Microsoft Defender ATP - Isolate/Unisolate Assets
  • 12 Feb 2024
  • 1 Minute to read
  • Dark
    Light
  • PDF

Microsoft Defender ATP - Isolate/Unisolate Assets

  • Dark
    Light
  • PDF

Article summary

Microsoft Defender ATP - Isolate Assets quarantines each of the query results assets (endpoints) from the network that are the result of the saved query supplied as a trigger (or devices selected in the asset table).

Microsoft Defender ATP - Unisolate Assets restores full network connectivity to each of the query results entities (endpoints).

NOTE
To use the actions below, you must successfully configure a Microsoft Defender for Endpoint adapter connection.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

General Settings

  • Enforcement Set name (required) - The name of the Enforcement Set. A default value is added by Axonius. You can change the name according to your needs.
  • Add description - Add a description of the Enforcement Set. It is recommended to describe what the Enforcement Set does.
  • Run action on assets matching following query (required) - Select an asset category and a query. The Enforcement Action will be run on the assets that match the query parameters.
  • Action name (required) - The name of the Main action. A default value is added by Axonius. You can change the name according to your needs.
  • Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

Isolate in Microsoft Defender ATP

Action Settings

  1. Comment - Enter a comment that will be displayed.
  2. Isolation Type - Select an isolation type, either 'Full' or 'Selective'.

Unisolate in Microsoft Defender ATP

Action Settings

  1. Comment - Enter a comment that will be displayed.
  2. Isolation Type - Select an isolation type, either 'Full' or 'Selective'.

Required Permissions

The Microsoft Entra ID (Azure AD) application configured in the Defender ATP adapter must have the following Application permission:

  • Machine.Isolate

See Microsoft Defender ATP documentation for more information.


For more details about other Enforcement Actions available, see Action Library.


Was this article helpful?