Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook will isolate Microsoft Defender for Endpoint MDE device using entity trigger. It will be triggered by Microsoft Sentinel when an entity of type 'Host' is detected in an incident. The playbook retrieves the list of machines from MDE, checks if the entity's hostname exists in that list, and if it does, it isolates the machine and adds a comment to the incident indicating that the host has been successfully isolated. If the hostname does not exist in MDE, it adds a comment indicating
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | MicrosoftDefenderForEndpoint |
| Source | View on GitHub |
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
wdatp |
Managed | 1 | 2 |
azuresentinel (Managed)| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3)_-_device_isolated | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
wdatp (Managed)| Action | Method | Endpoint | Other |
|---|---|---|---|
| Machines_-_Get_list_of_machines | get | /api/machines |
— |
| Actions_-_Isolate_machine | post | /api/machines/@{encodeURIComponent(item()?['id'])}/isolate |
— |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊