Playbook to update IOCs on Microsoft Advanced Threat Protection (APT)

vhebri — Thu, 27 Jul 2023 12:45:24 GMT

I want to achieve below steps. is there any exiting playbook or have to customized playbook?

Step 1: Checking Existing IOCs in Microsoft APT

In this first step, we will fetch the list of existing IOCs from Microsoft APT and compare them with the IOCs you wish to add.

Step 2: Handling Existing IOCs

Upon comparing the fetched list with your desired IOCs, we will identify the existing items. Those already present in Microsoft APT will be ignored, and a notification email will be sent to your team, providing details about these items.

Step 3: Adding New IOCs to Microsoft APT

For the IOCs that are not already in Microsoft APT, we will proceed to add them using the XSOAR integration with Microsoft APT.

Step 4: Cross-Checking Addition of IOCs

After successfully adding the new IOCs, we will perform a cross-check by fetching the IOCs from Microsoft APT again. This verification step ensures the accuracy of the additions.

Step 5: Notifying the Team

Once the cross-check confirms that the new IOCs are added to Microsoft APT, we will use the "Send Email" integration in XSOAR to notify your team about the successful addition.

if required custom playbook, kindly help me which automation I should use.?

Re: Playbook to update IOCs on Microsoft Advanced Threat Protection (APT)

Ivetto — Tue, 01 Aug 2023 17:54:00 GMT

Hello Vhebri,

I found this content pack from called 'Microsoft Defender for Endpoint' that includes this in the description:

Enriches IOCs from XSOAR to Microsoft Defender for Endpoint and vice versa,

and it allows the Microsoft Defender for Endpoint integration to import events as XSOAR incidents.

This should accomplish the items you are looking for. Hope this helps!

Link here: https://cortex.marketplace.pan.dev/marketplace/details/MicrosoftDefenderAdvancedThreatProtection/