MDE Integration with SIR and Isolate Capability

Rachel3
Tera Contributor

Looking at the Microsoft Defender Endpoint integration with Security Incident Response and can't find documentation anywhere that goes into detail about contacting a host that is no longer online. Is there a looping process that continues to try to isolate (or any of the other options available) a host if it can't be found or what happens if you choose to do something with a host and it's offline? Will the process keep checking or just stop?


VaranAwesomenow
Mega Sage

Based on the subflows (Security Operations - Isolate Host - Microsoft Defender for Endpoint | Workflow Studio | ServiceNow), there are two actions (using the subflow Microsoft Defender for Endpoint - Isolate Host) that isolate a host.

[screenshots of the Isolate Host subflow]

The above subflow has a loop which iterates until one of the conditions below is met (timed out, success, failure, or cancelled).

[screenshot of the loop exit conditions]

Based on the above analysis, if a host is offline / unresponsive then it may result in a time-out scenario.
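As an added illustration (not the ServiceNow subflow's own code), the loop described in the reply can be modelled as a poll-until-terminal-state routine with a fixed time budget: an offline host never reaches a terminal state, so the loop exhausts its budget and reports a time-out rather than success. The status strings and the poll/timeout budget are assumptions chosen for the example; the stub pollers stand in for the real machine-action status query.

```javascript
// Added example: models the subflow's "iterate until timed out / success /
// failure / cancelled" behaviour. Status names are assumptions for this example.
const TERMINAL_STATES = new Set(["Succeeded", "Failed", "Cancelled", "TimeOut"]);

// Polls getStatus(attempt) until a terminal state is returned or the time
// budget (timeoutMs / intervalMs polls) is used up. A real flow would sleep
// intervalMs between polls; here the budget is expressed as a poll count so
// the behaviour is deterministic.
function pollMachineAction(getStatus, timeoutMs, intervalMs) {
  const maxAttempts = Math.ceil(timeoutMs / intervalMs);
  const log = [];
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const status = getStatus(attempt);
    log.push(status);
    if (TERMINAL_STATES.has(status)) {
      // Only "Succeeded" means the host is actually isolated.
      return { outcome: status, attempts: attempt, isolated: status === "Succeeded", log };
    }
  }
  // Budget exhausted: the host never reported back. Treat as NOT isolated so
  // the analyst re-queues or escalates instead of assuming containment.
  return { outcome: "TimeOut", attempts: maxAttempts, isolated: false, log };
}

// Constructed stub: host checks in on the 3rd poll and the action completes.
function onlineHostStatus(attempt) {
  if (attempt < 3) return "Pending";
  if (attempt === 3) return "InProgress";
  return "Succeeded";
}

// Constructed stub: host is offline and never progresses past Pending.
function offlineHostStatus() {
  return "Pending";
}

// Constructed stub: analyst cancels the action on the 2nd poll.
function cancelledActionStatus(attempt) {
  return attempt < 2 ? "Pending" : "Cancelled";
}
```

With a 60 s budget and 10 s interval, the online host resolves as Succeeded on the 4th poll while the offline host exhausts all 6 polls and comes back as TimeOut with `isolated: false`.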