Microsoft Defender 2.0.0
App Vendor: Microsoft
App Category: Network Security
Connector Version: 2.0.3
API Version: v1
Note
Microsoft has officially rebranded its security solution from Microsoft Advanced Threat Protection (ATP) to Microsoft Defender. To ensure consistency, we have updated the connector name accordingly.
Throughout this document, the product names ATP (Advanced Threat Protection) and Defender are used interchangeably to refer to the same security solution.
About App
Microsoft Defender provides a security solution that helps to detect and investigate security incidents across networks.
The Microsoft Defender app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Add or Remove Machine Tags | This action adds or removes machine tags. |
Collect Investigation Package of Machine | This action collects the investigation package of a machine. |
Create Alert | This action creates an alert. |
Delete Indicator | This action deletes an indicator. |
Filter Alerts by OData Query | This action filters alerts by OData filter query. |
Generic Action | This is a generic action to perform any additional use cases on Microsoft Defender. |
Get Alert Details by ID | This action retrieves the alert details based on the alert ID. |
Get Alert Related Domains | This action retrieves the domain details related to an alert. |
Get Alert Related Files | This action retrieves all the alert-related file information. |
Get Alert Related IP Addresses Information | This action retrieves all the IP addresses related to the alert. |
GET Alert Related Machine Information | This action retrieves alert-related machine information. |
Get Alert Related Users | This action retrieves the user information related to an alert. |
Get All Alerts | This action retrieves all the alerts. |
Get Anti Virus Scans Information | This action retrieves the anti-virus scans information by OData query. |
Get Domain Related Alerts | This action retrieves alerts related to a domain. |
Get Domain Related Machines | This action retrieves all the machines related to a domain. |
Get File Information | This action retrieves all the file related information. |
Get File Related Alerts | This action retrieves all the alerts related to a file. |
Get File Related Machines | This action retrieves machines related to a file. |
Get IP Address Related Machines | This action retrieves machines related to an IP address. |
Get IP Related Alerts | This action retrieves alerts related to an IP address. |
Get Logged on Users | This action retrieves a collection of logged-on users on a specific device. |
Get Machine Actions | This action retrieves all the machines. |
Get Machine Information by ID | This action retrieves the machine details by machine ID. |
Get Machine Related Alerts | This action retrieves machine-related alerts. |
Get Machines by IP Address | This action retrieves machines by IP address. |
Get Machines Information | This action retrieves machine information by OData query. |
Get User Related Alerts | This action retrieves all user-related alerts. |
Get User Related Machines | This action retrieves all user-related machines. |
Initiate Machine Investigation | This action initiates an investigation on a machine. |
Isolate a Machine | This action isolates a machine. |
List all Indicators | This action lists all indicators. |
List all Machines | This action lists all the machines. |
List Machine Actions | This action lists all the actions of a machine. |
Perform Advanced Hunting | This action performs advanced hunting based on the specified query. |
Remove App Restriction | This action removes all restrictions for an app. |
Remove Machine from Isolation | This action removes a machine from isolation. |
Restrict App Execution on Machine | This action restricts the execution of all apps on a machine. |
Run Anti Virus Scan on Machine | This action initiates an anti-virus scan on a machine. |
Stop Execution and Quarantine a File | This action stops the execution of a file and quarantines it. |
Submit Indicator | This action submits an indicator. You must have "ti.readwrite" and "ti.readwrite.all" permissions to perform this action. |
Configuration Parameters
The following configuration parameters are required for the Microsoft Defender app to communicate with the Microsoft Defender enterprise application. The parameters can be configured by creating instances in the app. To know more about how to add an instance, see Add Instances.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Application ID | Enter the application ID of the user’s app instance. | Text | Required | |
Client Secret | Enter the client's secret key for authentication. | Password | Required | |
Tenant ID | Enter the tenant ID to authenticate. | Text | Required | |
Base URL | Enter the base URL to access Microsoft Defender. Example: "https://api.securitycenter.windows.com" | Text | Optional | |
Permissions
Some of the actions supported by Microsoft Defender need specific permissions on the Azure application to execute. Read and understand the required permissions, which are documented with the corresponding action.
Action: Add or Remove Machine Tags
This action adds or removes machine tags.
Note
You must have Machine.ReadWrite.All (Read and write all machine information) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8c83ec1b19adaf497b625" | Text | Required | You can retrieve machine IDs from the List All Machines action. |
Tag Name | Enter the name of the tag to add or remove. Example: "Example Tag" | Text | Required | |
Specify Action | Enter the action for the tag. Example: "remove" | Text | Required | Accepted values: |
Example Request
[ { "machine_id": "111e6dd8c83ec1b19adaf497b625", "tag_name": "Example Tag", "add_or_remove": "remove" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
add_instance_aadDeviceId | Null | Azure Active Directory Device ID, if any. Example: null |
add_instance_agentVersion | String | Version of the security agent installed. Example: 10.8295.22621.1023 |
add_instance_computerDnsName | String | DNS name of the computer. Example: adserver.adtestlab.com |
add_instance_defenderAvStatus | String | Status of Defender Antivirus. Example: NotSupported |
add_instance_deviceValue | String | Value assigned to the device. Example: Normal |
add_instance_exclusionReason | Null | Reason for exclusion, if any. Example: null |
add_instance_exposureLevel | String | Exposure level of the device. Example: High |
add_instance_firstSeen | String | Date and time when the device was first seen in UTC. Example: 2024-01-25T01:14:55.2599599Z |
add_instance_healthStatus | String | Health status of the device. Example: Inactive |
add_instance_id | String | Unique identifier for the device. Example: 07196b51b2b5390a1194bcee8ae33b690a1b1bde |
add_instance_ipAddresses | Array | List of IP addresses associated with the device. Example: [{"ipAddress": "10.0.1.4", "macAddress": "000D3AA0BCDC", "operationalStatus": "Up", "type": "Ethernet"}, {"ipAddress": "fe80::2856:7673:71a5:d039", "macAddress": "000D3AA0BCDC", "operationalStatus": "Up", "type": "Ethernet"}, {"ipAddress": "127.0.0.1", "macAddress": null, "operationalStatus": "Up", "type": "SoftwareLoopback"}, {"ipAddress": "::1", "macAddress": null, "operationalStatus": "Up", "type": "SoftwareLoopback"}, {"ipAddress": "fe80::5efe:10.0.1.4", "macAddress": "00000000000000E0", "operationalStatus": "Down", "type": "Tunnel"}] |
add_instance_isAadJoined | Boolean | Indicates if the device is joined to Azure Active Directory. Example: false |
add_instance_isExcluded | Boolean | Indicates if the device is excluded. Example: false |
add_instance_isPotentialDuplication | Boolean | Indicates if the device is potentially a duplicate. Example: false |
add_instance_lastExternalIpAddress | String | Last external IP address seen. Example: 13.67.39.195 |
add_instance_lastIpAddress | String | Last IP address seen. Example: 10.0.1.4 |
add_instance_lastSeen | String | Date and time when the device was last seen in UTC. Example: 2024-05-19T17:47:35.5619845Z |
add_instance_machineTags | Array | Tags assigned to the machine. Example: ["test"] |
add_instance_managedBy | String | Entity managing the device. Example: Unknown |
add_instance_managedByStatus | String | Status of the entity managing the device. Example: Unknown |
add_instance_mergedIntoMachineId | Null | ID of the machine into which this device was merged, if any. Example: null |
add_instance_onboardingStatus | String | Status of the device onboarding process. Example: Onboarded |
add_instance_osArchitecture | String | Architecture of the operating system. Example: 64-bit |
add_instance_osBuild | Integer | Build number of the operating system. Example: 9600 |
add_instance_osPlatform | String | Platform of the operating system. Example: WindowsServer2012R2 |
add_instance_osProcessor | String | Processor type of the operating system. Example: x64 |
add_instance_osVersion | Null | Version of the operating system, if any. Example: null |
add_instance_rbacGroupId | Integer | ID of the RBAC group. Example: 0 |
add_instance_rbacGroupName | Null | Name of the RBAC group, if any. Example: null |
add_instance_riskScore | String | Risk score of the device. Example: High |
add_instance_version | String | Version of the operating system. Example: 6.3 |
add_instance_vmMetadata | Object | Metadata of the virtual machine. Example: {"cloudProvider": "Azure", "resourceId": "/subscriptions/9677ae65-e240-48aa-b929-13d57393b8c9/resourceGroups/CYWARE_THREAT_RESEARCH_TEAM/providers/Microsoft.Compute/virtualMachines/ADSERVER", "subscriptionId": null, "vmId": "fff95344-2341-459c-964a-001df0c97daa"} |
Action: Collect Investigation Package of Machine
This action collects the investigation package of a machine.
Note
You must have Machine.CollectForensics (Collect forensics) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8c8231ec1b19adaf497b625" | Text | Required | You can retrieve machine IDs using the List all Machines action. |
Comments | Enter the required comments for reference. Example: "Example Comment" | Text | Required | |
Example Request
[ { "machine_id": "111e6dd8c831ec1b19adaf497b625", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.id | String | Unique identifier for the action. Example: 5382f7ea-7557-4ab7-9782-d50480024a4e |
app_instance.type | String | Type of the action performed. Example: Isolate |
app_instance.scope | String | Scope of the action. Example: Selective |
app_instance.requestor | String | Email of the person who requested the action. Example: Analyst@TestPrd.onmicrosoft.com |
app_instance.requestorComment | String | Comment provided by the requestor. Example: test for docs |
app_instance.status | String | Status of the action. Example: Succeeded |
app_instance.machineId | String | Unique identifier for the machine. Example: 7b1f4967d9728e5aa3c06a9e617a22a4a5a17378 |
app_instance.computerDnsName | String | DNS name of the computer. Example: desktop-test |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2019-01-02T14:39:38.2262283Z |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2019-01-02T14:40:44.6596267Z |
app_instance.relatedFileInfo | Null | Information about the related file, if any. |
Action: Create Alert
This action creates an alert on top of an event. You must supply three parameters taken from the event in the request: Event Time, Machine ID, and Report ID. If an open alert with the same title already exists on the same device, the newly created alert is merged with it.
An automated investigation starts automatically on alerts created using this action.
Note
You must have Alert.ReadWrite.All (Read and write all alerts) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert Title | Enter the title of the alert. Example: "Sample Alert" | Text | Required | |
Machine ID | Enter the machine ID of the device on which the event was identified. | Text | Required | You can retrieve machine IDs from the List all Machines action. |
Severity | Enter the severity of the alert. | Text | Required | Allowed values: |
Alert Description | Enter the alert description. Example: "Sample Description" | Text | Required | |
Recommended Action | Enter the action recommended by the security officer while analyzing the alert. Example: "Remediation" | Text | Required | |
Event Time | Enter the time of the event, as obtained from the advanced query. The time must be in UTC format. Example: "2018-08-03t16:45:21.7115183z" | Text | Required | |
Report ID | Enter the report ID as obtained from the advanced query. | Text | Required | |
Alert Category | Enter the category of the alert. | Text | Optional | Default value: Allowed values: |
Example Request
[ { "machine_id": "111e6dd8c83ec1b19adaf497b625", "severity": "low", "description": "Sample Description", "alert_title": "Sample Title", "recommended_action": "Remediation", "event_time": "2018-08-03t16:45:21.7115183z", "report_id": "8c83ec1b19adaf497b625111e6dd", "category": "trojan" } ]
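As an added example (not the connector's or Microsoft's code), the Python below checks a Create Alert request for the required fields and the UTC Event Time format before it is sent, then applies the merge rule stated above against a constructed list of existing alerts in the response schema; it assumes that "open" means any status other than Resolved.

```python
import re
from typing import Any, Dict, List, Optional

# Keys of the connector's Create Alert request, taken from the example request.
REQUIRED_FIELDS = ("alert_title", "machine_id", "severity", "description",
                   "recommended_action", "event_time", "report_id")
# Event Time must be UTC; the page's example is "2018-08-03t16:45:21.7115183z"
# (up to seven fractional digits, case-insensitive T and Z).
UTC_TIMESTAMP = re.compile(
    r"^\d{4}-\d{2}-\d{2}[Tt]\d{2}:\d{2}:\d{2}(\.\d{1,7})?[Zz]$")


def validate_create_alert(req: Dict[str, Any]) -> List[str]:
    """Return the problems found in a Create Alert request (empty when valid).
    Every required field must be a non-empty string and event_time must be a
    UTC timestamp ending in Z, so a playbook fails fast rather than sending a
    request the API will reject."""
    problems = []
    for field in REQUIRED_FIELDS:
        value = req.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: required, non-empty string")
    event_time = req.get("event_time")
    if isinstance(event_time, str) and event_time and not UTC_TIMESTAMP.match(event_time):
        problems.append("event_time: must be a UTC timestamp ending in Z, "
                        "e.g. 2018-08-03T16:45:21.7115183Z")
    return problems


def find_merge_target(open_alerts: List[Dict[str, Any]],
                      req: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the existing alert the new one would be merged into, or None.
    Applies the page's rule: an open alert on the same device with the same
    title absorbs the new alert. Alerts use the response schema (machineId,
    title, status); "open" is assumed here to mean status is not Resolved."""
    for alert in open_alerts:
        if (alert.get("machineId") == req.get("machine_id")
                and alert.get("title") == req.get("alert_title")
                and alert.get("status") != "Resolved"):
            return alert
    return None


def plan_create_alert(open_alerts: List[Dict[str, Any]],
                      req: Dict[str, Any]) -> Dict[str, Any]:
    """Decide what the action would do: 'invalid', 'merge' or 'create'."""
    problems = validate_create_alert(req)
    if problems:
        return {"outcome": "invalid", "problems": problems}
    target = find_merge_target(open_alerts, req)
    if target:
        return {"outcome": "merge", "alert_id": target["id"]}
    return {"outcome": "create"}


# Constructed sample data: the page's example request, plus two alerts in the
# response schema; the first is already resolved and so is not a merge target.
SAMPLE_REQUEST = {
    "machine_id": "111e6dd8c83ec1b19adaf497b625", "severity": "low",
    "description": "Sample Description", "alert_title": "Sample Title",
    "recommended_action": "Remediation",
    "event_time": "2018-08-03t16:45:21.7115183z",
    "report_id": "8c83ec1b19adaf497b625111e6dd", "category": "trojan",
}
SAMPLE_OPEN_ALERTS = [
    {"id": "resolved-0001", "machineId": "111e6dd8c83ec1b19adaf497b625",
     "title": "Sample Title", "status": "Resolved"},
    {"id": "da637472900382838869_1364969609",
     "machineId": "111e6dd8c83ec1b19adaf497b625",
     "title": "Sample Title", "status": "New"},
]


if __name__ == "__main__":
    print(plan_create_alert(SAMPLE_OPEN_ALERTS, SAMPLE_REQUEST))
```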
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.id | String | ID of the application instance. Example: "da637472900382838869_1364969609". |
app_instance.incidentId | Number | ID of the incident. Example: 1126093. |
app_instance.investigationId | Null | Investigation ID. Example: null. |
app_instance.assignedTo | Null | Assigned user or group. Example: null. |
app_instance.severity | String | Severity level of the incident. Example: "Low". |
app_instance.status | String | Status of the incident. Example: "New". |
app_instance.classification | Null | Classification of the incident. Example: null. |
app_instance.determination | Null | Determination of the incident. Example: null. |
app_instance.investigationState | String | State of the investigation. Example: "Queued". |
app_instance.detectionSource | String | Source of detection. Example: "WindowsDefenderAtp". |
app_instance.detectorId | String | ID of the detector. Example: "17e10bbc-3a68-474a-8aad-faef14d43952". |
app_instance.category | String | Category of the incident. Example: "Execution". |
app_instance.threatFamilyName | Null | Name of the threat family. Example: null. |
app_instance.title | String | Title of the incident. Example: "Low-reputation arbitrary code executed by signed executable". |
app_instance.description | String | Description of the incident. Example: "Binaries signed by Microsoft can be used to run low-reputation arbitrary code...". |
app_instance.alertCreationTime | String | Timestamp when the alert was created. Example: "2021-01-26T20:33:57.7220239Z". |
app_instance.firstEventTime | String | Timestamp of the first event related to the incident. Example: "2021-01-26T20:31:32.9562661Z". |
app_instance.lastEventTime | String | Timestamp of the last event related to the incident. Example: "2021-01-26T20:31:33.0577322Z". |
app_instance.lastUpdateTime | String | Timestamp of the last update to the incident. Example: "2021-01-26T20:33:59.2Z". |
app_instance.resolvedTime | Null | Timestamp when the incident was resolved. Example: null. |
app_instance.machineId | String | ID of the affected machine. Example: "111e6dd8c833c8a052ea231ec1b19adaf497b625". |
app_instance.computerDnsName | String | DNS name of the affected computer. Example: "temp123.middleeast.corp.microsoft.com". |
app_instance.rbacGroupName | String | RBAC group name. Example: "A". |
app_instance.aadTenantId | String | Azure Active Directory tenant ID. Example: "a839b112-1253-6432-9bf6-94542403f21c". |
app_instance.threatName | Null | Name of the threat. |
app_instance.mitreTechniques | Array | MITRE ATT&CK techniques associated with the incident. |
app_instance.relatedUser.userName | String | Username of the related user. Example: "temp123". |
app_instance.relatedUser.domainName | String | Domain name of the related user. Example: "DOMAIN". |
app_instance.comments.comment | String | Comment associated with the incident. Example: "test comment for docs". |
app_instance.comments.createdBy | String | User who created the comment. Example: "secop123@contoso.com". |
app_instance.comments.createdTime | String | Timestamp when the comment was created. Example: "2021-01-26T01:00:37.8404534Z". |
app_instance.evidence.entityType | String | Type of entity providing evidence. Example: "User". |
app_instance.evidence.evidenceCreationTime | String | Timestamp when the evidence was created. Example: "2021-01-26T20:33:58.42Z". |
app_instance.evidence.accountName | String | Name of the account associated with the evidence. Example: "name". |
app_instance.evidence.domainName | String | Domain name associated with the evidence. Example: "DOMAIN". |
app_instance.evidence.userSid | String | User SID associated with the evidence. Example: "S-1-5-21-11111607-1111760036-109187956-75141". |
app_instance.evidence.aadUserId | String | Azure Active Directory user ID associated with the evidence. Example: "11118379-2a59-1111-ac3c-a51eb4a3c627" |
app_instance.evidence.userPrincipalName | String | User principal name associated with the evidence. Example: "temp123@microsoft.com". |
Action: Delete Indicator
This action deletes an indicator.
Note
You must have Ti.ReadWrite (Read and write TI Indicators) or Ti.ReadWrite.All (Read and write Indicators) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator ID | Enter the indicator ID. Example: "995" | Text | Required | |
Example Request
[ { "indicator_id": "995" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.Response | String | No content returned |
app_instance.Status Code | Integer | The status code of the response. Example: 200 |
Action: Filter Alerts by OData Query
This action filters alerts by OData filter query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter Query | Enter a filter query. For example, you can use a filter query such as "alertcreationtime gt 2019-09-18t01:00:00z" to retrieve alerts whose creation date is greater than the specified date. | Text | Required | |
Params | Enter a key-value pair for the filter query. For example, to get the top two alerts, use {"$top": 2}. | Key Value | Optional | |
Example Request
[ { "filter_query": "alertcreationtime gt 2019-09-18t01:00:00z", "params": {"$top":2} } ]
Action: Generic Action
This is a generic action to perform any additional use cases on Microsoft Defender.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint | Enter the endpoint. Example: "/indicators" | Text | Required | |
Method | Enter the HTTP method in capital letters. Example: "GET" | Text | Required | Accepted values: Default value: |
Headers | Enter additional headers as required. Example: $DICT{ "accept-type":"application/json"} | Key Value | Optional | |
JSON Data | Enter the JSON payload. Example: {"id": "da637472900382838869_1364969609","incidentid": 1126093,"investigationid": null,"assignedto": null,"severity": "low","status": "new"} | Key Value | Optional | |
Query Parameters | Enter the query parameters to pass. Example: {'$filter': filter_query} | Key Value | Optional | |
Example Request
{ "action_endpoint":"/indicators", "method":"GET", "headers":{ "accept-type":"application/json" }, "payload":{ "id":"da637472900382838869_1364969609", "incidentid":1126093, "investigationid":null, "assignedto":null, "severity":"low", "status":"new" }, "query_params":{ "$filter":"filter_query" } }
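The following Python is an added example, not the connector's own code, covering both the Filter Alerts by OData Query action above and the Generic Action: it assumes the Generic Action joins the Base URL, an /api prefix and the Endpoint field (constants DEFAULT_BASE_URL and API_PREFIX) and assumes a method allow-list (ALLOWED_METHODS), since the page does not reproduce the accepted values. It escapes OData string literals so a value copied from an alert cannot inject extra filter clauses, and refuses Endpoint values that would send the request (and the connector's token) to another host.

```python
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Assumed: the connector's "Base URL" setting, with Defender's /api prefix
# added when joining the Generic Action's Endpoint field (e.g. "/indicators").
DEFAULT_BASE_URL = "https://api.securitycenter.windows.com"
API_PREFIX = "/api"
# Assumed allow-list for the Method field; the page's own list is not shown.
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}
ODATA_OPERATORS = {"eq", "ne", "gt", "ge", "lt", "le"}
FIELD_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(/[A-Za-z][A-Za-z0-9_]*)*$")
# The page's Filter Alerts example instant, 2019-09-18T01:00:00Z.
EXAMPLE_CREATED_AFTER = datetime(2019, 9, 18, 1, 0, 0, tzinfo=timezone.utc)


def odata_literal(value: str) -> str:
    """Quote a string for $filter; an embedded ' is doubled so a value copied
    from an alert field cannot close the literal and append its own clauses."""
    return "'" + value.replace("'", "''") + "'"


def build_filter(conditions: List[Tuple[str, str, Any]]) -> str:
    """AND together (field, operator, value) triples into a $filter string.
    datetimes become UTC with a trailing Z, as in the page's example
    "alertcreationtime gt 2019-09-18t01:00:00z"; strings are quoted safely."""
    parts = []
    for field, op, value in conditions:
        if not FIELD_NAME.match(field):
            raise ValueError(f"invalid OData field name: {field!r}")
        if op not in ODATA_OPERATORS:
            raise ValueError(f"unsupported OData operator: {op!r}")
        if isinstance(value, datetime):
            if value.tzinfo is None:
                raise ValueError("datetime must be timezone-aware")
            lit = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        elif isinstance(value, bool):  # before int: bool is a subclass of int
            lit = "true" if value else "false"
        elif isinstance(value, int):
            lit = str(value)
        else:
            lit = odata_literal(str(value))
        parts.append(f"{field} {op} {lit}")
    return " and ".join(parts)


def endpoint_is_relative(endpoint: str) -> bool:
    """True only for a bare absolute path under the API base: full URLs and
    scheme-relative "//host/path" forms (which would carry the connector's
    bearer token to another host), embedded query strings and ".." segments
    are all rejected."""
    parts = urlsplit(endpoint)
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        return False
    if not endpoint.startswith("/") or endpoint.startswith("//"):
        return False
    return ".." not in parts.path.split("/")


def build_generic_request(endpoint: str, method: str,
                          headers: Optional[Dict[str, str]] = None,
                          payload: Optional[Dict[str, Any]] = None,
                          query_params: Optional[Dict[str, Any]] = None,
                          base_url: str = DEFAULT_BASE_URL) -> Dict[str, Any]:
    """Turn the Generic Action's fields into one concrete HTTP request.
    Returns {"method", "url", "headers", "body"}; the Authorization header is
    left to the connector, which holds the tenant's token."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method not allowed: {method}")
    if not endpoint_is_relative(endpoint):
        raise ValueError("endpoint must be a path such as /indicators")
    url = base_url.rstrip("/") + API_PREFIX + endpoint
    if query_params:
        url += "?" + urlencode(query_params)
    hdrs = {"Accept": "application/json", **(headers or {})}
    body = None
    if payload is not None and method != "GET":
        body = json.dumps(payload)
        hdrs.setdefault("Content-Type", "application/json")
    return {"method": method, "url": url, "headers": hdrs, "body": body}


def filter_alerts_request(created_after: datetime, top: int) -> Dict[str, Any]:
    """The page's Filter Alerts example sent through the Generic Action:
    alerts created after a UTC instant, limited to the first `top` results."""
    flt = build_filter([("alertCreationTime", "gt", created_after)])
    return build_generic_request("/alerts", "GET",
                                 query_params={"$filter": flt, "$top": top})


if __name__ == "__main__":
    print(filter_alerts_request(EXAMPLE_CREATED_AFTER, 2)["url"])
```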
Action: Get Alert Details by ID
This action retrieves the alert details based on the alert ID.
Note
You must have Alert.Read.All (Read all alerts) or Alert.ReadWrite.All (Read and write all alerts) permissions to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to retrieve the details. Example: "234" | Text | Required | You can retrieve alert IDs using the Get All Alerts action. |
Example Request
[ { "alert_id": "234" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.id | String | ID of the application instance. Example: "da637472900382838869_1364969609". |
app_instance.incidentId | Number | ID of the incident. Example: 1126093. |
app_instance.investigationId | Null | Investigation ID. Example: null. |
app_instance.assignedTo | Null | Assigned user or group. Example: null. |
app_instance.severity | String | Severity level of the incident. Example: "Low". |
app_instance.status | String | Status of the incident. Example: "New". |
app_instance.classification | Null | Classification of the incident. Example: null. |
app_instance.determination | Null | Determination of the incident. Example: null. |
app_instance.investigationState | String | State of the investigation. Example: "Queued". |
app_instance.detectionSource | String | Source of detection. Example: "WindowsDefenderAtp". |
app_instance.detectorId | String | ID of the detector. Example: "17e10bbc-3a68-474a-8aad-faef14d43952". |
app_instance.category | String | Category of the incident. Example: "Execution". |
app_instance.threatFamilyName | Null | Name of the threat family. Example: null. |
app_instance.title | String | Title of the incident. Example: "Low-reputation arbitrary code executed by signed executable". |
app_instance.description | String | Description of the incident. Example: "Binaries signed by Microsoft can be used to run low-reputation arbitrary code...". |
app_instance.alertCreationTime | String | Timestamp when the alert was created. Example: "2021-01-26T20:33:57.7220239Z". |
app_instance.firstEventTime | String | Timestamp of the first event related to the incident. Example: "2021-01-26T20:31:32.9562661Z". |
app_instance.lastEventTime | String | Timestamp of the last event related to the incident. Example: "2021-01-26T20:31:33.0577322Z". |
app_instance.lastUpdateTime | String | Timestamp of the last update to the incident. Example: "2021-01-26T20:33:59.2Z". |
app_instance.resolvedTime | Null | Timestamp when the incident was resolved. Example: null. |
app_instance.machineId | String | ID of the affected machine. Example: "111e6dd8c833c8a052ea231ec1b19adaf497b625". |
app_instance.computerDnsName | String | DNS name of the affected computer. Example: "temp123.middleeast.corp.microsoft.com". |
app_instance.rbacGroupName | String | RBAC group name. Example: "A". |
app_instance.aadTenantId | String | Azure Active Directory tenant ID. Example: "a839b112-1253-6432-9bf6-94542403f21c". |
app_instance.threatName | Null | Name of the threat. Example: null. |
app_instance.mitreTechniques | Array | MITRE ATT&CK techniques associated with the incident. Example: ["T1064", "T1085", "T1220"]. |
app_instance.relatedUser.userName | String | Username of the related user. Example: "temp123". |
app_instance.relatedUser.domainName | String | Domain name of the related user. Example: "DOMAIN". |
app_instance.comments.comment | String | Comment associated with the incident. Example: "test comment for docs". |
app_instance.comments.createdBy | String | User who created the comment. Example: "secop123@contoso.com". |
app_instance.comments.createdTime | String | Timestamp when the comment was created. Example: "2021-01-26T01:00:37.8404534Z". |
app_instance.evidence.entityType | String | Type of entity providing evidence. Example: "User". |
app_instance.evidence.evidenceCreationTime | String | Timestamp when the evidence was created. Example: "2021-01-26T20:33:58.42Z". |
app_instance.evidence.accountName | String | Name of the account associated with the evidence. Example: "name". |
app_instance.evidence.domainName | String | Domain name associated with the evidence. Example: "DOMAIN". |
app_instance.evidence.userSid | String | User SID associated with the evidence. Example: "S-1-5-21-11111607-1111760036-109187956-75141". |
app_instance.evidence.aadUserId | String | Azure Active Directory user ID associated with the evidence. Example: "11118379-2a59-1111-ac3c-a51eb4a3c627". |
app_instance.evidence.userPrincipalName | String | User principal name associated with the evidence. Example: "temp123@microsoft.com". |
Action: Get All Alerts
This action retrieves all the alerts.
Note
You must have Alert.Read.All (Read all alerts) permission to perform this action.
Action Input Parameters
This action does not require any input parameter.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.id | String | ID of the application instance. Example: "da637472900382838869_1364969609". |
app_instance.incidentId | Number | ID of the incident. Example: 1126093. |
app_instance.investigationId | Null | Investigation ID. Example: null. |
app_instance.assignedTo | Null | Assigned user or group. Example: null. |
app_instance.severity | String | Severity level of the incident. Example: "Low". |
app_instance.status | String | Status of the incident. Example: "New". |
app_instance.classification | Null | Classification of the incident. Example: null. |
app_instance.determination | Null | Determination of the incident. Example: null. |
app_instance.investigationState | String | State of the investigation. Example: "Queued". |
app_instance.detectionSource | String | Source of detection. Example: "WindowsDefenderAtp". |
app_instance.detectorId | String | ID of the detector. Example: "17e10bbc-3a68-474a-8aad-faef14d43952". |
app_instance.category | String | Category of the incident. Example: "Execution". |
app_instance.threatFamilyName | Null | Name of the threat family. Example: null. |
app_instance.title | String | Title of the incident. Example: "Low-reputation arbitrary code executed by signed executable". |
app_instance.description | String | Description of the incident. Example: "Binaries signed by Microsoft can be used to run low-reputation arbitrary code...". |
app_instance.alertCreationTime | String | Timestamp when the alert was created. Example: "2021-01-26T20:33:57.7220239Z". |
app_instance.firstEventTime | String | Timestamp of the first event related to the incident. Example: "2021-01-26T20:31:32.9562661Z". |
app_instance.lastEventTime | String | Timestamp of the last event related to the incident. Example: "2021-01-26T20:31:33.0577322Z". |
app_instance.lastUpdateTime | String | Timestamp of the last update to the incident. Example: "2021-01-26T20:33:59.2Z". |
app_instance.resolvedTime | Null | Timestamp when the incident was resolved. Example: null. |
app_instance.machineId | String | ID of the affected machine. Example: "111e6dd8c833c8a052ea231ec1b19adaf497b625". |
app_instance.computerDnsName | String | DNS name of the affected computer. Example: "temp123.middleeast.corp.microsoft.com". |
app_instance.rbacGroupName | String | RBAC group name. Example: "A". |
app_instance.aadTenantId | String | Azure Active Directory tenant ID. Example: "a839b112-1253-6432-9bf6-94542403f21c". |
app_instance.threatName | Null | Name of the threat. Example: null. |
app_instance.mitreTechniques | Array | MITRE ATT&CK techniques associated with the incident. Example: ["T1064", "T1085", "T1220"]. |
app_instance.relatedUser.userName | String | Username of the related user. Example: "temp123". |
app_instance.relatedUser.domainName | String | Domain name of the related user. Example: "DOMAIN". |
app_instance.comments.comment | String | Comment associated with the incident. Example: "test comment for docs". |
app_instance.comments.createdBy | String | User who created the comment. Example: "secop123@contoso.com". |
app_instance.comments.createdTime | String | Timestamp when the comment was created. Example: "2021-01-26T01:00:37.8404534Z". |
app_instance.evidence.entityType | String | Type of entity providing evidence. Example: "User". |
app_instance.evidence.evidenceCreationTime | String | Timestamp when the evidence was created. Example: "2021-01-26T20:33:58.42Z". |
app_instance.evidence.accountName | String | Name of the account associated with the evidence. Example: "name". |
app_instance.evidence.domainName | String | Domain name associated with the evidence. Example: "DOMAIN". |
app_instance.evidence.userSid | String | User SID associated with the evidence. Example: "S-1-5-21-11111607-1111760036-109187956-75141". |
app_instance.evidence.aadUserId | String | Azure Active Directory user ID associated with the evidence. Example: "11118379-2a59-1111-ac3c-a51eb4a3c627". |
app_instance.evidence.userPrincipalName | String | User principal name associated with the evidence. Example: "temp123@microsoft.com". |
Action: Get Anti Virus Scans Information
This action retrieves the anti-virus scan information by OData query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
OData Query | Enter the OData query to filter the Microsoft Defender ATP's anti-virus scan results. Example: You can use this query to get all the anti-virus scans that the user analyst@examples.onmicrosoft.com has performed. | Text | Required | |
Query Params | Enter key-value pairs to filter the query result. Example: To get the top 10 results for the query passed, use this query. | Key Value | Optional | |
Example Request
{ "filter_query":"requestor eq 'analyst@wcdtestprd.onmicrosoft.com' and type eq 'runantivirusscan' ", "params":{ "$top":10 } }
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | The context URL for OData metadata. Example: "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity". |
app_instance.id | String | The unique identifier for the action. Example: "5382f7ea-7557-4ab7-9782-d50480024a4e". |
app_instance.type | String | The type of action taken. Example: "runantivirusscan". |
app_instance.scope | String | The scope of the action. Example: "Selective". |
app_instance.requestor | String | The person who requested the action. Example: "Analyst@TestPrd.onmicrosoft.com". |
app_instance.requestorComment | String | Comments from the requestor. Example: "test for docs". |
app_instance.status | String | The current status of the action. Example: "Succeeded". |
app_instance.machineId | String | The unique identifier of the machine. Example: "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378". |
app_instance.computerDnsName | String | The DNS name of the computer. Example: "desktop-test". |
app_instance.creationDateTimeUtc | String | UTC timestamp of when the action was created. Example: "2019-01-02T14:39:38.2262283Z". |
app_instance.lastUpdateDateTimeUtc | String | UTC timestamp of the last update to the action. Example: "2019-01-02T14:40:44.6596267Z". |
app_instance.relatedFileInfo | Null | Information related to the file involved in the action. |
Action: Get File Information
This action retrieves all the file-related information and can be used to look up indicator/hash details.
Note
You must have File.Read.All (Read all file profiles) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Sha1 Hash | Enter the SHA-1 hash of the file as 40 hexadecimal characters. Example: "4388963aaa83afe2042a46a3c017ad50bdcdafb3" | Text | Required | |
Example Request
[ { "file_hash_sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | The context URL for OData metadata. Example: "https://api.security.microsoft.com/api/$metadata#Files/$entity". |
app_instance.sha1 | String | The SHA-1 hash of the file. Example: "4388963aaa83afe2042a46a3c017ad50bdcdafb3". |
app_instance.sha256 | String | The SHA-256 hash of the file. Example: "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462". |
app_instance.globalPrevalence | Integer | The number of times the file has been observed globally. Example: 180022. |
app_instance.globalFirstObserved | String | UTC timestamp of when the file was first observed globally. Example: "2017-09-19T03:51:27.6785431Z". |
app_instance.globalLastObserved | String | UTC timestamp of when the file was last observed globally. Example: "2020-01-06T03:59:21.3229314Z". |
app_instance.size | Integer | The size of the file in bytes. Example: 22139496. |
app_instance.fileType | String | The type of the file. Example: "APP". |
app_instance.isPeFile | Boolean | Indicates whether the file is a PE file. Example: true. |
app_instance.filePublisher | String | The publisher of the file. Example: "CHENGDU YIWO Tech Development Co., Ltd.". |
app_instance.fileProductName | String | The product name of the file. Example: "EaseUS MobiSaver for Android". |
app_instance.signer | String | The signer of the file. Example: "CHENGDU YIWO Tech Development Co., Ltd.". |
app_instance.issuer | String | The issuer of the file certificate. Example: "VeriSign Class 3 Code Signing 2010 CA". |
app_instance.signerHash | String | The hash of the signer. Example: "6c3245d4a9bc0244d99dff27af259cbbae2e2d16". |
app_instance.isValidCertificate | Boolean | Indicates whether the certificate is valid. Example: false. |
app_instance.determinationType | String | The type of determination made for the file. Example: "Pua". |
app_instance.determinationValue | String | The value of the determination made for the file. Example: "PUA:Win32/FusionCore". |
Action: Get Logged on Users
This action retrieves the collection of logged-on users on a specific device.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "1e5bc9d7e413ddd7902c2932e418702b84d0cc07" | Text | Required | You can retrieve machine ID using the List All machines action. |
Example Request
[ { "machine_id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance.@odata.context | String | The context URL for OData metadata. Example: "https://api.securitycenter.microsoft.com/api/$metadata#Users". |
app_instance.value | Array | An array of user objects. Each object contains details about a user. |
app_instance.value.id | String | The ID of the user. Example: "contoso\\user1". |
app_instance.value.accountName | String | The account name of the user. Example: "user1". |
app_instance.value.accountDomain | String | The domain of the user account. Example: "contoso". |
app_instance.value.firstSeen | String | UTC timestamp of when the user was first seen. Example: "2019-12-18T08:02:54Z". |
app_instance.value.lastSeen | String | UTC timestamp of when the user was last seen. Example: "2020-01-06T08:01:48Z". |
app_instance.value.logonTypes | String | The types of logons used by the user. Example: "Interactive". |
app_instance.value.isDomainAdmin | Boolean | Indicates whether the user is a domain admin. Example: true. |
app_instance.value.isOnlyNetworkUser | Boolean | Indicates whether the user is only a network user. Example: false. |
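A practical use of this response is spotting privileged accounts whose logons left reusable credentials on the device. The Python below is an added example, not connector code and not from Microsoft: it evaluates a constructed response shaped like the table above and flags domain admins with an interactive-style logon seen within a recent window, skipping accounts that only ever logged on over the network (which leaves nothing for a credential thief to harvest from LSASS). The set of credential-caching logon types is this example's assumption, as are all account names and timestamps.

```python
from datetime import datetime, timedelta

# Constructed sample response, shaped like the Get Logged on Users output above;
# the accounts and timestamps are placeholders, not real data.
SAMPLE_RESPONSE = {
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
    "value": [
        {"id": "contoso\\user1", "accountName": "user1", "accountDomain": "contoso",
         "firstSeen": "2019-12-18T08:02:54Z", "lastSeen": "2020-01-06T08:01:48Z",
         "logonTypes": "Interactive", "isDomainAdmin": True, "isOnlyNetworkUser": False},
        {"id": "contoso\\svc-backup", "accountName": "svc-backup", "accountDomain": "contoso",
         "firstSeen": "2019-12-01T00:00:00Z", "lastSeen": "2020-01-06T07:30:00Z",
         "logonTypes": "Network", "isDomainAdmin": True, "isOnlyNetworkUser": True},
        {"id": "contoso\\user2", "accountName": "user2", "accountDomain": "contoso",
         "firstSeen": "2019-12-20T10:00:00Z", "lastSeen": "2019-12-30T09:00:00Z",
         "logonTypes": "RemoteInteractive", "isDomainAdmin": False, "isOnlyNetworkUser": False},
    ],
}

# Assumption: logon types that leave reusable credential material (NT hashes, Kerberos
# tickets) in LSASS on the device. A pure Network logon does not, which is why the
# isOnlyNetworkUser flag is a cheap first filter.
CREDENTIAL_CACHING_LOGONS = {"Interactive", "RemoteInteractive", "Batch", "Service", "CachedInteractive"}


def parse_utc(value: str) -> datetime:
    """Parse the whole-second UTC timestamps this endpoint returns ('...Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def privileged_exposures(response: dict, now: datetime, window: timedelta) -> list:
    """Domain admins whose logons cached credentials on this device within `window` before `now`."""
    findings = []
    for user in response.get("value", []):
        if not user.get("isDomainAdmin") or user.get("isOnlyNetworkUser"):
            continue
        # logonTypes is a comma-separated string such as "Interactive,Network"
        logon_types = {t.strip() for t in user.get("logonTypes", "").split(",") if t.strip()}
        risky = logon_types & CREDENTIAL_CACHING_LOGONS
        if not risky:
            continue
        if now - parse_utc(user["lastSeen"]) > window:
            continue
        findings.append({"user": user["id"], "logonTypes": sorted(risky), "lastSeen": user["lastSeen"]})
    return findings


def findings_in_sample(now_utc: str, days: int) -> list:
    """Evaluate the constructed sample as of `now_utc` with a look-back window of `days`."""
    return privileged_exposures(SAMPLE_RESPONSE, parse_utc(now_utc), timedelta(days=days))
```

In a playbook the finding would feed the isolation decision: a device with an alert and a recently cached domain admin credential is a lateral-movement launch point, so containment and a credential reset for that account both belong in the response.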
Action: Get Machine Actions
This action retrieves a single machine action by its ID, including its current status.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine Action ID | Enter the machine action ID. Example: "2e9da30d-27f6-4208-81f2-9cd3d67893ba" | Text | Required | You can retrieve machine actions using the List Machine Actions action. |
Example Request
[ { "machineaction_id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.id | String | Unique identifier for the action. Example: 5382f7ea-7557-4ab7-9782-d50480024a4e |
app_instance.type | String | Type of the action performed. Example: Isolate |
app_instance.scope | String | Scope of the action. Example: Selective |
app_instance.requestor | String | Email of the person who requested the action. Example: Analyst@TestPrd.onmicrosoft.com |
app_instance.requestorComment | String | Comment provided by the requestor. Example: test for docs |
app_instance.status | String | Status of the action. Example: Succeeded |
app_instance.machineId | String | Unique identifier for the machine. Example: 7b1f4967d9728e5aa3c06a9e617a22a4a5a17378 |
app_instance.computerDnsName | String | DNS name of the computer. Example: desktop-test |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2019-01-02T14:39:38.2262283Z |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2019-01-02T14:40:44.6596267Z |
app_instance.relatedFileInfo | Null | Information about the related file, if any. Example: null |
Action: Get Machine Information by ID
This action retrieves the machine details by machine ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8c83ec1b19adaf497b625" | Text | Required | You can retrieve machine IDs using the List All Machines action. |
Example Request
[ { "machine_id": "111e6dd8c83ec1b19adaf497b625" } ]
Action: Get Machines by IP Address
This action retrieves the machines that were seen with the given internal IP address around the given timestamp.
Note
You must have Machine.Read.All (Read all machine profiles) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine IP Address | Enter the internal IP address of the machine. Example: "1.1.1.1" | Text | Required | Defender matches devices that were seen with this internal IP within 15 minutes before or after the timestamp. |
Timestamp | Enter the timestamp in ISO 8601 format. Example: "2018-09-22t08:44:05z" | Text | Required | The timestamp must fall within the last 30 days. |
Example Request
[ { "machine_ip_address": "1.1.1.1", "timestamp": "2018-09-22t08:44:05z" } ]
Action: Get Machines Information
This action retrieves machine information by OData query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter Query | Enter an OData query to filter the machines. Example: To retrieve the machines with a high risk score, use the filter shown in the example request below. | Text | Required | |
Query Params | Enter the key-value pairs of extra OData query options to apply to the result. Example: To retrieve only the top 100 machines, add $top as in the example request below. | Key Value | Optional | |
Example Request
{ "filter_query":"riskscore eq 'high'", "params":{ "$top":100 } }
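Both OData-driven actions on this page (Get Anti Virus Scans Information above and Get Machines Information here) take a filter string that playbooks typically assemble from analyst or indicator input. The Python below is an added example, not connector code and not from Microsoft's SDK: it quotes string literals the OData way (a single quote is doubled) so that a requestor such as o'brien@... or an injected ' or ... fragment cannot change the filter's meaning, allow-lists the action type and risk score vocabularies, and renders the filter_query/params body to the query string the API receives. The riskScore values and the cap on $top are this example's assumptions; property and value casing follows Microsoft's documented filter examples (riskScore, High) rather than the lowercase spelling in the example request above.

```python
from urllib.parse import urlencode

# Machine action types as the responses on this page spell them. The connector's own
# example uses lowercase ("runantivirusscan"); match whatever casing your tenant returns in `type`.
MACHINE_ACTION_TYPES = {
    "RunAntiVirusScan", "Isolate", "Unisolate",
    "RestrictCodeExecution", "UnrestrictCodeExecution",
}
RISK_SCORES = {"None", "Informational", "Low", "Medium", "High"}  # assumption: riskScore vocabulary
MAX_TOP = 10_000  # assumption: a defensive cap on $top, not a documented API limit


def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter; a single quote inside the value is escaped by doubling it."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control characters are not valid inside a filter literal")
    return "'" + value.replace("'", "''") + "'"


def machine_actions_filter(requestor: str, action_type: str) -> str:
    """Filter for Get Anti Virus Scans Information: actions of one type requested by one person."""
    canonical = {t.lower(): t for t in MACHINE_ACTION_TYPES}.get(action_type.lower())
    if canonical is None:
        raise ValueError(f"unsupported machine action type: {action_type!r}")
    return f"requestor eq {odata_literal(requestor)} and type eq {odata_literal(canonical)}"


def machines_filter(risk_score: str, health_status: str = None) -> str:
    """Filter for Get Machines Information: machines at a given risk score, optionally by health status."""
    if risk_score not in RISK_SCORES:
        raise ValueError(f"unknown riskScore: {risk_score!r}")
    clauses = [f"riskScore eq {odata_literal(risk_score)}"]
    if health_status is not None:
        clauses.append(f"healthStatus eq {odata_literal(health_status)}")
    return " and ".join(clauses)


def build_request(filter_query: str, top: int = None) -> dict:
    """Shape the action input: the filter string plus optional OData system query options."""
    params = {}
    if top is not None:
        if not 1 <= top <= MAX_TOP:
            raise ValueError(f"$top must be between 1 and {MAX_TOP}")
        params["$top"] = top
    return {"filter_query": filter_query, "params": params}


def to_query_string(request: dict) -> str:
    """Render what goes on the wire: $filter plus the extra params, URL-encoded."""
    return urlencode({"$filter": request["filter_query"], **request["params"]})
```

The doubled quote is what neutralises an injected value: a requestor of x' or 1 eq 1 or requestor eq 'y becomes one literal containing those characters, never three comparisons.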
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | The context URL for OData metadata. Example: "https://api.security.microsoft.com/api/$metadata#Machine". |
app_instance.id | String | The unique identifier of the machine. Example: "1e5bc9d7e413ddd7902c2932e418702b84d0cc07". |
app_instance.computerDnsName | String | The DNS name of the computer. Example: "mymachine1.contoso.com". |
app_instance.firstSeen | String | UTC timestamp of when the machine was first seen. Example: "2018-08-02T14:55:03.7791856Z". |
app_instance.lastSeen | String | UTC timestamp of when the machine was last seen. Example: "2018-08-02T14:55:03.7791856Z". |
app_instance.osPlatform | String | The operating system platform. Example: "Windows10", "Windows11". |
app_instance.version | String | The version of the operating system. Example: "1709". |
app_instance.osProcessor | String | The processor architecture of the operating system. Example: "x64". |
app_instance.lastIpAddress | String | The last known IP address of the machine. Example: "172.17.230.209". |
app_instance.lastExternalIpAddress | String | The last known external IP address of the machine. Example: "167.220.196.71". |
app_instance.osBuild | Integer | The build number of the operating system. Example: 18209. |
app_instance.healthStatus | String | The health status of the machine. Example: "Active". |
app_instance.rbacGroupId | Integer | The RBAC group ID. Example: 140. |
app_instance.rbacGroupName | String | The name of the RBAC group. Example: "The-A-Team". |
app_instance.riskScore | String | The risk score of the machine. Example: "Low". |
app_instance.exposureLevel | String | The exposure level of the machine. Example: "Medium". |
app_instance.isAadJoined | Boolean | Indicates whether the machine is joined to Azure Active Directory. Example: true. |
app_instance.aadDeviceId | String | The Azure AD device ID. Example: "80fe8ff8-2624-418e-9591-41f0491218f9". |
app_instance.machineTags | Array | Tags associated with the machine. Example: ["test tag 1"]. |
Action: Initiate Machine Investigation
This action starts an automated investigation on a machine.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8c83ec1b19adaf497b625" | Text | Required | You can retrieve machine ID using the List all Machines action. |
Comment | Enter the comment to associate with the action. Example: "Example Comment" | Text | Required |
Example Request
[ { "machine_id": "111e6dd8c83ec1b19adaf497b625", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.id | String | The unique identifier of the automated investigation. Example: "63004". |
app_instance.startTime | String | UTC timestamp of when the investigation started. Example: "2020-01-06T13:05:15Z". |
app_instance.endTime | String | UTC timestamp of when the investigation ended. Null while it is still running. Example: null. |
app_instance.state | String | The current state of the investigation. Example: "Running". |
app_instance.cancelledBy | String | The identifier of the user who canceled the investigation. Null if not canceled. |
app_instance.statusDetails | String | Additional details about the status of the investigation. Example: null. |
app_instance.machineId | String | The unique identifier of the machine being investigated. Example: "e828a0624ed33f919db541065190d2f75e50a071". |
app_instance.computerDnsName | String | The DNS name of the computer. Example: "desktop-test123". |
app_instance.triggeringAlertId | String | The unique identifier of the alert that triggered the investigation. Example: "da637139127150012465_1011995739". |
Action: Isolate a Machine
This action isolates a device from accessing external network.
Note
You must have Machine.Isolate (Isolate machine) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8c83ec1b19adaf497b625" | Text | Required | You can retrieve machine ID using the List All Machines action. |
Isolation type | Enter the isolation type. Example: "full" | Text | Required | Allowed values: Full, Selective. Full isolation cuts all network connectivity except the device's connection to the Defender service; Selective isolation additionally keeps Outlook, Teams, and Skype for Business connectivity so the user can still be reached during the investigation. |
Comment | Enter the comment associated with the action. Example: "Example Comment" | Text | Required |
Example Request
[ { "machine_id": "111e6dd8c83ec1b19adaf497b625", "isolation_type": "full", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#MachineActions |
app_instance.cancellationComment | Null | Comment provided when the action was canceled, if any. Example: null |
app_instance.cancellationDateTimeUtc | Null | Date and time when the action was canceled in UTC, if any. Example: null |
app_instance.cancellationRequestor | Null | User who requested the cancellation, if any. Example: null |
app_instance.commands | Array | List of commands associated with the action. Example: [] |
app_instance.computerDnsName | String | DNS name of the computer. Example: adserver.adtestlab.com |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2024-05-28T05:51:04.6368462Z |
app_instance.errorHResult | Integer | Error code associated with the action, if any. Example: -2145844840 |
app_instance.externalId | Null | External identifier for the action, if any. Example: null |
app_instance.id | String | Unique identifier for the action. Example: c757f294-d3a0-4b55-9a0a-1fda7ac6da98 |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2024-05-31T06:05:27.344646Z |
app_instance.machineId | String | Unique identifier for the machine. Example: 07196b51b2b5390a1194bcee8ae33b690a1b1bde |
app_instance.relatedFileInfo | Null | Information about related files, if any. Example: null |
app_instance.requestSource | String | Source of the request. Example: PublicApi |
app_instance.requestor | String | Person who requested the action. Example: MS-Cyware |
app_instance.requestorComment | String | Comment provided by the requestor. Example: testing purpose |
app_instance.scope | String | Scope of the action, if any. Example: Full |
app_instance.status | String | Status of the action. Example: TimeOut |
app_instance.title | Null | Title of the action, if any. Example: null |
app_instance.troubleshootInfo | Null | Information for troubleshooting, if any. Example: null |
app_instance.type | String | Type of action performed. Example: Isolate |
app_instance.status_code | Integer | HTTP status code of the response. Example: 200 |
Action: List all Indicators
This action is used to list all active indicators.
Note
You must have Ti.ReadWrite.All (Read and write All Indicators) permission to perform this action.
Action Input Parameters
This action does not require any input parameter.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#Indicators |
app_instance.action | String | Action to be taken. Example: Warn |
app_instance.category | Integer | Category of the indicator. Example: 1 |
app_instance.createdBy | String | ID of the user who created the indicator. Example: cfef9c29-4e41-463a-b1a5-77ace2dc862c |
app_instance.createdByDisplayName | String | Display name of the user who created the indicator. Example: sentinel |
app_instance.createdBySource | String | Source of the user who created the indicator. Example: PublicApi |
app_instance.creationTimeDateTimeUtc | String | Creation time of the indicator in UTC format. Example: 2022-04-06T09:03:36.8868829Z |
app_instance.description | String | Description of the indicator. Example: IOC Added from CTIX Rule |
app_instance.generateAlert | Boolean | Flag indicating whether to generate an alert. Example: false |
app_instance.id | String | ID of the indicator. Example: 1 |
app_instance.indicatorType | String | Type of the indicator. Example: IpAddress |
app_instance.indicatorValue | String | Value of the indicator. Example: 1.1.1.1 |
app_instance.lastUpdateTime | String | The last update time for the indicator is in UTC format. Example: 2022-04-06T09:34:48.1592366Z |
app_instance.lastUpdatedBy | String | ID of the user who last updated the indicator. Example: cfef9c29-4e41-463a-b1a5-77ace2dc862c |
app_instance.severity | String | Severity level of the indicator. Example: Informational |
app_instance.title | String | Title of the indicator. Example: IpAddress |
Action: List all Machines
This action is used to list all the machines.
Note
You must have Machine.ReadWrite.All (Read and write all machine information) permission to perform this action. The underlying Defender API also accepts the read-only Machine.Read.All permission for listing machines; prefer it when the app instance is not used for write actions.
Action Input Parameters
This action does not require any input parameter.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | The context URL for OData metadata. Example: "https://api.security.microsoft.com/api/$metadata#Machine". |
app_instance.id | String | The unique identifier of the machine. Example: "1e5bc9d7e413ddd7902c2932e418702b84d0cc07". |
app_instance.computerDnsName | String | The DNS name of the computer. Example: "mymachine1.contoso.com". |
app_instance.firstSeen | String | UTC timestamp of when the machine was first seen. Example: "2018-08-02T14:55:03.7791856Z". |
app_instance.lastSeen | String | UTC timestamp of when the machine was last seen. Example: "2018-08-02T14:55:03.7791856Z". |
app_instance.osPlatform | String | The operating system platform. Example: "Windows10", "Windows11". |
app_instance.version | String | The version of the operating system. Example: "1709". |
app_instance.osProcessor | String | The processor architecture of the operating system. Example: "x64". |
app_instance.lastIpAddress | String | The last known IP address of the machine. Example: "172.17.230.209". |
app_instance.lastExternalIpAddress | String | The last known external IP address of the machine. Example: "167.220.196.71". |
app_instance.osBuild | Integer | The build number of the operating system. Example: 18209. |
app_instance.healthStatus | String | The health status of the machine. Example: "Active". |
app_instance.rbacGroupId | Integer | The RBAC group ID. Example: 140. |
app_instance.rbacGroupName | String | The name of the RBAC group. Example: "The-A-Team". |
app_instance.riskScore | String | The risk score of the machine. Example: "Low". |
app_instance.exposureLevel | String | The exposure level of the machine. Example: "Medium". |
app_instance.isAadJoined | Boolean | Indicates whether the machine is joined to Azure Active Directory. Example: true. |
app_instance.aadDeviceId | String | The Azure AD device ID. Example: "80fe8ff8-2624-418e-9591-41f0491218f9". |
app_instance.machineTags | Array | Tags associated with the machine. Example: ["test tag 1"]. |
Action: Perform Advanced Hunting
This action performs advanced hunting based on the specified query.
Note
You must have AdvancedQuery.Read.All (Run advanced queries) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query for Advanced Hunting | Enter the query to perform advanced hunting. Example: "DeviceProcessEvents |where InitiatingProcessFileName =~ 'powershell.exe' |where ProcessCommandLine contains 'appdata' |project Timestamp, FileName, InitiatingProcessFileName, DeviceId |limit 2" | Text | Required | The advanced hunting API caps the size of a result set and rate-limits calls per tenant, so keep a limit clause or tight where clauses in the query. Only the last 30 days of data can be queried. |
Example Request
[ { "query_to_run": "DeviceProcessEvents |where InitiatingProcessFileName =~ 'powershell.exe' |where ProcessCommandLine contains 'appdata' |project Timestamp, FileName, InitiatingProcessFileName, DeviceId |limit 2" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.Schema | Array | An array of schema definitions for the data. |
app_instance.Schema.Name | String | The name of the schema field. Example: "Timestamp". |
app_instance.Schema.Type | String | The type of the schema field. Example: "DateTime". |
app_instance.Results | Array | An array of results corresponding to the schema. |
app_instance.Results.Timestamp | DateTime | The timestamp of the event. Example: "2020-02-05T01:10:26.2648757Z". |
app_instance.Results.FileName | String | The name of the file involved in the event. Example: "csc.exe". |
app_instance.Results.InitiatingProcessFileName | String | The name of the initiating process. Example: "powershell.exe". |
app_instance.Results.DeviceId | String | The unique identifier of the device. Example: "10cbf9182d4e95660362f65cfa67c7731f62fdb3". |
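Playbooks usually build the hunting query from indicator values that came from outside (a ticket, a feed, an alert), and then have to turn the Schema/Results pair back into typed rows. The Python below is an added example, not connector code and not from Microsoft: it validates SHA-1 hashes before they reach the query, quotes any remaining string the Kusto way (backslash-escaping the backslash and the single quote) so an indicator cannot smuggle in extra operators, composes a DeviceProcessEvents query for a set of hashes, and parses a constructed response shaped like the table above, converting DateTime columns to aware datetimes even though the service emits seven fractional digits. The row cap on the limit clause is this example's assumption.

```python
import re
from datetime import datetime, timezone

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
MAX_ROWS = 10_000  # assumption: a defensive cap for the limit clause, not a documented API value


def kql_literal(value: str) -> str:
    """Quote a string for Kusto: a backslash and a single quote are escaped with a backslash."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control characters are not valid inside a KQL string literal")
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def hunt_for_hashes(sha1_hashes, device_id: str = None, limit: int = 100) -> str:
    """Build a DeviceProcessEvents query for a set of SHA-1 hashes, optionally scoped to one device."""
    hashes = sorted({h.lower() for h in sha1_hashes})
    for h in hashes:
        if not SHA1_RE.match(h):
            raise ValueError(f"not a SHA-1 hex digest: {h!r}")
    if not hashes or not 1 <= limit <= MAX_ROWS:
        raise ValueError("need at least one hash and a limit between 1 and MAX_ROWS")
    lines = [
        "DeviceProcessEvents",
        "| where SHA1 in (" + ", ".join(kql_literal(h) for h in hashes) + ")",
    ]
    if device_id is not None:
        lines.append(f"| where DeviceId == {kql_literal(device_id)}")
    lines += [
        "| project Timestamp, DeviceId, FileName, InitiatingProcessFileName, SHA1",
        f"| limit {limit}",
    ]
    return "\n".join(lines)


def parse_utc(value: str) -> datetime:
    """Parse the API's UTC timestamps, truncating 7-digit fractional seconds to microseconds."""
    body = value.rstrip("Z")
    if "." in body:
        whole, frac = body.split(".", 1)
        body = f"{whole}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(body).replace(tzinfo=timezone.utc)


def rows_from_response(response: dict) -> list:
    """Turn the Schema/Results payload into typed rows; DateTime columns become aware datetimes."""
    types = {col["Name"]: col["Type"] for col in response.get("Schema", [])}
    rows = []
    for result in response.get("Results", []):
        row = {}
        for name, raw in result.items():
            row[name] = parse_utc(raw) if raw is not None and types.get(name) == "DateTime" else raw
        rows.append(row)
    return rows


# Constructed response, shaped after the example values in the table above.
SAMPLE_RESPONSE = {
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "FileName", "Type": "String"},
        {"Name": "InitiatingProcessFileName", "Type": "String"},
        {"Name": "DeviceId", "Type": "String"},
    ],
    "Results": [
        {"Timestamp": "2020-02-05T01:10:26.2648757Z", "FileName": "csc.exe",
         "InitiatingProcessFileName": "powershell.exe",
         "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"},
    ],
}
```

Validating the hash against a strict regex is the primary control; the literal escaping is the backstop for fields such as DeviceId or a file name where the value space is not as tightly defined.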
Action: Remove App Restriction
This action removes the code-execution restriction previously applied with Restrict App Execution on Machine, so that applications not signed by Microsoft can run on the machine again.
Note
You must have Machine.RestrictExecution (Restrict code execution) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8231ec1b19adaf497b625" | Text | Required | You can retrieve machine ID using the List All Machines action. |
Comment | Enter the comment to associate with the action. Example: "Example Comment" | Text | Required |
Example Request
[ { "machine_id": "111e6dd8231ec1b19adaf497b625", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity |
app_instance.cancellationComment | Null | Comment provided when the action was canceled, if any. Example: null |
app_instance.cancellationDateTimeUtc | Null | Date and time when the action was canceled in UTC, if any. Example: null |
app_instance.cancellationRequestor | Null | User who requested the cancellation, if any. Example: null |
app_instance.commands | Array | List of commands associated with the action. Example: [] |
app_instance.computerDnsName | String | DNS name of the computer. Example: adserver.adtestlab.com |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2024-06-14T08:17:31.497485Z |
app_instance.errorHResult | Integer | Error code associated with the action, if any. Example: 0 |
app_instance.externalId | Null | External identifier for the action, if any. Example: null |
app_instance.id | String | Unique identifier for the action. Example: 829b7356-9988-4e40-b45a-65d1497d05e7 |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2024-06-14T08:17:31.4974855Z |
app_instance.machineId | String | Unique identifier for the machine. Example: 07196b51b2b5390a1194bcee8ae33b690a1b1bde |
app_instance.relatedFileInfo | Null | Information about related files, if any. Example: null |
app_instance.requestSource | String | Source of the request. Example: PublicApi |
app_instance.requestor | String | Person who requested the action. Example: MS-Cyware |
app_instance.requestorComment | String | Comment provided by the requestor. Example: testing |
app_instance.scope | Null | Scope of the action, if any. Example: null |
app_instance.status | String | Status of the action. Example: Pending |
app_instance.title | Null | Title of the action, if any. Example: null |
app_instance.type | String | Type of action performed. Example: UnrestrictCodeExecution |
app_instance.status_code | Integer | HTTP status code of the response. Example: 201 |
Action: Remove Machine from Isolation
This action removes a machine from isolation.
Note
You must have Machine.Isolate (Isolate machine) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8231ec1b19adaf497b625" | Text | Required | You can retrieve machine ID using the List All Machines action. |
Comment | Enter the comment to associate with this action. Example: "Example Comment" | Text | Required |
Example Request
[ { "machine_id": "111e6dd8231ec1b19adaf497b625", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#MachineActions |
app_instance.cancellationComment | Null | Comment provided when the action was canceled, if any. Example: null |
app_instance.cancellationDateTimeUtc | Null | Date and time when the action was canceled in UTC, if any. Example: null |
app_instance.cancellationRequestor | Null | User who requested the cancellation, if any. Example: null |
app_instance.commands | Array | List of commands associated with the action. Example: [] |
app_instance.computerDnsName | String | DNS name of the computer. Example: adserver.adtestlab.com |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2024-05-28T05:51:04.6368462Z |
app_instance.errorHResult | Integer | Error code associated with the action, if any. Example: -2145844840 |
app_instance.externalId | Null | External identifier for the action, if any. Example: null |
app_instance.id | String | Unique identifier for the action. Example: c757f294-d3a0-4b55-9a0a-1fda7ac6da98 |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2024-05-31T06:05:27.344646Z |
app_instance.machineId | String | Unique identifier for the machine. Example: 07196b51b2b5390a1194bcee8ae33b690a1b1bde |
app_instance.relatedFileInfo | Null | Information about related files, if any. Example: null |
app_instance.requestSource | String | Source of the request. Example: PublicApi |
app_instance.requestor | String | Person who requested the action. Example: MS-Cyware |
app_instance.requestorComment | String | Comment provided by the requestor. Example: testing purpose |
app_instance.scope | String | Scope of the action, if any. Example: Full |
app_instance.status | String | Status of the action. Example: TimeOut |
app_instance.title | Null | Title of the action, if any. Example: null |
app_instance.troubleshootInfo | Null | Information for troubleshooting, if any. Example: null |
app_instance.type | String | Type of action performed. Example: Unisolate |
app_instance.status_code | Integer | HTTP status code of the response. Example: 200 |
Action: Restrict App Execution on Machine
This action restricts application execution on a machine by applying a code integrity policy that allows only Microsoft-signed binaries to run, which blocks attacker tooling without fully isolating the device from the network.
Note
You must have Machine.RestrictExecution (Restrict code execution) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8231ec1b19adaf497b625" | Text | Required | You can retrieve machine ID using the List All Machines action. |
Comment | Enter the comment. Example: "Example Comment" | Text | Required |
Example Request
[ { "machine_id": "111e6dd8231ec1b19adaf497b625", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity |
app_instance.cancellationComment | Null | Comment provided when the action was canceled, if any. |
app_instance.cancellationDateTimeUtc | Null | Date and time when the action was canceled in UTC, if any. |
app_instance.cancellationRequestor | Null | User who requested the cancellation, if any. |
app_instance.commands | Array | List of commands associated with the action. |
app_instance.computerDnsName | String | DNS name of the computer. Example: adserver.adtestlab.com |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2024-06-14T08:17:31.497485Z |
app_instance.errorHResult | Integer | Error code associated with the action, if any. Example: 0 |
app_instance.externalId | Null | External identifier for the action, if any. |
app_instance.id | String | Unique identifier for the action. Example: 829b7356-9988-4e40-b45a-65d1497d05e7 |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2024-06-14T08:17:31.4974855Z |
app_instance.machineId | String | Unique identifier for the machine. Example: 07196b51b2b5390a1194bcee8ae33b690a1b1bde |
app_instance.relatedFileInfo | Null | Information about related files, if any. |
app_instance.requestSource | String | Source of the request. Example: PublicApi |
app_instance.requestor | String | Person who requested the action. Example: MS-Cyware |
app_instance.requestorComment | String | Comment provided by the requestor. Example: testing |
app_instance.scope | Null | Scope of the action, if any. |
app_instance.status | String | Status of the action. Example: Pending |
app_instance.title | Null | Title of the action, if any. |
app_instance.type | String | Type of action performed. Example: RestrictCodeExecution |
app_instance.status_code | Integer | HTTP status code of the response. Example: 201 |
Action: Run Anti Virus Scan on Machine
This action initiates an antivirus scan on a machine.
Note
You must have Machine.Scan (Scan machine) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8231ec1b19adaf497b625" | Text | Required | You can retrieve the machine ID using the List All Machines action. |
Scan Type | Enter the scan type to run antivirus scan on the machine. Example: "Full" | Text | Required | Allowed values: Quick, Full. A quick scan checks running processes and the common startup and system locations; a full scan walks every file on the device and can take hours on a large disk. |
Comment | Enter the comment. Example: "Example Comment" | Text | Required |
Example Request
[ { "machine_id": "111e6dd8231ec1b19adaf497b625", "scan_type": "Full", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.cancellationComment | Null | Comment provided for cancellation, if any. |
app_instance.cancellationDateTimeUtc | Null | Date and time when the action was cancelled in UTC, if any. |
app_instance.cancellationRequestor | Null | Person who requested the cancellation, if any. |
app_instance.commands | Array | List of commands associated with the action. |
app_instance.computerDnsName | String | DNS name of the computer. Example: adserver.adtestlab.com |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2024-06-14T08:17:31.497485Z |
app_instance.errorHResult | Integer | Result code of any error that occurred. Example: 0 |
app_instance.externalId | Null | External identifier for the action, if any. |
app_instance.id | String | Unique identifier for the action. Example: 829b7356-9988-4e40-b45a-65d1497d05e7 |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2024-06-14T08:17:31.4974855Z |
app_instance.machineId | String | Unique identifier for the machine. Example: 07196b51b2b5390a1194bcee8ae33b690a1b1bde |
app_instance.relatedFileInfo | Null | Information about the related file, if any. Example: null |
app_instance.requestSource | String | Source of the request. Example: PublicApi |
app_instance.requestor | String | Person or entity who requested the action. Example: MS-Cyware |
app_instance.requestorComment | String | Comment provided by the requestor. Example: testing |
app_instance.scope | Null | Scope of the action, if any. |
app_instance.status | String | Status of the action. Example: Pending |
app_instance.title | Null | Title of the action, if any. |
app_instance.troubleshootInfo | Null | Troubleshooting information, if any. |
app_instance.type | String | Type of the action performed. Example: RunAntiVirusScan |
Action: Stop Execution and Quarantine a File
This action stops the execution of a file on a machine and quarantines it.
Note
You must have Machine.StopAndQuarantine (Stop And Quarantine) or Machine.Read.All (Read all machine profiles) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8231ec1b19adaf497b625" | Text | Required | You can retrieve machine ID using the List All Machines action. |
SHA1 Value of File | Enter the SHA1 hash of the file to stop and quarantine. Example: "2aae6c35c94fcfb415dbe95f408b9ce" | Text | Required | The Defender API identifies the file by its full 40-hex-character SHA1 hash; pass the complete hash, not a prefix. |
Comment | Enter the comment. Example: "Example Comment" | Text | Required | |
Example Request
[ { "machine_id": "111e6dd8231ec1b19adaf497b625", "file_sha1": "2aae6c35c94fcfb415dbe95f408b9ce", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#MachineActions |
app_instance.cancellationComment | Null | Comment provided for the cancellation, if any. Example: null |
app_instance.cancellationDateTimeUtc | Null | Date and time when the action was canceled in UTC, if any. Example: null |
app_instance.cancellationRequestor | Null | User who requested the cancellation, if any. Example: null |
app_instance.commands | Array | List of commands associated with the action. Example: [] |
app_instance.computerDnsName | String | DNS name of the computer. Example: adserver.adtestlab.com |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2024-06-14T08:17:31.3579952Z |
app_instance.errorHResult | Integer | Error code associated with the action, if any. Example: 0 |
app_instance.externalId | Null | External identifier for the action, if any. Example: null |
app_instance.id | String | Unique identifier for the action. Example: 829b7356-9988-4e40-b45a-65d1497d05e7 |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2024-06-14T08:17:31.3579952Z |
app_instance.machineId | String | Unique identifier for the machine. Example: 07196b51b2b5390a1194bcee8ae33b690a1b1bde |
app_instance.relatedFileInfo | Null | Information about related files, if any. Example: null |
app_instance.requestSource | String | Source of the request. Example: PublicApi |
app_instance.requestor | String | Person who requested the action. Example: MS-Cyware |
app_instance.requestorComment | String | Comment provided by the requestor. Example: testing |
app_instance.scope | String | Scope of the action, if any. Example: Quick |
app_instance.status | String | Status of the action. Example: Pending |
app_instance.title | Null | Title of the action, if any. Example: null |
app_instance.type | String | Type of action performed. Example: StopAndQuarantineFile |
app_instance.status_code | Integer | HTTP status code of the response. Example: 200 |
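Both the Run Anti Virus Scan on Machine and Stop Execution and Quarantine a File actions return a machine action whose status starts as Pending, so a playbook usually has to validate its own request up front and then poll the action until it settles. The following is an added example, not connector or Microsoft code. The request keys (machine_id, scan_type, file_sha1, comment) are the ones in the page's example requests; the scan types and the action statuses (Pending, InProgress, Succeeded, Failed, TimeOut, Cancelled) are the Defender API's. The `fetch_action` hook stands in for a GET of the machine action by ID and is fed constructed responses here so the code runs offline; note that the page's 31-character SHA1 example is rejected by the length check.

```python
"""Validate Defender machine-action requests and poll the resulting action.

Added example (not part of the connector or the Defender API).
Request keys follow the page's example requests; fetch_action is an
assumed hook that returns the machine action object for an action ID.
"""
import re
import time
from typing import Callable, Dict, List

SCAN_TYPES = {"Quick", "Full"}                               # Defender API ScanType values
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}   # machine action end states
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")


def run_av_scan_request(machine_id: str, scan_type: str, comment: str) -> Dict[str, str]:
    """Payload for Run Anti Virus Scan on Machine; rejects unknown scan types before calling the API."""
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scan_type must be one of {sorted(SCAN_TYPES)}, got {scan_type!r}")
    if not machine_id or not comment:
        raise ValueError("machine_id and comment are required")
    return {"machine_id": machine_id, "scan_type": scan_type, "comment": comment}


def stop_and_quarantine_request(machine_id: str, file_sha1: str, comment: str) -> Dict[str, str]:
    """Payload for Stop Execution and Quarantine a File; the API keys the file by its full SHA-1."""
    if not SHA1_RE.fullmatch(file_sha1):
        raise ValueError(f"file_sha1 must be 40 hex characters (a full SHA-1), got {file_sha1!r}")
    if not machine_id or not comment:
        raise ValueError("machine_id and comment are required")
    return {"machine_id": machine_id, "file_sha1": file_sha1.lower(), "comment": comment}


def wait_for_action(action_id: str, fetch_action: Callable[[str], dict],
                    attempts: int = 10, delay: float = 0.0) -> dict:
    """Poll the machine action (via fetch_action) until its status is terminal.

    Returns the final action object; raises TimeoutError if it stays Pending/InProgress.
    """
    last = None
    for _ in range(attempts):
        last = fetch_action(action_id)
        if last.get("status") in TERMINAL:
            return last
        if delay:
            time.sleep(delay)
    status = last.get("status") if last else "unknown"
    raise TimeoutError(f"action {action_id} still {status} after {attempts} polls")


def make_fake_fetcher(statuses: List[str]) -> Callable[[str], dict]:
    """Constructed stand-in for the API: returns each status in turn, then repeats the last one."""
    it = iter(statuses)
    state = {"cur": None}

    def fetch(action_id: str) -> dict:
        try:
            state["cur"] = next(it)
        except StopIteration:
            pass
        return {"id": action_id, "type": "RunAntiVirusScan",
                "status": state["cur"], "errorHResult": 0}
    return fetch


if __name__ == "__main__":
    payload = run_av_scan_request("111e6dd8231ec1b19adaf497b625", "Full", "triage scan")
    print([payload])  # the connector takes a list of request objects
    fetch = make_fake_fetcher(["Pending", "InProgress", "Succeeded"])
    final = wait_for_action("829b7356-9988-4e40-b45a-65d1497d05e7", fetch)
    print(final["status"])
```

In a real playbook `fetch_action` would issue the Defender API GET for the machine action ID returned in `app_instance.id` and `delay` would be a few seconds; the terminal set matters because a Failed or TimeOut action still returns 200 and must not be treated as success.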
Action: Submit Indicator
This action submits an indicator.
Note
You must have Ti.ReadWrite (Read and write Indicators) or Ti.ReadWrite.All (Read and write All Indicators) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Value | Enter the indicator value. Example: "220e7d15b011d7fac48f022197f7f" | Text | Required | |
Indicator Type | Enter the indicator type. Example: "filesha1" | Text | Optional | Allowed values are the indicatorType values of the Defender Indicators API: FileSha1, FileSha256, FileMd5, CertificateThumbprint, IpAddress, DomainName, Url. |
Action to be Taken | Specify the action for the indicator if it is identified in the organization's network. Example: "block" | Text | Required | Allowed values are the action values of the Defender Indicators API: Warn, Block, Audit, Alert, AlertAndBlock, BlockAndRemediate, Allowed. |
Indicator Title | Enter the indicator title. Example: "Malicious Hash" | Text | Optional | |
Query Params | Enter optional parameters to pass. | Key Value | Optional | Other indicator fields accepted by the Defender Indicators API, such as description, severity, expirationTime, generateAlert, recommendedActions and rbacGroupNames. |
Example Request
[ { "indicator_value": "220e7d15b011d7fac48f022197f7f", "indicator_type": "filesha1", "action": "block" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#Indicators/$entity |
app_instance.action | String | Action to be taken. Example: Audit |
app_instance.category | Integer | Category of the indicator. Example: 1 |
app_instance.createdBy | String | ID of the user who created the indicator. Example: cfef9c29-4e41-463a-b1a5-77ace2dc862c |
app_instance.createdByDisplayName | String | Display name of the user who created the indicator. Example: sentinel |
app_instance.createdBySource | String | Source through which the indicator was created. Example: PublicApi |
app_instance.creationTimeDateTimeUtc | String | Creation time of the indicator in UTC format. Example: 2022-04-06T09:43:51.0297936Z |
app_instance.description | String | Description of the indicator. Example: testing |
app_instance.generateAlert | Boolean | Flag indicating whether to generate an alert. Example: true |
app_instance.id | String | ID of the indicator. Example: 42 |
app_instance.indicatorType | String | Type of the indicator. Example: IpAddress |
app_instance.indicatorValue | String | Value of the indicator. Example: 1.1.1.1 |
app_instance.lastUpdateTime | String | Last update time of the indicator in UTC format. Example: 2024-06-14T10:31:04.4946935Z |
app_instance.lastUpdatedBy | String | ID of the user who last updated the indicator. Example: 749a678f-00c8-4214-9526-04bc9119a575 |
app_instance.severity | String | Severity level of the indicator. Example: Informational |
app_instance.title | String | Title of the indicator. Example: test |
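The Submit Indicator action takes lowercase values such as "filesha1" and "block", while the response echoes the API's own casing (IpAddress, Audit), and the indicator type is optional. The added example below, which is not connector or Microsoft code, shows one way to normalize such a request before submitting it: it maps the connector-style type and action onto the Defender Indicators API enumerations, infers the type from the value when it is omitted, and checks that the value is well formed for its type so a truncated hash or an unsupported action fails locally instead of at the API. `build_indicator` and `guess_type` are assumed helper names; the sample requests are constructed.

```python
"""Normalize a Submit Indicator request into a Defender Indicators API body.

Added example (not part of the connector or the Defender API). Input keys
follow the page's example request; the enumerations are the API's.
"""
import ipaddress
import re
from typing import Dict, Optional
from urllib.parse import urlparse

# Defender Indicators API enumerations, keyed by lowercase for case-insensitive lookup.
INDICATOR_TYPES = {t.lower(): t for t in (
    "FileSha1", "FileSha256", "FileMd5", "CertificateThumbprint",
    "IpAddress", "DomainName", "Url")}
ACTIONS = {a.lower(): a for a in (
    "Warn", "Block", "Audit", "Alert", "AlertAndBlock", "BlockAndRemediate", "Allowed")}
HEX_LENGTHS = {"FileSha1": 40, "FileSha256": 64, "FileMd5": 32, "CertificateThumbprint": 40}
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)


def guess_type(value: str) -> Optional[str]:
    """Infer the indicator type when indicator_type is omitted.

    A 40-hex value is taken as FileSha1 (a thumbprint has the same shape, so
    pass indicator_type explicitly for certificates).
    """
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return {32: "FileMd5", 40: "FileSha1", 64: "FileSha256"}.get(len(value))
    try:
        ipaddress.ip_address(value)
        return "IpAddress"
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "Url"
    if DOMAIN_RE.fullmatch(value):
        return "DomainName"
    return None


def value_matches(itype: str, value: str) -> bool:
    """True when the value is well formed for the given indicator type."""
    n = HEX_LENGTHS.get(itype)
    if n:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % n, value) is not None
    if itype == "IpAddress":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if itype == "DomainName":
        return DOMAIN_RE.fullmatch(value) is not None
    if itype == "Url":
        p = urlparse(value)
        return p.scheme in ("http", "https") and bool(p.netloc)
    return False


def build_indicator(req: Dict[str, str]) -> Dict[str, object]:
    """Turn a connector-style request into an API indicator body, failing on mismatches."""
    value = req["indicator_value"].strip()
    raw_type = req.get("indicator_type")
    itype = INDICATOR_TYPES.get(raw_type.lower()) if raw_type else guess_type(value)
    if itype is None:
        raise ValueError(f"unknown or undeterminable indicator type for {value!r}")
    if not value_matches(itype, value):
        raise ValueError(f"{value!r} is not a valid {itype}")
    action = ACTIONS.get(req["action"].lower())
    if action is None:
        raise ValueError(f"unsupported action {req['action']!r}; use one of {sorted(ACTIONS.values())}")
    body = {
        "indicatorValue": value.lower() if itype in HEX_LENGTHS else value,
        "indicatorType": itype,
        "action": action,
        # title and description are required by the Indicators API; default them if absent.
        "title": req.get("title") or f"{itype} {action} indicator",
        "description": req.get("description") or "Submitted via Orchestrate",
    }
    # Pass through any optional API fields supplied under Query Params.
    for key in ("severity", "expirationTime", "generateAlert", "recommendedActions", "rbacGroupNames"):
        if key in req:
            body[key] = req[key]
    return body


if __name__ == "__main__":
    # Constructed sample request in the page's format.
    print(build_indicator({"indicator_value": "1.1.1.1", "action": "audit", "title": "test"}))
```

The local check is worth the few lines: the API reports a bad hash or an unknown action as a generic 400, and a playbook that logs only `status_code` gives the analyst nothing to act on.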