
Workflow Template: Isolate or Unisolate device on Microsoft Defender for Endpoint

Nested workflow to Isolate or Unisolate a device by its machineId or device name.

The "Isolate or Unisolate device on Microsoft Defender for Endpoint" workflow template is designed to enhance endpoint security management by automating the isolation or unisolation of devices. This workflow allows security teams to quickly respond to potential threats by isolating compromised devices or restoring connectivity once threats are mitigated. It accepts inputs such as machine ID or computer DNS name and verifies the success of actions, providing a summary of the status and a history of related actions. This tool is essential for efficient Endpoint Detection and Response (EDR) operations.

Optional Triggers

This workflow is intended to be used as a function.

Use Cases

Endpoint Detection and Response (EDR), Function

Workflow Breakdown

  1. Takes a machineId or computerDnsName value as input.

  2. Submits the Isolate or Unisolate action to the device by its machineId.

  3. Waits for a specified period of time and verifies that the action was successfully applied by the endpoint.

  4. Collects a list of previous Isolate or Unisolate actions for the device.
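The four steps above, written out as an added Python example (this is not the template's own logic; the template is a workflow, not a script). It calls the public Defender for Endpoint REST API paths for device lookup, isolate/unisolate and machine-action status; the API host, the bearer token, the timeout and poll interval, and the `FakeMde` transport used to run it offline are assumptions, and the device name, ids and comment are constructed sample values.

```python
"""Isolate or unisolate a device through the Microsoft Defender for Endpoint API.
Added example, not the template's own code. Paths follow the public MDE API; the
host, the bearer token and the transport callable are assumptions."""
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://api.securitycenter.microsoft.com"  # assumed global API host
TERMINAL = {"Succeeded", "Failed", "Cancelled"}        # MachineAction end states

def urllib_send(method, url, token, body=None):
    # Default transport: one HTTPS request, returns (status, parsed JSON body).
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

def odata_str(value):
    # Quote a string literal for an OData $filter (single quotes are doubled).
    return "'" + str(value).replace("'", "''") + "'"

class MdeIsolation:
    def __init__(self, token, send=urllib_send, base_url=BASE_URL):
        self.token, self.send, self.base = token, send, base_url

    def _call(self, method, path, body=None):
        status, payload = self.send(method, self.base + path, self.token, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {payload}")
        return payload

    # Step 1: accept a machineId or a computerDnsName; names are resolved via $filter.
    def resolve_machine_id(self, machine_id=None, computer_dns_name=None):
        if machine_id:
            return machine_id
        if not computer_dns_name:
            raise ValueError("machineId or computerDnsName is required")
        query = urllib.parse.urlencode({"$filter": f"computerDnsName eq {odata_str(computer_dns_name)}"})
        hits = self._call("GET", "/api/machines?" + query)["value"]
        if len(hits) != 1:  # refuse to act on an unknown or ambiguous name
            raise LookupError(f"expected one device named {computer_dns_name!r}, got {len(hits)}")
        return hits[0]["id"]

    # Step 2: submit the action; the API answers with a MachineAction (id, status, ...).
    def submit(self, action, machine_id, comment, isolation_type="Full"):
        if action not in ("Isolate", "Unisolate"):
            raise ValueError("action must be 'Isolate' or 'Unisolate'")
        body = {"Comment": comment}
        if action == "Isolate":
            body["IsolationType"] = isolation_type  # "Full" or "Selective"
        return self._call("POST", f"/api/machines/{machine_id}/{action.lower()}", body)

    # Step 3: poll until the action is terminal or the wait budget is spent.
    def wait(self, action_id, timeout_s=300, interval_s=10, sleep=time.sleep):
        deadline = time.monotonic() + timeout_s
        while True:
            act = self._call("GET", f"/api/machineactions/{action_id}")
            if act["status"] in TERMINAL or time.monotonic() >= deadline:
                return act  # a non-terminal status here means the wait timed out
            sleep(interval_s)

    # Step 4: previous Isolate/Unisolate actions for the device, newest first.
    def history(self, machine_id):
        flt = f"machineId eq {odata_str(machine_id)} and (type eq 'Isolate' or type eq 'Unisolate')"
        query = urllib.parse.urlencode({"$filter": flt, "$orderby": "creationDateTimeUtc desc"})
        return self._call("GET", "/api/machineactions?" + query)["value"]

    def run(self, action, comment, machine_id=None, computer_dns_name=None, **wait_kw):
        """Whole workflow; returns the status summary the template describes."""
        mid = self.resolve_machine_id(machine_id, computer_dns_name)
        final = self.wait(self.submit(action, mid, comment)["id"], **wait_kw)
        return {"machineId": mid, "actionId": final["id"], "action": action,
                "status": final["status"], "succeeded": final["status"] == "Succeeded",
                "history": self.history(mid)}

class FakeMde:
    # Constructed in-memory stand-in for the API so the example runs offline:
    # the submitted action reports Pending on the first poll, Succeeded afterwards.
    def __init__(self):
        self.polls = 0

    def __call__(self, method, url, token, body=None):
        path = url[len(BASE_URL):]
        if path.startswith("/api/machines?"):
            return 200, {"value": [{"id": "m-1234", "computerDnsName": "ws01.corp.example"}]}
        if method == "POST" and path.endswith(("/isolate", "/unisolate")):
            return 201, {"id": "act-1", "status": "Pending", "machineId": "m-1234"}
        if path.startswith("/api/machineactions/act-1"):
            self.polls += 1
            return 200, {"id": "act-1", "status": "Pending" if self.polls == 1 else "Succeeded"}
        if path.startswith("/api/machineactions?"):
            return 200, {"value": [{"id": "act-1", "type": "Isolate", "status": "Succeeded"}]}
        return 404, {"error": "no such route: " + path}

def demo(action="Isolate"):
    # Run the workflow against the fake, polling every second without really sleeping.
    client = MdeIsolation(token="<placeholder-token>", send=FakeMde())
    return client.run(action, "constructed comment: ticket INC-0000",
                      computer_dns_name="ws01.corp.example",
                      timeout_s=60, interval_s=1, sleep=lambda _s: None)
```

To run it against a tenant, construct `MdeIsolation(token)` with a real bearer token and leave `send` at its default. Two points worth keeping from the design: a device name that matches zero or several machines is treated as an error rather than picking the first hit, and `wait` returns whatever status the action has when the budget runs out, so the summary's `succeeded` flag is only true for a confirmed `Succeeded` state, never for an action still `Pending` or `InProgress`.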

Vendors

Utils, Microsoft Defender for Endpoint

Workflow Output

Summary of status of the action.
