Microsoft Defender for Endpoint

Solution: MicrosoftDefenderForEndpoint

Attribute | Value
Publisher | Microsoft Corporation
Support Tier | Microsoft
Support Link | https://support.microsoft.com
Categories | domains
Version | 3.0.3
Author | Microsoft - support@microsoft.com
First Published | 2022-01-31
Last Updated | 2025-12-14
Solution Folder | MicrosoftDefenderForEndpoint
Marketplace | Azure Marketplace · Rating: ★★☆☆☆ 2.2/5 (4 ratings) · Popularity: 🟢 High (98%)

The Microsoft Defender for Endpoint solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Endpoint platform, integrating them into your Microsoft Sentinel Incidents queue.

Underlying Microsoft Technologies used:

This solution depends on the following technologies; some of them may be in Preview, and some may incur additional ingestion or operational costs:

a. Codeless Connector Platform/Native Microsoft Sentinel Polling

Contents

Data Connectors

This solution provides 1 data connector(s):

Tables Used

This solution uses 1 table(s):

Table | Used By Connectors | Used By Content
DeviceProcessEvents | - | Hunting

Internal Tables

The following 1 table(s) are used internally by this solution's content items:

Table | Used By Connectors | Used By Content
SecurityAlert | Microsoft Defender for Endpoint | Analytics

Content Items

This solution includes 27 content item(s):

Content Type | Count
Playbooks | 22
Hunting Queries | 2
Parsers | 2
Analytic Rules | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
Aqua Blizzard AV hits - Feb 2022 | High | Persistence | Internal use: SecurityAlert

Hunting Queries

Name | Tactics | Tables Used
Probable AdFind Recon Tool Usage | Discovery | DeviceProcessEvents
SUNBURST suspicious SolarWinds child processes | Execution, Persistence | DeviceProcessEvents
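
Both hunting queries run over DeviceProcessEvents. The query below is an added illustrative example, not the solution's own "Probable AdFind Recon Tool Usage" content: it shows the shape such a hunt takes, matching the AdFind binary by file name and, to catch renamed copies, by the LDAP-style switches AdFind is typically run with, then grouping hits per device and account. The switch list, the lookback window, the two-command-line threshold and the allowlisted service account are assumptions for the example.

```kusto
// Added example hunting query over DeviceProcessEvents (not the solution's own query).
// Strategy: match adfind.exe by name, or a renamed binary by characteristic
// command-line content, then summarize per device/account so one host running
// several enumeration commands surfaces as a single row.
let lookback = 7d;
// Assumed list of switches and LDAP filters commonly seen in AdFind domain enumeration.
let adfind_args = dynamic([
    "-f objectcategory=", "-sc trustdmp", "-sc dcmodes", "-sc u:", "-subnets",
    "-gcb", "dclist", "computers_pwdnotreqd"
]);
// Assumed allowlist of accounts that run AdFind legitimately (e.g. an AD audit job).
let allowed_accounts = dynamic(["svc_adaudit"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "adfind.exe"
    or ProcessCommandLine has_any (adfind_args)
| where not(AccountName in~ (allowed_accounts))
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    CommandLines = make_set(ProcessCommandLine, 10),
    DistinctCommandLines = dcount(ProcessCommandLine),
    RanAsAdFindExe = countif(FileName =~ "adfind.exe")
    by DeviceId, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
// A binary actually named adfind.exe is reported on a single hit; a renamed
// binary must show at least two distinct recon command lines to reduce noise
// from unrelated tools that happen to pass one LDAP filter.
| where RanAsAdFindExe > 0 or DistinctCommandLines >= 2
| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName
| order by LastSeen desc
```

The parent process columns are kept in the grouping on purpose: AdFind launched from an Office macro, a scheduled task or a web shell process is a very different finding from AdFind launched from an administrator's interactive shell, and the parent command line is usually what tells them apart.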

Playbooks

Name | Description | Tables Used
Isolate MDE Machine - Alert Triggered | This playbook will isolate (full) the machine in Microsoft Defender for Endpoint. It is triggered by... | -
Isolate MDE Machine using entity trigger | This playbook will isolate Microsoft Defender for Endpoint MDE device using entity trigger. It will ... | -
Isolate endpoint - MDE - Incident Triggered | This playbook will isolate (full) the machine in Microsoft Defender for Endpoint. It is triggered by... | -
Restrict MDE App Execution - Alert Triggered | This playbook will restrict app execution on the machine in Microsoft Defender for Endpoint. | -
Restrict MDE App Execution - Incident Triggered | This playbook will restrict app execution on the machine in Microsoft Defender for Endpoint. | -
Restrict MDE Domain - Alert Triggered | This playbook will take DNS entities and generate alert and block threat indicators for each domain... | -
Restrict MDE Domain - Entity Triggered | This playbook will take the triggering entity and generate an alert and block threat indicator for t... | -
Restrict MDE Domain - Incident Triggered | This playbook will take DNS entities and generate alert and block threat indicators for each domain... | -
Restrict MDE FileHash - Alert Triggered | This playbook will take FileHash entities and generate alert and block threat indicators for each fi... | -
Restrict MDE FileHash - Entity Triggered | This playbook will take the triggering FileHash entity and generate an alert and block threat indica... | -
Restrict MDE FileHash - Incident Triggered | This playbook will take FileHash entities and generate alert and block threat indicators for each fi... | -
Restrict MDE Ip Address - Alert Triggered | This playbook will take IP entities and generate alert and block threat indicators for each IP in MD... | -
Restrict MDE Ip Address - Entity Triggered | This playbook will generate an alert and block threat indicator for the IP entity in MDE for 90 da... | -
Restrict MDE Ip Address - Incident Triggered | This playbook will take IP entities and generate alert and block threat indicators for each IP in MD... | -
Restrict MDE URL - Entity Triggered | This playbook will take the triggering entity and generate an alert and block threat indicator for t... | -
Restrict MDE Url - Alert Triggered | This playbook will take Url entities and generate alert and block threat indicators for each URL in M... | -
Restrict MDE Url - Incident Triggered | This playbook will take Url entities and generate alert and block threat indicators for each URL in M... | -
Run MDE Antivirus - Alert Triggered | This playbook will run an antivirus (full) scan on the machine in Microsoft Defender for Endpoint. It... | -
Run MDE Antivirus - Incident Triggered | This playbook will run an antivirus (full) scan on the machine in Microsoft Defender for Endpoint. It... | -
Unisolate MDE Machine - Alert Triggered | This playbook will release a machine from isolation in Microsoft Defender for Endpoint. It is trigge... | -
Unisolate MDE Machine - Incident Triggered | This playbook will release a machine from isolation in Microsoft Defender for Endpoint. It is trigge... | -
Unisolate MDE Machine using entity trigger | This playbook will unisolate Microsoft Defender for Endpoint (MDE) device using entity trigger. | -

Parsers

Name | Description | Tables Used
AssignedIPAddress | - | DeviceNetworkInfo (read)
Devicefromip | - | DeviceNetworkInfo (read)
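
Both parsers read DeviceNetworkInfo, whose IPAddresses column is a JSON array of address objects that has to be expanded before an IP can be matched at all. The function below is an added example, not the solution's Devicefromip parser, that resolves an IP address to the device that most recently reported it within a time window ending at the time of interest. The function and parameter names, the link-local filter and the values in the sample call are assumptions for the example.

```kusto
// Added example parser over DeviceNetworkInfo (not the solution's Devicefromip parser).
// Given an IP and a point in time, return the device that most recently reported
// that address on an adapter that was up. The window matters: with DHCP the same
// address is handed to different devices over time, so an unbounded lookup
// can attribute activity to the wrong host.
let DeviceFromIpExample = (ip:string, at:datetime, window:timespan) {
    DeviceNetworkInfo
    | where Timestamp between ((at - window) .. at)
    | where NetworkAdapterStatus =~ "Up"
    // IPAddresses is a JSON string: [{"IPAddress":"10.1.2.3","SubnetPrefix":24,"AddressType":"Private"}, ...]
    | mv-expand Address = todynamic(IPAddresses)
    | extend IPAddress = tostring(Address.IPAddress),
             AddressType = tostring(Address.AddressType)
    | where IPAddress == ip
    // Assumed filter: link-local addresses are not unique per device and are
    // useless for attribution, so drop them even if a caller asks for one.
    | where not(IPAddress startswith "169.254.") and not(IPAddress startswith "fe80:")
    | summarize arg_max(Timestamp, DeviceId, DeviceName, NetworkAdapterName, MacAddress, AddressType)
        by IPAddress
    | project IPAddress, LastReported = Timestamp, DeviceId, DeviceName,
              NetworkAdapterName, MacAddress, AddressType
};
// Sample call with assumed values: resolve who held 10.20.30.40 in the day before the event time.
DeviceFromIpExample("10.20.30.40", datetime(2025-01-15 12:00:00), 1d)
```

When such a function is used from an analytic rule, pass the alert's own timestamp as `at` rather than `now()`; otherwise a rule that fires hours after the event may resolve the address to whichever device picked up the lease afterwards.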

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.6 | 24-09-2025 | Updated MDE Playbooks Instructions to use Microsoft Graph SDK
3.0.5 | 06-08-2025 | Updated MDE Playbooks with newer logic
3.0.4 | 07-04-2025 | Updated ConnectivityCriteria Type in Data Connector.
3.0.3 | 26-07-2024 | Updated Analytic Rule for missing TTP
3.0.2 | 08-07-2024 | Corrected UI changes in Playbook's metadata
3.0.1 | 24-11-2023 | Entities have been mapped for Playbooks
3.0.0 | 17-07-2023 | Initial Solution Release
