Bulk Isolation Using Defender for Endpoint API


Hi Everyone, 


I have recently been studying the implementation of the Defender for Endpoint API to perform bulk isolation/release of endpoints.

This documentation (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/isolate-machine?view=o365-...) says that there's a limitation of 100 calls/minute and 1500 calls/hour. So I have to think of another way to overcome this.

API structure uses endpoint ID as follows: POST https://api.securitycenter.microsoft.com/api/machines/{id}/isolate

One of the things I thought of is running this API with a 'Device Group' ID instead of an endpoint ID. Not quite sure if this is applicable, as per my understanding device groups are used to identify a set of permissions on multiple devices. Would it work though?


If there's any other solution to this I'm happy to receive suggestions.
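Added example, not the poster's code and not Microsoft's: a PowerShell script that isolates or releases a list of devices through the endpoint quoted above while staying under the documented 100 calls/minute and 1500 calls/hour, backing off on HTTP 429, and recording the returned machine action IDs so the same set can be released later. It assumes $Token is a bearer token for an Azure AD app granted Machine.Isolate (token acquisition is out of scope) and that $MachineIds are MDE machine IDs; the isolate endpoint takes a machine ID, not a device group ID.

```powershell
<#
Added example, not the poster's code and not Microsoft's: bulk isolate or release
through the Defender for Endpoint API while staying under the documented limits
(100 calls/minute, 1500 calls/hour) and backing off on HTTP 429.
Assumptions: $Token is a bearer token for an Azure AD app granted Machine.Isolate
(token acquisition is out of scope), and $MachineIds are MDE machine IDs; the
isolate endpoint takes a machine ID, not a device group ID.
#>
param(
    [Parameter(Mandatory)] [string]   $Token,
    [Parameter(Mandatory)] [string[]] $MachineIds,
    [ValidateSet('isolate', 'unisolate')] [string] $Action = 'isolate',
    [ValidateSet('Full', 'Selective')]    [string] $IsolationType = 'Full',
    [string] $Comment = 'Bulk action via API',
    # Action IDs are written here so the same set of devices can be released later.
    [string] $OutFile = ".\machineactions-$Action.csv"
)

$base    = 'https://api.securitycenter.microsoft.com/api/machines'
$headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

# /isolate requires IsolationType (Full or Selective); /unisolate takes only a Comment.
$body = @{ Comment = $Comment }
if ($Action -eq 'isolate') { $body.IsolationType = $IsolationType }
$json = $body | ConvertTo-Json -Compress

# Client-side sliding-window throttle: record the time of every call and wait
# whenever the last minute or the last hour is close to the published limit.
$perMinute = 100; $perHour = 1500; $margin = 5
$sent = [System.Collections.Generic.List[datetime]]::new()

function Wait-ForQuota([System.Collections.Generic.List[datetime]] $Log) {
    while ($true) {
        $now        = Get-Date
        $lastHour   = @($Log | Where-Object { $_ -gt $now.AddHours(-1) }).Count
        $lastMinute = @($Log | Where-Object { $_ -gt $now.AddMinutes(-1) }).Count
        if ($lastHour -lt ($perHour - $margin) -and $lastMinute -lt ($perMinute - $margin)) { return }
        Start-Sleep -Seconds 2
    }
}

$results = foreach ($id in $MachineIds) {
    $uri = "$base/$id/$Action"
    $attempt = 0
    while ($true) {
        Wait-ForQuota $sent
        $sent.Add((Get-Date))
        try {
            # A successful call returns a MachineAction; its 'id' is what you poll under /api/machineactions/{id}.
            $r = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $json
            [pscustomobject]@{ MachineId = $id; ActionId = $r.id; Status = $r.status; Error = $null }
            break
        } catch {
            $err  = $_
            $code = try { [int]$err.Exception.Response.StatusCode } catch { 0 }
            if ($code -eq 429 -and $attempt -lt 5) {
                $attempt++
                # Retry-After is read the Windows PowerShell 5.1 way; on other hosts fall back to 60 s.
                $retry = try { [string]$err.Exception.Response.Headers['Retry-After'] } catch { '' }
                $delay = if ($retry -match '^\d+$') { [int]$retry } else { 60 }
                Write-Warning "HTTP 429 for $id, waiting $delay s before retry $attempt"
                Start-Sleep -Seconds $delay
                continue
            }
            [pscustomobject]@{ MachineId = $id; ActionId = $null; Status = 'Failed'; Error = $err.Exception.Message }
            break
        }
    }
}

$results | Export-Csv -NoTypeInformation -Path $OutFile
$results | Format-Table -AutoSize
```

Run it as `.\Invoke-BulkIsolation.ps1 -Token $t -MachineIds (Get-Content .\ids.txt) -Action isolate`, and release the same set later with `-Action unisolate -MachineIds ((Import-Csv .\machineactions-isolate.csv | Where-Object Status -ne 'Failed').MachineId)`. The throttle does not remove the limit, it only keeps you from being rejected: more than about 1500 devices still take over an hour per pass, which matters when the bulk release is the emergency. To turn a device group into a list of machine IDs, use the list machines API (GET https://api.securitycenter.microsoft.com/api/machines) with an OData $filter on rbacGroupId rather than passing a group ID to /isolate, which only accepts a machine ID.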

5 Replies
Hi @ShahinMo, I am also trying to figure out a solution to isolate/unisolate devices in bulk; have you found a solution yet? I found some Graph batch documentation, but sadly that's not helping.
Regards, Patrick
You can make a custom detection rule and choose isolate device as the response action.
Thanks for your reply! :)
I know, but this would be one device, or, if the detection rule triggers more often, a bunch of devices.
If the detection rule triggers a false positive on a lot of devices, we would have a big problem. This is why I am trying to find a feature to unisolate a lot of devices at the same time, in BULK. It's all about the bulk :)
You control the contents of the detection rule, so false positives aren't a problem. For instance, set a certain registry value you create, e.g. 'isolateme', and then have the detection rule trigger on that event. Then use some other tool to flip the registry value on the hosts you want to isolate.

But reversing it, I don't know of a way to do that in bulk.

What problem are you trying to solve by bulk isolating devices? Maybe there is some other way to solve it besides MDE isolation.

@jbmartin6 

Sorry for my late reply.

We recently had a pentest, and we had some alerts that will only trigger if something is really wrong.

The idea was that we create a detection rule to automatically isolate the devices on which these alerts are happening.
The bulk unisolation is for a false positive. Let's say our software distribution tool does something unexpected and triggers one of the detection rules, which isolates x devices; we need a fast unisolate to resolve it.