Isolate a Microsoft Defender endpoint machine
Approval-gated Microsoft Defender for Endpoint machine isolation workflow for one machine. It reads the machine and related alerts for context, then calls recued-core.microsoft-defender-endpoint.machine.isolate for exactly that machine. It does not run live response, offboard devices, run antivirus scans, quarantine files, collect packages, mutate tags, create indicators, bulk-update alerts, or call arbitrary Defender APIs.
How it works
Inspect the data fetches, transforms, gates, and output this recipe runs.
Process (8 steps)
machine_id
trim
Trim whitespace from setting machine id
comment
trim
Trim whitespace from setting comment
machine_before
?
alerts_raw
?
isolate
?
alerts
default
Apply default
alert_count
count
Count items in alerts
card
to_summary
Format results as a summary card
Settings
Configurable at install. Defaults shown — change them anytime in Recued.
comment
setting
=
Isolate machine for security investigation.
machine id
setting
=
isolation type
setting
=
Selective
microsoft defender
setting
=
Trust & control
What installing this recipe would let it do. Recued grants these permissions at install — review them there before approving.