MachineAction resource type


Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, use the server closest to your geographic location:

  • us.api.security.microsoft.com
  • eu.api.security.microsoft.com
  • uk.api.security.microsoft.com
  • au.api.security.microsoft.com
  • swa.api.security.microsoft.com

Methods

Method                              Return type     Description
List MachineActions                 Machine Action  List Machine Action entities.
Get MachineAction                   Machine Action  Get a single Machine Action entity.
Collect investigation package       Machine Action  Collect an investigation package from a machine.
Get investigation package SAS URI   Machine Action  Get a URI for downloading the investigation package.
Isolate machine                     Machine Action  Isolate a machine from the network.
Release machine from isolation      Machine Action  Release a machine from isolation.
Restrict app execution              Machine Action  Restrict application execution.
Remove app restriction              Machine Action  Remove the application execution restriction.
Run antivirus scan                  Machine Action  Run an AV scan using Windows Defender (when applicable).
Offboard machine                    Machine Action  Offboard a machine from Microsoft Defender for Endpoint.
Stop and quarantine file            Machine Action  Stop execution of a file on a machine and delete it.
Run live response                   Machine Action  Run a sequence of live response commands on a device.
Get live response result            URL entity      Retrieve a specific live response command result download link by its index.
Cancel machine action               Machine Action  Cancel an active machine action.

Properties

Property                 Type            Description
id                       Guid            Identity of the Machine Action entity.
type                     Enum            Type of the action. Possible values are: RunAntiVirusScan, Offboard, LiveResponse, CollectInvestigationPackage, Isolate, Unisolate, StopAndQuarantineFile, RestrictCodeExecution, and UnrestrictCodeExecution.
scope                    String          Scope of the action: Full or Selective for isolation, Quick or Full for an antivirus scan.
requestor                String          Identity of the person who executed the action.
externalID               String          ID the customer can submit in the request for custom correlation.
requestSource            String          Name of the user or application that submitted the action.
commands                 Array           Commands to run. Allowed values are PutFile, RunScript, and GetFile.
cancellationRequestor    String          Identity of the person who canceled the action.
requestorComment         String          Comment that was written when issuing the action.
cancellationComment      String          Comment that was written when canceling the action.
status                   Enum            Current status of the action. Possible values are: Pending, InProgress, Succeeded, Failed, TimeOut, and Cancelled.
machineId                String          ID of the machine on which the action was executed.
computerDnsName          String          Name of the machine on which the action was executed.
creationDateTimeUtc      DateTimeOffset  Date and time when the action was created.
cancellationDateTimeUtc  DateTimeOffset  Date and time when the action was canceled.
lastUpdateDateTimeUtc    DateTimeOffset  Last date and time when the action status was updated.
title                    String          Machine action title.
relatedFileInfo          Class           Contains two properties: String fileIdentifier and Enum fileIdentifierType, whose possible values are Sha1, Sha256, and Md5.

JSON representation

{
    "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
    "type": "Isolate",
    "scope": "Selective",
    "requestor": "Analyst@TestPrd.onmicrosoft.com",
    "requestorComment": "test for docs",
    "status": "Succeeded",
    "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
    "computerDnsName": "desktop-test",
    "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
    "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
    "relatedFileInfo": null
}
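The status enum and the Get MachineAction operation above, as an added worked example (not code from this page or from Microsoft): a small client-side helper that validates a MachineAction response against the documented type and status values, builds the Get URL on one of the regional hosts listed in the tip, and polls until the action reaches a terminal status (Succeeded, Failed, TimeOut or Cancelled). The `/api/machineactions/{id}` path, the region-to-host mapping, and the sample response bodies (constructed from the JSON representation above) are assumptions; token acquisition and the actual HTTP call are left to the caller, who passes them in as `fetch()`.

```python
# Added example: client-side handling of MachineAction entities (not code from the page
# or from Microsoft). Assumed: GET https://<host>/api/machineactions/{id} returns one
# entity (path taken from the "Get MachineAction" operation); the caller supplies the
# authenticated HTTP call as fetch(); sample responses are constructed from the page's JSON.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Regional API hosts listed on the page.
REGIONAL_HOSTS = {r: f"{r}.api.security.microsoft.com" for r in ("us", "eu", "uk", "au", "swa")}

# Enums from the properties table; anything else is treated as a malformed response.
ACTION_TYPES = frozenset({
    "RunAntiVirusScan", "Offboard", "LiveResponse", "CollectInvestigationPackage", "Isolate",
    "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution", "UnrestrictCodeExecution",
})
STATUSES = frozenset({"Pending", "InProgress", "Succeeded", "Failed", "TimeOut", "Cancelled"})
TERMINAL_STATUSES = frozenset({"Succeeded", "Failed", "TimeOut", "Cancelled"})


@dataclass(frozen=True)
class MachineAction:
    id: str
    type: str
    status: str
    machine_id: str
    computer_dns_name: str
    requestor: str
    scope: Optional[str]
    external_id: Optional[str]  # caller-supplied correlation ID; absent in the page's sample
    created: datetime
    last_update: datetime

    @property
    def is_terminal(self) -> bool:
        # Only Pending and InProgress can still change.
        return self.status in TERMINAL_STATUSES


def _parse_utc(value: str) -> datetime:
    """Parse the API's timestamps (7 fractional digits, trailing Z), which
    datetime.fromisoformat on Python < 3.11 rejects; trim to microseconds."""
    head, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    return datetime.fromisoformat(f"{head}.{frac}").replace(tzinfo=timezone.utc)


def parse_machine_action(obj: dict) -> MachineAction:
    """Validate one MachineAction JSON object against the documented enums."""
    if obj.get("type") not in ACTION_TYPES:
        raise ValueError(f"unknown action type: {obj.get('type')!r}")
    if obj.get("status") not in STATUSES:
        raise ValueError(f"unknown status: {obj.get('status')!r}")
    return MachineAction(
        id=obj["id"], type=obj["type"], status=obj["status"], machine_id=obj["machineId"],
        computer_dns_name=obj["computerDnsName"], requestor=obj["requestor"],
        scope=obj.get("scope"), external_id=obj.get("externalID"),
        created=_parse_utc(obj["creationDateTimeUtc"]),
        last_update=_parse_utc(obj["lastUpdateDateTimeUtc"]),
    )


def get_action_url(region: str, action_id: str) -> str:
    """Get MachineAction URL on the chosen regional host (the path is an assumption)."""
    return f"https://{REGIONAL_HOSTS[region]}/api/machineactions/{action_id}"


def poll_until_terminal(fetch: Callable[[], dict], max_polls: int) -> MachineAction:
    """Call fetch() until the action reaches a terminal status.

    In production fetch() does the authenticated GET (sleeping between calls); it is
    injected here so the logic runs offline. Raises TimeoutError if the action is
    still Pending/InProgress after max_polls responses.
    """
    if max_polls < 1:
        raise ValueError("max_polls must be at least 1")
    for _ in range(max_polls):
        action = parse_machine_action(fetch())
        if action.is_terminal:
            return action
    raise TimeoutError(f"action {action.id} still {action.status} after {max_polls} polls")


def sample_response(status: str, last_update: str) -> dict:
    """Constructed response body modelled on the page's JSON representation."""
    return {
        "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", "type": "Isolate", "scope": "Selective",
        "requestor": "Analyst@TestPrd.onmicrosoft.com", "requestorComment": "test for docs",
        "status": status, "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
        "computerDnsName": "desktop-test", "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
        "lastUpdateDateTimeUtc": last_update, "relatedFileInfo": None,
    }


def demo() -> MachineAction:
    """Simulate an isolation request moving Pending -> InProgress -> Succeeded."""
    responses = iter([
        sample_response("Pending", "2019-01-02T14:39:38.2262283Z"),
        sample_response("InProgress", "2019-01-02T14:40:01.0000000Z"),
        sample_response("Succeeded", "2019-01-02T14:40:44.6596267Z"),
    ])
    return poll_until_terminal(lambda: next(responses), max_polls=5)
```

Two points worth keeping from this pattern: reject any type or status value outside the documented enums rather than treating it as "not finished", so a schema change surfaces as an error instead of an endless poll; and bound the number of polls, because an action can sit in Pending for a long time when the device is offline and the API itself will eventually move it to TimeOut.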
