Microsoft Defender For Endpoint - Isolate Endpoint
This playbook accepts an endpoint ID, IP, or host name and isolates it using the Microsoft Defender For Endpoint integration.
Microsoft Defender for Endpoint · 23 tasks · 4 inputs · 6 outputs
Inputs
Device_id— The device ID to isolate. For more information about the device, you can use the following commands: !microsoft-atp-get-machine-details !microsoft-atp-get-machinesHostname— The host name you want to isolate.Device_IP— The device IP you want to isolate.Isolation_type— Optional Values: Full/Selective. Default is Full. For more information see Microsoft documentation: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#isolate-devices-from-the-network
Outputs
MicrosoftATP.MachineAction.ID— The machine action ID.MicrosoftATP.IsolateList— The machine IDs that were isolated.MicrosoftATP.NonIsolateList— The machine IDs that will not be isolated.MicrosoftATP.IncorrectIDs— Incorrect device IDs entered.MicrosoftATP.IncorrectHostnames— Incorrect device host names entered.MicrosoftATP.IncorrectIPs— Incorrect device IPs entered.
Commands used
endpoint
microsoft-atp-isolate-machine