Configure Get Related Machines from Defender Capability in Microsoft Defender for Endpoint

  • Release version: Zurich
  • Updated March 12, 2026
  • 1 minute to read

    • Get the list of related machines of specific observables.

    Before you begin

    Note:
    Supported Observable Types are Domain name, SHA1 hash, and Username.
    Role required: sn_si.admin or sn_si.analyst

    About this task

    You can retrieve the list of machines that have accessed the particular observables. You can store the list on the Microsoft Defender for Endpoint Related Machines Details table. You can trigger the Get Related Machines from Defender capability from the Associated Observables related list.

    Procedure

    1. Navigate to Security Incidents > Show All Incidents.
    2. Select the security incident that you want to review with the Microsoft Defender for Endpoint information.
    3. In the Related links section, select Show IoC.
    4. Select the Associated Observables related list.
    5. Select the associated observables.
    6. From the Actions list, select the Get Related Machines from Defender capability.
    7. Validate the automation activity and activities section.
    8. View the data, and validate the Microsoft Defender for Endpoint Related Machines details on the related lists.
    9. View the automation activities of the execution, and validate them.