Skip to content
Recued
Menu
← Back to recipes

Isolate a Microsoft Defender endpoint machine

by recued-core v1

Approval-gated Microsoft Defender for Endpoint machine isolation workflow for one machine. It reads the machine and related alerts for context, then calls recued-core.microsoft-defender-endpoint.machine.isolate for exactly that machine. It does not run live response, offboard devices, run antivirus scans, quarantine files, collect packages, mutate tags, create indicators, bulk-update alerts, or call arbitrary Defender APIs.

How it works 8 steps

Inspect the data fetches, transforms, gates, and output this recipe runs.

Process (8 steps)
machine_id trim
Trim whitespace from setting machine id
comment trim
Trim whitespace from setting comment
machine_before ?
alerts_raw ?
isolate ?
alerts default
Apply default
alert_count count
Count items in alerts
card to_summary
Format results as a summary card
Settings 4 configurable

Configurable at install. Defaults shown — change them anytime in Recued.

comment setting = Isolate machine for security investigation.
machine id setting =
isolation type setting = Selective
microsoft defender setting =

Trust & control

What installing this recipe would let it do. Recued grants these permissions at install — review them there before approving.

Where it runs

Device + server Runs on your device (browser) or your server.

Permissions it requires

Read your Microsoft-defender connection
Declared by the recipe — Recued grants these at install, where you review them before approving.

About

Tags

microsoft-defender-endpoint microsoft-defender-endpointdefender-for-endpointendpoint-securitymachinesisolateincident-responseapprovalpack:microsoft-defender-endpoint

Details

8 steps 4 configurable settings recipe_id: isolate-microsoft-defender-endpoint-machine