ShahinMo (Copper Contributor)
May 29, 2022

Bulk Isolation Using Defender for Endpoint API

Hi Everyone,

I have been recently studying the implementation of Defender for Endpoint API to perform bulk isolation/release for endpoints.

This documentation (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/isolate-machine?view=o365-worldwide) says that there's a limitation of 100 calls/minute and 1500 calls/hour. So I have to think of another way to overcome this.

API structure uses endpoint ID as follows: POST https://api.securitycenter.microsoft.com/api/machines/{id}/isolate

One of the things I thought of is that if I can run this API and fill in a 'Device Group' ID instead of endpoint ID... Not quite sure if this is applicable, as per my understanding device groups are used to identify a set of permissions on multiple devices. Would it work though?

If there's any other solution to this I'm happy to receive suggestions.
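The quota in the question cannot be bypassed, but a bulk job can be paced so that it never exceeds it and so that a partial failure leaves a per-device record to retry from. The script below is an added example (not Microsoft's code and not from the poster): it drives the documented `POST /api/machines/{id}/isolate` and `POST /api/machines/{id}/unisolate` endpoints with a sliding-window limiter that enforces both the 100 calls/minute and 1500 calls/hour ceilings quoted above. The bearer token, the machine IDs and the injectable `send`/clock hooks are assumptions for illustration; the transport is injectable so the scheduling logic can be exercised offline.

```python
"""Throttled bulk isolate/release for Microsoft Defender for Endpoint.

Added example, not Microsoft's code. Uses the documented endpoints
POST /api/machines/{id}/isolate and POST /api/machines/{id}/unisolate
and the limits quoted in the post (100 calls/minute, 1500 calls/hour).
Network I/O and the clock are injected so the pacing can be tested offline.
"""
import json
import os
import time
import urllib.request
from collections import deque
from typing import Callable, Dict, Iterable, Optional

API_BASE = "https://api.securitycenter.microsoft.com/api/machines"
PER_MINUTE = 100   # limit stated in the isolate-machine documentation
PER_HOUR = 1500


class RateLimiter:
    """Sliding-window limiter that enforces both quotas at once.

    clock() returns seconds; sleep(s) blocks for s seconds. Both default to
    the real monotonic clock but can be replaced for testing.
    """

    def __init__(self, per_minute: int = PER_MINUTE, per_hour: int = PER_HOUR,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep):
        # (window length, max calls in window, timestamps of recent calls)
        self.windows = [(60.0, per_minute, deque()), (3600.0, per_hour, deque())]
        self.clock, self.sleep = clock, sleep
        self.waited = 0.0  # total seconds spent waiting, for reporting

    def acquire(self) -> None:
        """Block until one more call fits inside every window, then record it."""
        while True:
            now = self.clock()
            wait = 0.0
            for span, limit, stamps in self.windows:
                while stamps and now - stamps[0] >= span:
                    stamps.popleft()           # drop calls that left the window
                if len(stamps) >= limit:
                    wait = max(wait, span - (now - stamps[0]))
            if wait <= 0:
                for _, _, stamps in self.windows:
                    stamps.append(now)
                return
            self.waited += wait
            self.sleep(wait)


def http_send(token: str, url: str, payload: dict) -> int:
    """Real transport: POST JSON with a bearer token and return the HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def bulk_action(machine_ids: Iterable[str], action: str, comment: str, token: str,
                send: Callable[[str, str, dict], int] = http_send,
                limiter: Optional[RateLimiter] = None) -> Dict[str, object]:
    """Isolate ('isolate') or release ('unisolate') every machine within quota.

    Returns machine_id -> HTTP status, or an error string, so failed devices
    can be re-run without repeating the ones that succeeded.
    """
    if action not in ("isolate", "unisolate"):
        raise ValueError("action must be 'isolate' or 'unisolate'")
    limiter = limiter or RateLimiter()
    payload = {"Comment": comment}
    if action == "isolate":
        payload["IsolationType"] = "Full"   # "Selective" keeps Outlook/Teams/Skype reachable
    results: Dict[str, object] = {}
    for mid in machine_ids:
        limiter.acquire()                   # waits only when a window is saturated
        try:
            results[mid] = send(token, f"{API_BASE}/{mid}/{action}", payload)
        except Exception as exc:            # record, do not abort the whole batch
            results[mid] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Constructed usage: token from the environment, IDs from a file, one per line.
    ids = [line.strip() for line in open("machine_ids.txt") if line.strip()]
    print(bulk_action(ids, "isolate", "IR ticket placeholder", os.environ["MDE_TOKEN"]))
```

Because each release is a separate `unisolate` call, undoing a bulk isolation consumes the same budget: 1500 devices take at least an hour to release, which is worth weighing before isolating a large group.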

  • PatrickEl (Copper Contributor)
    Hi ShahinMo, I also try to figure out a solution to isolate/unisolate devices in bulk, have you found a solution yet? I found some graph batch documentation, but sadly that's not helping.
    Regards, Patrick
  • jbmartin6 (Iron Contributor)
    You can make a custom detection rule and choose isolate device as the response action.
    • PatrickEl (Copper Contributor)
      Thanks for your reply! 🙂
      I know, but this would be one device OR, if the detection rule triggers more often, a bunch of devices.
      If the detection rule triggers on something false positive with a lot of devices we would have a big problem. This is why I try to find a feature to unisolate a lot of the devices at the same time in BULK. It's all about the bulk 🙂
      • jbmartin6 (Iron Contributor)
        You control the contents of the detection rule so false positives aren't a problem. For instance, set a certain registry value you create, e.g. 'isolateme' and then have the detection rule trigger on that event. Then use some other tool to flip the registry value on the hosts you want to isolate.

        But reversing it, I don't know of a way to do that in bulk.

        What problem are you trying to solve by bulk isolating devices? Maybe there is some other way to solve it besides MDE isolation.
