Microsoft Defender Investigation
The Microsoft Defender Investigation playbook uses the Microsoft Defender for Endpoint API to investigate a threat and returns the investigation details.
Trigger: It retrieves the IP address and sys_id from the parent playbook to continue the investigation.
Script: It uses a Python script to calculate the present time and the time one month before the present time.
API: It uses the Microsoft Defender API to get an access token.
API: It uses the Microsoft Defender API to get the Machine ID for the IP address.
Script: It uses a Python script to extract values from the API response.
Parameters: It sets the global parameter OS_Type.
If Then: It checks whether a value for OS_Type was found. If found, it continues the investigation; if not, it gets the global parameter.
If Then: It checks whether OS_Type is Mac OS. If it is, it calls the API that fetches the alerts; if not, it calls the API that starts an investigation.
Parameters: It sets the global parameter Status to Machine Not Found.
API: It uses the Microsoft Defender API to start the threat investigation.
API: It uses the Microsoft Defender API to extract all the machine alerts.
If Then: It checks whether any alerts were found. If found, it filters them; if not, it prepares the investigation details.
Filter: It filters the machine alerts to remove some of the unrelated alerts.
Script: It runs a Python script to prepare the investigation details.
Format: It formats the investigation details into a specific format.
API: It uses the ServiceNow API to update the machine information.
API: It uses the ServiceNow API to update the machine alerts.
API: It uses the ServiceNow API to update AIR.
End: It ends the playbook and returns OS_Type and Status.
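As an added example (not the playbook's own scripts), the following Python models the playbook's script and branching steps offline: the one-month time window, extraction of the Machine ID and OS_Type from a constructed machine-lookup response, the Mac OS branch, the Machine Not Found status, alert filtering and the investigation details. The response field names, the 30-day window and the "unrelated alert" criterion are assumptions.

```python
from datetime import datetime, timedelta, timezone

ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format accepted by the Defender for Endpoint API

def time_window(now=None):
    """Present time and the time one month earlier, as the playbook's first script computes them."""
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(days=30)  # assumption: "one month" taken as 30 days
    return start.strftime(ISO_FMT), now.strftime(ISO_FMT)

# Constructed reference time and machine-lookup response (field names id / computerDnsName / osPlatform assumed).
SAMPLE_NOW = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOOKUP = {"value": [{"id": "PLACEHOLDER-MACHINE-ID",
                            "computerDnsName": "host01", "osPlatform": "macOS"}]}

def extract_machine(resp):
    """Machine ID and OS type from the lookup response; None when no machine matched the IP."""
    machines = resp.get("value") or []
    if not machines:
        return None
    return {"machine_id": machines[0]["id"], "os_type": machines[0].get("osPlatform")}

def next_action(machine):
    """The two If/Then branches: Machine Not Found, fetch alerts only (Mac OS), or start an investigation."""
    if machine is None:
        return "Machine Not Found"
    if (machine["os_type"] or "").lower().startswith("mac"):
        return "get_alerts"
    return "start_investigation"

# Constructed alert records; the "unrelated" criterion (resolved or informational) is an assumption.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Suspicious PowerShell command line", "severity": "High", "status": "New"},
    {"id": "a2", "title": "Routine scan notice", "severity": "Informational", "status": "New"},
    {"id": "a3", "title": "Old malware detection", "severity": "Medium", "status": "Resolved"},
]

def filter_alerts(alerts):
    """Remove alerts the playbook treats as unrelated before building the details."""
    return [a for a in alerts if a["status"] != "Resolved" and a["severity"] != "Informational"]

def investigation_details(machine, alerts):
    """Shape the investigation details handed to the ServiceNow update steps."""
    return {"machine_id": machine["machine_id"], "os_type": machine["os_type"],
            "alert_count": len(alerts), "alert_titles": [a["title"] for a in alerts]}

if __name__ == "__main__":
    machine = extract_machine(SAMPLE_LOOKUP)
    print(time_window(SAMPLE_NOW), next_action(machine))
    print(investigation_details(machine, filter_alerts(SAMPLE_ALERTS)))
```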