Microsoft Defender For Endpoint - Unisolate Endpoint

This Playbook is part of the Microsoft Defender for Endpoint Pack.

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

This playbook accepts an endpoint ID, IP, or host name and unisolates it using the Microsoft Defender For Endpoint integration.


Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • MicrosoftDefenderAdvancedThreatProtection

Scripts

  • SetAndHandleEmpty
  • isError
  • IsIntegrationAvailable
  • Print

Commands

  • endpoint
  • microsoft-atp-unisolate-machine

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Device_id | The device ID to isolate. For more information about the device, you can use the following commands: | | |
| Hostname | The device host name you want to isolate. | | Optional |
| Device_IP | The device IP you want to isolate. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| MicrosoftATP.MachineAction.ID | The machine action ID. | string |
| MicrosoftATP.NonUnisolateList | The machine IDs that will not be released from isolation. | string |
| MicrosoftATP.UnisolateList | The machine IDs that were released from isolation. | string |
| MicrosoftATP.IncorrectIDs | Incorrect device IDs entered. | string |
| MicrosoftATP.IncorrectHostnames | Incorrect host names entered. | string |
| MicrosoftATP.IncorrectIPs | Incorrect device IPs entered. | string |

Playbook Image

[Image: Microsoft Defender For Endpoint - Unisolate Endpoint]