ShahinMo
May 29, 2022, Copper Contributor
Bulk Isolation Using Defender for Endpoint API
Hi Everyone, I have been recently studying the implementation of Defender for Endpoint API to perform bulk isolation/release for endpoints. This documentation (https://docs.microsoft.com/en-us/...
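A worked example of the bulk isolate/release call the question is asking about, added here as an illustration; it is not code from this thread or from Microsoft. It assumes the documented machine-action endpoints `POST /api/machines/{id}/isolate` and `POST /api/machines/{id}/unisolate` on `api.securitycenter.microsoft.com`, a bearer token supplied in an `MDE_TOKEN` environment variable, and a MachineAction response carrying `id` and `status` fields. The transport is injected (`send`) so the batching, de-duplication, retry-on-throttle and per-device error recording can be exercised with a fake before it is pointed at a tenant; the `fake_send` and retry delay are constructed for the example.

```python
"""Bulk isolate / unisolate Defender for Endpoint devices via the machine-actions API.

Added example, not code from the thread or from Microsoft. Assumptions: the
/isolate and /unisolate endpoints, a bearer token in MDE_TOKEN, and a response
JSON object with "id" and "status" (a MachineAction).
"""
import json
import os
import sys
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.securitycenter.microsoft.com"
ACTIONS = ("isolate", "unisolate")


def build_request(device_id, action, comment, isolation_type="Full"):
    """Return (url, json_body) for one device. IsolationType is only sent on isolate."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if not device_id or "/" in device_id:
        raise ValueError("device id must be a single non-empty path segment")
    body = {"Comment": comment}
    if action == "isolate":
        if isolation_type not in ("Full", "Selective"):
            raise ValueError("isolation_type must be Full or Selective")
        body["IsolationType"] = isolation_type
    return f"{BASE_URL}/api/machines/{device_id}/{action}", body


def http_send(url, body, token):
    """Real transport: POST JSON with a bearer token; returns (status, parsed body)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def bulk_action(device_ids, action, comment, send, isolation_type="Full",
                max_retries=3, backoff_seconds=5.0, sleep=time.sleep):
    """Apply one action to many devices without aborting the batch on a single failure.

    `send(url, body)` returns (status, json). HTTP 429 is retried after a fixed
    constructed back-off; every other outcome is recorded per device so the
    operator can re-run only the failures. Returns {device_id: outcome}.
    """
    results = {}
    for device_id in dict.fromkeys(device_ids):  # de-duplicate, keep order
        url, body = build_request(device_id, action, comment, isolation_type)
        outcome = {"ok": False, "error": "no attempt"}
        for attempt in range(max_retries + 1):
            status, payload = send(url, body)
            if status in (200, 201) and isinstance(payload, dict) and "id" in payload:
                outcome = {"ok": True, "action_id": payload["id"],
                           "status": payload.get("status")}
                break
            if status == 429 and attempt < max_retries:
                sleep(backoff_seconds)  # throttled: wait, then retry this device
                continue
            err = payload.get("error", {}) if isinstance(payload, dict) else {}
            msg = err.get("message", "") if isinstance(err, dict) else str(err)
            outcome = {"ok": False, "error": f"HTTP {status} {msg}".strip()}
            break
        results[device_id] = outcome
    return results


def summarize(results):
    """Split results into (succeeded ids, failed ids) for a re-run list."""
    ok = [d for d, r in results.items() if r["ok"]]
    failed = [d for d, r in results.items() if not r["ok"]]
    return ok, failed


if __name__ == "__main__":
    # usage: python mde_bulk.py isolate|unisolate "comment" ids.txt  (one device id per line)
    action, comment, id_file = sys.argv[1], sys.argv[2], sys.argv[3]
    token = os.environ["MDE_TOKEN"]
    with open(id_file) as f:
        ids = [line.strip() for line in f if line.strip()]
    res = bulk_action(ids, action, comment, lambda u, b: http_send(u, b, token))
    ok, failed = summarize(res)
    print(f"{len(ok)} succeeded, {len(failed)} failed: {failed}")
```

The comment is mandatory on the MDE endpoints and becomes the audit trail in the Action center, so use something an analyst can search for later (a ticket id, for example); the failed list from `summarize` is what you feed back in after fixing whatever caused the errors.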
jbmartin6
Iron Contributor
You can make a custom detection rule and choose "isolate device" as the response action.
PatrickEl
Dec 06, 2023, Copper Contributor
Thanks for your reply! 🙂
I know, but this would be one device, or, if the detection rule triggers more often, a bunch of devices.
If the detection rule triggers on a false positive with a lot of devices, we would have a big problem. This is why I am trying to find a feature to unisolate a lot of devices at the same time, in BULK. It's all about the bulk 🙂
jbmartin6
Dec 06, 2023, Iron Contributor
You control the contents of the detection rule, so false positives aren't a problem. For instance, set a certain registry value you create, e.g. 'isolateme', and then have the detection rule trigger on that event. Then use some other tool to flip the registry value on the hosts you want to isolate.
But reversing it, I don't know of a way to do that in bulk.
What problem are you trying to solve by bulk isolating devices? Maybe there is some other way to solve it besides MDE isolation.
PatrickEl
Jan 23, 2024, Copper Contributor
Sorry for my late reply.
We recently had a pentest, and we had some alerts that will only trigger if something is really wrong.
The idea was that we create a detection rule to automatically isolate the devices on which these alerts are happening.
The bulk unisolation is for a false positive. Let's say our software distribution tool does something unexpected and triggers one of the detection rules, which will isolate x devices; we need a fast unisolate to resolve it.