The "QuickAction - Isolate or Release a Device on MS Defender Endpoint" workflow template lets a security team isolate a potentially compromised device from the network, or release a device from isolation, through Microsoft Defender for Endpoint directly from the incident case. Because the action is triggered from the case and its outcome is written back to it, the analyst does not have to switch to the Defender portal and the containment decision is recorded with the investigation. Quick Action buttons let analysts contain or restore a device as soon as their analysis warrants it, which shortens response time in the organization's endpoint detection and response (EDR) process.
Use Cases
Case Management, Endpoint Detection and Response (EDR)
Workflow Breakdown
Runs in response to a Quick Action execution.
Lets the analyst choose between isolating the device and releasing it from isolation.
Waits for the device to check in and confirm that the action has completed. Defender only queues the machine action; the device applies it at its next check-in, so the action's status is polled until it is no longer pending.
Adds a note to the case with the result of the action.
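The same sequence, written out as an added Python example rather than the template's own steps or Microsoft's code: submit the isolate or unisolate request, poll the resulting machine action until Defender reports a terminal status, and build the text for the case note. The Defender for Endpoint endpoints used (POST /machines/{id}/isolate with Comment and IsolationType, POST /machines/{id}/unisolate with Comment, GET /machineactions/{id}) are the documented ones; the bearer token placeholder, the `transport` hook and `make_fake_transport` with its canned responses are assumptions made so the flow can run offline.

```python
"""Added example (not Torq's template code): isolate or release a device in
Microsoft Defender for Endpoint and wait for the device to confirm the action.

Defender answers an isolate/unisolate request immediately with a MachineAction
in status "Pending"; the device applies the change only at its next check-in.
A playbook therefore polls the action until it reaches a terminal status
before it reports a result to the case.

Assumptions: ACCESS_TOKEN holds an app token with the Machine.Isolate
permission; `transport` is a hypothetical hook so the flow can be exercised
with a fake, and `http_transport` is the real one built on urllib.
"""
import json
import time
import urllib.request

API = "https://api.securitycenter.microsoft.com/api"
ACCESS_TOKEN = "<bearer token from the app registration>"  # placeholder, assumed

# Terminal MachineAction statuses; "Pending" and "InProgress" mean keep polling.
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


def is_terminal(status):
    return status in TERMINAL


def http_transport(method, url, body=None):
    """Real transport: JSON request to the Defender API with the bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {ACCESS_TOKEN}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def start_action(action, machine_id, comment, transport, isolation_type="Full"):
    """Submit isolate or unisolate; returns the MachineAction entity."""
    if action == "isolate":
        # "Full" cuts all traffic except to the Defender cloud; "Selective"
        # keeps Outlook, Teams and Skype for Business working.
        body = {"Comment": comment, "IsolationType": isolation_type}
        path = f"/machines/{machine_id}/isolate"
    elif action == "release":
        body = {"Comment": comment}
        path = f"/machines/{machine_id}/unisolate"
    else:
        raise ValueError(f"unknown action {action!r}")
    return transport("POST", API + path, body)


def wait_for_action(action_id, transport, max_polls=60, interval=10, sleep=time.sleep):
    """Poll GET /machineactions/{id} until a terminal status; returns the last entity."""
    last = None
    for _ in range(max_polls):
        last = transport("GET", f"{API}/machineactions/{action_id}")
        if is_terminal(last.get("status")):
            return last
        sleep(interval)
    return last  # still Pending/InProgress: the device has not checked in yet


def run_quick_action(action, machine_id, comment, transport, **wait_kwargs):
    """Whole flow: submit, wait, and produce the text for the case note."""
    submitted = start_action(action, machine_id, comment, transport)
    final = wait_for_action(submitted["id"], transport, **wait_kwargs)
    status = final.get("status")
    note = (f"{action} of device {machine_id}: {status} "
            f"(machine action {submitted['id']}, type {final.get('type')})")
    if not is_terminal(status):
        note += " - device has not checked in yet; the action is still queued in Defender"
    return {"status": status, "note": note, "action_id": submitted["id"]}


def make_fake_transport(statuses):
    """Constructed offline stand-in for the Defender API (assumed, for testing):
    POST returns a Pending action, each GET returns the next status in `statuses`."""
    state = {"queue": list(statuses), "type": "Isolate", "calls": []}

    def transport(method, url, body=None):
        state["calls"].append((method, url, body))
        if method == "POST":
            state["type"] = "Isolate" if url.endswith("/isolate") else "Unisolate"
            return {"id": "act-0001", "type": state["type"], "status": "Pending"}
        status = state["queue"].pop(0) if state["queue"] else "Pending"
        return {"id": "act-0001", "type": state["type"], "status": status}

    transport.calls = state["calls"]
    return transport


if __name__ == "__main__":
    fake = make_fake_transport(["Pending", "InProgress", "Succeeded"])
    print(run_quick_action("isolate", "machine-1", "case 42", fake, sleep=lambda s: None)["note"])
```

The note distinguishes a confirmed result from an action that is still queued, which matters for a containment decision: a "Pending" isolation means the device is still on the network. Full isolation keeps the Defender cloud channel open, so a device that is online will normally move to "Succeeded" within a few polls; one that stays "Pending" past the poll budget is offline or has lost its sensor connection and should be handled by other means.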
Vendors
Utils, Microsoft Defender for Endpoint, Torq Cases