Microsoft Defender ATP - Isolate/Unisolate Assets
  • 12 Feb 2024
  • 1 Minute to read
  • Dark
    Light
  • PDF

Microsoft Defender ATP - Isolate/Unisolate Assets

  • Dark
    Light
  • PDF

Article summary

Microsoft Defender ATP - Isolate Assets quarantines each of the query results assets (endpoints) from the network that are the result of the saved query supplied as a trigger (or devices selected in the asset table).

Microsoft Defender ATP - Unisolate Assets restores full network connectivity to each of the query results entities (endpoints).

NOTE
To use the actions below, you must successfully configure a Microsoft Defender for Endpoint adapter connection.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

Note:

General Settings

  • Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
  • Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

Isolate in Microsoft Defender ATP

Action Settings

  1. Comment - Enter a comment that will be displayed.
  2. Isolation Type - Select an isolation type, either 'Full' or 'Selective'.

Unisolate in Microsoft Defender ATP

Action Settings

  1. Comment - Enter a comment that will be displayed.
  2. Isolation Type - Select an isolation type, either 'Full' or 'Selective'.

Required Permissions

The Microsoft Entra ID (Azure AD) application configured in the Defender ATP adapter must have the following Application permission:

  • Machine.Isolate

See Microsoft Defender ATP documentation for more information.


For more details about other Enforcement Actions available, see Action Library.


Was this article helpful?