Microsoft Defender ATP - Isolate/Unisolate Assets
- 12 Feb 2024
- 1 Minute to read
- Print
- DarkLight
- PDF
Microsoft Defender ATP - Isolate/Unisolate Assets
- Updated on 12 Feb 2024
- 1 Minute to read
- Print
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Microsoft Defender ATP - Isolate Assets quarantines each of the query results assets (endpoints) from the network that are the result of the saved query supplied as a trigger (or devices selected in the asset table).
Microsoft Defender ATP - Unisolate Assets restores full network connectivity to each of the query results entities (endpoints).
NOTE
To use the actions below, you must successfully configure a Microsoft Defender for Endpoint adapter connection.
See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.
Note:
- Not all asset categories are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.
General Settings
- Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
- Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.
Isolate in Microsoft Defender ATP
Action Settings
- Comment - Enter a comment that will be displayed.
- Isolation Type - Select an isolation type, either 'Full' or 'Selective'.
Unisolate in Microsoft Defender ATP
Action Settings
- Comment - Enter a comment that will be displayed.
- Isolation Type - Select an isolation type, either 'Full' or 'Selective'.
Required Permissions
The Microsoft Entra ID (Azure AD) application configured in the Defender ATP adapter must have the following Application permission:
- Machine.Isolate
See Microsoft Defender ATP documentation for more information.
For more details about other Enforcement Actions available, see Action Library.
Was this article helpful?