type** | **Description** |
| --------- | ----------- | ------- |
| MicrosoftATP.MachineAction.ID | String | The machine action ID. |
| MicrosoftATP.MachineAction.Type | String | The type of the machine action. |
| MicrosoftATP.MachineAction.Scope | Unknown | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The machine ID on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The machine DNS name on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Can be "SHA1", "SHA256", or "MD5". |

Command Example

```
!microsoft-atp-isolate-machine machine_id=a70f9fe6b29cd9511652434919c6530618f06606 comment="test isolate machine" isolation_type=Selective
```

Context Example

```json
{
  "MicrosoftATP.MachineAction": {
    "Status": "Pending",
    "CreationDateTimeUtc": "2020-03-23T10:07:48.6818309Z",
    "MachineID": "a70f9fe6b29cd9511652434919c6530618f06606",
    "LastUpdateTimeUtc": null,
    "ComputerDNSName": null,
    "Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
    "RelatedFileInfo": {
      "FileIdentifier": null,
      "FileIdentifierType": null
    },
    "Scope": null,
    "Type": "Isolate",
    "ID": "70ab787a-0719-4493-b98d-2535c8fe6817",
    "RequestorComment": "test isolate machine"
  }
}
```

Human Readable Output

The isolation request has been submitted successfully:

| **ID** | **Type** | **Requestor** | **RequestorComment** | **Status** | **MachineID** |
| --------- | ----------- | ------- | ------- | ------- | ------- |
| 70ab787a-0719-4493-b98d-2535c8fe6817 | Isolate | 2f48b784-5da5-4e61-9957-012d2630f1e4 | test isolate machine | Pending | a70f9fe6b29cd9511652434919c6530618f06606 |

2. microsoft-atp-unisolate-machine


Removes a machine from isolation.

Required Permissions

Machine.Isolate

Base Command

microsoft-atp-unisolate-machine

Input

| **Argument Name** | **Description** | **Required** |
| --------- | ----------- | ------- |
| machine_id | The machine ID to be used to stop the isolation. For example, "0a3250e0693a109f1affc9217be9459028aa8426". | Required |
| comment | The comment to associate with the action. | Required |

Context Output

| **Path** | **Type** | **Description** |
| --------- | ----------- | ------- |
| MicrosoftATP.MachineAction.ID | String | The action ID of the machine. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | Unknown | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The machine ID on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The machine DNS name on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Can be "SHA1", "SHA256", or "MD5". |

Command Example

```
!microsoft-atp-unisolate-machine machine_id=f70f9fe6b29cd9511652434919c6530618f06606 comment="test unisolate machine"
```

Context Example

```json
{
  "MicrosoftATP.MachineAction": {
    "Status": "Pending",
    "CreationDateTimeUtc": "2020-03-23T10:07:50.7692907Z",
    "MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
    "LastUpdateTimeUtc": null,
    "ComputerDNSName": null,
    "Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
    "RelatedFileInfo": {
      "FileIdentifier": null,
      "FileIdentifierType": null
    },
    "Scope": null,
    "Type": "Unisolate",
    "ID": "3d30f7c9-e41c-4839-a678-f528a201778c",
    "RequestorComment": "test unisolate machine"
  }
}
```

Human Readable Output

The request to stop the isolation has been submitted successfully:

| **ID** | **Type** | **Requestor** | **RequestorComment** | **Status** | **MachineID** |
| --------- | ----------- | ------- | ------- | ------- | ------- |
| 3d30f7c9-e41c-4839-a678-f528a201778c | Unisolate | 2f48b784-5da5-4e61-9957-012d2630f1e4 | test unisolate machine | Pending | f70f9fe6b29cd9511652434919c6530618f06606 |

3. microsoft-atp-get-machines


Retrieves a collection of machines that have communicated with the WDATP cloud within the last 30 days.

Base Command

microsoft-atp-get-machines

Input

| **Argument Name** | **Description** | **Required** |
| --------- | ----------- | ------- |
| hostname | The DNS name of the computer. | Optional |
| ip | The last machine IP address to access the internet. | Optional |
| risk_score | The risk score of the machine. | Optional |
| health_status | The health status of the machine. | Optional |
| os_platform | The machine's OS platform. Only a single platform can be added. | Optional |

Context Output

| **Path** | **Type** | **Description** |
| --------- | ----------- | ------- |
| MicrosoftATP.Machine.ID | String | The ID of the machine. |
| MicrosoftATP.Machine.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.Machine.FirstSeen | Date | The first date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.LastSeen | Date | The last date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.OSPlatform | String | The operating system platform. |
| MicrosoftATP.Machine.OSVersion | String | The operating system version. |
| MicrosoftATP.Machine.OSProcessor | String | The operating system processor. |
| MicrosoftATP.Machine.LastIPAddress | String | The last IP address on the machine. |
| MicrosoftATP.Machine.LastExternalIPAddress | String | The last machine IP address to access the internet. |
| MicrosoftATP.Machine.OSBuild | Number | The operating system build number. |
| MicrosoftATP.Machine.HealthStatus | String | The health status of the machine. |
| MicrosoftATP.Machine.RBACGroupID | Number | The RBAC group ID of the machine. |
| MicrosoftATP.Machine.RBACGroupName | String | The RBAC group name of the machine. |
| MicrosoftATP.Machine.RiskScore | String | The risk score of the machine. |
| MicrosoftATP.Machine.ExposureLevel | String | The exposure level of the machine. |
| MicrosoftATP.Machine.IsAADJoined | Boolean | Whether the machine is AAD joined. |
| MicrosoftATP.Machine.AADDeviceID | String | The AAD device ID. |
| MicrosoftATP.Machine.MachineTags | String | The set of machine tags. |

Command Example

```
!microsoft-atp-get-machines health_status=Active risk_score=Medium
```

Context Example

```json
{
  "MicrosoftATP.Machine": [
    {
      "OSBuild": 18363,
      "ExposureLevel": "Medium",
      "OSPlatform": "Windows10",
      "MachineTags": [
        "test add tag",
        "testing123"
      ],
      "ComputerDNSName": "desktop-s2455r9",
      "RBACGroupID": 0,
      "OSProcessor": "x64",
      "HealthStatus": "Active",
      "AgentVersion": "10.6940.18362.693",
      "LastExternalIPAddress": "81.166.99.236",
      "LastIPAddress": "192.168.1.73",
      "OSVersion": "1909",
      "RiskScore": "Medium",
      "ID": "f70f9fe6b29cd9511652434919c6530618f06606",
      "FirstSeen": "2020-02-20T14:44:11.4627779Z",
      "LastSeen": "2020-03-23T07:55:50.9986715Z"
    },
    {
      "OSBuild": 14393,
      "ExposureLevel": "Medium",
      "OSPlatform": "WindowsServer2016",
      "ComputerDNSName": "ec2amaz-ua9hieu",
      "RBACGroupID": 0,
      "OSProcessor": "x64",
      "HealthStatus": "Active",
      "AgentVersion": "10.3720.16299.2010",
      "LastExternalIPAddress": "51.29.51.184",
      "LastIPAddress": "175.31.7.116",
      "RiskScore": "Medium",
      "ID": "f3bba49af4d3bacedc62ca0fe580a4d5925af8aa",
      "FirstSeen": "2020-01-26T14:02:55.1863281Z",
      "LastSeen": "2020-03-22T20:18:54.9792497Z"
    }
  ]
}
```

Human Readable Output

Microsoft Defender ATP Machines:

| **ID** | **ComputerDNSName** | **OSPlatform** | **LastIPAddress** | **LastExternalIPAddress** | **HealthStatus** | **RiskScore** | **ExposureLevel** |
| --------- | ----------- | ------- | ------- | ------- | ------- | ------- | ------- |
| f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | Windows10 | 192.168.1.73 | 81.166.99.236 | Active | Medium | Medium |
| f3bba49af4d3bacedc62ca0fe580a4d5925af8aa | ec2amaz-ua9hieu | WindowsServer2016 | 175.31.7.116 | 51.29.51.184 | Active | Medium | Medium |

4. microsoft-atp-get-file-related-machines


Gets a collection of machines related to a given file's SHA1 hash.

Base Command

microsoft-atp-get-file-related-machines

Input

| **Argument Name** | **Description** | **Required** |
| --------- | ----------- | ------- |
| file_hash | The file's SHA1 hash to get the related machines. | Required |

Context Output

| **Path** | **Type** | **Description** |
| --------- | ----------- | ------- |
| MicrosoftATP.FileMachine.Machines.ID | String | The ID of the machine. |
| MicrosoftATP.FileMachine.Machines.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.FileMachine.Machines.FirstSeen | Date | The first date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.FileMachine.Machines.LastSeen | Date | The last date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.FileMachine.Machines.OSPlatform | String | The operating system platform. |
| MicrosoftATP.FileMachine.Machines.OSVersion | String | The operating system version. |
| MicrosoftATP.FileMachine.Machines.OSProcessor | String | The operating system processor. |
| MicrosoftATP.FileMachine.Machines.OSBuild | Number | The operating system build number. |
| MicrosoftATP.FileMachine.Machines.LastIPAddress | String | The last IP address on the machine. |
| MicrosoftATP.FileMachine.Machines.LastExternalIPAddress | String | The last machine IP address to access the internet. |
| MicrosoftATP.FileMachine.Machines.HealthStatus | String | The health status of the machine. |
| MicrosoftATP.FileMachine.Machines.RBACGroupID | Number | The RBAC group ID of the machine. |
| MicrosoftATP.FileMachine.Machines.RBACGroupName | String | The RBAC group name of the machine. |
| MicrosoftATP.FileMachine.Machines.RiskScore | String | The risk score of the machine. |
| MicrosoftATP.FileMachine.Machines.ExposureLevel | String | The exposure level of the machine. |
| MicrosoftATP.FileMachine.Machines.IsAADJoined | Boolean | Whether the machine is AAD joined. |
| MicrosoftATP.FileMachine.Machines.AADDeviceID | String | The AAD device ID. |
| MicrosoftATP.FileMachine.Machines.MachineTags | String | The set of machine tags. |
| MicrosoftATP.FileMachine.File | String | The file hash the machines are related to. |

Command Example

```
!microsoft-atp-get-file-related-machines file_hash=36c5d12033b2eaf251bae61c00690ffb17fddc87
```

Context Example

```json
{
  "MicrosoftATP.FileMachine": {
    "Machines": [
      {
        "OSBuild": 18363,
        "ExposureLevel": "Medium",
        "OSPlatform": "Windows10",
        "MachineTags": [
          "test Tag 2",
          "test Tag 5"
        ],
        "AADDeviceID": "cfcf4177-227e-4cdb-ac8e-f9a3da1ca30c",
        "ComputerDNSName": "desktop-s2455r8",
        "RBACGroupID": 0,
        "OSProcessor": "x64",
        "HealthStatus": "Active",
        "AgentVersion": "10.6940.18362.693",
        "LastExternalIPAddress": "81.166.99.236",
        "LastIPAddress": "192.168.1.73",
        "OSVersion": "1909",
        "RiskScore": "High",
        "ID": "4899036531e374137f63289c3267bad772c13fef",
        "FirstSeen": "2020-02-17T08:30:07.2415577Z",
        "LastSeen": "2020-03-23T08:10:41.473428Z"
      },
      {
        "OSBuild": 18363,
        "ExposureLevel": "Medium",
        "OSPlatform": "Windows10",
        "MachineTags": [
          "test add tag",
          "testing123"
        ],
        "ComputerDNSName": "desktop-s2455r9",
        "RBACGroupID": 0,
        "OSProcessor": "x64",
        "HealthStatus": "Active",
        "AgentVersion": "10.6940.18362.693",
        "LastExternalIPAddress": "81.166.99.236",
        "LastIPAddress": "192.168.1.73",
        "OSVersion": "1909",
        "RiskScore": "Medium",
        "ID": "f70f9fe6b29cd9511652434919c6530618f06606",
        "FirstSeen": "2020-02-20T14:44:11.4627779Z",
        "LastSeen": "2020-03-23T07:55:50.9986715Z"
      }
    ],
    "File": "36c5d12033b2eaf251bae61c00690ffb17fddc87"
  }
}
```

Human Readable Output

Microsoft Defender ATP machines related to file 36c5d12033b2eaf251bae61c00690ffb17fddc87

| **ID** | **ComputerDNSName** | **OSPlatform** | **LastIPAddress** | **LastExternalIPAddress** | **HealthStatus** | **RiskScore** | **ExposureLevel** |
| --------- | ----------- | ------- | ------- | ------- | ------- | ------- | ------- |
| 4899036531e374137f63289c3267bad772c13fef | desktop-s2455r8 | Windows10 | 192.168.1.71 | 81.166.99.236 | Active | High | Medium |
| f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | Windows10 | 192.168.1.73 | 81.166.99.236 | Active | Medium | Medium |

5. microsoft-atp-get-machine-details


Gets a machine's details by its identity.

Base Command

microsoft-atp-get-machine-details

Input

| **Argument Name** | **Description** | **Required** |
| --------- | ----------- | ------- |
| machine_id | The machine ID to be used to get the machine details. For example, "0a3250e0693a109f1affc9217be9459028aa8426". | Required |

Context Output

| **Path** | **Type** | **Description** |
| --------- | ----------- | ------- |
| MicrosoftATP.Machine.ID | String | The ID of the machine. |
| MicrosoftATP.Machine.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.Machine.FirstSeen | Date | The first date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.LastSeen | Date | The last date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.OSPlatform | String | The operating system platform. |
| MicrosoftATP.Machine.OSVersion | String | The operating system version. |
| MicrosoftATP.Machine.OSProcessor | String | The operating system processor. |
| MicrosoftATP.Machine.LastIPAddress | String | The last IP address on the machine. |
| MicrosoftATP.Machine.LastExternalIPAddress | String | The last machine IP address to access the internet. |
| MicrosoftATP.Machine.OSBuild | Number | The operating system build number. |
| MicrosoftATP.Machine.HealthStatus | String | The health status of the machine. |
| MicrosoftATP.Machine.RBACGroupID | Number | The RBAC group ID of the machine. |
| MicrosoftATP.Machine.RBACGroupName | String | The RBAC group name of the machine. |
| MicrosoftATP.Machine.RiskScore | String | The risk score of the machine. |
| MicrosoftATP.Machine.ExposureLevel | String | The exposure level of the machine. |
| MicrosoftATP.Machine.IsAADJoined | Boolean | Whether the machine is AAD joined. |
| MicrosoftATP.Machine.AADDeviceID | String | The AAD device ID. |
| MicrosoftATP.Machine.MachineTags | String | The set of machine tags. |

Command Example

```
!microsoft-atp-get-machine-details machine_id=f70f9fe6b29cd9511652434919c6530618f06606
```

Context Example

```json
{
  "MicrosoftATP.Machine": {
    "OSBuild": 18363,
    "ExposureLevel": "Medium",
    "OSPlatform": "Windows10",
    "MachineTags": [
      "test add tag",
      "testing123"
    ],
    "ComputerDNSName": "desktop-s2455r9",
    "RBACGroupID": 0,
    "OSProcessor": "x64",
    "HealthStatus": "Active",
    "AgentVersion": "10.6940.18362.693",
    "LastExternalIPAddress": "81.166.99.236",
    "LastIPAddress": "192.168.1.73",
    "OSVersion": "1909",
    "RiskScore": "Medium",
    "ID": "f70f9fe6b29cd9511652434919c6530618f06606",
    "FirstSeen": "2020-02-20T14:44:11.4627779Z",
    "LastSeen": "2020-03-23T07:55:50.9986715Z"
  }
}
```

Human Readable Output

Microsoft Defender ATP machine f70f9fe6b29cd9511652434919c6530618f06606 details:

| **ID** | **ComputerDNSName** | **OSPlatform** | **LastIPAddress** | **LastExternalIPAddress** | **HealthStatus** | **RiskScore** | **ExposureLevel** |
| --------- | ----------- | ------- | ------- | ------- | ------- | ------- | ------- |
| f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | Windows10 | 192.168.1.73 | 81.166.99.236 | Active | Medium | Medium |

6. microsoft-atp-run-antivirus-scan


Initiates a Microsoft Defender Antivirus scan on a machine.

Required Permissions

Machine.Scan

Base Command

microsoft-atp-run-antivirus-scan

Input

| **Argument Name** | **Description** | **Required** |
| --------- | ----------- | ------- |
| machine_id | The machine ID to run the scan on. | Required |
| comment | The comment to associate with the action. | Required |
| scan_type | Defines the type of the scan. | Required |

Context Output

| **Path** | **Type** | **Description** |
| --------- | ----------- | ------- |
| MicrosoftATP.MachineAction.ID | String | The action ID of the machine. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | Unknown | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the command. |
| MicrosoftATP.MachineAction.MachineID | String | The machine ID the action was executed on. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The machine DNS name the action was executed on. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Can be "SHA1", "SHA256", or "MD5". |

Command Example

```
!microsoft-atp-run-antivirus-scan machine_id=f70f9fe6b29cd9511652434919c6530618f06606 comment="testing anti virus" scan_type=Quick
```

Context Example

```json
{
  "MicrosoftATP.MachineAction": {
    "Status": "Pending",
    "CreationDateTimeUtc": "2020-03-23T10:07:54.3942786Z",
    "MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
    "LastUpdateTimeUtc": null,
    "ComputerDNSName": null,
    "Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
    "RelatedFileInfo": {
      "FileIdentifier": null,
      "FileIdentifierType": null
    },
    "Scope": null,
    "Type": "RunAntiVirusScan",
    "ID": "55680be3-162c-49d1-a4d6-37f9dc47e9d8",
    "RequestorComment": "testing anti virus"
  }
}
```

Human Readable Output

Antivirus scan successfully triggered

| **ID** | **Type** | **Requestor** | **RequestorComment** | **Status** | **MachineID** |
| --------- | ----------- | ------- | ------- | ------- | ------- |
| 55680be3-162c-49d1-a4d6-37f9dc47e9d8 | RunAntiVirusScan | 2f48b784-5da5-4e61-9957-012d2630f1e4 | testing anti virus | Pending | f70f9fe6b29cd9511652434919c6530618f06606 |

7. microsoft-atp-list-alerts


Gets a list of alerts that are present on the system. Filtering can be done on a single argument only.

Base Command

microsoft-atp-list-alerts

Input

| **Argument Name** | **Description** | **Required** |
| --------- | ----------- | ------- |
| severity | The alert's severity. | Optional |
| status | The alert's status. | Optional |
| category | The alert's category. Only one can be added. | Optional |

Context Output

| **Path** | **Type** | **Description** |
| --------- | ----------- | ------- |
| MicrosoftATP.Alert.ID | String | The ID of the alert. |
| MicrosoftATP.Alert.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.Alert.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.Alert.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.Alert.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.Alert.Severity | String | The severity of the alert. |
| MicrosoftATP.Alert.Status | String | The current status of the alert. |
| MicrosoftATP.Alert.Classification | String | The classification of the alert. |
| MicrosoftATP.Alert.Determination | String | The determination of the alert. |
| MicrosoftATP.Alert.DetectionSource | String | The detection source. |
| MicrosoftATP.Alert.Category | String | The category of the alert. |
| MicrosoftATP.Alert.ThreatFamilyName | String | The threat family of the alert. |
| MicrosoftATP.Alert.Title | String | The title of the alert. |
| MicrosoftATP.Alert.Description | String | The description of the alert. |
| MicrosoftATP.Alert.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.Alert.FirstEventTime | Date | The first event time that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastEventTime | Date | The last event time that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastUpdateTime | Date | The date and time the alert was last updated. |
| MicrosoftATP.Alert.ResolvedTime | Date | The date and time in which the status of the alert was changed to "Resolved". |
| MicrosoftATP.Alert.MachineID | String | The ID of the machine that is associated with the alert. |
| MicrosoftATP.Alert.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.Alert.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.Alert.Comments.Comment | String | The alert comment string. |
| MicrosoftATP.Alert.Comments.CreatedBy | String | The creator of the alert comment. |
| MicrosoftATP.Alert.Comments.CreatedTime | Date | The time and date the alert comment was created. |

Command Example

```
!microsoft-atp-list-alerts severity=Low
```

Context Example

```json
{
  "MicrosoftATP.Alert": [
    {
      "Category": "Backdoor",
      "ThreatFamilyName": null,
      "Severity": "Low",
      "LastEventTime": "2020-02-19T10:31:22.7894742Z",
      "FirstEventTime": "2020-02-19T10:31:22.7894742Z",
      "Comments": [
        {
          "Comment": null,
          "CreatedTime": null,
          "CreatedBy": null
        }
      ],
      "AADTenantID": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
      "AlertCreationTime": "2020-03-17T11:35:16.8861429Z",
      "Status": "InProgress",
      "Description": "testing",
      "InvestigationState": "PendingApproval",
      "MachineID": "4899036531e374137f63289c3267bad772c13fef",
      "Title": "testing",
      "InvestigationID": 10,
      "Determination": null,
      "IncidentID": 14,
      "AssignedTo": "Automation",
      "DetectionSource": "CustomerTI",
      "ResolvedTime": null,
      "ID": "da637200417169017725_183736971",
      "LastUpdateTime": "2020-03-23T10:00:16.8633333Z",
      "Classification": null,
      "ComputerDNSName": "desktop-s2455r8",
      "Evidence": []
    },
    {
      "Category": "Backdoor",
      "ThreatFamilyName": null,
      "Severity": "Low",
      "LastEventTime": "2020-02-23T07:22:07.1532018Z",
      "FirstEventTime": "2020-02-23T07:22:07.1532018Z",
      "Comments": [
        {
          "Comment": null,
          "CreatedTime": null,
          "CreatedBy": null
        }
      ],
      "AADTenantID": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
      "AlertCreationTime": "2020-03-22T15:44:23.5446957Z",
      "Status": "New",
      "Description": "test",
      "InvestigationState": "PendingApproval",
      "MachineID": "4899036531e374137f63289c3267bad772c13fef",
      "Title": "testing alert",
      "InvestigationID": 10,
      "Determination": null,
      "IncidentID": 18,
      "AssignedTo": null,
      "DetectionSource": "CustomerTI",
      "ResolvedTime": null,
      "ID": "da637204886635759335_1480542752",
      "LastUpdateTime": "2020-03-22T15:44:24.6533333Z",
      "Classification": null,
      "ComputerDNSName": "desktop-s2455r8",
      "Evidence": []
    }
  ]
}
```

Human Readable Output

Microsoft Defender ATP alerts:

| **ID** | **Title** | **Description** | **IncidentID** | **Severity** | **Status** | **Category** | **MachineID** |
| --------- | ----------- | ------- | ------- | ------- | ------- | ------- | ------- |
| da637200417169017725_183736971 | testing | testing | 14 | Low | InProgress | Backdoor | 4899036531e374137f63289c3267bad772c13fef |
| da637204886635759335_1480542752 | testing alert | test | 18 | Low | New | Backdoor | 4899036531e374137f63289c3267bad772c13fef |

8. microsoft-atp-update-alert


Updates the properties of an alert entity.

Base Command

microsoft-atp-update-alert

Input

| **Argument Name** | **Description** | **Required** |
| --------- | ----------- | ------- |
| alert_id | The alert ID to update. | Required |
| status | The alert status to update. | Optional |
| assigned_to | The owner of the alert. | Optional |
| classification | Specifies the classification of the alert. | Optional |
| determination | Specifies the determination of the alert. | Optional |
| comment | The comment to be added to the alert. | Optional |

Context Output

| **Path** | **Type** | **Description** |
| --------- | ----------- | ------- |
| MicrosoftATP.Alert.ID | String | The ID of the alert. |
| MicrosoftATP.Alert.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.Alert.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.Alert.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.Alert.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.Alert.Severity | String | The severity of the alert. |
| MicrosoftATP.Alert.Status | String | The current status of the alert. |
| MicrosoftATP.Alert.Classification | String | The alert classification. |
| MicrosoftATP.Alert.Determination | String | The determination of the alert. |
| MicrosoftATP.Alert.DetectionSource | String | The detection source. |
| MicrosoftATP.Alert.Category | String | The category of the alert. |
| MicrosoftATP.Alert.ThreatFamilyName | String | The threat family of the alert. |
| MicrosoftATP.Alert.Title | String | The title of the alert. |
| MicrosoftATP.Alert.Description | String | The description of the alert. |
| MicrosoftATP.Alert.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.Alert.FirstEventTime | Date | The first event time that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastEventTime | Date | The last event time that triggered the alert on that machine. |
| MicrosoftATP.Alert.LastUpdateTime | Date | The date and time the alert was last updated. |
| MicrosoftATP.Alert.ResolvedTime | Date | The date and time in which the status of the alert was changed to "Resolved". |
| MicrosoftATP.Alert.MachineID | String | The ID of the machine that is associated with the alert. |
| MicrosoftATP.Alert.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.Alert.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.Alert.Comments.Comment | String | The comment string of the alert. |
| MicrosoftATP.Alert.Comments.CreatedBy | String | The creator of the alert's comment. |
| MicrosoftATP.Alert.Comments.CreatedTime | Date | The time and date the alert's comment was created. |

Command Example

```
!microsoft-atp-update-alert alert_id=da637200417169017725_183736971 status=InProgress
```

Context Example

```json
{
  "MicrosoftATP.Alert": {
    "Status": "InProgress",
    "ID": "da637200417169017725_183736971"
  }
}
```

Human Readable Output

The alert da637200417169017725_183736971 has been updated successfully

9. microsoft-atp-advanced-hunting


Runs programmatic queries in the Microsoft Defender ATP Portal (https://securitycenter.windows.com/hunting). You can only run a query on data from the last 30 days. The maximum number of rows is 10,000. Execution is limited to 15 calls per minute, 15 minutes of running time every hour, and 4 hours of running time a day.

Base Command

microsoft-atp-advanced-hunting

Input

| **Argument Name** | **Description** | **Required** |
| --------- | ----------- | ------- |
| query | The query to run. | Required |

Context Output

| **Path** | **Type** | **Description** |
| --------- | ----------- | ------- |
| MicrosoftATP.Hunt.Result | String | The query results. |

Command Example

```
!microsoft-atp-advanced-hunting query="LogonEvents | take 1 | project MachineId, ReportId, tostring(EventTime)"
```

Context Example

```json
{
  "MicrosoftATP.Hunt.Result": [
    {
      "MachineId": "4899036531e374137f63289c3267bad772c13fef",
      "EventTime": "2020-02-23T07:14:42.1599815Z",
      "ReportId": "35275"
    }
  ]
}
```

Human Readable Output

Hunt results

| **EventTime** | **MachineId** | **ReportId** |
| --------- | ----------- | ------- |
| 2020-02-23T07:14:42.1599815Z | 4899036531e374137f63289c3267bad772c13fef | 35275 |
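The advanced-hunting description above states hard quotas (15 calls per minute, 15 minutes of running time per hour, 4 hours per day, 30 days of data). A playbook that loops over hunting queries will hit them unless it budgets for them. The following is an added example, not code from the integration, of a client-side guard for those quotas; it assumes the quotas behave as sliding windows, which the page does not specify, and the timeline it simulates is constructed.

```python
# Added example (not part of the integration): a client-side guard that refuses
# to issue a hunting query when it would exceed the quotas the page states.
# Assumption: the quotas are treated as sliding windows over recent activity.
from collections import deque
from datetime import datetime, timedelta, timezone

CALLS_PER_MINUTE = 15
RUNTIME_PER_HOUR = timedelta(minutes=15)
RUNTIME_PER_DAY = timedelta(hours=4)
LOOKBACK = timedelta(days=30)


class HuntingQuota:
    def __init__(self):
        self._calls = deque()   # start times of issued queries
        self._runs = deque()    # (finish time, duration) of completed queries

    def _prune(self, now):
        """Drop records that no longer fall inside any window we check."""
        while self._calls and now - self._calls[0] >= timedelta(minutes=1):
            self._calls.popleft()
        while self._runs and now - self._runs[0][0] >= timedelta(days=1):
            self._runs.popleft()

    def _runtime_since(self, now, window):
        return sum((d for t, d in self._runs if now - t < window), timedelta())

    def check(self, now, earliest_event):
        """Return None if a query that needs data back to `earliest_event`
        may start at `now`, otherwise the reason it is refused."""
        self._prune(now)
        if earliest_event < now - LOOKBACK:
            return "query reaches back beyond the 30-day data retention"
        if len(self._calls) >= CALLS_PER_MINUTE:
            return "15 calls in the last minute"
        if self._runtime_since(now, timedelta(hours=1)) >= RUNTIME_PER_HOUR:
            return "15 minutes of running time in the last hour"
        if self._runtime_since(now, timedelta(days=1)) >= RUNTIME_PER_DAY:
            return "4 hours of running time in the last day"
        return None

    def record(self, started, finished):
        """Book a query that ran from `started` to `finished`."""
        self._calls.append(started)
        self._runs.append((finished, finished - started))


# Constructed reference instant for the simulated timeline.
SAMPLE_T0 = datetime(2020, 3, 23, 10, 0, tzinfo=timezone.utc)


def t_plus(seconds):
    return SAMPLE_T0 + timedelta(seconds=seconds)


def simulate():
    """Scripted scenario: 15 one-second queries starting at t0, a 16th attempt
    refused 30 s in, and allowed again once the first call leaves the window."""
    q = HuntingQuota()
    decisions = []
    for i in range(15):
        decisions.append(q.check(t_plus(i), t_plus(i)))
        q.record(t_plus(i), t_plus(i + 1))
    decisions.append(q.check(t_plus(30), t_plus(30)))
    decisions.append(q.check(t_plus(60), t_plus(60)))
    return decisions


if __name__ == "__main__":
    for d in simulate():
        print(d or "allowed")
```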

10. microsoft-atp-create-alert


Creates a new alert entity using event data, as obtained from Advanced Hunting.

Base Command

microsoft-atp-create-alert

Input
Argument NameDescriptionRequired
machine_idThe ID of the machine on which the event was identified.Required
severityThe severity of the alert.Required
titleThe title of the alert.Required
descriptionThe description of the alert.Required
recommended_actionThe action that is recommended to be taken by the security officer when analyzing the alert.Required
event_timeThe time of the event, as obtained from the advanced query.Required
report_idThe reportId, as obtained from the advanced query.Required
categoryThe category of the alert.Required
Context Output
PathTypeDescription
MicrosoftATP.Alert.IDStringThe ID of the alert.
MicrosoftATP.Alert.IncidentIDNumberThe incident ID of the alert.
MicrosoftATP.Alert.InvestigationIDNumberThe investigation ID related to the alert.
MicrosoftATP.Alert.InvestigationStateStringThe current state of the investigation.
MicrosoftATP.Alert.AssignedToStringThe owner of the alert.
MicrosoftATP.Alert.SeverityStringThe severity of the alert.
MicrosoftATP.Alert.StatusStringThe current status of the alert.
MicrosoftATP.Alert.ClassificationStringThe classification of the alert.
MicrosoftATP.Alert.DeterminationStringThe determination of the alert.
MicrosoftATP.Alert.DetectionSourceStringThe detection source.
MicrosoftATP.Alert.CategoryStringThe category of the alert.
MicrosoftATP.Alert.ThreatFamilyNameStringThe threat family of the alert.
MicrosoftATP.Alert.TitleStringThe title of the alert.
MicrosoftATP.Alert.DescriptionStringThe description of the alert.
MicrosoftATP.Alert.AlertCreationTimeDateThe date and time the alert was created.
MicrosoftATP.Alert.FirstEventTimeDateThe first event time that triggered the alert on that machine.
MicrosoftATP.Alert.LastEventTimeDateThe last event time that triggered the alert on that machine.
MicrosoftATP.Alert.LastUpdateTimeDateThe first event time that triggered the alert on that machine.
MicrosoftATP.Alert.ResolvedTimeDateThe date and time in which the status of the alert was changed to "Resolved".
MicrosoftATP.Alert.MachineIDStringThe machine ID that is associated with the alert.
MicrosoftATP.Alert.ComputerDNSNameStringThe DNS name of the machine.
MicrosoftATP.Alert.AADTenantIDStringThe AAD tenant ID.
MicrosoftATP.Alert.Comments.CommentStringThe comment string of the alert.
MicrosoftATP.Alert.Comments.CreatedByStringThe alert's comment created by the string.
MicrosoftATP.Alert.Comments.CreatedTimeDateThe time and date the alert comment was created.
Command Example

!microsoft-atp-create-alert category=Backdoor description="test" report_id=20279 event_time=2020-02-23T07:22:07.1532018Z machine_id=4899036531e374137f63289c3267bad772c13fef recommended_action="runAntiVirusScan" severity=Low title="testing alert"

Context Example
{
"MicrosoftATP.Alert": {
"Category": "Backdoor",
"ThreatFamilyName": null,
"Severity": "Low",
"LastEventTime": "2020-02-23T07:22:07.1532018Z",
"FirstEventTime": "2020-02-23T07:22:07.1532018Z",
"Comments": [
{
"Comment": null,
"CreatedTime": null,
"CreatedBy": null
}
],
"AADTenantID": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
"AlertCreationTime": "2020-03-22T15:44:23.5446957Z",
"Status": "New",
"Description": "test",
"InvestigationState": "PendingApproval",
"MachineID": "4899036531e374137f63289c3267bad772c13fef",
"Title": "testing alert",
"InvestigationID": 10,
"Determination": null,
"IncidentID": 18,
"AssignedTo": null,
"DetectionSource": "CustomerTI",
"ResolvedTime": null,
"ID": "da637204886635759335_1480542752",
"LastUpdateTime": "2020-03-22T15:44:24.6533333Z",
"Classification": null,
"ComputerDNSName": "desktop-s2455r8",
"Evidence": []
}
}
Human Readable Output
Alert created:
| ID | Title | Description | IncidentID | Severity | Status | Category | MachineID |
| --- | --- | --- | --- | --- | --- | --- | --- |
| da637204886635759335_1480542752 | testing alert | test | 18 | Low | New | Backdoor | 4899036531e374137f63289c3267bad772c13fef |

11. microsoft-atp-get-alert-related-user


Retrieves the user associated to a specific alert.

Base Command

microsoft-atp-get-alert-related-user

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| id | The ID of the alert. | Required |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.AlertUser.User.ID | String | The ID of the user. |
| MicrosoftATP.AlertUser.User.AccountName | String | The account name. |
| MicrosoftATP.AlertUser.User.AccountDomain | String | The account domain. |
| MicrosoftATP.AlertUser.User.AccountSID | String | The account SID. |
| MicrosoftATP.AlertUser.User.FirstSeen | Date | The date and time the user was first seen. |
| MicrosoftATP.AlertUser.User.LastSeen | Date | The date and time the user was last seen. |
| MicrosoftATP.AlertUser.User.MostPrevalentMachineID | String | The ID of the machine the user logs on to most. |
| MicrosoftATP.AlertUser.User.LeastPrevalentMachineID | String | The ID of the machine the user logs on to least. |
| MicrosoftATP.AlertUser.User.LogonTypes | String | The user's logon types. |
| MicrosoftATP.AlertUser.User.LogonCount | Number | The user's logon count. |
| MicrosoftATP.AlertUser.User.DomainAdmin | Boolean | Whether the user is a domain admin. |
| MicrosoftATP.AlertUser.User.NetworkUser | Boolean | Whether the user is a network user. |
| MicrosoftATP.AlertUser.AlertID | String | The ID of the alert. |
Command Example

!microsoft-atp-get-alert-related-user id=da637175364995825348_1865170845

Context Example
{
"MicrosoftATP.AlertUser": {
"User": {
"LeastPrevalentMachineID": "4899036531e374137f63289c3267bad772c13fef",
"MostPrevalentMachineID": "4899036531e374137f63289c3267bad772c13fef",
"LogonCount": 1,
"NetworkUser": false,
"DomainAdmin": false,
"LogonTypes": null,
"AccountName": "demisto",
"LastSeen": "2020-03-03T12:32:51Z",
"AccountSID": "S-1-5-21-4197691174-1403503641-4006700887-1001",
"AccountDomain": "desktop-s2455r8",
"ID": "desktop-s2455r8\\demisto",
"FirstSeen": "2020-02-23T07:14:42Z"
},
"AlertID": "da637175364995825348_1865170845"
}
}
Human Readable Output
Alert Related User:
| AccountDomain | AccountName | AccountSID | DomainAdmin | FirstSeen | ID | LastSeen | LeastPrevalentMachineID | LogonCount | MostPrevalentMachineID | NetworkUser |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| desktop-s2455r8 | demisto | S-1-5-21-4197691174-1403503641-4006700887-1001 | false | 2020-02-23T07:14:42Z | desktop-s2455r8\demisto | 2020-03-03T12:32:51Z | 4899036531e374137f63289c3267bad772c13fef | 1 | 4899036531e374137f63289c3267bad772c13fef | false |

12. microsoft-atp-get-alert-related-files


Retrieves the files associated to a specific alert.

Base Command

microsoft-atp-get-alert-related-files

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| id | The ID of the alert. | Required |
| limit | The maximum number of files to return. | Optional |
| offset | The page from which to get the related files. | Optional |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.AlertFile.Files.FilePublisher | String | The file's publisher. |
| MicrosoftATP.AlertFile.Files.SizeInBytes | Number | The size of the file in bytes. |
| MicrosoftATP.AlertFile.Files.GlobalLastObserved | Date | The last time the file was observed. |
| MicrosoftATP.AlertFile.Files.Sha1 | String | The SHA1 hash of the file. |
| MicrosoftATP.AlertFile.Files.IsValidCertificate | Boolean | Whether the file's signing certificate was successfully verified by the Microsoft Defender ATP agent. |
| MicrosoftATP.AlertFile.Files.Sha256 | String | The SHA256 hash of the file. |
| MicrosoftATP.AlertFile.Files.Signer | String | The file signer. |
| MicrosoftATP.AlertFile.Files.GlobalPrevalence | Number | The prevalence of the file across all organizations. |
| MicrosoftATP.AlertFile.Files.DeterminationValue | String | The determination value of the file. |
| MicrosoftATP.AlertFile.Files.GlobalFirstObserved | Date | The first time the file was observed. |
| MicrosoftATP.AlertFile.Files.FileType | String | The type of the file. |
| MicrosoftATP.AlertFile.Files.SignerHash | String | The hash of the signing certificate. |
| MicrosoftATP.AlertFile.Files.Issuer | String | The issuer of the signing certificate. |
| MicrosoftATP.AlertFile.Files.IsPeFile | Boolean | Whether the file is a portable executable (PE) file. |
| MicrosoftATP.AlertFile.Files.DeterminationType | String | The determination type of the file. |
| MicrosoftATP.AlertFile.Files.FileProductName | Unknown | The product name of the file. |
| MicrosoftATP.AlertFile.Files.Md5 | String | The MD5 hash of the file. |
Command Example

!microsoft-atp-get-alert-related-files id=da637175364995825348_1865170845

Context Example
{
"MicrosoftATP.AlertFile": {
"Files": [
{
"DeterminationType": "Unknown",
"SignerHash": "84ec67b9ac9d7789bab500503a7862173f432adb",
"Sha1": "d487580502354c61808c7180d1a336beb7ad4624",
"IsPeFile": true,
"GlobalPrevalence": 45004,
"SizeInBytes": 181248,
"Signer": "Microsoft Windows",
"GlobalFirstObserved": "2019-03-21T22:37:42.7608151Z",
"IsValidCertificate": true,
"GlobalLastObserved": "2020-03-22T22:48:20.608421Z",
"Sha256": "f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3",
"Md5": "f1139811bbf61362915958806ad30211",
"Issuer": "Microsoft Windows Production PCA 2011"
},
{
"DeterminationType": "Unknown",
"SignerHash": "84ec67b9ac9d7789bab500503a7862173f432adb",
"Sha1": "36c5d12033b2eaf251bae61c00690ffb17fddc87",
"IsPeFile": true,
"GlobalPrevalence": 1316463,
"SizeInBytes": 451584,
"Signer": "Microsoft Windows",
"GlobalFirstObserved": "2019-03-21T08:31:08.1952647Z",
"IsValidCertificate": true,
"GlobalLastObserved": "2020-03-23T09:24:49.9664767Z",
"Sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"Md5": "cda48fc75952ad12d99e526d0b6bf70a",
"Issuer": "Microsoft Windows Production PCA 2011"
}
],
"AlertID": "da637175364995825348_1865170845"
}
}
Human Readable Output
Alert da637175364995825348_1865170845 Related Files:
| Sha1 | Sha256 | SizeInBytes |
| --- | --- | --- |
| d487580502354c61808c7180d1a336beb7ad4624 | f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3 | 181248 |
| 36c5d12033b2eaf251bae61c00690ffb17fddc87 | 908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53 | 451584 |
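The Files list above is what an analyst usually has to sort through before deciding which hash to feed into a stop-and-quarantine action. The following is an added example, not code from the integration or from Cortex XSOAR: it scores each record from `MicrosoftATP.AlertFile.Files` by signature status and global prevalence and returns the SHA1s worth acting on. The first record is copied from the context example; the second is constructed to show the case that should stand out. The prevalence threshold and the scoring weights are assumptions.

```python
# Added example, not code from the integration or from Cortex XSOAR: triage the
# Files list that microsoft-atp-get-alert-related-files writes to
# MicrosoftATP.AlertFile.Files. The first record is copied from the page's
# context example; the second is constructed. Threshold and weights are assumptions.
from typing import Dict, List

LOW_PREVALENCE = 100  # assumption: fewer global sightings than this is "rare"

ALERT_FILES: List[Dict] = [
    {   # from the page's context example: signed Microsoft binary, widely seen
        "Sha1": "d487580502354c61808c7180d1a336beb7ad4624",
        "SizeInBytes": 181248,
        "Signer": "Microsoft Windows",
        "Issuer": "Microsoft Windows Production PCA 2011",
        "IsValidCertificate": True,
        "IsPeFile": True,
        "GlobalPrevalence": 45004,
    },
    {   # constructed: unsigned PE seen on three machines worldwide
        "Sha1": "0000000000000000000000000000000000000001",
        "Size": 4096,  # the documented path says Size; live output says SizeInBytes
        "Signer": None,
        "Issuer": None,
        "IsValidCertificate": False,
        "IsPeFile": True,
        "GlobalPrevalence": 3,
    },
]


def file_size(record: Dict) -> int:
    """Read the size whether the record carries SizeInBytes (as in the context
    example) or Size (as in the documented context path)."""
    value = record.get("SizeInBytes", record.get("Size"))
    return int(value) if value is not None else 0


def triage_file(record: Dict) -> Dict:
    """Score one file record; a higher score means more worth an analyst's time."""
    score = 0
    reasons: List[str] = []
    if record.get("IsPeFile") and not record.get("IsValidCertificate"):
        score += 3
        reasons.append("PE file without a valid signature")
    prevalence = record.get("GlobalPrevalence")
    if prevalence is not None and prevalence < LOW_PREVALENCE:
        score += 2
        reasons.append(f"low global prevalence ({prevalence})")
    return {"Sha1": record.get("Sha1"), "SizeInBytes": file_size(record),
            "Score": score, "Reasons": reasons}


def quarantine_candidates(files: List[Dict], min_score: int = 3) -> List[str]:
    """SHA1s worth handing to microsoft-atp-stop-and-quarantine-file, which
    takes a SHA1 only. Signed, widely seen files never reach the threshold."""
    ranked = sorted((triage_file(f) for f in files),
                    key=lambda t: t["Score"], reverse=True)
    return [t["Sha1"] for t in ranked if t["Score"] >= min_score and t["Sha1"]]


if __name__ == "__main__":
    for item in map(triage_file, ALERT_FILES):
        print(item["Sha1"], item["Score"], "; ".join(item["Reasons"]) or "nothing notable")
    print("candidates:", quarantine_candidates(ALERT_FILES))
```

The size helper exists because the documented context path (`Size`) and the actual output (`SizeInBytes`) disagree; a playbook that reads only one key silently gets zero for the other.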

13. microsoft-atp-get-alert-related-ips


Retrieves the IP addresses associated to a specific alert.

Base Command

microsoft-atp-get-alert-related-ips

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| id | The ID of the alert. | Required |
| limit | The maximum number of IP addresses to return. | Optional |
| offset | The page from which to get the related IP addresses. | Optional |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.AlertIP.IPs.IpAddress | String | The IP address. |
| MicrosoftATP.AlertIP.AlertID | String | The ID of the alert. |
Command Example

!microsoft-atp-get-alert-related-ips id=da637200417169017725_183736971 limit=3 offset=0

Context Example
{
"MicrosoftATP.AlertIP": {
"IPs": [],
"AlertID": "da637200417169017725_183736971"
}
}
Human Readable Output

Alert da637200417169017725_183736971 Related IPs: []

14. microsoft-atp-get-alert-related-domains


Retrieves the domains associated to a specific alert.

Base Command

microsoft-atp-get-alert-related-domains

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| id | The ID of the alert. | Required |
| limit | The maximum number of domains to return. | Optional |
| offset | The page from which to get the related domains. | Optional |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.AlertDomain.Domains.Domain | String | The domain address. |
| MicrosoftATP.AlertDomain.AlertID | Unknown | The ID of the alert. |
Command Example

!microsoft-atp-get-alert-related-domains id=da637175364995825348_1865170845 limit=2 offset=0

Context Example
{
"MicrosoftATP.AlertDomain": {
"Domains": [],
"AlertID": "da637175364995825348_1865170845"
}
}
Human Readable Output

Alert da637175364995825348_1865170845 Related Domains: []

15. microsoft-atp-list-machine-actions-details


Returns machine actions. If an action ID is given, returns only that action. Only one filter argument can be used per call.

Base Command

microsoft-atp-list-machine-actions-details

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| id | The ID of the action. | Optional |
| status | The status of the machine action. | Optional |
| machine_id | The ID of the machine the action was executed on. Only one can be given. | Optional |
| type | The type of the machine action. | Optional |
| requestor | The ID of the user that executed the action. Only one can be given. | Optional |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The ID of the machine action. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the action. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", "MD5". |
Command Example

!microsoft-atp-list-machine-actions-details type=RestrictCodeExecution

Context Example
{
"MicrosoftATP.MachineAction": [
{
"Status": "Succeeded",
"CreationDateTimeUtc": "2020-03-23T10:00:26.5923766Z",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"LastUpdateTimeUtc": null,
"ComputerDNSName": "desktop-s2455r9",
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Scope": null,
"Type": "RestrictCodeExecution",
"ID": "655b9413-0f41-49bc-a811-1aadc2c827d6",
"RequestorComment": "test restrict app"
},
{
"Status": "Cancelled",
"CreationDateTimeUtc": "2020-02-10T13:32:03.0534738Z",
"MachineID": "f3bba49af4d3bacedc62ca0fe580a4d5925af8aa",
"LastUpdateTimeUtc": null,
"ComputerDNSName": "ec2amaz-ua9hieu",
"Requestor": "7bb424e0-d74b-47c8-816f-21955e7a30d3",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Scope": null,
"Type": "RestrictCodeExecution",
"ID": "a57cd8a4-8d21-49e5-9a67-9fda06e1e637",
"RequestorComment": "Restrict code execution due to alert 1234"
}
]
}
Human Readable Output
Machine actions Info:
| ID | Type | Requestor | RequestorComment | Status | MachineID | ComputerDNSName |
| --- | --- | --- | --- | --- | --- | --- |
| 655b9413-0f41-49bc-a811-1aadc2c827d6 | RestrictCodeExecution | 2f48b784-5da5-4e61-9957-012d2630f1e4 | test restrict app | Succeeded | f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 |
| a57cd8a4-8d21-49e5-9a67-9fda06e1e637 | RestrictCodeExecution | 7bb424e0-d74b-47c8-816f-21955e7a30d3 | Restrict code execution due to alert 1234 | Cancelled | f3bba49af4d3bacedc62ca0fe580a4d5925af8aa | ec2amaz-ua9hieu |

16. microsoft-atp-collect-investigation-package


Collects an investigation package from a machine.

Required Permissions

Machine.CollectForensics

Base Command

microsoft-atp-collect-investigation-package

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| comment | The comment to associate with the action. | Required |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The ID of the machine action. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the action. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", "MD5". |
Command Example

!microsoft-atp-collect-investigation-package comment="testing" machine_id=f70f9fe6b29cd9511652434919c6530618f06606

Context Example
{
"MicrosoftATP.MachineAction": {
"Status": "Pending",
"CreationDateTimeUtc": "2020-03-23T10:08:05.8010798Z",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"LastUpdateTimeUtc": null,
"ComputerDNSName": null,
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Scope": null,
"Type": "CollectInvestigationPackage",
"ID": "fa952f94-d672-47a6-a637-70b91339c079",
"RequestorComment": "testing"
}
}
Human Readable Output
Initiating collect investigation package from f70f9fe6b29cd9511652434919c6530618f06606 machine :
| ID | Type | Requestor | RequestorComment | Status | MachineID |
| --- | --- | --- | --- | --- | --- |
| fa952f94-d672-47a6-a637-70b91339c079 | CollectInvestigationPackage | 2f48b784-5da5-4e61-9957-012d2630f1e4 | testing | Pending | f70f9fe6b29cd9511652434919c6530618f06606 |

17. microsoft-atp-get-investigation-package-sas-uri


Gets a URI that allows downloading of an investigation package.

Required Permissions

Machine.CollectForensics

Base Command

microsoft-atp-get-investigation-package-sas-uri

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| action_id | The ID of the machine action. | Required |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.InvestigationURI.Link | String | The investigation package URI. |
Command Example

!microsoft-atp-get-investigation-package-sas-uri action_id=6ae51f8f-68e6-4259-abae-0018fdf2e418

Context Example
{
"MicrosoftATP.InvestigationURI": {
"Link": "https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=MIICYwYJKoZIhvcNAQcCoIICV"
}
}
Human Readable Output

Success. This link is valid for a very short time and should be used immediately for downloading the package to local storage: https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=MIICYwYJKoZIhvcNAQcCoIICV
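Commands 15 through 17 are normally chained: collect the package, poll the action until it leaves `Pending`, then request the download link, which is short-lived and carries a bearer-style token in its query string. The block below is an added example, not code from the integration or from Cortex XSOAR. `FakeClient` and its canned replies are constructed stand-ins for the integration's commands; the terminal statuses beyond `Pending`, `Succeeded` and `Cancelled` (the only ones shown on this page) and the download-host allowlist are assumptions.

```python
# Added example, not code from the integration or from Cortex XSOAR: the
# collect -> wait -> fetch-link sequence of commands 16 and 17 as a polling
# loop with a hard stop, then a scheme/host check on the link before any
# downloader sees it. FakeClient is a constructed stand-in; the statuses beyond
# Pending/Succeeded/Cancelled and ALLOWED_HOST_SUFFIX are assumptions.
import time
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Terminal values of MicrosoftATP.MachineAction.Status. Succeeded and Cancelled
# appear on this page; Failed and TimeOut are assumed from the machine-action API.
TERMINAL_STATUSES = {"Succeeded", "Failed", "Cancelled", "TimeOut"}
ALLOWED_HOST_SUFFIX = ".securitycenter.windows.com"  # assumption: tenant download host


class FakeClient:
    """Constructed stand-in for the integration: the action stays Pending for
    a fixed number of polls, then reaches the status given at construction."""

    def __init__(self, final_status: str = "Succeeded", pending_polls: int = 2) -> None:
        self.final_status = final_status
        self.pending_polls = pending_polls
        self.calls = 0

    def machine_action(self, action_id: str) -> Dict:
        self.calls += 1
        status = "Pending" if self.calls <= self.pending_polls else self.final_status
        return {"ID": action_id, "Type": "CollectInvestigationPackage", "Status": status}

    def package_sas_uri(self, action_id: str) -> str:
        return ("https://userrequests-us.securitycenter.windows.com:443/"
                "safedownload/WDATP_Investigation_Package.zip?token=REDACTED")


def wait_for_action(client, action_id: str, attempts: int = 10, delay: float = 30.0,
                    sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Poll until Status is terminal; raise instead of spinning forever on an
    action the endpoint never acknowledges (for example an offline machine)."""
    action = {"Status": "unknown"}
    for _ in range(attempts):
        action = client.machine_action(action_id)
        if action["Status"] in TERMINAL_STATUSES:
            return action
        sleep(delay)
    raise TimeoutError(f"action {action_id} still {action['Status']} after {attempts} polls")


def is_safe_download_link(link: str) -> bool:
    """Accept only https links whose host is under the Defender download domain.
    The token query parameter is a bearer secret: never log the full link."""
    parts = urlparse(link)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host.endswith(ALLOWED_HOST_SUFFIX)


def fetch_package_link(client, action_id: str, **poll_kwargs) -> Optional[str]:
    """Full sequence: wait for the collection, request the SAS link only if it
    succeeded, and refuse a link that fails the scheme/host check."""
    action = wait_for_action(client, action_id, **poll_kwargs)
    if action["Status"] != "Succeeded":
        return None
    link = client.package_sas_uri(action_id)
    if not is_safe_download_link(link):
        raise ValueError("investigation package link failed the scheme/host check")
    return link


if __name__ == "__main__":
    client = FakeClient()
    print(fetch_package_link(client, "fa952f94-d672-47a6-a637-70b91339c079",
                             sleep=lambda _: None))
```

The host check is a suffix match on the parsed hostname rather than a substring search on the URL, so a link such as `https://evil.example/securitycenter.windows.com/...` is rejected. The `sleep` parameter is injectable so the loop can be exercised without waiting.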

18. microsoft-atp-restrict-app-execution


Restricts the execution of all applications on the machine except a predefined set.

Required Permissions

Machine.RestrictExecution

Base Command

microsoft-atp-restrict-app-execution

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| comment | The comment to associate with the action. | Optional |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The ID of the machine action. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the action. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", "MD5". |
Command Example

!microsoft-atp-restrict-app-execution machine_id=f70f9fe6b29cd9511652434919c6530618f06606 comment="test restrict app"

Context Example
{
"MicrosoftATP.MachineAction": {
"Status": "Pending",
"CreationDateTimeUtc": "2020-03-23T10:08:07.7643812Z",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"LastUpdateTimeUtc": null,
"ComputerDNSName": null,
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Scope": null,
"Type": "RestrictCodeExecution",
"ID": "264c80f0-1452-43fb-92d0-5515dd0b821e",
"RequestorComment": "test restrict app"
}
}
Human Readable Output
Initiating Restrict execution of all applications on the machine f70f9fe6b29cd9511652434919c6530618f06606 except a predefined set:
| ID | Type | Requestor | RequestorComment | Status | MachineID |
| --- | --- | --- | --- | --- | --- |
| 264c80f0-1452-43fb-92d0-5515dd0b821e | RestrictCodeExecution | 2f48b784-5da5-4e61-9957-012d2630f1e4 | test restrict app | Pending | f70f9fe6b29cd9511652434919c6530618f06606 |

19. microsoft-atp-remove-app-restriction


Enables the execution of any application on the machine.

Required Permissions

Machine.RestrictExecution

Base Command

microsoft-atp-remove-app-restriction

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| comment | The comment to associate with the action. | Required |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The ID of the machine action. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the action. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", "MD5". |
Command Example

!microsoft-atp-remove-app-restriction machine_id=f70f9fe6b29cd9511652434919c6530618f06606 comment="testing remove restriction"

Context Example
{
"MicrosoftATP.MachineAction": {
"Status": "Pending",
"CreationDateTimeUtc": "2020-03-23T10:08:08.5355244Z",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"LastUpdateTimeUtc": null,
"ComputerDNSName": null,
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Scope": null,
"Type": "UnrestrictCodeExecution",
"ID": "5e3cc0b8-b1a1-4a07-92bf-4d63ecec1b18",
"RequestorComment": "testing remove restriction"
}
}
Human Readable Output
Removing applications restriction on the machine f70f9fe6b29cd9511652434919c6530618f06606:
| ID | Type | Requestor | RequestorComment | Status | MachineID |
| --- | --- | --- | --- | --- | --- |
| 5e3cc0b8-b1a1-4a07-92bf-4d63ecec1b18 | UnrestrictCodeExecution | 2f48b784-5da5-4e61-9957-012d2630f1e4 | testing remove restriction | Pending | f70f9fe6b29cd9511652434919c6530618f06606 |

20. microsoft-atp-stop-and-quarantine-file


Stops the execution of a file on a machine and deletes it.

Required Permissions

Machine.StopAndQuarantine

Base Command

microsoft-atp-stop-and-quarantine-file

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| file_hash | The SHA1 hash of the file to stop and quarantine on the machine. | Required |
| comment | The comment to associate with the action. | Required |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | String | The ID of the machine action. |
| MicrosoftATP.MachineAction.Type | String | The type of the action. |
| MicrosoftATP.MachineAction.Scope | String | The scope of the action. |
| MicrosoftATP.MachineAction.Requestor | String | The ID of the user that executed the action. |
| MicrosoftATP.MachineAction.RequestorComment | String | The comment that was written when issuing the action. |
| MicrosoftATP.MachineAction.Status | String | The current status of the action. |
| MicrosoftATP.MachineAction.MachineID | String | The ID of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.ComputerDNSName | String | The DNS name of the machine on which the action was executed. |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | Date | The date and time when the action was created. |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | Date | The last date and time when the action status was updated. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | String | The file identifier. |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | String | The type of the file identifier. Possible values: "SHA1", "SHA256", "MD5". |
Command Example

!microsoft-atp-stop-and-quarantine-file comment="testing" file_hash=abe3ba25e5660c23dfe478d577cfacde5795870c machine_id=12345678

Context Example

{
"MicrosoftATP.MachineAction": {
"ID": "123",
"Type": "StopAndQuarantineFile",
"Scope": null,
"Requestor": "123abc",
"RequestorComment": "Test",
"Status": "Pending",
"MachineID": "12345678",
"ComputerDNSName": null,
"CreationDateTimeUtc": "2020-03-20T14:21:49.9097785Z",
"LastUpdateTimeUtc": "2020-02-27T12:21:00.4568741Z",
"RelatedFileInfo": {
"FileIdentifier": "87654321",
"FileIdentifierType": "Sha1"
}
}
}
Human Readable Output
Stopping the execution of a file on 12345678 machine and deleting it:
| ID | Type | Requestor | RequestorComment | Status | MachineID |
| --- | --- | --- | --- | --- | --- |
| 123 | StopAndQuarantineFile | 123abc | Test | Pending | 12345678 |
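The `file_hash` argument of this command is a SHA1, while most other sources an analyst copies from (sandbox reports, the `Sha256` and `Md5` fields in alert-related files) hand out other digests that cannot be converted. The block below is an added example, not code from the integration or from Cortex XSOAR: it classifies a digest by its hex length, picks the SHA1 out of a file record, and builds the command's arguments only when the hash is the right kind. The sample hashes are taken from this page's examples or constructed.

```python
# Added example, not code from the integration or from Cortex XSOAR: guard the
# file_hash argument before issuing microsoft-atp-stop-and-quarantine-file,
# which takes a SHA1. Digest lengths are the standard hex digest lengths;
# sample inputs are from this page's examples or constructed.
import re
from typing import Dict, Optional

HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_HEX = re.compile(r"[0-9a-f]+")


def classify_hash(value: str) -> str:
    """Return MD5, SHA1 or SHA256 from the hex digest length, else Unknown."""
    digest = value.strip().lower()
    if not _HEX.fullmatch(digest):
        return "Unknown"
    return HEX_DIGEST_LENGTHS.get(len(digest), "Unknown")


def sha1_from_record(record: Dict) -> Optional[str]:
    """Pick the SHA1 out of a file record such as one from
    MicrosoftATP.AlertFile.Files; None if the record only carries other hashes."""
    sha1 = record.get("Sha1")
    return sha1.strip().lower() if sha1 and classify_hash(sha1) == "SHA1" else None


def stop_and_quarantine_args(machine_id: str, file_hash: str, comment: str) -> Dict:
    """Build the command's arguments, refusing anything that is not a SHA1 so a
    wrong digest is rejected locally rather than by the API after the fact."""
    kind = classify_hash(file_hash)
    if kind != "SHA1":
        raise ValueError(f"file_hash must be a SHA1, got {kind}")
    if not comment.strip():
        raise ValueError("comment is required; it becomes RequestorComment in the audit trail")
    return {"machine_id": machine_id.strip(), "file_hash": file_hash.strip().lower(),
            "comment": comment.strip().replace('"', "'")}


def as_command(args: Dict) -> str:
    """Render the arguments as the War Room command line."""
    return ("!microsoft-atp-stop-and-quarantine-file "
            f"machine_id={args['machine_id']} file_hash={args['file_hash']} "
            f"comment=\"{args['comment']}\"")


if __name__ == "__main__":
    args = stop_and_quarantine_args("f70f9fe6b29cd9511652434919c6530618f06606",
                                    "abe3ba25e5660c23dfe478d577cfacde5795870c",
                                    "quarantine unsigned PE from alert")
    print(as_command(args))
```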

21. microsoft-atp-list-investigations


Retrieves a collection of investigations or retrieves specific investigation by its ID.

Base Command

microsoft-atp-list-investigations

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| id | The investigation ID, or the ID of the alert that triggered the investigation. | Optional |
| limit | The maximum number of investigations to return. | Optional |
| offset | The page from which to get the investigations. | Optional |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.Investigation.ID | String | The ID of the investigation. |
| MicrosoftATP.Investigation.StartTime | Date | The date and time when the investigation was created. |
| MicrosoftATP.Investigation.EndTime | Date | The date and time when the investigation was completed. |
| MicrosoftATP.Investigation.InvestigationState | String | The state of the investigation. |
| MicrosoftATP.Investigation.CancelledBy | Unknown | The ID of the user or application that cancelled the investigation. |
| MicrosoftATP.Investigation.StatusDetails | Unknown | The details of the state of the investigation. |
| MicrosoftATP.Investigation.MachineID | String | The ID of the machine the investigation runs on. |
| MicrosoftATP.Investigation.ComputerDNSName | String | The DNS name of the machine the investigation runs on. |
| MicrosoftATP.Investigation.TriggeringAlertID | String | The ID of the alert that triggered the investigation. |
Command Example

!microsoft-atp-list-investigations limit=3 offset=0

Context Example
{
"MicrosoftATP.Investigation": [
{
"CancelledBy": null,
"InvestigationState": "PendingApproval",
"MachineID": "4899036531e374137f63289c3267bad772c13fef",
"TriggeringAlertID": "da637200417169017725_183736971",
"ComputerDNSName": "desktop-s2455r8",
"StatusDetails": null,
"StartTime": "2020-03-17T11:35:17Z",
"EndTime": null,
"ID": "10"
},
{
"CancelledBy": null,
"InvestigationState": "PendingApproval",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"TriggeringAlertID": "da637200385941308230_1832866941",
"ComputerDNSName": "desktop-s2455r9",
"StatusDetails": null,
"StartTime": "2020-03-17T10:43:15Z",
"EndTime": null,
"ID": "9"
},
{
"CancelledBy": null,
"InvestigationState": "TerminatedBySystem",
"MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
"TriggeringAlertID": "da637189366671550108_395377714",
"ComputerDNSName": "desktop-s2455r9",
"StatusDetails": null,
"StartTime": "2020-03-04T16:37:50Z",
"EndTime": "2020-03-11T18:13:42Z",
"ID": "8"
}
]
}
Human Readable Output
Investigations Info:
| ID | StartTime | EndTime | InvestigationState | MachineID | ComputerDNSName | TriggeringAlertID |
| --- | --- | --- | --- | --- | --- | --- |
| 10 | 2020-03-17T11:35:17Z | | PendingApproval | 4899036531e374137f63289c3267bad772c13fef | desktop-s2455r8 | da637200417169017725_183736971 |
| 9 | 2020-03-17T10:43:15Z | | PendingApproval | f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | da637200385941308230_1832866941 |
| 8 | 2020-03-04T16:37:50Z | 2020-03-11T18:13:42Z | TerminatedBySystem | f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | da637189366671550108_395377714 |
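Two of the three investigations above sit in `PendingApproval`, which means no remediation runs until an analyst approves it in the portal. The block below is an added example, not code from the integration or from Cortex XSOAR: it reads the `MicrosoftATP.Investigation` list, counts states, and returns the open investigations that have waited longer than a threshold. The records are copied from the context example; the reference time and the 24-hour threshold are assumptions.

```python
# Added example, not code from the integration or from Cortex XSOAR: find
# automated investigations stuck in PendingApproval from the
# MicrosoftATP.Investigation list. Records are copied from the page's context
# example; the reference time and age threshold are assumptions.
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

INVESTIGATIONS: List[Dict] = [
    {"ID": "10", "InvestigationState": "PendingApproval",
     "MachineID": "4899036531e374137f63289c3267bad772c13fef",
     "TriggeringAlertID": "da637200417169017725_183736971",
     "StartTime": "2020-03-17T11:35:17Z", "EndTime": None},
    {"ID": "9", "InvestigationState": "PendingApproval",
     "MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
     "TriggeringAlertID": "da637200385941308230_1832866941",
     "StartTime": "2020-03-17T10:43:15Z", "EndTime": None},
    {"ID": "8", "InvestigationState": "TerminatedBySystem",
     "MachineID": "f70f9fe6b29cd9511652434919c6530618f06606",
     "TriggeringAlertID": "da637189366671550108_395377714",
     "StartTime": "2020-03-04T16:37:50Z", "EndTime": "2020-03-11T18:13:42Z"},
]


def parse_utc(value: str) -> datetime:
    """Parse the API's UTC stamps with or without fractional seconds. The API
    emits up to seven fractional digits, which datetime.fromisoformat rejects
    on older Pythons, so the fraction is truncated to microseconds here."""
    base, _, fraction = value.rstrip("Z").partition(".")
    micro = int((fraction + "000000")[:6]) if fraction else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def state_counts(investigations: List[Dict]) -> Dict[str, int]:
    """How many investigations sit in each InvestigationState."""
    return dict(Counter(i["InvestigationState"] for i in investigations))


def stale_pending_approval(investigations: List[Dict], now: datetime,
                           max_age: timedelta = timedelta(hours=24)) -> List[str]:
    """IDs of open investigations that have waited for approval longer than
    max_age, oldest first."""
    waiting = [i for i in investigations
               if i["InvestigationState"] == "PendingApproval" and not i.get("EndTime")
               and now - parse_utc(i["StartTime"]) > max_age]
    return [i["ID"] for i in sorted(waiting, key=lambda i: parse_utc(i["StartTime"]))]


if __name__ == "__main__":
    print(state_counts(INVESTIGATIONS))
    print(stale_pending_approval(INVESTIGATIONS, parse_utc("2020-03-18T12:00:00Z")))
```

`parse_utc` accepts both the whole-second form shown in this command's output and the seven-digit fractional form the machine-action timestamps use, so the same helper serves both context paths.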

22. microsoft-atp-start-investigation


Starts an automated investigation on a machine.

Base Command

microsoft-atp-start-investigation

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| comment | The comment to associate with the action. | Required |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.Investigation.ID | String | The ID of the investigation. |
| MicrosoftATP.Investigation.StartTime | Date | The date and time when the investigation was created. |
| MicrosoftATP.Investigation.EndTime | Date | The date and time when the investigation was completed. |
| MicrosoftATP.Investigation.InvestigationState | String | The state of the investigation. |
| MicrosoftATP.Investigation.CancelledBy | Unknown | The ID of the user or application that cancelled the investigation. |
| MicrosoftATP.Investigation.StatusDetails | Unknown | The details of the state of the investigation. |
| MicrosoftATP.Investigation.MachineID | String | The ID of the machine the investigation runs on. |
| MicrosoftATP.Investigation.ComputerDNSName | String | The DNS name of the machine the investigation runs on. |
| MicrosoftATP.Investigation.TriggeringAlertID | String | The ID of the alert that triggered the investigation. |
Command Example

!microsoft-atp-start-investigation comment="testing" machine_id=f70f9fe6b29cd9511652434919c6530618f06606

Context Example
{
"MicrosoftATP.Investigation": {
"CancelledBy": null,
"InvestigationState": "PendingApproval",
"MachineID": null,
"TriggeringAlertID": "da637205548921456173_375980286",
"ComputerDNSName": null,
"StatusDetails": null,
"StartTime": null,
"EndTime": null,
"ID": "da637205548921456173_375980286"
}
}
Human Readable Output
Starting investigation da637205548921456173_375980286 on f70f9fe6b29cd9511652434919c6530618f06606 machine:
| ID | InvestigationState | TriggeringAlertID |
| --- | --- | --- |
| da637205548921456173_375980286 | PendingApproval | da637205548921456173_375980286 |

23. microsoft-atp-get-domain-statistics


Retrieves the statistics on the given domain.

Base Command

microsoft-atp-get-domain-statistics

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| domain | The domain address. | Required |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.DomainStatistics.Statistics.Host | String | The domain host. |
| MicrosoftATP.DomainStatistics.Statistics.OrgPrevalence | String | The prevalence of the domain in the organization. |
| MicrosoftATP.DomainStatistics.Statistics.OrgFirstSeen | Date | The first date and time the domain was seen in the organization. |
| MicrosoftATP.DomainStatistics.Statistics.OrgLastSeen | Date | The last date and time the domain was seen in the organization. |
Command Example

!microsoft-atp-get-domain-statistics domain=google.com

Context Example
{
"MicrosoftATP.DomainStatistics": {
"Domain": "google.com",
"Statistics": {
"OrgLastSeen": "2020-02-24T13:14:54Z",
"Host": "google.com",
"OrgFirstSeen": "2020-02-24T12:50:04Z",
"OrgPrevalence": "1"
}
}
}
Human Readable Output
Statistics on google.com domain:
| Host | OrgFirstSeen | OrgLastSeen | OrgPrevalence |
| --- | --- | --- | --- |
| google.com | 2020-02-24T12:50:04Z | 2020-02-24T13:14:54Z | 1 |

24. microsoft-atp-get-domain-alerts


Retrieves a collection of alerts related to a given domain address.

Base Command

microsoft-atp-get-domain-alerts

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| domain | The domain address. | Required |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.DomainAlert.Domain | String | The domain address. |
| MicrosoftATP.DomainAlert.Alerts.ID | String | The ID of the alert. |
| MicrosoftATP.DomainAlert.Alerts.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.DomainAlert.Alerts.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.DomainAlert.Alerts.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.DomainAlert.Alerts.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.DomainAlert.Alerts.Severity | String | The severity of the alert. |
| MicrosoftATP.DomainAlert.Alerts.Status | String | The current status of the alert. |
| MicrosoftATP.DomainAlert.Alerts.Classification | String | The classification of the alert. |
| MicrosoftATP.DomainAlert.Alerts.Determination | String | The determination of the alert. |
| MicrosoftATP.DomainAlert.Alerts.DetectionSource | String | The detection source. |
| MicrosoftATP.DomainAlert.Alerts.Category | String | The category of the alert. |
| MicrosoftATP.DomainAlert.Alerts.ThreatFamilyName | String | The family name of the threat. |
| MicrosoftATP.DomainAlert.Alerts.Title | String | The title of the alert. |
| MicrosoftATP.DomainAlert.Alerts.Description | String | The description of the alert. |
| MicrosoftATP.DomainAlert.Alerts.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.DomainAlert.Alerts.FirstEventTime | Date | The first event time that triggered the alert on that machine. |
| MicrosoftATP.DomainAlert.Alerts.LastEventTime | Date | The last event time that triggered the alert on that machine. |
| MicrosoftATP.DomainAlert.Alerts.LastUpdateTime | Date | The date and time the alert was last updated. |
| MicrosoftATP.DomainAlert.Alerts.ResolvedTime | Date | The date and time in which the status of the alert was changed to "Resolved". |
| MicrosoftATP.DomainAlert.Alerts.MachineID | String | The ID of the machine associated with the alert. |
| MicrosoftATP.DomainAlert.Alerts.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.DomainAlert.Alerts.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.DomainAlert.Alerts.Comments.Comment | String | The alert comment string. |
| MicrosoftATP.DomainAlert.Alerts.Comments.CreatedBy | String | The user who created the alert comment. |
| MicrosoftATP.DomainAlert.Alerts.Comments.CreatedTime | Date | The date and time the alert comment was created. |
Command Example

!microsoft-atp-get-domain-alerts domain=google.com

Context Example
{
"MicrosoftATP.DomainAlert": {
"Domain": "google.com",
"Alerts": []
}
}
Human Readable Output
Domain google.com related alerts Info:

No entries.

25. microsoft-atp-get-domain-machines


Retrieves a collection of machines that have communicated with a given domain address.

Base Command

microsoft-atp-get-domain-machines

Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| domain | The domain address. | Required |
Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.DomainMachine.Domain | String | The domain address. |
| MicrosoftATP.DomainMachine.Machines.ID | String | The ID of the machine. |
| MicrosoftATP.DomainMachine.Machines.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.DomainMachine.Machines.FirstSeen | Date | The first date and time the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.DomainMachine.Machines.LastSeen | Date | The last date and time the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.DomainMachine.Machines.OSPlatform | String | The operating system platform. |
| MicrosoftATP.DomainMachine.Machines.OSVersion | String | The operating system version. |
| MicrosoftATP.DomainMachine.Machines.OSProcessor | String | The operating system processor. |
| MicrosoftATP.DomainMachine.Machines.LastIPAddress | String | The last IP address on the machine. |
| MicrosoftATP.DomainMachine.Machines.LastExternalIPAddress | String | The last external IP address through which the machine accessed the internet. |
| MicrosoftATP.DomainMachine.Machines.OSBuild | Number | The operating system build number. |
| MicrosoftATP.DomainMachine.Machines.HealthStatus | String | The health status of the machine. |
| MicrosoftATP.DomainMachine.Machines.RBACGroupID | Number | The RBAC group ID of the machine. |
| MicrosoftATP.DomainMachine.Machines.RBACGroupName | String | The RBAC group name of the machine. |
| MicrosoftATP.DomainMachine.Machines.RiskScore | String | The risk score of the machine. |
| MicrosoftATP.DomainMachine.Machines.ExposureLevel | String | The exposure level of the machine. |
| MicrosoftATP.DomainMachine.Machines.IsAADJoined | Boolean | Whether the machine is AAD joined. |
| MicrosoftATP.DomainMachine.Machines.AADDeviceID | String | The AAD device ID. |
| MicrosoftATP.DomainMachine.Machines.MachineTags | String | The set of machine tags. |
Command Example

```
!microsoft-atp-get-domain-machines domain=google.com
```

Context Example

```json
{
    "MicrosoftATP.DomainMachine": {
        "Domain": "google.com",
        "Machines": [
            {
                "OSBuild": 18363,
                "ExposureLevel": "Medium",
                "OSPlatform": "Windows10",
                "MachineTags": [
                    "test Tag 2",
                    "test Tag 5"
                ],
                "AADDeviceID": "cfcf4177-227e-4cdb-ac8e-f9a3da1ca30c",
                "ComputerDNSName": "desktop-s2455r8",
                "RBACGroupID": 0,
                "OSProcessor": "x64",
                "HealthStatus": "Active",
                "AgentVersion": "10.6940.18362.693",
                "LastExternalIPAddress": "81.166.99.236",
                "LastIPAddress": "192.168.1.71",
                "OSVersion": "1909",
                "RiskScore": "High",
                "ID": "4899036531e374137f63289c3267bad772c13fef",
                "FirstSeen": "2020-02-17T08:30:07.2415577Z",
                "LastSeen": "2020-03-23T08:10:41.473428Z"
            }
        ]
    }
}
```

Human Readable Output

Machines that have communicated with google.com domain:

| **ID** | **ComputerDNSName** | **OSPlatform** | **LastIPAddress** | **LastExternalIPAddress** | **HealthStatus** | **RiskScore** | **ExposureLevel** |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 4899036531e374137f63289c3267bad772c13fef | desktop-s2455r8 | Windows10 | 192.168.1.71 | 81.166.99.236 | Active | High | Medium |

26. microsoft-atp-get-file-statistics


Retrieves the statistics for the given file.

Base Command

microsoft-atp-get-file-statistics

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| file_hash | The file SHA1 hash to get statistics on. | Required |
Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.FileStatistics.Sha1 | String | The file SHA1 hash. |
| MicrosoftATP.FileStatistics.Statistics.OrgPrevalence | String | The prevalence of the file in the organization (number of devices on which it was seen). |
| MicrosoftATP.FileStatistics.Statistics.OrgFirstSeen | Date | The first date and time the file was seen in the organization. Absent when OrgPrevalence is 0. |
| MicrosoftATP.FileStatistics.Statistics.OrgLastSeen | Date | The last date and time the file was seen in the organization. Absent when OrgPrevalence is 0. |
| MicrosoftATP.FileStatistics.Statistics.GlobalPrevalence | String | The global prevalence of the file. |
| MicrosoftATP.FileStatistics.Statistics.GlobalFirstObserved | Date | The first global observation date and time of the file. |
| MicrosoftATP.FileStatistics.Statistics.GlobalLastObserved | Date | The last global observation date and time of the file. |
| MicrosoftATP.FileStatistics.Statistics.TopFileNames | String | The most frequently observed file names for this hash. |
Command Example

```
!microsoft-atp-get-file-statistics file_hash=9fe3ba25e5660c23dfe478d577cfacde5795870c
```

Context Example

```json
{
    "MicrosoftATP.FileStatistics": {
        "Sha1": "9fe3ba25e5660c23dfe478d577cfacde5795870c",
        "Statistics": {
            "TopFileNames": [
                "lsass.exe"
            ],
            "GlobalFirstObserved": "2019-04-03T04:10:18.1001071Z",
            "GlobalPrevalence": "1355899",
            "OrgPrevalence": "0",
            "GlobalLastObserved": "2020-03-23T09:24:54.169574Z"
        }
    }
}
```

Human Readable Output

Statistics on 9fe3ba25e5660c23dfe478d577cfacde5795870c file:

| **GlobalFirstObserved** | **GlobalLastObserved** | **GlobalPrevalence** | **OrgPrevalence** | **TopFileNames** |
| --- | --- | --- | --- | --- |
| 2019-04-03T04:10:18.1001071Z | 2020-03-23T09:24:54.169574Z | 1355899 | 0 | lsass.exe |

27. microsoft-atp-get-file-alerts


Retrieves a collection of alerts related to a given file hash.

Base Command

microsoft-atp-get-file-alerts

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| file_hash | The file SHA1 hash to get alerts for. | Required |
Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.FileAlert.Sha1 | String | The file SHA1 hash. |
| MicrosoftATP.FileAlert.Alerts.ID | String | The ID of the alert. |
| MicrosoftATP.FileAlert.Alerts.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.FileAlert.Alerts.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.FileAlert.Alerts.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.FileAlert.Alerts.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.FileAlert.Alerts.Severity | String | The severity of the alert. |
| MicrosoftATP.FileAlert.Alerts.Status | String | The current status of the alert. |
| MicrosoftATP.FileAlert.Alerts.Classification | String | The alert classification. |
| MicrosoftATP.FileAlert.Alerts.Determination | String | The determination of the alert. |
| MicrosoftATP.FileAlert.Alerts.DetectionSource | String | The detection source. |
| MicrosoftATP.FileAlert.Alerts.Category | String | The category of the alert. |
| MicrosoftATP.FileAlert.Alerts.ThreatFamilyName | String | The family name of the threat. |
| MicrosoftATP.FileAlert.Alerts.Title | String | The title of the alert. |
| MicrosoftATP.FileAlert.Alerts.Description | String | The description of the alert. |
| MicrosoftATP.FileAlert.Alerts.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.FileAlert.Alerts.FirstEventTime | Date | The time of the first event that triggered the alert on that machine. |
| MicrosoftATP.FileAlert.Alerts.LastEventTime | Date | The time of the last event that triggered the alert on that machine. |
| MicrosoftATP.FileAlert.Alerts.LastUpdateTime | Date | The date and time the alert was last updated. |
| MicrosoftATP.FileAlert.Alerts.ResolvedTime | Date | The date and time at which the status of the alert was changed to "Resolved". |
| MicrosoftATP.FileAlert.Alerts.MachineID | String | The ID of the machine associated with the alert. |
| MicrosoftATP.FileAlert.Alerts.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.FileAlert.Alerts.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.FileAlert.Alerts.Comments.Comment | String | The alert comment string. |
| MicrosoftATP.FileAlert.Alerts.Comments.CreatedBy | String | The user who created the alert comment. |
| MicrosoftATP.FileAlert.Alerts.Comments.CreatedTime | Date | The date and time the alert comment was created. |
Command Example

```
!microsoft-atp-get-file-alerts file_hash=9fe3ba25e5660c23dfe478d577cfacde5795870c
```

Context Example

```json
{
    "MicrosoftATP.FileAlert": {
        "Sha1": "9fe3ba25e5660c23dfe478d577cfacde5795870c",
        "Alerts": [
            {
                "Category": "None",
                "ThreatFamilyName": null,
                "Severity": "Medium",
                "LastEventTime": "2020-03-15T13:59:14.2438912Z",
                "FirstEventTime": "2020-03-15T13:59:14.2438912Z",
                "Comments": [
                    {
                        "Comment": null,
                        "CreatedTime": null,
                        "CreatedBy": null
                    }
                ],
                "AADTenantID": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
                "AlertCreationTime": "2020-03-17T11:55:31.890247Z",
                "Status": "New",
                "Description": "Created for test",
                "InvestigationState": "PendingApproval",
                "MachineID": "4899036531e374137f63289c3267bad772c13fef",
                "Title": "test alert",
                "InvestigationID": 10,
                "Determination": null,
                "IncidentID": 15,
                "AssignedTo": null,
                "DetectionSource": "CustomerTI",
                "ResolvedTime": null,
                "ID": "da637200429318902470_-1583197054",
                "LastUpdateTime": "2020-03-17T11:55:33.0233333Z",
                "Classification": null,
                "ComputerDNSName": "desktop-s2455r8",
                "Evidence": [
                    {
                        "userPrincipalName": null,
                        "processId": 656,
                        "sha1": "9fe3ba25e5660c23dfe478d577cfacde5795870c",
                        "parentProcessCreationTime": null,
                        "domainName": null,
                        "url": null,
                        "processCommandLine": "lsass.exe",
                        "entityType": "Process",
                        "processCreationTime": "2020-03-13T16:58:59Z",
                        "aadUserId": null,
                        "fileName": "lsass.exe",
                        "sha256": null,
                        "parentProcessId": 512,
                        "userSid": null,
                        "filePath": "c:\\windows\\system32\\lsass.exe",
                        "accountName": null,
                        "ipAddress": null
                    }
                ]
            }
        ]
    }
}
```

Human Readable Output

File 9fe3ba25e5660c23dfe478d577cfacde5795870c related alerts Info:

| **ID** | **Title** | **Description** | **IncidentID** | **Severity** | **Status** | **Category** | **MachineID** |
| --- | --- | --- | --- | --- | --- | --- | --- |
| da637200429318902470_-1583197054 | test alert | Created for test | 15 | Medium | New | None | 4899036531e374137f63289c3267bad772c13fef |

28. microsoft-atp-get-ip-statistics


Retrieves the statistics for the given IP address.

Base Command

microsoft-atp-get-ip-statistics

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| ip | The IP address. | Required |
Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.IPStatistics.IPAddress | String | The IP address. |
| MicrosoftATP.IPStatistics.Statistics.OrgPrevalence | String | The prevalence of the IP address in the organization. |
| MicrosoftATP.IPStatistics.Statistics.OrgFirstSeen | Date | The first date and time the IP address was seen in the organization. |
| MicrosoftATP.IPStatistics.Statistics.OrgLastSeen | Date | The last date and time the IP address was seen in the organization. |
Command Example

```
!microsoft-atp-get-ip-statistics ip=8.8.8.8
```

Context Example

```json
{
    "MicrosoftATP.IPStatistics": {
        "Statistics": {
            "OrgLastSeen": "2020-03-01T15:19:40Z",
            "OrgPrevalence": "1",
            "OrgFirstSeen": "2020-02-22T12:52:35Z"
        },
        "IPAddress": "8.8.8.8"
    }
}
```

Human Readable Output

Statistics on 8.8.8.8 IP:

| **OrgFirstSeen** | **OrgLastSeen** | **OrgPrevalence** |
| --- | --- | --- |
| 2020-02-22T12:52:35Z | 2020-03-01T15:19:40Z | 1 |

29. microsoft-atp-get-ip-alerts


Retrieves a collection of alerts related to a given IP address.

Base Command

microsoft-atp-get-ip-alerts

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| ip | The IP address. | Required |
Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.IPAlert.IPAddress | String | The IP address. |
| MicrosoftATP.IPAlert.Alerts.ID | String | The alert ID. |
| MicrosoftATP.IPAlert.Alerts.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.IPAlert.Alerts.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.IPAlert.Alerts.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.IPAlert.Alerts.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.IPAlert.Alerts.Severity | String | The severity of the alert. |
| MicrosoftATP.IPAlert.Alerts.Status | String | The current status of the alert. |
| MicrosoftATP.IPAlert.Alerts.Classification | String | The alert classification. |
| MicrosoftATP.IPAlert.Alerts.Determination | String | The determination of the alert. |
| MicrosoftATP.IPAlert.Alerts.DetectionSource | String | The detection source. |
| MicrosoftATP.IPAlert.Alerts.Category | String | The category of the alert. |
| MicrosoftATP.IPAlert.Alerts.ThreatFamilyName | String | The family name of the threat. |
| MicrosoftATP.IPAlert.Alerts.Title | String | The title of the alert. |
| MicrosoftATP.IPAlert.Alerts.Description | String | The description of the alert. |
| MicrosoftATP.IPAlert.Alerts.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.IPAlert.Alerts.FirstEventTime | Date | The time of the first event that triggered the alert on that machine. |
| MicrosoftATP.IPAlert.Alerts.LastEventTime | Date | The time of the last event that triggered the alert on that machine. |
| MicrosoftATP.IPAlert.Alerts.LastUpdateTime | Date | The date and time the alert was last updated. |
| MicrosoftATP.IPAlert.Alerts.ResolvedTime | Date | The date and time at which the status of the alert was changed to "Resolved". |
| MicrosoftATP.IPAlert.Alerts.MachineID | String | The ID of the machine associated with the alert. |
| MicrosoftATP.IPAlert.Alerts.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.IPAlert.Alerts.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.IPAlert.Alerts.Comments.Comment | String | The alert comment string. |
| MicrosoftATP.IPAlert.Alerts.Comments.CreatedBy | String | The user who created the alert comment. |
| MicrosoftATP.IPAlert.Alerts.Comments.CreatedTime | Date | The date and time the alert comment was created. |
Command Example

```
!microsoft-atp-get-ip-alerts ip=8.8.8.8
```

Context Example

```json
{
    "MicrosoftATP.IPAlert": {
        "Alerts": [],
        "IPAddress": "8.8.8.8"
    }
}
```

Human Readable Output

IP 8.8.8.8 related alerts Info:

No entries.

30. microsoft-atp-get-user-alerts


Retrieves a collection of alerts related to a given user ID.

Base Command

microsoft-atp-get-user-alerts

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| username | The user ID. The ID is not the full UPN, but only the user name. For example, to retrieve alerts for "user1@test.com" use "user1". | Required |
Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.UserAlert.Username | String | The name of the user. |
| MicrosoftATP.UserAlert.Alerts.ID | String | The ID of the alert. |
| MicrosoftATP.UserAlert.Alerts.IncidentID | Number | The incident ID of the alert. |
| MicrosoftATP.UserAlert.Alerts.InvestigationID | Number | The investigation ID related to the alert. |
| MicrosoftATP.UserAlert.Alerts.InvestigationState | String | The current state of the investigation. |
| MicrosoftATP.UserAlert.Alerts.AssignedTo | String | The owner of the alert. |
| MicrosoftATP.UserAlert.Alerts.Severity | String | The severity of the alert. |
| MicrosoftATP.UserAlert.Alerts.Status | String | The current status of the alert. |
| MicrosoftATP.UserAlert.Alerts.Classification | String | The alert classification. |
| MicrosoftATP.UserAlert.Alerts.Determination | String | The determination of the alert. |
| MicrosoftATP.UserAlert.Alerts.DetectionSource | String | The detection source. |
| MicrosoftATP.UserAlert.Alerts.Category | String | The category of the alert. |
| MicrosoftATP.UserAlert.Alerts.ThreatFamilyName | String | The family name of the threat. |
| MicrosoftATP.UserAlert.Alerts.Title | String | The title of the alert. |
| MicrosoftATP.UserAlert.Alerts.Description | String | The description of the alert. |
| MicrosoftATP.UserAlert.Alerts.AlertCreationTime | Date | The date and time the alert was created. |
| MicrosoftATP.UserAlert.Alerts.FirstEventTime | Date | The time of the first event that triggered the alert on that machine. |
| MicrosoftATP.UserAlert.Alerts.LastEventTime | Date | The time of the last event that triggered the alert on that machine. |
| MicrosoftATP.UserAlert.Alerts.LastUpdateTime | Date | The date and time the alert was last updated. |
| MicrosoftATP.UserAlert.Alerts.ResolvedTime | Date | The date and time at which the status of the alert was changed to "Resolved". |
| MicrosoftATP.UserAlert.Alerts.MachineID | String | The ID of the machine associated with the alert. |
| MicrosoftATP.UserAlert.Alerts.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.UserAlert.Alerts.AADTenantID | String | The AAD tenant ID. |
| MicrosoftATP.UserAlert.Alerts.Comments.Comment | String | The alert comment string. |
| MicrosoftATP.UserAlert.Alerts.Comments.CreatedBy | String | The user who created the alert comment. |
| MicrosoftATP.UserAlert.Alerts.Comments.CreatedTime | Date | The date and time the alert comment was created. |
Command Example

```
!microsoft-atp-get-user-alerts username=demisto
```

Context Example

```json
{
    "MicrosoftATP.UserAlert": {
        "Username": "demisto",
        "Alerts": [
            {
                "Category": "DefenseEvasion",
                "ThreatFamilyName": null,
                "Severity": "Medium",
                "LastEventTime": "2020-02-17T11:39:09.9948632Z",
                "FirstEventTime": "2020-02-17T11:37:11.4901408Z",
                "Comments": [
                    {
                        "Comment": null,
                        "CreatedTime": null,
                        "CreatedBy": null
                    }
                ],
                "AADTenantID": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
                "AlertCreationTime": "2020-02-17T11:40:33.5724218Z",
                "Status": "InProgress",
                "Description": "A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.",
                "InvestigationState": "Benign",
                "MachineID": "4899036531e374137f63289c3267bad772c13fef",
                "Title": "Suspicious process injection observed",
                "InvestigationID": 1,
                "Determination": null,
                "IncidentID": 7,
                "AssignedTo": "Automation",
                "DetectionSource": "WindowsDefenderAtp",
                "ResolvedTime": null,
                "ID": "da637175364336494657_410871946",
                "LastUpdateTime": "2020-03-17T11:29:55.0066667Z",
                "Classification": null,
                "ComputerDNSName": "desktop-s2455r8",
                "Evidence": [
                    {
                        "userPrincipalName": null,
                        "processId": 11192,
                        "sha1": "36c5d12033b2eaf251bae61c00690ffb17fddc87",
                        "parentProcessCreationTime": "2020-02-17T08:03:34.9841426Z",
                        "domainName": null,
                        "url": null,
                        "processCommandLine": "\"powershell.exe\" ",
                        "entityType": "Process",
                        "processCreationTime": "2020-02-17T12:38:47.6521977Z",
                        "aadUserId": null,
                        "fileName": "powershell.exe",
                        "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
                        "parentProcessId": 9008,
                        "userSid": null,
                        "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
                        "accountName": null,
                        "ipAddress": null
                    },
                    {
                        "userPrincipalName": null,
                        "processId": 12508,
                        "sha1": "d487580502354c61808c7180d1a336beb7ad4624",
                        "parentProcessCreationTime": "2020-02-17T12:38:47.6521977Z",
                        "domainName": null,
                        "url": null,
                        "processCommandLine": "\"notepad.exe\"",
                        "entityType": "Process",
                        "processCreationTime": "2020-02-17T12:41:04.9040946Z",
                        "aadUserId": null,
                        "fileName": "notepad.exe",
                        "sha256": "f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3",
                        "parentProcessId": 11192,
                        "userSid": null,
                        "filePath": "C:\\Windows\\System32",
                        "accountName": null,
                        "ipAddress": null
                    },
                    {
                        "userPrincipalName": null,
                        "processId": null,
                        "sha1": null,
                        "parentProcessCreationTime": null,
                        "domainName": "DESKTOP-S2455R8",
                        "url": null,
                        "processCommandLine": null,
                        "entityType": "User",
                        "processCreationTime": null,
                        "aadUserId": null,
                        "fileName": null,
                        "sha256": null,
                        "parentProcessId": null,
                        "userSid": "S-1-5-21-4197691174-1403503641-4006700887-1001",
                        "filePath": null,
                        "accountName": "demisto",
                        "ipAddress": null
                    },
                    {
                        "userPrincipalName": null,
                        "processId": 8936,
                        "sha1": "d487580502354c61808c7180d1a336beb7ad4624",
                        "parentProcessCreationTime": "2020-02-17T12:38:47.6521977Z",
                        "domainName": null,
                        "url": null,
                        "processCommandLine": "\"notepad.exe\"",
                        "entityType": "Process",
                        "processCreationTime": "2020-02-17T12:39:16.3783602Z",
                        "aadUserId": null,
                        "fileName": "notepad.exe",
                        "sha256": "f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3",
                        "parentProcessId": 11192,
                        "userSid": null,
                        "filePath": "C:\\Windows\\System32",
                        "accountName": null,
                        "ipAddress": null
                    }
                ]
            }
        ]
    }
}
```

Human Readable Output

User demisto related alerts Info:

| **ID** | **Title** | **Description** | **IncidentID** | **Severity** | **Status** | **Category** | **MachineID** |
| --- | --- | --- | --- | --- | --- | --- | --- |
| da637175364336494657_410871946 | Suspicious process injection observed | A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. As a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server. | 7 | Medium | InProgress | DefenseEvasion | 4899036531e374137f63289c3267bad772c13fef |
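The `Evidence` array returned with an alert mixes entity types (`Process` and `User` in the example above), and only the `Process` entities carry `processId`/`parentProcessId`. The Python below is an added example, not code from the integration or its README: it rebuilds the parent/child process chain from those entities so an analyst can see which process spawned what (here, `powershell.exe` spawning two `notepad.exe` instances) and which SHA1s to pivot on with `microsoft-atp-get-file-statistics` and `microsoft-atp-get-file-alerts`. The sample evidence is constructed from the context example above, trimmed to the fields used; treating a process whose parent is absent from the evidence as the root of the chain is this example's own convention.

```python
"""Rebuild the process chain from the Evidence entities of a Defender ATP alert.

Added example, not part of the Microsoft Defender ATP integration. The sample
below is constructed from the microsoft-atp-get-user-alerts context example
(process IDs, hashes and times copied from it; unused fields dropped).
"""
from collections import defaultdict

# Constructed sample: Evidence of alert da637175364336494657_410871946.
EVIDENCE = [
    {"entityType": "Process", "processId": 11192, "parentProcessId": 9008,
     "fileName": "powershell.exe", "processCommandLine": '"powershell.exe" ',
     "sha1": "36c5d12033b2eaf251bae61c00690ffb17fddc87",
     "processCreationTime": "2020-02-17T12:38:47.6521977Z"},
    {"entityType": "Process", "processId": 12508, "parentProcessId": 11192,
     "fileName": "notepad.exe", "processCommandLine": '"notepad.exe"',
     "sha1": "d487580502354c61808c7180d1a336beb7ad4624",
     "processCreationTime": "2020-02-17T12:41:04.9040946Z"},
    {"entityType": "User", "accountName": "demisto", "domainName": "DESKTOP-S2455R8",
     "userSid": "S-1-5-21-4197691174-1403503641-4006700887-1001"},
    {"entityType": "Process", "processId": 8936, "parentProcessId": 11192,
     "fileName": "notepad.exe", "processCommandLine": '"notepad.exe"',
     "sha1": "d487580502354c61808c7180d1a336beb7ad4624",
     "processCreationTime": "2020-02-17T12:39:16.3783602Z"},
]


def split_entities(evidence):
    """Group evidence by entityType; only Process entities carry pid fields."""
    groups = defaultdict(list)
    for ent in evidence:
        groups[ent.get("entityType") or "Unknown"].append(ent)
    return groups


def build_process_tree(evidence):
    """Return (roots, children): children maps a pid to its child entities.

    A process whose parentProcessId is not itself in the evidence is treated
    as a root (this example's convention): Defender only returns the entities
    tied to the alert, so the true ancestor (pid 9008 here) is usually absent.
    """
    procs = [e for e in evidence
             if e.get("entityType") == "Process" and e.get("processId") is not None]
    known = {p["processId"] for p in procs}
    children = defaultdict(list)
    roots = []
    for p in procs:
        if p.get("parentProcessId") in known:
            children[p["parentProcessId"]].append(p)
        else:
            roots.append(p)
    # Chronological sibling order keeps the rendering stable.
    for pid in children:
        children[pid].sort(key=lambda e: e.get("processCreationTime") or "")
    roots.sort(key=lambda e: e.get("processCreationTime") or "")
    return roots, children


def render_tree(evidence):
    """Render the chain as indented lines, one process per line."""
    roots, children = build_process_tree(evidence)
    lines = []

    def walk(node, depth):
        line = f"{'  ' * depth}{node.get('fileName') or '?'} ({node['processId']})"
        if depth == 0:
            line += f" <- parent {node.get('parentProcessId')} not in evidence"
        lines.append(line)
        for child in children.get(node["processId"], []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def distinct_hashes(evidence):
    """SHA1s to pivot on with microsoft-atp-get-file-statistics / -file-alerts."""
    return sorted({e["sha1"] for e in evidence if e.get("sha1")})


if __name__ == "__main__":
    print("\n".join(render_tree(EVIDENCE)))
    print("users:", [u["accountName"] for u in split_entities(EVIDENCE)["User"]])
    print("hashes:", distinct_hashes(EVIDENCE))
```

Two notepad.exe children share one SHA1, so `distinct_hashes` yields two hashes, not three; the `User` entity has no process fields and is kept out of the tree but is the account to feed to `microsoft-atp-get-user-machines` (as `demisto`, not `DESKTOP-S2455R8\demisto`).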

31. microsoft-atp-get-user-machines


Retrieves a collection of machines related to a given user ID.

Base Command

microsoft-atp-get-user-machines

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| username | The user ID. The ID is not the full UPN, but only the user name. For example, to retrieve machines for "user1@test.com" use "user1". | Required |
Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.UserMachine.Username | String | The name of the user. |
| MicrosoftATP.UserMachine.Machines.ID | String | The ID of the machine. |
| MicrosoftATP.UserMachine.Machines.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.UserMachine.Machines.FirstSeen | Date | The first date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.UserMachine.Machines.LastSeen | Date | The last date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.UserMachine.Machines.OSPlatform | String | The operating system platform. |
| MicrosoftATP.UserMachine.Machines.OSVersion | String | The operating system version. |
| MicrosoftATP.UserMachine.Machines.OSProcessor | String | The operating system processor. |
| MicrosoftATP.UserMachine.Machines.LastIPAddress | String | The last IP address on the machine. |
| MicrosoftATP.UserMachine.Machines.LastExternalIPAddress | String | The last IP address through which the machine accessed the internet. |
| MicrosoftATP.UserMachine.Machines.OSBuild | Number | The operating system build number. |
| MicrosoftATP.UserMachine.Machines.HealthStatus | String | The health status of the machine. |
| MicrosoftATP.UserMachine.Machines.RBACGroupID | Number | The RBAC group ID of the machine. |
| MicrosoftATP.UserMachine.Machines.RBACGroupName | String | The RBAC group name of the machine. |
| MicrosoftATP.UserMachine.Machines.RiskScore | String | The risk score of the machine. |
| MicrosoftATP.UserMachine.Machines.ExposureLevel | String | The exposure level of the machine. |
| MicrosoftATP.UserMachine.Machines.IsAADJoined | Boolean | Whether the machine is AAD joined. |
| MicrosoftATP.UserMachine.Machines.AADDeviceID | String | The AAD device ID. |
| MicrosoftATP.UserMachine.Machines.MachineTags | String | The set of machine tags. |
Command Example

```
!microsoft-atp-get-user-machines username=demisto
```

Context Example

```json
{
    "MicrosoftATP.UserMachine": {
        "Username": "demisto",
        "Machines": [
            {
                "OSBuild": 18363,
                "ExposureLevel": "Medium",
                "OSPlatform": "Windows10",
                "MachineTags": [
                    "test Tag 2",
                    "test Tag 5"
                ],
                "AADDeviceID": "cfcf4177-227e-4cdb-ac8e-f9a3da1ca30c",
                "ComputerDNSName": "desktop-s2455r8",
                "RBACGroupID": 0,
                "OSProcessor": "x64",
                "HealthStatus": "Active",
                "AgentVersion": "10.6940.18362.693",
                "LastExternalIPAddress": "81.166.99.236",
                "LastIPAddress": "192.168.1.71",
                "OSVersion": "1909",
                "RiskScore": "High",
                "ID": "4899036531e374137f63289c3267bad772c13fef",
                "FirstSeen": "2020-02-17T08:30:07.2415577Z",
                "LastSeen": "2020-03-23T08:10:41.473428Z"
            },
            {
                "OSBuild": 18363,
                "ExposureLevel": "Medium",
                "OSPlatform": "Windows10",
                "MachineTags": [
                    "test add tag",
                    "testing123"
                ],
                "ComputerDNSName": "desktop-s2455r9",
                "RBACGroupID": 0,
                "OSProcessor": "x64",
                "HealthStatus": "Active",
                "AgentVersion": "10.6940.18362.693",
                "LastExternalIPAddress": "81.166.99.236",
                "LastIPAddress": "192.168.1.73",
                "OSVersion": "1909",
                "RiskScore": "Medium",
                "ID": "f70f9fe6b29cd9511652434919c6530618f06606",
                "FirstSeen": "2020-02-20T14:44:11.4627779Z",
                "LastSeen": "2020-03-23T07:55:50.9986715Z"
            }
        ]
    }
}
```

Human Readable Output

Machines that are related to user demisto:

| **ID** | **ComputerDNSName** | **OSPlatform** | **LastIPAddress** | **LastExternalIPAddress** | **HealthStatus** | **RiskScore** | **ExposureLevel** |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 4899036531e374137f63289c3267bad772c13fef | desktop-s2455r8 | Windows10 | 192.168.1.71 | 81.166.99.236 | Active | High | Medium |
| f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | Windows10 | 192.168.1.73 | 81.166.99.236 | Active | Medium | Medium |

32. microsoft-atp-add-remove-machine-tag


Adds a tag to, or removes a tag from, a specific machine.

Base Command

microsoft-atp-add-remove-machine-tag

Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| machine_id | The ID of the machine. | Required |
| action | The tag operation to perform: "Add" or "Remove". | Required |
| tag | The name of the tag. | Required |
Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| MicrosoftATP.Machine.ID | String | The ID of the machine. |
| MicrosoftATP.Machine.ComputerDNSName | String | The DNS name of the machine. |
| MicrosoftATP.Machine.FirstSeen | Date | The first date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.LastSeen | Date | The last date and time when the machine was observed by Microsoft Defender ATP. |
| MicrosoftATP.Machine.OSPlatform | String | The operating system platform. |
| MicrosoftATP.Machine.OSVersion | String | The operating system version. |
| MicrosoftATP.Machine.OSProcessor | String | The operating system processor. |
| MicrosoftATP.Machine.LastIPAddress | String | The last IP address on the machine. |
| MicrosoftATP.Machine.LastExternalIPAddress | String | The last IP address through which the machine accessed the internet. |
| MicrosoftATP.Machine.OSBuild | Number | The operating system build number. |
| MicrosoftATP.Machine.HealthStatus | String | The health status of the machine. |
| MicrosoftATP.Machine.RBACGroupID | Number | The RBAC group ID of the machine. |
| MicrosoftATP.Machine.RBACGroupName | String | The RBAC group name of the machine. |
| MicrosoftATP.Machine.RiskScore | String | The risk score of the machine. |
| MicrosoftATP.Machine.ExposureLevel | String | The exposure level of the machine. |
| MicrosoftATP.Machine.IsAADJoined | Boolean | Whether the machine is AAD joined. |
| MicrosoftATP.Machine.AADDeviceID | String | The AAD device ID. |
| MicrosoftATP.Machine.MachineTags | String | The set of machine tags. |
Command Example

```
!microsoft-atp-add-remove-machine-tag action=Add machine_id=f70f9fe6b29cd9511652434919c6530618f06606 tag="test add tag"
```

Context Example

```json
{
    "MicrosoftATP.Machine": {
        "OSBuild": 18363,
        "ExposureLevel": "Medium",
        "OSPlatform": "Windows10",
        "MachineTags": [
            "test add tag",
            "testing123"
        ],
        "ComputerDNSName": "desktop-s2455r9",
        "RBACGroupID": 0,
        "OSProcessor": "x64",
        "HealthStatus": "Active",
        "AgentVersion": "10.6940.18362.693",
        "LastExternalIPAddress": "81.166.99.236",
        "LastIPAddress": "192.168.1.73",
        "OSVersion": "1909",
        "RiskScore": "Medium",
        "ID": "f70f9fe6b29cd9511652434919c6530618f06606",
        "FirstSeen": "2020-02-20T14:44:11.4627779Z",
        "LastSeen": "2020-03-23T07:55:50.9986715Z"
    }
}
```

Human Readable Output

Succeed to Add tag to f70f9fe6b29cd9511652434919c6530618f06606:

| **ID** | **ComputerDNSName** | **OSPlatform** | **LastExternalIPAddress** | **HealthStatus** | **RiskScore** | **ExposureLevel** | **MachineTags** |
| --- | --- | --- | --- | --- | --- | --- | --- |
| f70f9fe6b29cd9511652434919c6530618f06606 | desktop-s2455r9 | Windows10 | 81.166.99.236 | Active | Medium | Medium | test add tag, testing123 |
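Commands 26 through 32 are typically chained in an enrichment playbook: statistics and alerts for a file hash, the machines tied to the user, then a tag on the machines that need follow-up. The Python below is an added example, not code from the integration or this README, that runs that triage over the context these commands return. The inputs are constructed from the `get-file-statistics` and `get-user-machines` context examples on this page. The prevalence thresholds, the `RiskScore` ordering, the tag name and the `username_from_upn` helper are this example's own assumptions, not values defined by Defender ATP or the integration. It also handles the edge case visible in the file-statistics example: when `OrgPrevalence` is `"0"`, `OrgFirstSeen` and `OrgLastSeen` are absent from the response, so code must not index them.

```python
"""Triage helpers over the context returned by the microsoft-atp-* commands.

Added example, not part of the Microsoft Defender ATP integration. Sample
inputs are constructed from the context examples on this page; thresholds
and the RiskScore ordering are assumptions made for this example.
"""

# Constructed: FileStatistics context for the lsass.exe SHA1 on this page.
# OrgFirstSeen/OrgLastSeen are absent because OrgPrevalence is "0".
FILE_STATS = {
    "Sha1": "9fe3ba25e5660c23dfe478d577cfacde5795870c",
    "Statistics": {
        "TopFileNames": ["lsass.exe"],
        "GlobalFirstObserved": "2019-04-03T04:10:18.1001071Z",
        "GlobalPrevalence": "1355899",
        "OrgPrevalence": "0",
        "GlobalLastObserved": "2020-03-23T09:24:54.169574Z",
    },
}

# Constructed: the Machines array from the get-user-machines context example.
MACHINES = [
    {"ID": "4899036531e374137f63289c3267bad772c13fef", "ComputerDNSName": "desktop-s2455r8",
     "RiskScore": "High", "ExposureLevel": "Medium", "HealthStatus": "Active",
     "MachineTags": ["test Tag 2", "test Tag 5"]},
    {"ID": "f70f9fe6b29cd9511652434919c6530618f06606", "ComputerDNSName": "desktop-s2455r9",
     "RiskScore": "Medium", "ExposureLevel": "Medium", "HealthStatus": "Active",
     "MachineTags": ["test add tag", "testing123"]},
]

# Assumed ordering of the RiskScore strings, lowest to highest.
RISK_ORDER = {"None": 0, "Informational": 1, "Low": 2, "Medium": 3, "High": 4}

# Assumed thresholds: below ORG_RARE devices is "rare in org",
# below GLOBAL_RARE devices is "rare globally".
ORG_RARE, GLOBAL_RARE = 5, 100


def _count(stats, key):
    """Prevalence fields arrive as strings ("1355899"); a missing field counts as 0."""
    value = stats.get(key)
    return int(value) if value not in (None, "") else 0


def prevalence_verdict(file_stats):
    """Classify a hash by where it has been seen. Never indexes OrgFirstSeen/
    OrgLastSeen, which are missing when the org has no sightings."""
    stats = file_stats["Statistics"]
    org, glob = _count(stats, "OrgPrevalence"), _count(stats, "GlobalPrevalence")
    if org == 0:
        where = "not seen in org"      # an alert on this hash means stats lag the alert
    elif org < ORG_RARE:
        where = "rare in org"
    else:
        where = "common in org"
    how = "rare globally" if glob < GLOBAL_RARE else "common globally"
    names = ", ".join(stats.get("TopFileNames") or []) or "unknown"
    return {"sha1": file_stats["Sha1"], "org": org, "global": glob,
            "names": names, "verdict": f"{where}, {how}"}


def username_from_upn(identity):
    """get-user-alerts / get-user-machines take 'user1', not 'user1@test.com'
    or 'DOMAIN\\user1' (helper assumed for this example)."""
    local = identity.split("@", 1)[0]
    return local.rsplit("\\", 1)[-1]


def machines_needing_tag(machines, tag, min_risk="High"):
    """IDs of machines at or above min_risk that do not already carry `tag`."""
    floor = RISK_ORDER[min_risk]
    return [m["ID"] for m in machines
            if RISK_ORDER.get(m.get("RiskScore", "None"), 0) >= floor
            and tag not in (m.get("MachineTags") or [])]


def tag_commands(machines, tag, min_risk="High"):
    """The add-remove-machine-tag command lines a playbook would issue."""
    return [f'!microsoft-atp-add-remove-machine-tag action=Add machine_id={mid} tag="{tag}"'
            for mid in machines_needing_tag(machines, tag, min_risk)]


if __name__ == "__main__":
    print(prevalence_verdict(FILE_STATS))
    print(username_from_upn("user1@test.com"), username_from_upn("CORP\\user1"))
    print("\n".join(tag_commands(MACHINES, "under-investigation")))
```

Skipping machines that already carry the tag keeps the playbook idempotent on re-runs; filtering on `RiskScore` rather than on `ExposureLevel` matters because the two machines in the example share the same exposure level but differ in risk.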