Defender for Endpoint: How to isolate a device with high risk automatically?

Sergio Londono 671 Reputation points
2024-03-22T13:38:36.8133333+00:00

Hello team,

How can I auto-isolate a device that comes with a high-risk score?


Accepted answer
Catherine Kyalo 665 Reputation points Microsoft Employee
2024-04-04T09:13:16.89+00:00

Hi @Sergio Londono

1. You can leverage the Graph API and Power Automate to achieve auto-isolation.
2. Acquire these permissions: on your application page, select API Permissions > Add permission > APIs my organization uses > type WindowsDefenderATP and select WindowsDefenderATP.
3. Graph Query - https://api.securitycenter.microsoft.com/api/alerts
4. Power Automate - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-microsoft-flow?view=o365-worldwide#isolate-the-device-if-the-alerts-severity-is-high
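The flow the accepted answer points to, written as a Python script instead of a Power Automate flow (an added example, not code from the answer or from Microsoft): it reads the alerts endpoint named above, picks devices with unresolved High alerts, and posts the isolate machine action for each. The token acquisition is left out, the sample alerts are constructed, and the `already_isolated` list is an assumed input (for example, the result of a previous run) so a device is not isolated twice.

```python
# Added example (not from the answer or from Microsoft): the Power Automate flow the
# answer links to, expressed as a Python script against the Defender for Endpoint API.
# Decision logic is kept separate from HTTP so it can be run offline on constructed data.
import json
import urllib.parse
import urllib.request

API = "https://api.securitycenter.microsoft.com/api"

# Constructed sample alerts in the shape returned by GET /api/alerts (only the fields used here).
SAMPLE_ALERTS = [
    {"id": "da1", "severity": "High",   "status": "New",        "machineId": "machine-a"},
    {"id": "da2", "severity": "High",   "status": "InProgress", "machineId": "machine-a"},  # same device
    {"id": "da3", "severity": "Medium", "status": "New",        "machineId": "machine-b"},  # below threshold
    {"id": "da4", "severity": "High",   "status": "Resolved",   "machineId": "machine-c"},  # already handled
    {"id": "da5", "severity": "High",   "status": "New",        "machineId": "machine-d"},
]

def select_targets(alerts, already_isolated=()):
    """Machine IDs with at least one unresolved High alert, deduplicated, in first-seen order.
    `already_isolated` (assumed input, e.g. from a previous run) avoids a second isolate call."""
    targets = []
    for alert in alerts:
        if alert.get("severity") != "High" or alert.get("status") == "Resolved":
            continue
        machine_id = alert.get("machineId")
        if machine_id and machine_id not in targets and machine_id not in already_isolated:
            targets.append(machine_id)
    return targets

def isolate_request(machine_id, comment, isolation_type="Full"):
    """URL and JSON body for POST /api/machines/{id}/isolate (IsolationType: Full or Selective)."""
    return f"{API}/machines/{machine_id}/isolate", {"Comment": comment, "IsolationType": isolation_type}

def api_call(token, url, body=None):
    """Minimal authenticated call; `token` is an app token for WindowsDefenderATP (acquisition not shown)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET",
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def auto_isolate(token, already_isolated=()):
    """Live run: fetch unresolved High alerts, then isolate each affected device once."""
    query = urllib.parse.quote("severity eq 'High' and status ne 'Resolved'")
    alerts = api_call(token, f"{API}/alerts?$filter={query}")["value"]
    actions = []
    for machine_id in select_targets(alerts, already_isolated):
        url, body = isolate_request(machine_id, "Auto-isolation: unresolved High severity alert")
        actions.append(api_call(token, url, body))  # each response is a machine action record
    return actions
```

Running `select_targets(SAMPLE_ALERTS)` offline returns `["machine-a", "machine-d"]`; `auto_isolate` needs a real token and will trigger isolation on the listed devices.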
