Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/DefenderDailyOperations/Manifest_DefenderDailyOperations.yaml

Descriptor:
  Name: DefenderDailyOperations
  DisplayName: Defender Daily Operations
  Description: XDR scenarios we use repeatedly for daily operations.

SkillGroups:
  - Format: KQL
    Skills:
      - Name: GetDefenderDevices
        DisplayName: Get Defender Devices
        Description: Get the top 10 devices from Defender based on device state, exposure level, etc. for the last 8 hours
        Inputs:
          - Name: devicehealthstate
            Description: Provide the state of the device you want to fetch - e.g. Active
            Required: true
          - Name: exposurelevel
            Description: Provide the exposure level you want to consider - e.g. High, Medium, Low
            Required: false
        Settings:
          Target: Defender
          Template: |-
            DeviceInfo
            | where SensorHealthState =~ '{{devicehealthstate}}'
            | where ExposureLevel contains '{{exposurelevel}}'
            | where TimeGenerated > ago(8h)
            | project DeviceName, DeviceCategory, OnboardingStatus, SensorHealthState, LoggedOnUsers, ExposureLevel, JoinType, TimeGenerated
            | top 10 by TimeGenerated desc

      - Name: GetLatestEmailsByRecipient
        DisplayName: Get Latest Emails By Recipient
        Description: Fetches the latest emails received by the user with the specified email address
        Inputs:
          - Name: email
            Description: The email address of the recipient - e.g. xxxxxxx@contoso.com
            Required: true
        Settings:
          Target: Defender
          Template: |-
            EmailEvents
            | where RecipientEmailAddress =~ '{{email}}'
            | project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName, Subject, DeliveryLocation
            | top 10 by Timestamp desc