Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook will isolate (full) the machine in Microsoft Defender for Endpoint. It is triggered by an alert in Microsoft Sentinel. The playbook will add a comment to the incident with the result of the isolation.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | MicrosoftDefenderForEndpoint |
| Source | View on GitHub |
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 4 |
wdatp |
Managed | 1 | 2 |
azuresentinel (Managed)| Action | Method | Endpoint | Other |
|---|---|---|---|
| Alert_-_Get_incident | get | /Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])} |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)1 | post | /Incidents/Comment |
— |
wdatp (Managed)| Action | Method | Endpoint | Other |
|---|---|---|---|
| Actions_-_Isolate_machine | post | /api/machines/@{encodeURIComponent(variables('MDEDeviceId'))}/isolate |
— |
| Machines_-_Get_list_of_machines | get | /api/machines |
— |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊