
Workflow Template: QuickAction - Isolate or Release a Device on MS Defender Endpoint

Isolate or release a remote device from isolation when a quick action button is pressed.


The "QuickAction - Isolate or Release a Device on MS Defender Endpoint" workflow template is designed to enhance security operations by allowing SOC analysts to quickly isolate or release devices using Microsoft Defender for Endpoint. Triggered by a Quick Action, this workflow provides a user-friendly interface for analysts to decide on isolating a suspicious device or releasing a remediated one. It ensures efficient case management by automatically adding action results as notes to the relevant case, streamlining incident response and documentation.

Use Cases

Case Management, Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Runs in response to a Quick Action execution.

  2. Lets the analyst choose between isolating the device and releasing it from isolation.

  3. Waits for the device to check in with Defender for Endpoint and confirm that the requested action finished successfully (the machine action stays pending until the host next contacts the service, so an offline host delays this step).

  4. Adds a note to the case with the result of the action.
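The steps above map onto three documented Microsoft Defender for Endpoint REST calls: POST /machines/{id}/isolate (body with Comment and IsolationType "Full" or "Selective") or POST /machines/{id}/unisolate, followed by polling GET /machineactions/{id} until its status reaches a terminal value (Succeeded, Failed, Cancelled or TimeOut). The following is an added example, not the Torq template's own implementation and not Microsoft's client code; it shows that submit-then-wait logic and the case-note text it produces. Assumptions: the HTTP transport is injected so the logic runs offline, FakeDefenderApi is a constructed stand-in for the real API (it advances a scripted status list on every poll), and the machine id and comments are made-up sample values. In production the transport would wrap requests.request() with a bearer token that holds the Machine.Isolate permission.

```python
"""Isolate or release a device via the Microsoft Defender for Endpoint API and
wait for the resulting machine action to finish (added example, not Torq code)."""
import time
from typing import Any, Callable, Dict, List, Optional

# Real MDE endpoint prefix (global service). Regional instances differ.
API_BASE = "https://api.securitycenter.microsoft.com/api"
# Terminal values of machineAction.status as documented by Microsoft.
TERMINAL_STATUSES = {"Succeeded", "Failed", "Cancelled", "TimeOut"}

# Transport signature: (method, url, json_body) -> parsed JSON reply.
# Injected so the workflow logic can be exercised offline (assumption).
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def request_action(transport: Transport, machine_id: str, action: str,
                   comment: str, isolation_type: str = "Full") -> Dict[str, Any]:
    """Step 2: submit the isolate/release request; returns the new machineAction."""
    if action == "isolate":
        if isolation_type not in ("Full", "Selective"):
            raise ValueError("IsolationType must be 'Full' or 'Selective'")
        return transport("POST", f"{API_BASE}/machines/{machine_id}/isolate",
                         {"Comment": comment, "IsolationType": isolation_type})
    if action == "release":
        return transport("POST", f"{API_BASE}/machines/{machine_id}/unisolate",
                         {"Comment": comment})
    raise ValueError(f"unknown action {action!r}; expected 'isolate' or 'release'")


def wait_for_action(transport: Transport, action_id: str,
                    poll_interval: float = 5.0, max_polls: int = 60) -> Dict[str, Any]:
    """Step 3: poll GET /machineactions/{id} until the status is terminal.
    The action stays Pending until the device checks in, so an offline host can
    sit here for a long time; give up after max_polls rather than hang forever."""
    for _ in range(max_polls):
        ma = transport("GET", f"{API_BASE}/machineactions/{action_id}", None)
        if ma["status"] in TERMINAL_STATUSES:
            return ma
        time.sleep(poll_interval)
    raise TimeoutError(f"machine action {action_id} not finished after {max_polls} polls")


def run_quick_action(transport: Transport, machine_id: str, action: str, comment: str,
                     isolation_type: str = "Full", poll_interval: float = 5.0,
                     max_polls: int = 60) -> Dict[str, Any]:
    """Steps 2-4 end to end: submit, wait, and build the text for the case note."""
    submitted = request_action(transport, machine_id, action, comment, isolation_type)
    final = wait_for_action(transport, submitted["id"], poll_interval, max_polls)
    note = (f"{action} of device {machine_id}: {final['status']} "
            f"(machine action {final['id']}, type {final['type']}). Comment: {comment}")
    return {"ok": final["status"] == "Succeeded", "status": final["status"],
            "action_id": final["id"], "note": note}


class FakeDefenderApi:
    """Constructed offline stand-in for the MDE API (assumption, not a real client).
    Each POST creates a machine action; each GET advances its scripted status list."""

    def __init__(self, scripted: Dict[str, List[str]]):
        self.scripted = scripted                # "isolate"/"unisolate" -> statuses
        self.actions: Dict[str, Dict[str, Any]] = {}
        self.calls: List[Any] = []

    def __call__(self, method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        self.calls.append((method, url, body))
        if method == "POST":
            kind = url.rsplit("/", 1)[-1]       # "isolate" or "unisolate"
            action_id = f"act-{len(self.actions) + 1}"
            self.actions[action_id] = {"type": "Isolate" if kind == "isolate" else "Unisolate",
                                       "statuses": list(self.scripted[kind])}
            return {"id": action_id, "type": self.actions[action_id]["type"],
                    "status": "Pending", "requestorComment": (body or {}).get("Comment")}
        if method == "GET":
            action_id = url.rsplit("/", 1)[-1]
            entry = self.actions[action_id]
            remaining = entry["statuses"]
            status = remaining.pop(0) if len(remaining) > 1 else remaining[0]
            return {"id": action_id, "type": entry["type"], "status": status}
        raise ValueError(f"unsupported method {method}")


if __name__ == "__main__":
    # Constructed sample: isolation succeeds after two polls, release fails.
    api = FakeDefenderApi({"isolate": ["Pending", "InProgress", "Succeeded"],
                           "unisolate": ["Pending", "Failed"]})
    sample_machine = "0123456789abcdef0123456789abcdef01234567"   # made-up id
    print(run_quick_action(api, sample_machine, "isolate", "Beaconing seen, case 42", poll_interval=0)["note"])
    print(run_quick_action(api, sample_machine, "release", "Remediated, case 42", poll_interval=0)["note"])
```

The note text is what the workflow's final step would attach to the case; a Failed or TimeOut status is reported rather than swallowed so the analyst sees that the host is still connected (or still isolated) and can retry.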

Vendors

Utils, Microsoft Defender for Endpoint, Torq Cases
