Hey all, I’ve noticed that the Microsoft Defender ATP SOAR Integration has “Create Isolate Machine Task” and accompanying unisolate machine task actions. However, these find the host directly from the alert. I want to be able to have isolate and unisolate actions that can take in a hostname/hostid as an input so that they can be run ad-hoc. Any ideas?
You would need to add the hostname or IP address as an entity to a case (new or existing) and then run the action ad-hoc. The integration actions are really meant to be run against cases and their associated entities. Another option could be to clone the actions and customize as needed. You would likely need to run them from the IDE or as an ad-hoc job.
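The "clone and customize" option above boils down to giving the action a hostname/machine-id parameter and resolving it yourself instead of reading the machine from the alert. The following is an added example (not code from the thread, the integration, or the vendor) of that core logic in Python. It assumes the documented Microsoft Defender for Endpoint API endpoints `GET /api/machines?$filter=computerDnsName eq '<name>'`, `POST /api/machines/{id}/isolate` and `POST /api/machines/{id}/unisolate`; the SOAR-side wiring (reading the action parameter, writing the result back to the case) is left out, and the HTTP layer is injected as a `transport` callable so the module runs offline against a constructed fake tenant. The 40-hex-character machine-id pattern and the strict hostname pattern are assumptions used to decide which lookup path to take and to keep unexpected input out of the OData filter.

```python
import re
from typing import Any, Callable, Dict, List, Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"  # MDE API base URL (assumed)

# A transport is any callable (method, url, headers, json_body) -> parsed JSON dict.
# In a real SOAR action this would wrap requests.request (which percent-encodes the
# spaces/quotes in the $filter query); here it is injected so the code runs offline.
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]

MACHINE_ID_RE = re.compile(r"^[0-9a-f]{40}$")                    # assumed MDE machine-id shape
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")   # conservative DNS-name shape


def _headers(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def resolve_machine_id(host: str, token: str, transport: Transport) -> str:
    """Accept either an MDE machine id or a hostname and return the machine id.

    Fails closed: no match or an ambiguous match raises instead of guessing, and
    input that is neither an id nor a plain hostname never reaches the filter.
    """
    host = host.strip()
    if MACHINE_ID_RE.match(host):
        return host
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"refusing to build a filter from unexpected input: {host!r}")
    url = f"{API_BASE}/machines?$filter=computerDnsName eq '{host}'"
    matches: List[Dict[str, Any]] = transport("GET", url, _headers(token), None).get("value", [])
    if len(matches) != 1:
        raise LookupError(f"expected exactly one machine for {host!r}, got {len(matches)}")
    return matches[0]["id"]


def isolate_host(host: str, comment: str, token: str, transport: Transport,
                 isolation_type: str = "Full") -> Dict[str, Any]:
    """Ad-hoc isolate by hostname or id; returns the machine-action record."""
    machine_id = resolve_machine_id(host, token, transport)
    body = {"Comment": comment, "IsolationType": isolation_type}
    return transport("POST", f"{API_BASE}/machines/{machine_id}/isolate", _headers(token), body)


def unisolate_host(host: str, comment: str, token: str, transport: Transport) -> Dict[str, Any]:
    """Ad-hoc release from isolation by hostname or id."""
    machine_id = resolve_machine_id(host, token, transport)
    return transport("POST", f"{API_BASE}/machines/{machine_id}/unisolate",
                     _headers(token), {"Comment": comment})


# ---- constructed fake tenant so the example runs without network access ----
FAKE_MACHINES = [
    {"id": "a" * 40, "computerDnsName": "ws-finance-01.corp.example"},
    {"id": "b" * 40, "computerDnsName": "srv-db-02.corp.example"},
]


def make_fake_transport(log: list) -> Transport:
    """Returns a transport that records every call and answers like the MDE API would."""
    def transport(method, url, headers, body):
        log.append((method, url, body))
        if method == "GET" and "/machines?$filter=" in url:
            name = url.split("'")[1]
            return {"value": [m for m in FAKE_MACHINES if m["computerDnsName"] == name]}
        if method == "POST":
            action = "Isolate" if url.endswith("/isolate") else "Unisolate"
            return {"id": "action-0001", "type": action, "status": "Pending",
                    "machineId": url.split("/")[-2], "requestorComment": body["Comment"]}
        raise RuntimeError(f"unexpected call: {method} {url}")
    return transport


if __name__ == "__main__":
    calls: list = []
    fake = make_fake_transport(calls)
    print(isolate_host("ws-finance-01.corp.example", "IR-123 containment", "token", fake))
    print(unisolate_host("b" * 40, "IR-123 cleared", "token", fake))
```

In the SOAR action itself the parameter value would be passed as `host`, the OAuth bearer token taken from the integration configuration, and the returned action record (its `id` and `status`) written to the case so the analyst can see the pending machine action.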