Windows Defender Advanced Threat Protection (ATP) is a unified platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
This document provides information about the Windows Defender ATP connector, which facilitates automated interactions with Windows Defender ATP using FortiSOAR™ playbooks. Add the Windows Defender ATP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as isolating a specified machine from accessing an external network, retrieving a list of logged-on users, and preventing a file from being executed in the organization.
Connector Version: 2.0.0
FortiSOAR™ Versions Tested on: 5.1.1-58
Authored By: Fortinet.
Certified: Yes
The following enhancements have been made to the Windows Defender ATP connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-windows-defender-atp
For the detailed procedure to install a connector, click here.
Important: You must also create an application with appropriate permissions that will access Microsoft Windows Defender ATP. For more information, see the "Create an app to access Microsoft Defender ATP without a user" article.
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Windows Defender ATP connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Service-based URI to which you will connect and perform the automated operations. For better performance, you can use a server that is close to your geographic location. You can use one of the following URIs: |
Client ID | Client ID of the Azure application that is used to access Windows Defender ATP. |
Client Secret | Secret string that the application (used to access Windows Defender ATP) uses to prove its identity. To get the secret key, see "Create an app to access Microsoft Defender ATP without a user" article. |
Tenant ID | Tenant ID of the Azure application. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Machines List | Retrieves the collection of all recently seen machines, or specific machines based on the search query and other input parameters that you have specified. | get_endpoints Investigation |
Find Machine Information By IP | Searches for and retrieves information about a machine from Windows Defender ATP, based on the requested internal IP address, in the time range of 15 minutes before and after a given timestamp. | get_endpoints Investigation |
Get Machine Logged on Users | Retrieves a list of users logged on to a specified machine, based on the machine ID you have specified, from Windows Defender ATP. | get_logged_users Investigation |
Get Machine Alerts | Retrieves the collection of alerts related to a specified machine, based on the machine ID you have specified, from Windows Defender ATP. | get_alerts Investigation |
Isolate Machine | Isolates a specified machine, based on the machine ID you have specified, from accessing the external network. | isolate_machine Investigation |
Remove Isolation | Removes the isolation of a specified machine, based on the machine ID you have specified. | unisolate_machine Investigation |
Restrict Application Execution | Restricts application execution on a specified machine, based on the machine ID you have specified. | restrict_app Investigation |
Remove Application Restriction | Removes the execution restriction of a set of predefined applications from a specified machine, based on the machine ID you have specified. | remove_restriction Investigation |
Run Antivirus Scan | Initiates a Windows Defender Antivirus scan on a machine, based on the machine ID you have specified. | run_antivirus Investigation |
Get File Information | Retrieves a file, based on the file identifier (SHA1, SHA256, or MD5) you have specified, from Windows Defender ATP. | get_file_info Investigation |
Get File Statistics | Retrieves the prevalence (statistics) of a specific file, based on the SHA1 of the file you have specified, from Windows Defender ATP. | get_file_statistics Investigation |
Get File Related Machines | Retrieves the collection of machines associated with the file hash (SHA1 only) you have specified, from Windows Defender ATP. | get_endpoints Investigation |
Get File Related Alerts | Retrieves the collection of alerts associated with the file hash (SHA1 only) you have specified, from Windows Defender ATP. | get_alerts Investigation |
Get Domain Related Alerts | Retrieves the collection of alerts associated with the domain you have specified, from Windows Defender ATP. | get_alerts Investigation |
Get Domain Related Machines | Retrieves the collection of machines associated with the domain you have specified, from Windows Defender ATP. | get_endpoints Investigation |
Get Domain Statistics | Retrieves the prevalence (statistics) of a specific domain, based on the domain name you have specified, from Windows Defender ATP. | get_domain_statistics Investigation |
Get IP Related Alerts | Retrieves the collection of alerts associated with the IP address you have specified, from Windows Defender ATP. | get_alerts Investigation |
Get IP Statistics | Retrieves the prevalence (statistics) of a specific IP, based on the IP address you have specified, from Windows Defender ATP. | get_ip_statistics Investigation |
Get Alert By ID | Retrieves details for a specific alert from Windows Defender ATP, based on the alert ID you have specified. | get_alerts Investigation |
Get Alert List | Retrieves all alerts, or specific alerts based on the search query and other input parameters that you have specified. | get_alerts Investigation |
Get Domains by Alert | Retrieves domains that are related to a specific alert, based on the alert ID you have specified, from Windows Defender ATP. | get_domain Investigation |
Get Files by Alert | Retrieves files that are related to a specific alert, based on the alert ID you have specified, from Windows Defender ATP. | get_file Investigation |
Get IPs by Alert | Retrieves IP addresses that are related to a specific alert, based on the alert ID you have specified, from Windows Defender ATP. | get_ip Investigation |
Get Machines by Alert | Retrieves machines that are related to a specific alert from Windows Defender ATP, based on the alert ID you have specified. | get_endpoints Investigation |
Get Machine Action List | Retrieves all collection actions done on machines, or specific collection actions based on the search query and other input parameters that you have specified. | get_machine_collection Investigation |
Get Machine Action | Retrieves details of the machine action object from Windows Defender ATP, based on the machine action object ID you have specified. | get_machine_collection Investigation |
Submit Indicator | Submits or updates an Indicator entity in Windows Defender ATP, based on the indicator value and type, expiration time, action, and other input parameters you have specified. | submit_indicator Investigation |
Get Indicator List | Retrieves a collection of all TI (Threat Intelligence) indicators, or specific TI indicators based on the search query and other input parameters that you have specified. | get_indicators Investigation |
Delete Indicator | Deletes an indicator entity from Windows Defender ATP, based on the indicator ID you have specified. | delete_indicator Investigation |
Collect Investigation Package | Initiates forensics collection on a specific machine, based on the machine ID you have specified. | collect_investigation_package Investigation |
Offboard Machine | Offboards a machine from Windows Defender ATP, based on the machine ID you have specified. | restrict_app Investigation |
Get Package SAS URI | Retrieves a URI from Windows Defender ATP that allows downloading of an investigation package, based on the machine action ID you have specified. | download_investigation_package Investigation |
Get Machine by ID | Retrieves the details of a specific machine from Windows Defender ATP, based on the machine ID you have specified. | get_endpoints Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Search Query | Query using which you want to search for machines in Windows Defender ATP. OData filter queries are supported on the following fields: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags", and "RbacGroupId". For example, [machineTags/any(tag: tag eq 'ExampleTag')] retrieves all machines that carry the tag 'ExampleTag'. |
Number of Machines to Fetch | Maximum number of machines that this operation should return from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"osPlatform": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"firstSeen": "",
"isAadJoined": "",
"rbacGroupId": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"systemProductName": "",
"osVersion": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"id": ""
}
],
"@odata.context": "",
"@odata.count": ""
}
Parameter | Description |
---|---|
Time | Timestamp based on which you want to find the machine entity in Windows Defender ATP. The timestamp that you specify must be within the last 30 days. The response of this operation returns a list of all machines that reported the specified IP address in the 15 minutes before and after the timestamp. |
FQDN/IP | IP address that you want to look up in Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"osPlatform": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"firstSeen": "",
"isAadJoined": "",
"rbacGroupId": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"systemProductName": "",
"osVersion": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"id": ""
}
],
"@odata.context": ""
}
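The two constraints on this operation (the timestamp must be within the last 30 days, and the service answers for the 15 minutes either side of it) are easy to get wrong in a playbook, where an out-of-range timestamp silently yields an empty machine list that looks like "no machine reported this IP". The following Python example is added here and is not part of the connector's code; it validates the timestamp against the 30-day limit and computes the window the service will search, assuming timestamps are passed in ISO 8601 form and that a value without an offset is UTC.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constraints the connector documents for "Find Machine Information By IP":
# the timestamp must fall within the last 30 days, and the lookup covers the
# 15 minutes before and after it.
MAX_LOOKBACK = timedelta(days=30)
HALF_WINDOW = timedelta(minutes=15)
ATP_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp into an aware UTC datetime.

    A trailing 'Z' is accepted; a value without an offset is assumed to be UTC
    (assumption: the playbook passes UTC timestamps).
    """
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def lookback_ok(timestamp: str, now: Optional[datetime] = None) -> bool:
    """True when the timestamp is neither in the future nor older than 30 days."""
    now = now or datetime.now(timezone.utc)
    ts = parse_timestamp(timestamp)
    return now - MAX_LOOKBACK <= ts <= now


def lookup_window(timestamp: str, now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return the (start, end) of the 15-minute window either side of the timestamp.

    Raises ValueError for a timestamp the service would not answer for, so the
    playbook step fails explicitly instead of treating an empty list as
    "no machine reported this IP".
    """
    if not lookback_ok(timestamp, now):
        raise ValueError(f"{timestamp} is in the future or older than 30 days")
    ts = parse_timestamp(timestamp)
    return (ts - HALF_WINDOW).strftime(ATP_TIME_FORMAT), (ts + HALF_WINDOW).strftime(ATP_TIME_FORMAT)


REFERENCE_NOW = datetime(2019, 10, 1, tzinfo=timezone.utc)  # constructed reference time for the demo

if __name__ == "__main__":
    print(lookup_window("2019-09-22T12:00:00Z", now=REFERENCE_NOW))
```

Passing `now` explicitly makes the check reproducible in tests; in a playbook you would leave it unset so the current time is used.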
Parameter | Description |
---|---|
Machine ID | ID of the machine whose list of logged-on users you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"accountDomainName": "",
"mostPrevalentMachineId": "",
"firstSeen": "",
"leastPrevalentMachineId": "",
"id": "",
"logonTypes": "",
"isDomainAdmin": "",
"accountName": "",
"accountSid": "",
"logOnMachinesCount": "",
"isOnlyNetworkUser": "",
"lastSeen": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine whose related alerts collection you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"recommendedAction": "",
"severity": "",
"category": "",
"resolvedTime": "",
"alertCreationTime": "",
"determination": "",
"id": "",
"title": "",
"classification": "",
"description": "",
"firstEventTime": "",
"status": "",
"assignedTo": "",
"lastEventTime": "",
"threatFamilyName": "",
"detectionSource": ""
}
],
"@odata.context": "",
"@odata.count": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine that you want to isolate. |
Comment | Comment that you want to associate with isolating the machine. |
Isolation Type | Type of isolation that you want to apply to the specified machine. You can choose one of the following: Full: Complete isolation, i.e., the specified machine cannot access the external network. Selective: Restricts only a limited set of applications present on the specified machine from accessing the network. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"error": "",
"status": "",
"creationDateTimeUtc": "",
"machineId": "",
"lastUpdateDateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine that you want to unisolate, i.e., whose isolation you want to remove. |
Comment | Comment that you want to associate with unisolating the machine. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"error": "",
"status": "",
"creationDateTimeUtc": "",
"machineId": "",
"lastUpdateDateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine on which you want to restrict application execution. |
Comment | Comment that you want to associate with restricting application execution. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"creationDateTimeUtc": "",
"status": "",
"machineId": "",
"error": "",
"lastUpdateDateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine from which you want to remove the application execution restriction. |
Comment | Comment that you want to associate with removing the application execution restriction. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"creationDateTimeUtc": "",
"status": "",
"machineId": "",
"error": "",
"lastUpdateDateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine on which you want to initiate a Windows Defender Antivirus scan. |
Comment | Comment that you want to associate with initiating a Windows Defender Antivirus scan. |
Scan Type | Type of Windows Defender Antivirus scan that you want to initiate on the specified machine. You can choose one of the following: Quick: Performs a quick scan on the specified machine. Full: Performs a full scan on the specified machine. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"error": "",
"status": "",
"creationDateTimeUtc": "",
"machineId": "",
"lastUpdateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Filehash | SHA1, SHA256, or MD5 of the file that you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"filePublisher": "",
"signerHash": "",
"size": "",
"md5": "",
"isPeFile": "",
"globalLastObserved": "",
"globalFirstObserved": "",
"fileProductName": "",
"sha256": "",
"issuer": "",
"sha1": "",
"globalPrevalence": "",
"windowsDefenderAVThreatName": "",
"isValidCertificate": "",
"signer": "",
"@odata.context": "",
"fileType": ""
}
Parameter | Description |
---|---|
Filehash | SHA1 of the file whose prevalence (statistics) you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"sha1": "",
"orgFirstSeen": "",
"orgPrevalence": "",
"orgLastSeen": "",
"topFileNames": [],
"@odata.context": ""
}
Parameter | Description |
---|---|
Filehash | SHA1 of the file whose related collection of machines you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"firstSeen": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"osPlatform": "",
"rbacGroupId": "",
"isAadJoined": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"systemProductName": "",
"osVersion": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"id": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Filehash | SHA1 of the file whose related collection of alerts you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"recommendedAction": "",
"severity": "",
"category": "",
"resolvedTime": "",
"title": "",
"determination": "",
"id": "",
"alertCreationTime": "",
"classification": "",
"description": "",
"firstEventTime": "",
"status": "",
"assignedTo": "",
"lastEventTime": "",
"threatFamilyName": "",
"detectionSource": ""
}
],
"@odata.context": "",
"@odata.count": ""
}
Parameter | Description |
---|---|
Domain | Name of the domain whose related collection of alerts you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"status": "",
"id": "",
"recommendedAction": "",
"description": "",
"severity": ""
}
],
"@odata.count": "",
"@odata.context": ""
}
Parameter | Description |
---|---|
Domain | Name of the domain whose related collection of machines you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"firstSeen": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"osPlatform": "",
"rbacGroupId": "",
"isAadJoined": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"systemProductName": "",
"osVersion": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"id": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Domain | Name of the domain whose prevalence (statistics) you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"orgPrevalence": "",
"orgFirstSeen": "",
"orgLastSeen": "",
"@odata.context": "",
"host": ""
}
Parameter | Description |
---|---|
IP Address | IP address whose related collection of alerts you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"status": "",
"id": "",
"recommendedAction": "",
"description": "",
"severity": ""
}
],
"@odata.count": "",
"@odata.context": ""
}
Parameter | Description |
---|---|
IP Address | IP address whose prevalence (statistics) you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"orgLastSeen": "",
"ipAddress": "",
"orgFirstSeen": "",
"orgPrevalence": "",
"@odata.context": ""
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose details you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"resolvedTime": "",
"severity": "",
"alertCreationTime": "",
"recommendedAction": "",
"lastEventTime": "",
"classification": "",
"id": "",
"title": "",
"category": "",
"description": "",
"firstEventTime": "",
"status": "",
"assignedTo": "",
"determination": "",
"threatFamilyName": "",
"detectionSource": ""
}
],
"@odata.count": "",
"@odata.context": ""
}
Parameter | Description |
---|---|
Search Query | Query using which you want to search for alerts in Windows Defender ATP. OData filter queries are supported on the following fields: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity", and "Category". For example, the query [alertCreationTime gt 2019-09-22T00:00:00Z] retrieves all alerts created after 2019-09-22T00:00:00Z. |
Number of Alerts to Fetch | Maximum number of alerts that this operation should return from Windows Defender ATP. |
Include more Details of | Object of the alert for which you want to retrieve additional information. You can choose from the following options: Files, IPs, or Domains. Note: If you do not select any option, the additional information is not populated in the final result. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"incidentId": "",
"assignedTo": "",
"classification": "",
"severity": "",
"title": "",
"status": "",
"alertCreationTime": "",
"determination": "",
"description": "",
"threatFamilyName": "",
"investigationState": "",
"machineId": "",
"firstEventTime": "",
"resolvedTime": "",
"category": "",
"lastEventTime": "",
"detectionSource": "",
"id": ""
}
]
}
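The Search Query parameters of Get Machines List and Get Alert List both take an OData filter, and playbooks typically build that filter from values taken out of an alert (a tag, a user name, a timestamp). The following Python example is added here and is not part of the connector's code; it builds the two documented filters, quotes string literals so a value containing a single quote cannot splice extra clauses into the filter, checks that the filter starts with one of the documented fields, and reads the `value` / `@odata.count` shape of the response to detect when "Number of ... to Fetch" truncated the list. The sample response is constructed in the shape this page documents.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Fields the connector documents as filterable (compared case-insensitively).
MACHINE_FILTER_FIELDS = {"id", "computerdnsname", "lastseen", "lastipaddress", "healthstatus",
                         "osplatform", "riskscore", "machinetags", "rbacgroupid"}
ALERT_FILTER_FIELDS = {"id", "incidentid", "alertcreationtime", "status", "severity", "category"}

_LEADING_FIELD = re.compile(r"\s*([A-Za-z][A-Za-z0-9]*)")


def odata_literal(value: str) -> str:
    """Quote a string as an OData literal.

    A single quote inside the value is doubled, so a tag or user name lifted from
    an alert cannot close the literal early and append clauses to the $filter
    that the playbook sends on its behalf.
    """
    return "'" + value.replace("'", "''") + "'"


def machine_tag_filter(tag: str) -> str:
    """The documented machineTags/any(...) filter for one tag."""
    return f"machineTags/any(tag: tag eq {odata_literal(tag)})"


def alerts_created_after_filter(since: datetime) -> str:
    """The documented alertCreationTime gt <timestamp> filter; the timestamp is sent in UTC."""
    if since.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return "alertCreationTime gt " + since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def is_supported_filter(filter_expr: str, allowed_fields: set) -> bool:
    """True when the filter starts with one of the documented fields.

    Only the leading field is checked, which catches the common mistake of
    filtering on a field the service does not support (for example osBuild on
    machines); this is not a full OData parser.
    """
    match = _LEADING_FIELD.match(filter_expr)
    return bool(match) and match.group(1).lower() in allowed_fields


def build_query(filter_expr: Optional[str], top: Optional[int], allowed_fields: set) -> Dict[str, str]:
    """Assemble the $filter/$top parameters for a machines or alerts list call."""
    params: Dict[str, str] = {}
    if filter_expr:
        if not is_supported_filter(filter_expr, allowed_fields):
            raise ValueError(f"unsupported filter field in {filter_expr!r}")
        params["$filter"] = filter_expr
    if top is not None:
        if top <= 0:
            raise ValueError("top must be a positive number of records")
        params["$top"] = str(top)
    return params


def page_items(response: Dict) -> List[Dict]:
    """Return the 'value' collection of an OData list response."""
    items = response.get("value", [])
    if not isinstance(items, list):
        raise ValueError("unexpected response shape: 'value' is not a list")
    return items


def is_truncated(response: Dict) -> bool:
    """True when '@odata.count' (the server-side total, when present) exceeds the
    rows returned, i.e. the 'Number of ... to Fetch' limit cut the list short."""
    count = response.get("@odata.count")
    return isinstance(count, int) and count > len(page_items(response))


# Constructed sample response in the shape this page documents for Get Machines List.
SAMPLE_MACHINES_RESPONSE = {
    "@odata.context": "",
    "@odata.count": 3,
    "value": [
        {"id": "m1", "computerDnsName": "host-a.example.local", "machineTags": ["ExampleTag"], "healthStatus": "Active"},
        {"id": "m2", "computerDnsName": "host-b.example.local", "machineTags": ["ExampleTag"], "healthStatus": "Inactive"},
    ],
}
SAMPLE_SINCE = datetime(2019, 9, 22, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    query = build_query(machine_tag_filter("ExampleTag"), 2, MACHINE_FILTER_FIELDS)
    print(urlencode(query))
    print(build_query(alerts_created_after_filter(SAMPLE_SINCE), 100, ALERT_FILTER_FIELDS))
    print([m["id"] for m in page_items(SAMPLE_MACHINES_RESPONSE)], "truncated:", is_truncated(SAMPLE_MACHINES_RESPONSE))
```

A playbook that records "all machines with this tag are isolated" should check `is_truncated` first; otherwise a fetch limit smaller than the tenant's match count quietly leaves machines unhandled.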
Parameter | Description |
---|---|
Alert ID | ID of the alert whose related domains you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"host": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose related files you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"filePublisher": "",
"size": "",
"md5": "",
"isPeFile": "",
"globalLastObserved": "",
"globalFirstObserved": "",
"signer": "",
"sha256": "",
"issuer": "",
"signerHash": "",
"sha1": "",
"fileType": "",
"windowsDefenderAVThreatName": "",
"isValidCertificate": "",
"fileProductName": "",
"globalPrevalence": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose related IP addresses you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"id": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose related machines you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"firstSeen": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"systemProductName": "",
"rbacGroupId": "",
"isAadJoined": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"id": "",
"osVersion": "",
"@odata.context": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"osPlatform": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Search Query | Query using which you want to search for collection actions done on machines in Windows Defender ATP. OData filter queries are supported on the following fields: "Id", "Status", "MachineId", "Type", "Requestor", and "CreationDateTimeUtc". |
Number of Machine Actions to Fetch | Maximum number of collection actions that this operation should return from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"type": "",
"lastUpdateDateTimeUtc": "",
"creationDateTimeUtc": "",
"machineId": "",
"scope": "",
"relatedFileInfo": "",
"cancellationComment": "",
"id": "",
"errorHResult": "",
"status": "",
"requestor": "",
"requestorComment": "",
"cancellationDateTimeUtc": "",
"cancellationRequestor": ""
}
]
}
Parameter | Description |
---|---|
Machine Action ID | ID of the machine action object whose details you want to retrieve from Windows Defender ATP. You can obtain a machine action object ID from the output of the "Restrict Application Execution" or "Run Antivirus Scan" operations. |
The output contains the following populated JSON schema:
{
"type": "",
"lastUpdateDateTimeUtc": "",
"creationDateTimeUtc": "",
"machineId": "",
"relatedFileInfo": "",
"cancellationComment": "",
"requestorComment": "",
"id": "",
"errorHResult": "",
"status": "",
"requestor": "",
"cancellationRequestor": "",
"@odata.context": "",
"cancellationDateTimeUtc": "",
"scope": ""
}
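Response operations such as Isolate Machine, Restrict Application Execution and Run Antivirus Scan return a machine action object whose `status` reflects work that is still in progress on the endpoint, and Get Machine Action is how a playbook follows it to completion. The following Python example is added here and is not part of the connector's code; it polls a Get Machine Action wrapper (hypothetical `fetch` callable) until the action reaches a terminal status and then verifies that the object refers to the machine and action type that were requested before the playbook records the outcome. The status values are an assumption (the page shows only that a `status` field exists), and the sample responses are constructed in the shape this page documents.

```python
import time
from typing import Callable, Dict, List, Sequence

# Status values are an assumption about the machine action object: this page shows
# only that the object carries a "status" field. Adjust to what your tenant returns.
PENDING_STATUSES = {"Pending", "InProgress"}
TERMINAL_STATUSES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


def is_terminal(action: Dict) -> bool:
    return action.get("status") in TERMINAL_STATUSES


def verify_action(action: Dict, expected_machine_id: str, expected_type: str) -> List[str]:
    """Check that a machine action object matches what the playbook requested.

    Returns a list of problems (empty when the object is consistent). A playbook
    should mark a case "isolated" only when the polled id really belongs to the
    requested machine, is of the requested type, and finished with Succeeded.
    """
    problems = []
    if action.get("machineId") != expected_machine_id:
        problems.append(f"machineId {action.get('machineId')!r} does not match expected {expected_machine_id!r}")
    if action.get("type") != expected_type:
        problems.append(f"type {action.get('type')!r} does not match expected {expected_type!r}")
    if action.get("status") != "Succeeded":
        problems.append(f"status is {action.get('status')!r}, not Succeeded")
    if action.get("error"):
        problems.append(f"error reported: {action['error']!r}")
    return problems


def wait_for_action(fetch: Callable[[str], Dict], action_id: str, timeout_s: float,
                    interval_s: float = 5.0, sleep=time.sleep, clock=time.monotonic) -> Dict:
    """Poll fetch(action_id) (a hypothetical wrapper around Get Machine Action) until the
    action reaches a terminal status, or raise TimeoutError."""
    deadline = clock() + timeout_s
    while True:
        action = fetch(action_id)
        status = action.get("status")
        if is_terminal(action):
            return action
        if status not in PENDING_STATUSES:
            raise RuntimeError(f"machine action {action_id} reported unexpected status {status!r}")
        if clock() >= deadline:
            raise TimeoutError(f"machine action {action_id} still {status} after {timeout_s}s")
        sleep(interval_s)


def replay(responses: Sequence[Dict]) -> Callable[[str], Dict]:
    """Build a fetch function that returns the given responses in order (repeating the
    last one), so the polling loop can be exercised offline against constructed data."""
    remaining = list(responses)

    def fetch(_action_id: str) -> Dict:
        if len(remaining) > 1:
            return remaining.pop(0)
        return remaining[0]

    return fetch


def _action(status: str) -> Dict:
    # Constructed sample in the shape this page documents for Isolate Machine / Get Machine Action.
    return {"id": "act-1", "type": "Isolate", "status": status, "machineId": "m1",
            "requestor": "soar@example.local", "requestorComment": "case 42", "error": None,
            "creationDateTimeUtc": "2019-09-22T12:00:00Z", "lastUpdateDateTimeUtc": "2019-09-22T12:00:05Z",
            "@odata.context": ""}


SAMPLE_SEQUENCE = [_action("Pending"), _action("InProgress"), _action("Succeeded")]


def poll_sample() -> Dict:
    """Run the poll loop over the constructed sequence with a fake clock and no real sleeping."""
    ticks = iter(range(0, 10_000, 5))
    return wait_for_action(replay(SAMPLE_SEQUENCE), "act-1", timeout_s=60,
                           sleep=lambda _s: None, clock=lambda: next(ticks))


if __name__ == "__main__":
    result = poll_sample()
    print(result["status"], verify_action(result, "m1", "Isolate"))
```

In a playbook, `timeout_s` bounds how long an investigation step blocks on the endpoint; a TimeoutError leaves the machine action running on the service side, so the action ID should still be recorded on the case for a later Get Machine Action check.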
Parameter | Description |
---|---|
Indicator Value | Indicator value or identity of the indicator entity that you want to submit to Windows Defender ATP. |
Indicator Type | Type of the indicator that you want to submit to Windows Defender ATP. You can choose from the following options: FileSha1, FileSha256, IpAddress, DomainName, or Url. |
Action | Action that will be taken if the indicator is discovered in the organization. You can choose from the following options: Alert only, Alert and block, or Allowed. |
Expiration Time | Duration after which the indicator will expire in Windows Defender ATP. |
Alert Title | (Optional) Title of the alert associated with the indicator. |
Alert Severity | (Optional) Severity of the alert associated with the indicator. You can choose from the following options: Informational, Low, Medium, or High. |
Description | (Optional) Description of the indicator that you want to submit to Windows Defender ATP. |
Recommended Actions | (Optional) Recommended actions that get performed as a part of a response. For example, a recovery action that is performed if a certain event occurs. |
The output contains the following populated JSON schema:
{
"severity": "",
"rbacGroupNames": [],
"title": "",
"indicatorType": "",
"description": "",
"createdBy": "",
"expirationTime": "",
"indicatorValue": "",
"@odata.context": "",
"recommendedActions": "",
"creationTimeDateTimeUtc": "",
"action": ""
}
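An indicator whose value does not match its declared type (an MD5 submitted as FileSha1, a URL submitted as DomainName) either fails at the API or creates an entry that never matches anything, and an "Alert and block" entry with the wrong value can block the wrong thing. The following Python example is added here and is not part of the connector's code; it classifies hashes by length (the same SHA1/SHA256/MD5 distinction Get File Information relies on), validates each indicator type listed on this page, and turns the documented expiration duration into an absolute UTC `expirationTime` for the Submit Indicator input. The action spelling `AlertAndBlock` comes from the page's own Get Indicator List example; `Alert` and `Allowed` for the other two options are an assumption, and the sample digest and reference time are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import urlparse

# Indicator types and severities as this page lists them. 'AlertAndBlock' is the
# spelling in the page's Get Indicator List example; 'Alert' and 'Allowed' for the
# "Alert only" and "Allowed" options are an assumption.
INDICATOR_TYPES = {"FileSha1", "FileSha256", "IpAddress", "DomainName", "Url"}
ACTIONS = {"Alert", "AlertAndBlock", "Allowed"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hash_type(value: str) -> Optional[str]:
    """Classify a hex digest by length (MD5 32, SHA1 40, SHA256 64), the three forms
    Get File Information accepts; None for anything else."""
    if not _HEX.match(value):
        return None
    return {32: "MD5", 40: "SHA1", 64: "SHA256"}.get(len(value))


def is_domain(value: str) -> bool:
    """Bare host name: dot-separated labels, no scheme or path, not an all-numeric TLD."""
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels) and not labels[-1].isdigit()


def validate_indicator(value: str, indicator_type: str) -> str:
    """Return the normalised indicator value, or raise ValueError when it does not match the type."""
    if indicator_type not in INDICATOR_TYPES:
        raise ValueError(f"unknown indicator type {indicator_type!r}")
    value = value.strip()
    if indicator_type in ("FileSha1", "FileSha256"):
        expected = "SHA1" if indicator_type == "FileSha1" else "SHA256"
        if hash_type(value) != expected:
            raise ValueError(f"{value!r} is not a {expected} digest")
        return value.lower()
    if indicator_type == "IpAddress":
        return str(ipaddress.ip_address(value))  # raises ValueError on malformed input
    if indicator_type == "DomainName":
        if not is_domain(value):
            raise ValueError(f"{value!r} is not a domain name")
        return value.lower().rstrip(".")
    parts = urlparse(value)  # Url
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"{value!r} is not an http(s) URL")
    return value


def is_valid_indicator(value: str, indicator_type: str) -> bool:
    try:
        validate_indicator(value, indicator_type)
        return True
    except ValueError:
        return False


def indicator_request(value: str, indicator_type: str, action: str, expires_in: timedelta,
                      title: Optional[str] = None, severity: Optional[str] = None,
                      description: Optional[str] = None, recommended_actions: Optional[str] = None,
                      now: Optional[datetime] = None) -> Dict[str, Optional[str]]:
    """Build the Submit Indicator input, turning the documented "duration after which the
    indicator will expire" into an absolute UTC expirationTime."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if expires_in <= timedelta(0):
        raise ValueError("expiration duration must be positive")
    now = now or datetime.now(timezone.utc)
    return {
        "indicatorValue": validate_indicator(value, indicator_type),
        "indicatorType": indicator_type,
        "action": action,
        "expirationTime": (now + expires_in).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "title": title,
        "severity": severity,
        "description": description,
        "recommendedActions": recommended_actions,
    }


REFERENCE_NOW = datetime(2019, 9, 22, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_TTL = timedelta(days=30)
SAMPLE_SHA1 = "a" * 40  # constructed placeholder digest, not a real file hash

if __name__ == "__main__":
    print(indicator_request(SAMPLE_SHA1, "FileSha1", "AlertAndBlock", SAMPLE_TTL,
                            title="Case 42 dropper", severity="High", now=REFERENCE_NOW))
```

Hash values are lower-cased and domain names have any trailing dot removed so that the same indicator submitted twice from different sources updates one entry rather than creating near-duplicates that are awkward to find and delete later.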
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Search Query | Query using which you want to search for TI indicators in Windows Defender ATP. OData filter queries are supported. For example, the query [action eq 'AlertAndBlock'] retrieves all indicators with the "AlertAndBlock" action. |
Number of Indicators to Fetch | Maximum number of indicators that this operation should return from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"createdBy": "",
"expirationTime": "",
"indicatorValue": "",
"description": "",
"rbacGroupNames": [],
"severity": "",
"title": "",
"indicatorType": "",
"recommendedActions": "",
"creationTimeDateTimeUtc": "",
"action": ""
}
]
}
Parameter | Description |
---|---|
Indicator ID | ID of the indicator that you want to delete from Windows Defender ATP. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Machine ID | ID of the machine on which you want to initiate forensic collection. |
Comment | Comment that you want to associate with the action. |
The output contains the following populated JSON schema:
{
"requestor": "",
"type": "",
"@odata.context": "",
"relatedFileInfo": "",
"lastUpdateTimeUtc": "",
"machineId": "",
"requestorComment": "",
"status": "",
"creationDateTimeUtc": "",
"id": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine that you want to offboard from Windows Defender ATP. |
Comment | Comment that you want to associate with the action. |
The output contains the following populated JSON schema:
{
"requestor": "",
"type": "",
"@odata.context": "",
"relatedFileInfo": "",
"lastUpdateTimeUtc": "",
"machineId": "",
"requestorComment": "",
"status": "",
"creationDateTimeUtc": "",
"id": ""
}
Parameter | Description |
---|---|
Machine Action ID | ID of the machine action whose SAS URI you want so that you can download the investigation package from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine whose details you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"rbacGroupId": "",
"firstSeen": "",
"agentVersion": "",
"riskScore": "",
"exposureLevel": "",
"computerDnsName": "",
"lastIpAddress": "",
"id": "",
"osBuild": "",
"version": "",
"aadDeviceId": "",
"osVersion": "",
"@odata.context": "",
"machineTags": [],
"lastSeen": "",
"healthStatus": "",
"rbacGroupName": "",
"osPlatform": "",
"lastExternalIpAddress": "",
"osProcessor": ""
}
The Sample - Windows Defender ATP - 1.0.0 playbook collection comes bundled with the Windows Defender ATP connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Windows Defender ATP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Windows Defender Advanced Threat Protection (ATP) is a unified platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
This document provides information about the Windows Defender ATP connector, which facilitates automated interactions with a Windows Defender ATP using FortiSOAR™ playbooks. Add the Windows Defender ATP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as isolate a specified machine from accessing an external network, retrieves a list of logged on users, and preventing a file from being executed in the organization.
Connector Version: 2.0.0
FortiSOAR™ Versions Tested on: 5.1.1-58
Authored By: Fortinet.
Certified: Yes
Following enhancements have been made to the Windows Defender ATP connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root
user to install connectors:
yum install cyops-connector-windows-defender-atp
For the detailed procedure to install a connector, click here
Important: You must also create an application with appropriate permissions that will access Microsoft Windows Defender ATP. For more information, see the "Create an app to access Microsoft Defender ATP without a user" article.
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Windows Defender ATP connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Service-based URI to which you will connect and perform the automated operations. For better performance, you can use a server that is close to your geographic location. You can use one of the following URIs:
|
Client ID | Client ID of the Azure application that is used to access Windows Defender ATP. |
Client Secret | Secret string that the application (used to access Windows Defender ATP) uses to prove its identity. To get the secret key, see "Create an app to access Microsoft Defender ATP without a user" article. |
Tenant ID | Tenant ID of the Azure application. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Machines List | Retrieves the collection of all recently seen machines, or specific machines based on the search query and other input parameters that you have specified. | get_endpoints Investigation |
Find Machine Information By IP | Searches for and retrieves information about a machine from Windows Defender ATP, based on the requested internal IP address, within a window of 15 minutes before and after a given timestamp. | get_endpoints Investigation |
Get Machine Logged on Users | Retrieves a list of users logged on to a specified machine, based on the machine ID you have specified, from Windows Defender ATP. | get_logged_users Investigation |
Get Machine Alerts | Retrieves the collection of alerts related to the specified machine, based on the machine ID you have specified, from Windows Defender ATP. | get_alerts Investigation |
Isolate Machine | Isolates a specified machine, based on the machine ID you have specified, from accessing an external network. | isolate_machine Investigation |
Remove Isolation | Removes the isolation of a specified machine, based on the machine ID you have specified. | unisolate_machine Investigation |
Restrict Application Execution | Restricts application execution on a specified machine, based on the machine ID you have specified. | restrict_app Investigation |
Remove Application Restriction | Removes the execution restriction of a set of predefined applications from a specified machine, based on the machine ID you have specified. | remove_restriction Investigation |
Run Antivirus Scan | Initiates a Windows Defender Antivirus scan on a machine, based on the machine ID you have specified. | run_antivirus Investigation |
Get File Information | Retrieves file information, based on the file identifier (SHA1, SHA256, or MD5) you have specified, from Windows Defender ATP. | get_file_info Investigation |
Get File Statistics | Retrieves the prevalence (statistics) of a specific file, based on the SHA1 of the file you have specified, from Windows Defender ATP. | get_file_statistics Investigation |
Get File Related Machines | Retrieves the collection of machines associated with the file hash (SHA1 only) you have specified, from Windows Defender ATP. | get_endpoints Investigation |
Get File Related Alerts | Retrieves the collection of alerts associated with the file hash (SHA1 only) you have specified, from Windows Defender ATP. | get_alerts Investigation |
Get Domain Related Alerts | Retrieves the collection of alerts associated with the domain you have specified, from Windows Defender ATP. | get_alerts Investigation |
Get Domain Related Machines | Retrieves the collection of machines associated with the domain you have specified, from Windows Defender ATP. | get_endpoints Investigation |
Get Domain Statistics | Retrieves the prevalence (statistics) of a specific domain, based on the domain name you have specified, from Windows Defender ATP. | get_domain_statistics Investigation |
Get IP Related Alerts | Retrieves the collection of alerts associated with the IP address you have specified, from Windows Defender ATP. | get_alerts Investigation |
Get IP Statistics | Retrieves the prevalence (statistics) of a specific IP, based on the IP address you have specified, from Windows Defender ATP. | get_ip_statistics Investigation |
Get Alert By ID | Retrieves details for a specific alert from Windows Defender ATP, based on the alert ID you have specified. | get_alerts Investigation |
Get Alert List | Retrieves all alerts, or specific alerts based on the search query and other input parameters that you have specified. | get_alerts Investigation |
Get Domains by Alert | Retrieves domains that are related to a specific alert, based on the alert ID you have specified, from Windows Defender ATP. | get_domain Investigation |
Get Files by Alert | Retrieves files that are related to a specific alert, based on the alert ID you have specified, from Windows Defender ATP. | get_file Investigation |
Get IPs by Alert | Retrieves IP addresses that are related to a specific alert, based on the alert ID you have specified, from Windows Defender ATP. | get_ip Investigation |
Get Machines by Alert | Retrieves machines that are related to a specific alert from Windows Defender ATP, based on the alert ID you have specified. | get_endpoints Investigation |
Get Machine Action List | Retrieves all collection actions done on machines, or specific collection actions based on the search query and other input parameters that you have specified. | get_machine_collection Investigation |
Get Machine Action | Retrieves details of a machine action object from Windows Defender ATP, based on the machine action object ID you have specified. | get_machine_collection Investigation |
Submit Indicator | Submits a new indicator entity to Windows Defender ATP, or updates an existing one, based on the indicator value and type, expiration time, action, and other input parameters you have specified. | submit_indicator Investigation |
Get Indicator List | Retrieves a collection of all TI (Threat Intelligence) indicators, or specific TI indicators based on the search query and other input parameters that you have specified. | get_indicators Investigation |
Delete Indicator | Deletes an indicator entity from Windows Defender ATP, based on the indicator ID you have specified. | delete_indicator Investigation |
Collect Investigation Package | Initiates forensics collection on a specific machine, based on the machine ID you have specified. | collect_investigation_package Investigation |
Offboard Machine | Offboards a machine from Windows Defender ATP, based on the machine ID you have specified. | restrict_app Investigation |
Get Package SAS URI | Retrieves a URI from Windows Defender ATP that allows downloading of an investigation package, based on the machine action ID you have specified. | download_investigation_package Investigation |
Get Machine by ID | Retrieves the details of a specific machine from Windows Defender ATP, based on the machine ID you have specified. | get_endpoints Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Search Query | Query using which you want to search for machines in Windows Defender ATP. OData filter queries are supported on the following properties: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags", and "RbacGroupId". For example, [machineTags/any(tag: tag eq 'ExampleTag')] retrieves all machines with the tag 'ExampleTag'. |
Number of Machines to Fetch | Maximum number of machines that this operation should return from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"osPlatform": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"firstSeen": "",
"isAadJoined": "",
"rbacGroupId": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"systemProductName": "",
"osVersion": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"id": ""
}
],
"@odata.context": "",
"@odata.count": ""
}
Parameter | Description |
---|---|
Time | Timestamp based on which you want to find the machine entity in Windows Defender ATP. The timestamp that you specify must be within the last 30 days. The response of this operation returns a list of all machines that reported the specified IP address within 15 minutes before and after the timestamp. |
FQDN/IP | IP address that you want to look up in Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"osPlatform": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"firstSeen": "",
"isAadJoined": "",
"rbacGroupId": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"systemProductName": "",
"osVersion": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"id": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine whose logged on users' list you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"accountDomainName": "",
"mostPrevalentMachineId": "",
"firstSeen": "",
"leastPrevalentMachineId": "",
"id": "",
"logonTypes": "",
"isDomainAdmin": "",
"accountName": "",
"accountSid": "",
"logOnMachinesCount": "",
"isOnlyNetworkUser": "",
"lastSeen": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine whose related alerts collection you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"recommendedAction": "",
"severity": "",
"category": "",
"resolvedTime": "",
"alertCreationTime": "",
"determination": "",
"id": "",
"title": "",
"classification": "",
"description": "",
"firstEventTime": "",
"status": "",
"assignedTo": "",
"lastEventTime": "",
"threatFamilyName": "",
"detectionSource": ""
}
],
"@odata.context": "",
"@odata.count": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine that you want to isolate. |
Comment | Comment that you want to associate with isolating the machine. |
Isolation Type | Type of isolation that you want to apply to the specified machine. You can choose one of the following: Full: Complete isolation, i.e., the specified machine cannot access the external network. Selective: Restricts only a limited set of applications present on the specified machine from accessing the network. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"error": "",
"status": "",
"creationDateTimeUtc": "",
"machineId": "",
"lastUpdateDateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine that you want to unisolate, i.e., whose isolation you want to remove. |
Comment | Comment that you want to associate with unisolating the machine. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"error": "",
"status": "",
"creationDateTimeUtc": "",
"machineId": "",
"lastUpdateDateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine on which you want to restrict application execution. |
Comment | Comment that you want to associate with restricting application execution. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"creationDateTimeUtc": "",
"status": "",
"machineId": "",
"error": "",
"lastUpdateDateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine from which you want to remove the application execution restriction. |
Comment | Comment that you want to associate with removing the application execution restriction. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"creationDateTimeUtc": "",
"status": "",
"machineId": "",
"error": "",
"lastUpdateDateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine on which you want to initiate a Windows Defender Antivirus scan. |
Comment | Comment that you want to associate with initiating a Windows Defender Antivirus scan. |
Scan Type | Type of Windows Defender Antivirus scan that you want to initiate on the specified machine. You can choose one of the following: Quick: Performs a quick scan on the specified machine. Full: Performs a full scan on the specified machine. |
The output contains the following populated JSON schema:
{
"id": "",
"requestorComment": "",
"requestor": "",
"error": "",
"status": "",
"creationDateTimeUtc": "",
"machineId": "",
"lastUpdateTimeUtc": "",
"@odata.context": "",
"type": ""
}
Parameter | Description |
---|---|
Filehash | SHA1, SHA256, or MD5 of the file that you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"filePublisher": "",
"signerHash": "",
"size": "",
"md5": "",
"isPeFile": "",
"globalLastObserved": "",
"globalFirstObserved": "",
"fileProductName": "",
"sha256": "",
"issuer": "",
"sha1": "",
"globalPrevalence": "",
"windowsDefenderAVThreatName": "",
"isValidCertificate": "",
"signer": "",
"@odata.context": "",
"fileType": ""
}
Parameter | Description |
---|---|
Filehash | SHA1 of the file whose prevalence (statistics) you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"sha1": "",
"orgFirstSeen": "",
"orgPrevalence": "",
"orgLastSeen": "",
"topFileNames": [],
"@odata.context": ""
}
Parameter | Description |
---|---|
Filehash | SHA1 of the file whose related collection of machines you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"firstSeen": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"osPlatform": "",
"rbacGroupId": "",
"isAadJoined": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"systemProductName": "",
"osVersion": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"id": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Filehash | SHA1 of the file whose related collection of alerts you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"recommendedAction": "",
"severity": "",
"category": "",
"resolvedTime": "",
"title": "",
"determination": "",
"id": "",
"alertCreationTime": "",
"classification": "",
"description": "",
"firstEventTime": "",
"status": "",
"assignedTo": "",
"lastEventTime": "",
"threatFamilyName": "",
"detectionSource": ""
}
],
"@odata.context": "",
"@odata.count": ""
}
Parameter | Description |
---|---|
Domain | Name of the domain whose related collection of alerts you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"status": "",
"id": "",
"recommendedAction": "",
"description": "",
"severity": ""
}
],
"@odata.count": "",
"@odata.context": ""
}
Parameter | Description |
---|---|
Domain | Name of the domain whose related collection of machines you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"firstSeen": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"osPlatform": "",
"rbacGroupId": "",
"isAadJoined": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"systemProductName": "",
"osVersion": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"id": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Domain | Name of the domain whose prevalence (statistics) you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"orgPrevalence": "",
"orgFirstSeen": "",
"orgLastSeen": "",
"@odata.context": "",
"host": ""
}
Parameter | Description |
---|---|
IP Address | IP address whose related collection of alerts you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"status": "",
"id": "",
"recommendedAction": "",
"description": "",
"severity": ""
}
],
"@odata.count": "",
"@odata.context": ""
}
Parameter | Description |
---|---|
IP Address | IP address whose prevalence (statistics) you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"orgLastSeen": "",
"ipAddress": "",
"orgFirstSeen": "",
"orgPrevalence": "",
"@odata.context": ""
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose details you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"resolvedTime": "",
"severity": "",
"alertCreationTime": "",
"recommendedAction": "",
"lastEventTime": "",
"classification": "",
"id": "",
"title": "",
"category": "",
"description": "",
"firstEventTime": "",
"status": "",
"assignedTo": "",
"determination": "",
"threatFamilyName": "",
"detectionSource": ""
}
],
"@odata.count": "",
"@odata.context": ""
}
Parameter | Description |
---|---|
Search Query | Query using which you want to search for alerts in Windows Defender ATP. OData filter queries are supported on the following properties: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity", and "Category". For example, the [alertCreationTime gt 2019-09-22T00:00:00Z] query retrieves all alerts that were created after 2019-09-22T00:00:00Z. |
Number of Alerts to Fetch | Maximum number of alerts that this operation should return from Windows Defender ATP. |
Include more Details of | Object of the alert for which you want to retrieve additional information. You can choose from the following options: Files, IPs, or Domains. Note: If you do not select any option, the additional information will not get populated in the final result. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"incidentId": "",
"assignedTo": "",
"classification": "",
"severity": "",
"title": "",
"status": "",
"alertCreationTime": "",
"determination": "",
"description": "",
"threatFamilyName": "",
"investigationState": "",
"machineId": "",
"firstEventTime": "",
"resolvedTime": "",
"category": "",
"lastEventTime": "",
"detectionSource": "",
"id": ""
}
]
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose related domains you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"host": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose related files you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"filePublisher": "",
"size": "",
"md5": "",
"isPeFile": "",
"globalLastObserved": "",
"globalFirstObserved": "",
"signer": "",
"sha256": "",
"issuer": "",
"signerHash": "",
"sha1": "",
"fileType": "",
"windowsDefenderAVThreatName": "",
"isValidCertificate": "",
"fileProductName": "",
"globalPrevalence": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose related IP addresses you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"value": [
{
"id": ""
}
],
"@odata.context": ""
}
Parameter | Description |
---|---|
Alert ID | ID of the alert whose related machines you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"firstSeen": "",
"healthStatus": "",
"lastExternalIpAddress": "",
"systemProductName": "",
"rbacGroupId": "",
"isAadJoined": "",
"computerDnsName": "",
"lastIpAddress": "",
"osBuild": "",
"id": "",
"osVersion": "",
"@odata.context": "",
"agentVersion": "",
"machineTags": [],
"groupName": "",
"osPlatform": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Search Query | Query using which you want to search for collection actions done on machines in Windows Defender ATP. OData filter queries are supported on the following properties: "Id", "Status", "MachineId", "Type", "Requestor", and "CreationDateTimeUtc". |
Number of Machine Actions to Fetch | Maximum number of collection actions that this operation should return from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"type": "",
"lastUpdateDateTimeUtc": "",
"creationDateTimeUtc": "",
"machineId": "",
"scope": "",
"relatedFileInfo": "",
"cancellationComment": "",
"id": "",
"errorHResult": "",
"status": "",
"requestor": "",
"requestorComment": "",
"cancellationDateTimeUtc": "",
"cancellationRequestor": ""
}
]
}
Parameter | Description |
---|---|
Machine Action ID | ID of the machine action object whose details you want to retrieve from Windows Defender ATP. You can generate a machine action object ID by running the "Restrict Apps" or "Run Antivirus Scan" operations. |
The output contains the following populated JSON schema:
{
"type": "",
"lastUpdateDateTimeUtc": "",
"creationDateTimeUtc": "",
"machineId": "",
"relatedFileInfo": "",
"cancellationComment": "",
"requestorComment": "",
"id": "",
"errorHResult": "",
"status": "",
"requestor": "",
"cancellationRequestor": "",
"@odata.context": "",
"cancellationDateTimeUtc": "",
"scope": ""
}
Parameter | Description |
---|---|
Indicator Value | Indicator value or identity of the indicator entity that you want to submit to Windows Defender ATP. |
Indicator Type | Type of the indicator that you want to submit to Windows Defender ATP. You can choose from the following options: FileSha1, FileSha256, IpAddress, DomainName, or Url. |
Action | Action that will be taken if the indicator is discovered in the organization. You can choose from the following options: Alert only, Alert and block, or Allowed. |
Expiration Time | Duration after which the indicator will expire in Windows Defender ATP. |
Alert Title | (Optional) Title of the alert associated with the indicator. |
Alert Severity | (Optional) Severity of the alert associated with the indicator. You can choose from the following options: Informational, Low, Medium, or High. |
Description | (Optional) Description of the indicator that you want to submit to Windows Defender ATP. |
Recommended Actions | (Optional) Recommended actions that get performed as a part of a response. For example, a recovery action that is performed if a certain event occurs. |
The output contains the following populated JSON schema:
{
"severity": "",
"rbacGroupNames": [],
"title": "",
"indicatorType": "",
"description": "",
"createdBy": "",
"expirationTime": "",
"indicatorValue": "",
"@odata.context": "",
"recommendedActions": "",
"creationTimeDateTimeUtc": "",
"action": ""
}
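The Submit Indicator parameters above map onto a JSON request body; the following added example (not the connector's own code) builds that body from the connector's inputs, converting the duration-style Expiration Time into an absolute timestamp and checking that the indicator value actually has the shape its declared type requires before a blocking or allow rule is pushed to every endpoint. Field names follow the output schema shown above; the mapping of "Alert and block" to `AlertAndBlock` follows the spelling the Get Indicator List example on this page uses, and the helper names are this example's own.

```python
"""Build and validate a Submit Indicator request body for Windows Defender ATP.

Added example, not part of the FortiSOAR connector. Field names match the
page's output schema; the action-value mapping is an assumption based on the
'AlertAndBlock' spelling the page's indicator search example uses.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# Connector "Action" choices (from the page) -> API action values (assumed).
ACTIONS = {"Alert only": "Alert", "Alert and block": "AlertAndBlock",
           "Allowed": "Allowed"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_utc(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2019-09-22T00:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def indicator_value_ok(value: str, indicator_type: str) -> bool:
    """Check that the value has the shape its declared type requires, so a
    SHA256 submitted as FileSha1 or a hostname submitted as IpAddress is
    rejected instead of becoming a dead (or overly broad) rule."""
    if indicator_type == "FileSha1":
        return re.fullmatch(r"[0-9a-fA-F]{40}", value) is not None
    if indicator_type == "FileSha256":
        return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None
    if indicator_type == "IpAddress":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if indicator_type == "DomainName":
        labels = value.rstrip(".").split(".")
        return len(labels) >= 2 and all(LABEL.match(lbl) for lbl in labels)
    if indicator_type == "Url":
        parts = urlsplit(value)
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    return False


def build_indicator(value: str, indicator_type: str, action: str,
                    expires_in_hours: int, title: Optional[str] = None,
                    severity: Optional[str] = None,
                    description: Optional[str] = None,
                    recommended_actions: Optional[str] = None,
                    now: Optional[datetime] = None) -> dict:
    """Return the JSON body for a Submit Indicator call. The connector's
    Expiration Time is a duration; the API stores an absolute expirationTime."""
    if not indicator_value_ok(value, indicator_type):
        raise ValueError(f"{value!r} is not a valid {indicator_type}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(hours=expires_in_hours)
    body = {
        "indicatorValue": value,
        "indicatorType": indicator_type,
        "action": ACTIONS[action],
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    # The connector's optional parameters map onto the optional API fields.
    for key, val in (("title", title), ("severity", severity),
                     ("description", description),
                     ("recommendedActions", recommended_actions)):
        if val is not None:
            body[key] = val
    return body
```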
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Search Query | Query using which you want to search for TI indicators in Windows Defender ATP. OData filter queries are supported. For example, the query [action eq 'AlertAndBlock'] retrieves all indicators with the "AlertAndBlock" action. |
Number of Indicators to Fetch | Maximum number of indicators that this operation should return from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": [
{
"createdBy": "",
"expirationTime": "",
"indicatorValue": "",
"description": "",
"rbacGroupNames": [],
"severity": "",
"title": "",
"indicatorType": "",
"recommendedActions": "",
"creationTimeDateTimeUtc": "",
"action": ""
}
]
}
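The Search Query parameters of Get Machines List, Get Alert List, Get Machine Action List and Get Indicator List all take OData filter expressions, and in a playbook those expressions are usually assembled from incident fields. The following added example (not the connector's own code) builds the filters this page shows from such input, quoting string literals so an embedded single quote cannot close the literal and append a clause, rendering timestamps in the form the alert example uses, and refusing properties the page does not list as filterable; the helper names are this example's own.

```python
"""Build OData $filter strings for the Windows Defender ATP search-query
parameters (machines, alerts, machine actions, indicators) from playbook input.

Added example, not the connector's own code. The filterable properties and the
sample filters come from the page; the helper names are this example's own.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Properties the page lists as filterable, in the camelCase spelling its own
# example filters use; eq_filter compares property names case-insensitively.
MACHINE_FIELDS = {"id", "computerDnsName", "lastSeen", "lastIpAddress",
                  "healthStatus", "osPlatform", "riskScore", "machineTags",
                  "rbacGroupId"}
ALERT_FIELDS = {"id", "incidentId", "alertCreationTime", "status",
                "severity", "category"}
ACTION_FIELDS = {"id", "status", "machineId", "type", "requestor",
                 "creationDateTimeUtc"}


def odata_string(value: str) -> str:
    """Quote a string literal for OData, doubling embedded single quotes so a
    playbook value such as O'Brien cannot terminate the literal and smuggle
    an extra clause into the filter."""
    return "'" + value.replace("'", "''") + "'"


def parse_utc(text: str) -> datetime:
    """Parse the ISO-8601 UTC form the page's alert example uses."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def odata_datetime(moment: datetime) -> str:
    """Render a datetime as the unquoted UTC literal OData expects."""
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def eq_filter(field: str, value: str, allowed: set) -> str:
    """Build `field eq 'value'`, refusing properties the API does not filter on."""
    if field.lower() not in {f.lower() for f in allowed}:
        raise ValueError(f"{field!r} is not a filterable property")
    return f"{field} eq {odata_string(value)}"


def tag_filter(tag: str) -> str:
    """Machines carrying a tag: the page's machineTags/any(tag: tag eq 'X') form."""
    return f"machineTags/any(tag: tag eq {odata_string(tag)})"


def alerts_since(hours: int, now: Optional[datetime] = None) -> str:
    """Alerts created in the last `hours`: alertCreationTime gt <timestamp>."""
    now = now or datetime.now(timezone.utc)
    return f"alertCreationTime gt {odata_datetime(now - timedelta(hours=hours))}"


def and_filters(*clauses: str) -> str:
    """Join clauses with 'and', parenthesising each so precedence is explicit."""
    return " and ".join(f"({c})" for c in clauses if c)


if __name__ == "__main__":
    # High-severity alerts from the 24 hours before a fixed reference time.
    print(and_filters(alerts_since(24, parse_utc("2019-09-23T00:00:00Z")),
                      eq_filter("severity", "High", ALERT_FIELDS)))
```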
Parameter | Description |
---|---|
Indicator ID | ID of the indicator that you want to delete from Windows Defender ATP. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Machine ID | ID of the machine on which you want to initiate forensic collection. |
Comment | Comment that you want to associate with the action. |
The output contains the following populated JSON schema:
{
"requestor": "",
"type": "",
"@odata.context": "",
"relatedFileInfo": "",
"lastUpdateTimeUtc": "",
"machineId": "",
"requestorComment": "",
"status": "",
"creationDateTimeUtc": "",
"id": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine that you want to offboard from Windows Defender ATP. |
Comment | Comment that you want to associate with the action. |
The output contains the following populated JSON schema:
{
"requestor": "",
"type": "",
"@odata.context": "",
"relatedFileInfo": "",
"lastUpdateTimeUtc": "",
"machineId": "",
"requestorComment": "",
"status": "",
"creationDateTimeUtc": "",
"id": ""
}
Parameter | Description |
---|---|
Machine Action ID | ID of the machine action whose SAS URI you want so that you can download the investigation package from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"@odata.context": "",
"value": ""
}
Parameter | Description |
---|---|
Machine ID | ID of the machine whose details you want to retrieve from Windows Defender ATP. |
The output contains the following populated JSON schema:
{
"rbacGroupId": "",
"firstSeen": "",
"agentVersion": "",
"riskScore": "",
"exposureLevel": "",
"computerDnsName": "",
"lastIpAddress": "",
"id": "",
"osBuild": "",
"version": "",
"aadDeviceId": "",
"osVersion": "",
"@odata.context": "",
"machineTags": [],
"lastSeen": "",
"healthStatus": "",
"rbacGroupName": "",
"osPlatform": "",
"lastExternalIpAddress": "",
"osProcessor": ""
}
The Sample - Windows Defender ATP - 1.0.0 playbook collection comes bundled with the Windows Defender ATP connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Windows Defender ATP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.