Bulk Isolation Using Defender for Endpoint API
Hi Everyone,
I have recently been studying the implementation of the Defender for Endpoint API to perform bulk isolation/release of endpoints.
This documentation (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/isolate-machine?view=o365-worldwide) says that there's a limitation of 100 calls/minute and 1500 calls/hour, so I have to think of another way to overcome this.
The API structure uses the endpoint ID as follows: POST https://api.securitycenter.microsoft.com/api/machines/{id}/isolate
One of the things I thought of is whether I can run this API and fill in a 'Device Group' ID instead of the endpoint ID... I'm not quite sure if this is applicable, as per my understanding device groups are used to identify a set of permissions on multiple devices. Would it work though?
If there's any other solution to this, I'm happy to receive suggestions.
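The pacing the original post is asking about, as an added example that is not part of the thread: a Python client that runs isolate or unisolate for a list of device IDs while staying under the documented 100 calls/minute and 1500 calls/hour limits. The request body fields follow Microsoft's documented API; the bearer token, device IDs and comment are placeholders, and the clock/sleep hooks exist only so the scheduling can be exercised offline.

```python
import json
import time
import urllib.request
from collections import deque

API = "https://api.securitycenter.microsoft.com/api/machines/{id}/{action}"
MDE_LIMITS = ((100, 60), (1500, 3600))  # documented: 100 calls/min, 1500 calls/hour

class WindowedLimiter:
    """Blocks until fewer than `limit` calls fall in the trailing `window` seconds."""
    def __init__(self, limit, window, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window, self.calls = limit, window, deque()
        self.clock, self.sleep = clock, sleep  # injectable for offline testing

    def acquire(self):
        while True:
            now = self.clock()
            while self.calls and now - self.calls[0] >= self.window:
                self.calls.popleft()  # drop calls that have left the window
            if len(self.calls) < self.limit:
                self.calls.append(now)
                return
            self.sleep(self.window - (now - self.calls[0]))  # wait for the oldest to expire

def http_send(token):
    """Real sender: POST the JSON body with a bearer token (placeholder app token)."""
    def send(url, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send

def bulk_action(device_ids, action, comment, send, limits=MDE_LIMITS,
                isolation_type="Full", clock=time.monotonic, sleep=time.sleep):
    """Pace isolate/unisolate calls under every limit; failures are kept per device."""
    assert action in ("isolate", "unisolate"), action
    limiters = [WindowedLimiter(n, w, clock, sleep) for n, w in limits]
    results = {}
    for device_id in device_ids:
        for lim in limiters:
            lim.acquire()
        body = {"Comment": comment}
        if action == "isolate":
            body["IsolationType"] = isolation_type  # "Full" or "Selective"
        try:
            results[device_id] = send(API.format(id=device_id, action=action), body)
        except Exception as exc:  # keep going; the caller sees which devices failed
            results[device_id] = exc
    return results
```

With 250 devices the minute limiter forces two 60-second pauses, so a real run takes about two minutes; the hourly limiter only kicks in past 1500 devices.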
- jbmartin6 (Iron Contributor): You can make a custom detection rule and choose isolate device as the response action.
- PatrickEl (Copper Contributor): Thanks for your reply! 🙂
I know, but this would be one device, OR if the detection rule triggers more often, a bunch of devices.
If the detection rule triggers a false positive on a lot of devices we would have a big problem... this is why I try to find a feature to unisolate a lot of the devices at the same time in BULK. It's all about the bulk 🙂
- jbmartin6 (Iron Contributor): You control the contents of the detection rule so false positives aren't a problem. For instance, set a certain registry value you create, e.g. 'isolateme', and then have the detection rule trigger on that event. Then use some other tool to flip the registry value on the hosts you want to isolate.
But reversing it, I don't know of a way to do that in bulk.
What problem are you trying to solve by bulk isolating devices? Maybe there is some other way to solve it besides MDE isolation.