
QuickAction - Isolate or Release a Device on MS Defender Endpoint - Workflow Template

Isolate or release a remote device from isolation when a quick action button is pressed.

Updated today

This workflow template enables security teams to quickly isolate or release devices from isolation with one click in response to a Quick Action execution. This process is essential for effective case management and endpoint detection and response (EDR) scenarios. The template waits for confirmation that the host has been successfully contacted before updating case notes with the action result, streamlining incident response and reducing the risk of spreading threats within the network environment.

Use Cases

Case Management, Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Runs in response to a Quick Action execution.

  2. Lets the analyst choose between isolating or releasing a device.

  3. Waits for the host to be contacted and confirms that the action has finished successfully.

  4. Adds a note to the case with the result of the action.
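The steps above, sketched as an added example against the Microsoft Defender for Endpoint machine-action API; this is not the template's own implementation. The `http` callable, `fake_transport`, the machine and action ids, and the note format are assumptions constructed for the example.

```python
import time

# Microsoft Defender for Endpoint API paths, relative to the API base URL.
ACTION_PATHS = {"isolate": "/api/machines/{id}/isolate",
                "release": "/api/machines/{id}/unisolate"}
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}

def run_device_action(http, machine_id, choice, comment,
                      timeout=600, interval=15, sleep=time.sleep):
    """Submit isolate/release, poll the machine action, return a case-note string.

    `http(method, path, body)` is a caller-supplied function (an assumption of
    this example) that sends an authenticated request and returns parsed JSON.
    """
    if choice not in ACTION_PATHS:
        raise ValueError(f"unknown action: {choice!r}")
    body = {"Comment": comment}
    if choice == "isolate":
        body["IsolationType"] = "Full"
    action = http("POST", ACTION_PATHS[choice].format(id=machine_id), body)
    waited = 0
    # A submitted action starts as Pending; only a terminal status says
    # whether the host was actually contacted.
    while action["status"] not in TERMINAL and waited < timeout:
        sleep(interval)
        waited += interval
        action = http("GET", f"/api/machineactions/{action['id']}", None)
    status = action["status"] if action["status"] in TERMINAL else "no confirmation"
    return f"{choice} of {machine_id}: {status} after {waited}s (action {action['id']})"

def fake_transport(statuses):
    """Constructed stand-in for the API: returns the given statuses in order."""
    queue = list(statuses)
    calls = []
    def http(method, path, body):
        calls.append((method, path, body))
        status = queue.pop(0) if len(queue) > 1 else queue[0]
        return {"id": "action-0001", "status": status}  # constructed id
    http.calls = calls
    return http

if __name__ == "__main__":
    http = fake_transport(["Pending", "InProgress", "Succeeded"])
    print(run_device_action(http, "machine-0001", "isolate",
                            "Quick Action from case", sleep=lambda s: None))
```

A case note that records "no confirmation" rather than success keeps an unreachable host from being treated as contained.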

Vendors

Utils, Microsoft Defender for Endpoint, Torq Cases
