Bulk Isolation Using Defender for Endpoint API

Frequent Visitor

Hi Everyone, 

 

I have been recently studying the implementation of Defender for Endpoint API to perform bulk isolation/release for endpoints.

This documentation (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/isolate-machine?view=o365-...) says that there's a limitation of 100 calls/minute and 1500 calls/hour. So I have to think of another way to overcome this.

API structure uses endpoint ID as follows: POST https://api.securitycenter.microsoft.com/api/machines/{id}/isolate

One of the things I thought of is that if I can run this API and fill in a 'Device Group' ID instead of endpoint ID...Not quite sure if this is applicable as per my understanding device groups are used to identify set of permissions on multiple devices. Would it work though?

 

If there's any other solution to this I'm happy to receive suggestions.

0 Replies