Microsoft Defender 1.0.0
App Vendor: Microsoft
App Category: Network Security
Connector Version: 1.0.0
API Version: 1.0.0
Note
Microsoft has officially rebranded its security solution from Microsoft Advanced Threat Protection (ATP) to Microsoft Defender. To ensure consistency, we have updated the connector name accordingly.
Throughout this document, the product name ATP (Advanced Threat Protection) and Defender are used interchangeably to refer to the same security solution.
About App
Microsoft Advanced Threat Protection (ATP) provides a security solution that helps to detect and investigate security incidents across networks.
The Microsoft ATP app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Get all alerts | This action retrieves a list of all the alerts in Microsoft ATP. |
Get alert details | This action retrieves the details of a particular alert in Microsoft ATP. |
Get alert related domain details | This action retrieves the domain information which is related to a particular alert. |
Get alert related files | This action retrieves files related to an alert. |
Get alert related IPs | This action retrieves the IPs related to an alert. |
Get alert related machines | This action retrieves machines related to an alert. |
Get alert related users | This action retrieves users related to an alert. |
Create alert | This action creates an alert on Microsoft ATP. |
List machines | This action retrieves a list of machines on Microsoft ATP. |
Get machine details | This action retrieves machine details on Microsoft ATP. |
Get logon users for machine | This action retrieves all logged-in users for a machine. |
Get machine related alerts | This action retrieves alerts related to a machine. |
Get machine by IP address | This action retrieves a machine by IP address. |
Get machine actions | This action retrieves machine actions. |
Get machine action details | This action retrieves machine action details. |
Run AV scan on machine | This action runs an AV scan on a particular machine. |
Isolate machine | This action isolates a machine on Microsoft ATP. |
Unisolate machine | This action unisolates a machine on Microsoft ATP. |
List indicators | This action retrieves a list of all indicators on Microsoft ATP. |
Get file information | This action retrieves details of a file. |
Get file related alerts | This action retrieves alerts related to a file. |
Get file related machines | This action retrieves machines related to a file. |
Query alerts | This action queries alerts from Microsoft ATP. |
Query machines | This action queries machines from Microsoft ATP. |
Query AV scans | This action queries AV scans across Microsoft ATP. |
Configuration Parameters
The following configuration parameters are required for the Microsoft ATP app to communicate with the Microsoft ATP enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tenant ID | Enter the tenant ID to authenticate with. | Text | Required | |
Client ID | Enter the client ID to authenticate with. | Text | Required | |
Client secret | Enter the client secret to authenticate with. | Text | Required | |
Base URL | Enter the base URL to access Microsoft ATP. Example: "https://api.securitycenter.windows.com" | Text | Optional | |
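As an added example (not part of this connector's documentation or code), the following Python sketch shows how the four configuration parameters above fit together: Tenant ID, Client ID and Client secret feed an OAuth2 client-credentials token request, and the Base URL is where the resulting bearer token is presented for actions such as Get all alerts or Query machines. The token endpoint and the `.default` scope are assumed from the public Microsoft identity platform documentation, and `DefenderClient` with its injectable hooks is a hypothetical name.

```python
import json
import time
import urllib.request
from urllib.parse import urlencode

# Base URL is the connector's documented example; token endpoint and ".default" scope are the
# Microsoft identity platform client-credentials flow (assumed from public docs, not this page).
DEFAULT_BASE_URL = "https://api.securitycenter.windows.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def token_request(tenant_id, client_id, client_secret, base_url=DEFAULT_BASE_URL):
    """Build (url, urlencoded body) for the client-credentials token request."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": base_url + "/.default"})
    return TOKEN_URL.format(tenant=tenant_id), body.encode()


class DefenderClient:
    """Hypothetical minimal client: caches the bearer token and issues GETs against the API.
    fetch_token / http_get / clock are injectable so the flow can be exercised offline."""

    def __init__(self, tenant_id, client_id, client_secret, base_url=DEFAULT_BASE_URL,
                 fetch_token=None, http_get=None, clock=time.time):
        if not base_url.lower().startswith("https://"):
            raise ValueError("Base URL must be https: the bearer token travels in a header")
        self.base_url = base_url.rstrip("/")
        self._creds = (tenant_id, client_id, client_secret)
        self._fetch_token = fetch_token or (lambda url, body: self._json(url, data=body))
        self._http_get = http_get or (lambda url, hdrs: self._json(url, headers=hdrs))
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    @staticmethod
    def _json(url, data=None, headers=None):
        req = urllib.request.Request(url, data=data, headers=headers or {})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def bearer(self):
        """Reuse the cached token; refresh 60 s before expiry so a long playbook never sends a stale one."""
        if self._token is None or self._clock() >= self._expires_at - 60:
            resp = self._fetch_token(*token_request(*self._creds, self.base_url))
            self._token = resp["access_token"]
            self._expires_at = self._clock() + int(resp["expires_in"])
        return "Bearer " + self._token

    def get(self, path, params=None):
        """GET an API path such as '/api/alerts' (Get all alerts); params become the query string."""
        url = self.base_url + path + ("?" + urlencode(params) if params else "")
        return self._http_get(url, {"Authorization": self.bearer()})
```

Load the client secret from the platform's secret store rather than a config file, and never log the body returned by `token_request`, since it carries the secret in clear text.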
Action: Get All Alerts
This action retrieves a list of all alerts in Microsoft ATP.
Action Input Parameters
This action does not require any input parameter.
Action: Get Alert Details
This action retrieves the details of a particular alert in Microsoft ATP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to retrieve the details. | Text | Required | |
Action: Create alert
This action creates an alert on Microsoft ATP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the title of the alert. | Text | Required | |
Machine ID | Enter the machine ID to link to the alert. | Text | Required | |
Severity | Enter the severity of the alert. | Text | Required | Allowed values: |
Description | Enter the alert description. | Text | Required | |
Recommended action | Enter the action recommended to the security officer analyzing the alert. | Text | Required | |
Event time | Enter the time of the event, as obtained from the advanced query. The time must be in UTC format. Example: "2018-08-03t16:45:21.7115183z" | Text | Required | |
Report ID | Enter the report ID as obtained from the advanced query. | Text | Required | |
Category | Enter the category of the alert. | Text | Optional | Allowed values: |
Action: List Machines
This action retrieves the list of machines in Microsoft ATP.
Action Input Parameters
This action does not require any input parameter.
Action: Get Machine Details
This action retrieves machine details on Microsoft ATP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID to retrieve the details. | Text | Required | |
Action: Get Logon Users for Machine
This action retrieves the list of all logged-in users for a machine.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID to get the list of all logged-in users. | Text | Required | |
Action: Get Machine by IP Address
This action retrieves a machine by IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP Address for which you want to retrieve the machine details. | Text | Required | |
Timestamp | Enter the timestamp in ISO-8601 format. Example: 2018-09-22t08:44:05z. | Text | Required | |
Action: Get machine actions
This action retrieves the machine actions.
Action Input Parameters
This action does not require any input parameter.
Action: Get Machine Action Details
This action retrieves the machine action details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine action ID | Enter the machine action ID to retrieve the details. | Text | Required | |
Action: Run AV Scan on Machine
This action runs an AV scan on a particular machine.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID to scan. | Text | Required | |
Scan type | Enter the type of scan to perform. | Text | Required | Allowed values: |
Comment | Enter a comment for the scan. | Text | Required | |
Action: Isolate Machine
This action isolates a machine on Microsoft ATP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID to isolate. | Text | Required | |
Comment | Enter a comment for the isolation. | Text | Required | |
Isolation Type | Enter the type of isolation to perform. | Text | Required | Allowed values: |
Action: Unisolate Machine
This action unisolates a machine on Microsoft ATP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID to unisolate. | Text | Required | |
Comment | Enter a comment for the unisolation. | Text | Required | |
Action: List Indicators
This action retrieves the list of all indicators on Microsoft ATP.
Action Input Parameters
This action does not require any input parameter.
Action: Get File Information
This action retrieves the details of a file.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File hash | Enter the file hash to search for. | Text | Required | |
Action: Query Alerts
This action queries alerts from Microsoft ATP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query. | Text | Required | |
Extra params | Enter any additional parameters to pass. | Key Value | Optional | |
Action: Query Machines
This action queries machines from Microsoft ATP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query. | Text | Required | |
Extra params | Enter any additional parameters to pass. | Key Value | Optional | |
Action: Query AV Scans
This action queries AV scans across Microsoft ATP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query to search AV scans. | Text | Required | |
Extra params | Enter any additional parameters to pass. | Key Value | Optional | |