Isolate Machine -playbook in Sentinel

JukkaV 5 Reputation points


We are trying to create an isolate machine Sentinel incident playbook, but we only get the error message "404 resource not found" when running it. Is it possible to use that playbook if machine accounts are synced from on-premise AD, or does it need something else compared to Azure-joined machine accounts?

~ Jukka ~

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

2 answers

  1. JukkaV 5 Reputation points

  2. Andrew Blumhardt 9,676 Reputation points Microsoft Employee

    Maybe share some screenshots of your logic app for better understanding. The JSON source is hard to read. I recommend looking at the Content Hub and Sentinel GitHub repo for similar examples. These examples can often clarify something you may have overlooked. I am certain this has been done before.

    I assume you are calling the Defender for Endpoint isolation capability. If that is the case, on-prem or AD credentials are not involved. Possibly the target systems have not been onboarded to MDE. Also, you probably need to pass the MDE Device ID for isolation. Without looking closer, I assume the Sentinel entity might have the device ID. If not, you need to run an additional enrichment to get the ID. For example, a query to MDE advanced hunting logs.
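The enrichment step this answer describes, written out as an added example (not code from the question, the answer, or any Microsoft playbook). It assumes the playbook has a hostname from the Sentinel Host entity, runs the KQL below against the `DeviceInfo` advanced hunting table, and gets back rows shaped like the constructed `SAMPLE_ROWS`. The resolver picks the newest record for the host and refuses to build the isolation call unless the device reports `OnboardingStatus == "Onboarded"`, which is the check to run before the HTTP action: calling the isolate endpoint with an id MDE does not know is one typical way to end up with a 404 rather than a useful error. The request is only built, never sent, so the block runs offline.

```python
"""Hostname -> MDE DeviceId enrichment and isolation request builder (illustrative)."""
from datetime import datetime
from typing import Optional

# KQL for the enrichment step. DeviceInfo has one row per device report, so
# arg_max keeps only the newest row per DeviceName. The hostname is bound
# through a let statement so a playbook parameter can be substituted in.
ENRICHMENT_KQL = """
let target = "{hostname}";
DeviceInfo
| where DeviceName =~ target or DeviceName startswith strcat(target, ".")
| summarize arg_max(Timestamp, DeviceId, OSPlatform, OnboardingStatus) by DeviceName
"""

# Constructed rows in the shape the query above returns (not real devices).
SAMPLE_ROWS = [
    {"DeviceName": "ws-finance-01.corp.example", "Timestamp": "2024-05-01T10:00:00Z",
     "DeviceId": "0123456789abcdef0123456789abcdef01234567",
     "OSPlatform": "Windows10", "OnboardingStatus": "Onboarded"},
    {"DeviceName": "ws-finance-01.corp.example", "Timestamp": "2024-04-30T09:00:00Z",
     "DeviceId": "0123456789abcdef0123456789abcdef01234567",
     "OSPlatform": "Windows10", "OnboardingStatus": "Onboarded"},
    {"DeviceName": "srv-legacy-07", "Timestamp": "2024-05-01T08:00:00Z",
     "DeviceId": "fedcba9876543210fedcba9876543210fedcba98",
     "OSPlatform": "WindowsServer2012R2", "OnboardingStatus": "Can be onboarded"},
]

MDE_API = "https://api.securitycenter.microsoft.com/api"


def build_enrichment_query(hostname: str) -> str:
    """Bind the hostname into the KQL literal, rejecting characters that could break out of it."""
    if any(ch in hostname for ch in ('"', "\\", "\n", "\r")):
        raise ValueError("hostname contains characters not allowed in the query literal")
    return ENRICHMENT_KQL.format(hostname=hostname)


def resolve_device_id(hostname: str, rows) -> Optional[dict]:
    """Return the newest DeviceInfo row for the host (short name match, case-insensitive)."""
    short = hostname.split(".")[0].lower()
    matches = [r for r in rows if r["DeviceName"].split(".")[0].lower() == short]
    if not matches:
        return None
    return max(matches, key=lambda r: datetime.fromisoformat(r["Timestamp"].replace("Z", "+00:00")))


def build_isolation_request(hostname: str, rows, comment: str, isolation_type: str = "Full") -> dict:
    """Describe the HTTP call the playbook's HTTP action should make, or explain why it must not."""
    if isolation_type not in ("Full", "Selective"):
        return {"ok": False, "reason": "IsolationType must be Full or Selective"}
    row = resolve_device_id(hostname, rows)
    if row is None:
        return {"ok": False, "reason": f"{hostname}: no DeviceInfo record, MDE has never seen this host"}
    if row["OnboardingStatus"] != "Onboarded":
        return {"ok": False, "reason": f"{hostname}: OnboardingStatus is '{row['OnboardingStatus']}'"}
    return {
        "ok": True,
        "method": "POST",
        "url": f"{MDE_API}/machines/{row['DeviceId']}/isolate",
        "body": {"Comment": comment, "IsolationType": isolation_type},
    }


if __name__ == "__main__":
    for host in ("ws-finance-01", "srv-legacy-07", "unknown-host"):
        print(host, "->", build_isolation_request(host, SAMPLE_ROWS, "Sentinel incident response"))
```

In a Logic App the same shape maps onto three actions: run the enrichment query, a condition on `OnboardingStatus`, and an HTTP action that posts the body above with a token for the MDE API. Keeping the status check in front of the HTTP action is what turns an opaque 404 into a readable reason in the playbook run history.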