Microsoft Defender Actions

Actions for Microsoft Defender #

  • Isolate Machine. Disconnects one or more devices from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.

  • Unisolate Machine. Reconnects one or more devices to the network.

Devices that are behind a full VPN tunnel won’t be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. Microsoft recommends using a split-tunneling VPN for Microsoft Defender for Endpoint traffic.

Use Cases #

Below are the possible use cases for these actions:

  • You can isolate endpoints that are actively involved in a security incident (such as malware infections or cyber-attacks) and unisolate the endpoints when the incident is remediated.

Prerequisites #

Before you can execute the actions for Microsoft Defender, you must first create an application to access Microsoft Defender. To do this, see https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide. The application requires WindowsDefenderATP Write permission.

Workflows #

Microsoft Defender Configuration #

ms_defender_config.png
  • Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.

  • URL. The base URL for the Microsoft Defender API.

  • Client ID. The client ID of the application.

  • Client Secret. The client secret associated with the client ID.

  • Tenant ID. The tenant ID of the application. Before configuring the Microsoft Defender Advanced Threat Protection connector in Lucidum, you must first create an application that has read and write access to Microsoft Defender Advanced Threat Protection (see Prerequisites above and the documentation for Microsoft Defender). The application requires WindowsDefenderATP Write permission.

Create or Edit an Action #

To create an action for Microsoft Defender:

  1. In the Create a New Action page, in the General step, enter:

    ms_defender_new_action1.png
    • Action Type. Select an action from the pulldown options.

    • Configuration Name. Select an action configuration from the pulldown options.

    • Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.

    • Description. Description of the action.

  2. Click the Next (>) icon.

  3. In the Filters page, click Configure Filters.

    filters_page.png
  4. The Build a Query page appears.

    build_query1_updated.png
  5. In the Build a Query page, you define the query for the assets or users that the action will act upon.

  6. Click Next.

  7. In the Build a Current Query page, enter the fields, operators, and values for the query. For existing actions, the query is already loaded in this page.

    build_query2_updated.png
  8. For details on creating and editing queries in Lucidum, see the section on Building Queries.

    NOTE: To optimize performance, the default time range is Current. If you need to access historical data, contact Lucidum Customer Success for help on using historical data without affecting performance.

  9. Click the Apply (page and pencil) icon.

  10. Click the Next (>) icon.

  11. In the Schedule step, enter:

    ms_defender_new_action3.png
    • Schedule Type. Define the schedule for the action. Choices are:

      • Recurrence. Specify a frequency for the recurring schedule.

      • After Data Ingestion. The action is executed after data ingestion, which happens at least once every 24 hours and can also be triggered manually.

    • Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.

  12. Click the Next (>) icon.

  13. In the Details step, enter the following:

    ms_defender_new_action4.png
    • Output Fields. For the records selected with the Filters field, specify the columns to display. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button.

    • Machine Action. Specify the type of action to perform. Choices are:

      • ISOLATE_MACHINE. When an attack has been detected, select ISOLATE_MACHINE to isolate the device from the network.

      • UNISOLATE_MACHINE. When the attack has been remediated, select UNISOLATE_MACHINE to allow the device back on the network.
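The two Machine Action choices map onto the isolate and unisolate machine actions of the Microsoft Defender for Endpoint API, authenticated with the application (client ID, client secret, tenant ID) described under Prerequisites and Configuration. The following is an added example, not Lucidum's own code, that shows what such an action issues on the wire: a client-credentials token request against the tenant, then a POST to `/api/machines/{id}/isolate` (with an `IsolationType` of `Full` or `Selective`) or `/api/machines/{id}/unisolate`, each carrying a comment that Defender records against the resulting machine action. The `DefenderConfig` class, the function names and the `fake_send` transport are assumptions made for this example; the endpoint paths and request bodies follow the public Defender for Endpoint API.

```python
"""Added example (not part of the page or Lucidum): issue the Defender for
Endpoint isolate / unisolate machine actions behind ISOLATE_MACHINE and
UNISOLATE_MACHINE.  The HTTP transport is injectable so the sample at the
bottom runs offline against a constructed fake; pass `urllib_send` for a
real tenant."""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

ISOLATE_MACHINE = "ISOLATE_MACHINE"
UNISOLATE_MACHINE = "UNISOLATE_MACHINE"
# API path segment for each supported Machine Action choice.
ACTION_PATH = {ISOLATE_MACHINE: "isolate", UNISOLATE_MACHINE: "unisolate"}

# A transport takes (method, url, headers, body) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


@dataclass
class DefenderConfig:
    """Mirrors the configuration fields on the page (hypothetical class)."""
    url: str            # base URL, e.g. https://api.securitycenter.microsoft.com
    client_id: str
    client_secret: str
    tenant_id: str


def token_request(cfg: DefenderConfig):
    """Client-credentials token request for the app registration."""
    url = f"https://login.microsoftonline.com/{cfg.tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": cfg.client_id,
        "client_secret": cfg.client_secret,
        # .default asks for every application permission granted to the app.
        "scope": cfg.url.rstrip("/") + "/.default",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", url, headers, urllib.parse.urlencode(form).encode()


def machine_action_request(cfg: DefenderConfig, token: str, machine_action: str,
                           machine_id: str, comment: str, isolation_type: str = "Full"):
    """Build the isolate/unisolate POST; only the two page-listed actions are accepted."""
    if machine_action not in ACTION_PATH:
        raise ValueError(f"unsupported machine action: {machine_action}")
    safe_id = urllib.parse.quote(machine_id, safe="")   # never splice a raw id into a URL
    url = f"{cfg.url.rstrip('/')}/api/machines/{safe_id}/{ACTION_PATH[machine_action]}"
    payload = {"Comment": comment}                       # recorded on the machine action
    if machine_action == ISOLATE_MACHINE:
        if isolation_type not in ("Full", "Selective"):
            raise ValueError(f"invalid IsolationType: {isolation_type}")
        payload["IsolationType"] = isolation_type
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "POST", url, headers, json.dumps(payload).encode()


def run_machine_action(cfg: DefenderConfig, send: Transport, machine_action: str,
                       machine_id: str, comment: str, isolation_type: str = "Full") -> dict:
    """Token, then action; returns the id/type/status of the created machine action."""
    status, body = send(*token_request(cfg))
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    token = json.loads(body)["access_token"]
    req = machine_action_request(cfg, token, machine_action, machine_id, comment, isolation_type)
    status, body = send(*req)
    if status not in (200, 201):
        raise RuntimeError(f"{machine_action} on {machine_id} failed: HTTP {status} {body[:200]!r}")
    action = json.loads(body)
    # The action starts as Pending; poll GET /api/machineactions/{id} to follow it.
    return {"id": action["id"], "type": action["type"], "status": action["status"]}


def urllib_send(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def fake_send(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Constructed offline stand-in that answers in the shape of the real endpoints."""
    if url.endswith("/oauth2/v2.0/token"):
        return 200, json.dumps({"access_token": "FAKE-TOKEN", "token_type": "Bearer"}).encode()
    if headers.get("Authorization") != "Bearer FAKE-TOKEN":
        return 401, b'{"error": "unauthorized"}'
    kind = "Isolate" if url.endswith("/isolate") else "Unisolate"
    action = {"id": "00000000-0000-0000-0000-000000000001",  # constructed id
              "type": kind, "status": "Pending",
              "requestorComment": json.loads(body)["Comment"]}
    return 201, json.dumps(action).encode()


if __name__ == "__main__":
    cfg = DefenderConfig("https://api.securitycenter.microsoft.com", "app-id", "secret", "tenant-id")
    print(run_machine_action(cfg, fake_send, ISOLATE_MACHINE, "machine-id", "incident 42", "Selective"))
    print(run_machine_action(cfg, fake_send, UNISOLATE_MACHINE, "machine-id", "incident 42 remediated"))
```

The comment field is worth populating with the incident or ticket reference: it is what an analyst later sees in the Defender action history when deciding whether an UNISOLATE_MACHINE is safe, and it lets a scheduled action whose "Do not trigger the action unless" threshold fired be traced back to the query that produced it.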