Configure Isolate Host capability in Microsoft Defender for Endpoint

  • Release version: Washingtondc
  • Updated February 1, 2024

Isolate the host from accessing the network in Microsoft Defender for Endpoint based on the severity of the attack. Isolating the host from the network lets you prevent further malicious activity from that host and potential attacks on other hosts.

Before you begin

Role required: sn_si.admin or sn_si.analyst

Table 1. Requirements for Isolate Host capability

Capability     Required                    Description
Isolate Host   Isolation Type (Required)   Type of the isolation (Full or Selective).
               Comment (Required)          Comment to associate with the action.

Procedure

1. Navigate to Security Incidents > Show All Incidents.
2. Select the security incident that you want to review with the Microsoft Defender for Endpoint information.
3. In the Related Links section, click Run EDR Profile(s).
4. Browse and select a profile with the Isolate Host capability selected from the list of available profiles, and click Submit.
   Figure 1. Isolate Host
   Alternatively, you can perform the following steps:
   1. In the related lists section, click Show All Related Lists.
   2. Click the Configuration Item related list.
   3. Select Isolate Host and select the corresponding capabilities.
5. Validate the Automation Activity and Activities sections, and make sure that the data is as expected.
6. View the data, and validate the Isolate Host details in the related lists.
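As an added illustration (not code from the ServiceNow documentation or from the integration itself), the following Python validates the two required inputs of the Isolate Host capability and builds the corresponding Microsoft Defender for Endpoint machine-action request; the severity-to-isolation-type mapping is an assumed policy, since the page only says the type is chosen based on attack severity.

```python
"""Validate Isolate Host inputs and build the Defender for Endpoint isolate call.

Added illustration. SEVERITY_TO_ISOLATION is an assumed policy, not one the
page defines; the machine id used at the bottom is a constructed placeholder.
"""
from typing import Dict, Optional

# Defender for Endpoint accepts exactly these two isolation types.
ISOLATION_TYPES = ("Full", "Selective")

# Assumed policy: which isolation type each security incident severity triggers.
# Selective isolation keeps Outlook and Teams traffic working for the user.
SEVERITY_TO_ISOLATION = {
    "critical": "Full",
    "high": "Full",
    "medium": "Selective",
}

MDE_API = "https://api.securitycenter.microsoft.com/api"


def isolation_type_for_severity(severity: str) -> Optional[str]:
    """Return the isolation type for a severity, or None when no isolation is warranted."""
    return SEVERITY_TO_ISOLATION.get(severity.lower())


def build_isolate_request(machine_id: str, isolation_type: str, comment: str) -> Dict:
    """Return the POST that the Isolate Host capability maps to, after checking its inputs."""
    if isolation_type not in ISOLATION_TYPES:
        raise ValueError(f"Isolation Type must be one of {ISOLATION_TYPES}, got {isolation_type!r}")
    if not comment or not comment.strip():
        raise ValueError("Comment is required for the Isolate Host action")
    if not machine_id or not machine_id.strip():
        raise ValueError("machine_id is required")
    return {
        "method": "POST",
        "url": f"{MDE_API}/machines/{machine_id.strip()}/isolate",
        "body": {"Comment": comment.strip(), "IsolationType": isolation_type},
    }


if __name__ == "__main__":
    # Constructed sample: placeholder machine id, not a real device.
    iso_type = isolation_type_for_severity("High")
    print(build_isolate_request("MACHINE_ID_PLACEHOLDER", iso_type, "SIR: lateral movement observed"))
```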