Skip to main content

Unisolate Endpoint - Generic

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook. It currently supports the following integrations:

  • Carbon Black Response
  • Cortex XDR
  • Crowdstrike Falcon
  • FireEye HX
  • Cybereason
  • Microsoft Defender For Endpoint.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • FireEye HX - Unisolate Endpoint
  • Cortex XDR - Unisolate Endpoint
  • Crowdstrike Falcon - Unisolate Endpoint
  • Microsoft Defender For Endpoint - Unisolate Endpoint
  • Unisolate Endpoint - Cybereason
  • Carbon Black Response - Unisolate Endpoint


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
Endpoint_IDThe endpoint ID/device ID/sensor ID/agent ID that you want to unisolate.Optional
HostnameThe host name of the endpoint to unisolate (using Cybereason or FireEyeHX).Optional
IPIP address of the endpoint to unisolate. (using Defender or XDR)Optional

Playbook Outputs#

MicrosoftATP.MachineAction.IDThe machine action ID.string
MicrosoftATP.NonUnisolateListThe machine IDs that will not be released from isolation.string
MicrosoftATP.UnisolateListThe machine IDs that were released from isolation.string
MicrosoftATP.IncorrectIDsIncorrect device IDs entered.string
MicrosoftATP.IncorrectHostnamesIncorrect device host names entered.string
MicrosoftATP.IncorrectIPsIncorrect device IPs entered.string

Playbook Image#

Unisolate Endpoint - Generic