Skip to main content

Microsoft Defender For Endpoint - Isolate Endpoint

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

This playbook accepts an endpoint ID, IP, or host name and isolates it using the Microsoft Defender For Endpoint integration.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • MicrosoftDefenderAdvancedThreatProtection


  • SetAndHandleEmpty
  • isError
  • IsIntegrationAvailable
  • Print


  • endpoint
  • microsoft-atp-isolate-machine

Playbook Inputs#

NameDescriptionDefault ValueRequired
Device_idThe device ID to isolate.
For more information about the device, you can use the following commands:
HostnameThe host name you want to isolate.Optional
Device_IPThe device IP you want to isolate.Optional
Isolation_typeOptional Values: Full/Selective. Default is Full.

For more information see Microsoft documentation:\#isolate-devices-from-the-network

Playbook Outputs#

MicrosoftATP.MachineAction.IDThe machine action ID.string
MicrosoftATP.IsolateListThe machine IDs that were isolated.string
MicrosoftATP.NonIsolateListThe machine IDs that will not be isolated.string
MicrosoftATP.IncorrectIDsIncorrect device IDs entered.string
MicrosoftATP.IncorrectHostnamesIncorrect device host names entered.string
MicrosoftATP.IncorrectIPsIncorrect device IPs entered.string

Playbook Image#

Microsoft Defender For Endpoint - Isolate Endpoint