Microsoft Defender ATP Machine Isolation Integration

The Microsoft Defender ATP integration allows users to automatically collect investigation packages, run antivirus scans, and isolate machines that meet certain conditions and thresholds found in ExtraHop detections.

About this bundle

Microsoft Defender ATP Machine Isolation Integration

Description

Microsoft Defender Advanced Threat Protection (ATP) is a unified endpoint security platform for preventative protection, post-breach detection, automated investigation, and response. In addition, Microsoft Defender ATP can isolate machines from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. Machine isolation disconnects the potentially compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.

By integrating with the Reveal(x) system, users can automatically collect investigation packages, run antivirus scans, and isolate machines that meet certain conditions and thresholds found in Reveal(x) detections. The details of every machine isolation are stored within the Reveal(x) system for further analysis and auditing. In addition, the integration tracks the list of high-risk offender devices for which no associated Defender ATP machine was found, and which therefore could not be isolated.

Interested in obtaining this bundle? Create a service request.

Requirements

You must have:

  • An ExtraHop Discover or Command appliance with version 8.0 or later and a user account that has Unlimited privileges
  • Access to Azure with a user account that has the Global Administrator role to create an Azure Active Directory application
  • Access to the Microsoft Defender Advanced Threat Protection Platform

Contents

  • 1x Application
    • MS Defender ATP
  • 1x Dashboard
    • Microsoft Defender ATP
  • 1x Record Format
    • MS Defender ATP
  • 1x Trigger
    • MS Defender ATP
