Nov 08 2023 01:35 PM
I'm looking for a way for our helpdesk to view whether a device is isolated, but without giving them permissions to isolate or remove machines from isolation. Often when the helpdesk runs into networking issues they immediately suspect the device has been isolated by Defender for Endpoint, but because they are unable to check whether a device is isolated they transfer the ticket to the security team simply to check the status, and then the security team often just ends up transferring the ticket back to them once it is confirmed that the endpoint is not isolated. This delays troubleshooting compared to if they had just had the ability to check themselves in the first place, and often causes troubleshooting to take much longer than necessary.
Our organization has implemented the new Unified RBAC permissions for Microsoft 365 Defender and activated all workloads. I have everyone in our helpdesk assigned to a custom role which gives them read-only access for all areas of Defender (Security operations: All read-only permissions, Security posture: All read-only permissions, Authorization and settings: All read-only permissions).
The security team can go to the Microsoft 365 Defender portal, go to Devices, select a device, and then when going to the device action menu can choose to isolate (inferring it is not currently isolated), or we can remove from isolation (we infer it is already isolated); however, our helpdesk doesn't see these options in this menu because they have read-only access to the portal.
I considered the action center, but the helpdesk also doesn't have access to it with read-only access. On top of that, you can only see actions from the last six months, so if a device was isolated more than six months ago you would also not be able to determine the device's isolation status.
I determined the command required to get a list of isolated machines using the API Explorer, which it does appear they have access to, but the helpdesk users don't get results whereas the security team does, so I concluded that they also have insufficient permissions for running this command:
GET https://api-us.securitycenter.microsoft.com/api/machineactions?$filter=type eq 'Isolate'
Helpdesk users get the following response in the API explorer for running this GET command:
Success - Status code 200, 1345ms
...but the Response Body shows the value as empty brackets instead of a valid response:
I checked the related documentation for the MachineActions API.
This documentation describes how to assign permissions to an Enterprise App or App Registration, but not to an end-user.
This other documentation states, "Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role."
Anyone have any other ideas how to view/list isolation status of endpoints for users with read-only permissions to the Defender portal?
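As an added example (not part of the original post, and not Microsoft's documentation or code), the script below turns the MachineActions list the post queries into a per-device "isolated / not isolated" answer. Filtering on `type eq 'Isolate'` alone is not enough: a device that was isolated and later released shows up in that list too, so the state has to come from the newest Succeeded Isolate or Unisolate action per machineId, while Failed, TimeOut and Cancelled actions are ignored and a newer Pending/InProgress action is reported separately. The sample records are constructed; the field names follow the MachineActions API; the `api-us` host is the one in the post and is region-specific; and the live fetch assumes a bearer token obtained elsewhere and that the OData `or` filter on `type` is accepted, which are assumptions, not something the post confirms.

```python
"""Derive each device's isolation state from Defender for Endpoint MachineActions.

Constructed example: the sample records below are made up; field names follow the
MachineActions API (id, type, status, machineId, computerDnsName, requestor,
creationDateTimeUtc). The live fetch assumes a bearer token obtained elsewhere and
an RBAC role that grants read access to the actions.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Host taken from the post; it is region-specific (api-us, api-eu, api-uk, ...).
API_BASE = "https://api-us.securitycenter.microsoft.com/api"


def fetch_isolation_actions(token: str, api_base: str = API_BASE) -> list:
    """Live query: Isolate and Unisolate actions, one page, no paging (assumption:
    the OData 'or' filter on type is accepted, as for other MDE list APIs)."""
    query = urllib.parse.urlencode(
        {"$filter": "type eq 'Isolate' or type eq 'Unisolate'"})
    req = urllib.request.Request(
        f"{api_base}/machineactions?{query}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def _parse_utc(ts: str) -> datetime:
    """Parse the API's ISO 8601 UTC timestamps, which may carry 0 to 7 fractional digits."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def isolation_status(actions: list) -> dict:
    """Map computerDnsName -> current isolation state.

    Only a Succeeded action changes the device's state, so the newest Succeeded
    Isolate/Unisolate per machineId decides. Failed, TimeOut and Cancelled actions
    are ignored; a newer Pending/InProgress action is reported separately.
    A device with no Isolate/Unisolate record at all is absent from the result:
    that means "no recorded action", not "not isolated". The read-only 200 with an
    empty value described in the post yields an empty dict here, not an all-clear.
    """
    by_machine: dict = {}
    for action in actions:
        if action.get("type") in ("Isolate", "Unisolate"):
            by_machine.setdefault(action["machineId"], []).append(action)

    report = {}
    for machine_id, acts in by_machine.items():
        acts.sort(key=lambda a: _parse_utc(a["creationDateTimeUtc"]), reverse=True)
        decided = next((a for a in acts if a["status"] == "Succeeded"), None)
        pending = next((a for a in acts if a["status"] in ("Pending", "InProgress")), None)
        isolated = decided is not None and decided["type"] == "Isolate"
        report[acts[0]["computerDnsName"]] = {
            "machineId": machine_id,
            "isolated": isolated,
            "since": decided["creationDateTimeUtc"] if isolated else None,
            "requestor": decided["requestor"] if isolated else None,
            "pendingAction": pending["type"] if pending else None,
        }
    return report


# Constructed sample data (not real tenant output), deliberately out of order.
SAMPLE_ACTIONS = [
    {"id": "a1", "type": "Unisolate", "status": "Succeeded", "machineId": "m-alice",
     "computerDnsName": "ws-alice.corp.example", "requestor": "soc@corp.example",
     "creationDateTimeUtc": "2023-10-03T15:30:00.123Z"},
    {"id": "a2", "type": "RunAntiVirusScan", "status": "Succeeded", "machineId": "m-bob",
     "computerDnsName": "ws-bob.corp.example", "requestor": "soc@corp.example",
     "creationDateTimeUtc": "2023-09-21T10:00:00Z"},
    {"id": "a3", "type": "Isolate", "status": "Succeeded", "machineId": "m-alice",
     "computerDnsName": "ws-alice.corp.example", "requestor": "soc@corp.example",
     "creationDateTimeUtc": "2023-10-02T09:00:00Z"},
    {"id": "a4", "type": "Unisolate", "status": "Failed", "machineId": "m-bob",
     "computerDnsName": "ws-bob.corp.example", "requestor": "soc@corp.example",
     "creationDateTimeUtc": "2023-09-20T08:00:00Z"},
    {"id": "a5", "type": "Isolate", "status": "Succeeded", "machineId": "m-bob",
     "computerDnsName": "ws-bob.corp.example", "requestor": "ir-lead@corp.example",
     "creationDateTimeUtc": "2023-09-14T11:12:13.1234567Z"},
    {"id": "a6", "type": "Isolate", "status": "Pending", "machineId": "m-carol",
     "computerDnsName": "ws-carol.corp.example", "requestor": "soc@corp.example",
     "creationDateTimeUtc": "2023-11-08T18:40:00Z"},
]

if __name__ == "__main__":
    for name, state in sorted(isolation_status(SAMPLE_ACTIONS).items()):
        flag = "ISOLATED" if state["isolated"] else "not isolated"
        extra = f" (pending {state['pendingAction']})" if state["pendingAction"] else ""
        print(f"{name:24} {flag}{extra}")
```

With the sample data, ws-alice reports not isolated (the later Unisolate succeeded), ws-bob reports isolated since the September Isolate (the later Unisolate failed, so it never changed state), and ws-carol reports not isolated with an Isolate still pending. Because the result only needs to be read, one option is to run this from a service principal on a schedule and publish the table where the helpdesk can see it, so that no helpdesk account needs any machine action permission at all.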
Nov 13 2023 12:53 AM - edited Nov 13 2023 01:07 AM
You can try M365 Defender custom roles, Security data basics (read). This custom security data permission gives the required read access.