I'm not familiar with the Auto IR feature request, I may have missed that.
The ability to even create a Flow for this would be difficult for many SMBs. I wish that wasn't true, but it is. I'm sure you've heard about the ransomware payouts in Florida; I live an hour away from one of those sites, and I can tell you from experience that InfoSec is the wild west in Florida, if not the entire world. It's a mess because security solutions are either difficult to deploy and manage, they are much too expensive, or there is a lack of talent or just plain bad management. I'm preaching to the choir here though, I am sure you are familiar with all the reasons why InfoSec practices are as bad as they are.
I just feel that Microsoft has a real chance of changing all of that, more than just about any vendor out there, especially in the SMB market.
With the machine learning that WDATP has available, what I envision is that the WDATP service would auto-isolate a machine due to the current risk level of either the user or the machine. That is different than what other vendors do now. Other vendor solutions have the ability to isolate a machine if various risks are found: C2 traffic, the firewall was disabled, the engine was disabled. How much that feature is used, I don't know, but for a small shop, I'd rather a machine be auto isolated than risk data loss. Much like MFA, Isolation isn't foolproof, but the benefits well outweigh the limitations.
I'm all for Flow, and if Flow is the way that you envision this working, then that Flow needs to be deployed from the MDATP console, not needing to be searched for, and not needing any other configuration. It just needs to be easy. Some of that functionality is also available in Intune, but again, you are heading into the "this is difficult to deploy" category. I know there are some Flows in preview that Microsoft has built for MDATP and Cloud App Security, that just need to be extended a bit more. Also with the Unified console in preview, the ability to build all sorts of wonderful things will be available, but not all companies are going to be able to build those Flows. I'm not saying Microsoft needs to build Flows for all situations, but some of the major ones, such as isolation should be. (Yes, there is a flow already built for this, but I only know about it because I searched for it, there is nothing in the MDATP console that says, hey, go here and do this.) Again, certain things just need to be "easy". Also, the more Microsoft develops Flows and makes them easy to find, the more that companies are going to look at them and see how they can use Flow to develop their own solutions :)
Due to the complexity, instead of deploying MDATP, a company will probably just go with a third-party solution that gives them most of that functionality fairly easily by just clicking on an option to auto isolate a machine if it's "compromised" in any way.
One last thing; I had NO idea that Flow could have been used to isolate a machine until looking at this post, and I work on and research security products every day.
I hope you don't feel that I'm being overly critical. I just feel that Microsoft has a real opportunity to change InfoSec practices, and the easier you make it, the more people will move to the MDATP solution.