Automating Device Isolation with Microsoft Sentinel and Defender for Endpoint, A Step-by-Step Guide
In today's threat landscape, speed is critical when responding to security incidents. This guide will walk you through automating device isolation in Microsoft Defender for Endpoint (MDE) using Microsoft Sentinel playbooks.
Why Automate Device Isolation?
When ransomware or malware is detected, isolating affected machines quickly can prevent lateral movement and limit damage. By automating this process, you can:
- Reduce response time from hours to seconds
- Ensure consistent response to threats
- Free up security analysts for more complex tasks
Prerequisites
Before getting started, ensure you have:
- Microsoft Sentinel deployed
- Microsoft Defender for Endpoint configured
- Appropriate permissions to create and configure playbooks
Step-by-Step Implementation
1. Create the Isolation Playbook
First, navigate to the Microsoft Sentinel Content Hub and add either:
Isolate-MDEMachine - Alert Triggered
or Isolate-MDEMachine - Incident Triggered
Choose based on whether you want to trigger isolation from alerts or incidents. The Logic App definition and automation rule in the rest of this guide use the incident-triggered version.
2. Configure Permissions
Assign the Microsoft Sentinel Responder role to the playbook's system-assigned managed identity on the resource group of your Sentinel workspace. The playbook reads the incident and writes its comments as that identity, so without the role the comment steps fail even if the isolation itself succeeds.
3. Install Required PowerShell Modules
Open PowerShell as a user who can grant application permissions in the tenant (for example a Global Administrator or Privileged Role Administrator) and run:
Install-Module Microsoft.Graph.Entra -AllowPrerelease -Repository PSGallery -Force
# Request only the Graph scopes needed to read the MDE service principal and create an app role assignment
Connect-Entra -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All' -UseDeviceCode
# Make the AzureAD-style cmdlet names used below resolve to their Entra equivalents
Enable-EntraAzureADAlias
4. Assign MDE Machine Isolation Permissions
Run the following PowerShell commands, replacing the placeholder with the object ID of the Logic App's system-assigned managed identity (shown on the Logic App's Identity blade):
$MIGuid = '<Enter your managed identity guid here>'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
# Well-known application ID of the Microsoft Defender for Endpoint (WindowsDefenderATP) API
$MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
$PermissionName = 'Machine.Isolate'
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
if (-not $MDEServicePrincipal) { throw "MDE service principal $MDEAppId not found in this tenant; is Defender for Endpoint provisioned?" }
# Pick the application (not delegated) app role so it can be granted to a service principal
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
if (-not $AppRole) { throw "App role '$PermissionName' not found on the MDE service principal" }
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
# Confirm the assignment is in place; a new app role can take a few minutes to take effect on API calls
Get-AzureADServiceAppRoleAssignment -ObjectId $MI.ObjectId | Where-Object { $_.ResourceId -eq $MDEServicePrincipal.ObjectId }
5. Configure the Logic App
If you deployed the playbook from the Content Hub in step 1, open that Logic App; otherwise create a new Consumption Logic App, enable its system-assigned managed identity, and paste the JSON below into the code view. Both API connections in the template authenticate as that managed identity, so the same identity must hold the Machine.Isolate app role from step 4 and the Microsoft Sentinel Responder role from step 2. This Logic App will:
- Trigger when a Microsoft Sentinel incident is created
- Extract host entities from the incident
- For each host with a valid MDE device ID (the MdatpDeviceId value in the entity's additionalData):
  - Isolate the machine in MDE with selective isolation (IsolationType "Selective", which leaves Outlook, Teams and Skype for Business reachable; change it to "Full" if the host should lose all network access except its connection to the MDE service)
  - Add a comment to the incident with the isolation status
- For hosts without an MDE device ID:
  - Add a comment noting that isolation wasn't possible
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "Microsoft_Sentinel_incident": {
        "type": "ApiConnectionWebhook",
        "inputs": {
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "body": {
            "callback_url": "@{listCallbackUrl()}"
          },
          "path": "/incident-creation"
        }
      }
    },
    "actions": {
      "Entities_-_Get_Hosts": {
        "runAfter": {},
        "type": "ApiConnection",
        "inputs": {
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "method": "post",
          "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
          "path": "/entities/host"
        }
      },
      "For_each": {
        "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
        "actions": {
          "Condition": {
            "actions": {
              "Actions_-_Isolate_machine": {
                "type": "ApiConnection",
                "inputs": {
                  "host": {
                    "connection": {
                      "name": "@parameters('$connections')['wdatp']['connectionId']"
                    }
                  },
                  "method": "post",
                  "body": {
                    "Comment": "Isolated from playbook for Microsoft Sentinel Incident: @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}",
                    "IsolationType": "Selective"
                  },
                  "path": "/api/machines/@{encodeURIComponent(items('For_each')?['additionalData']?['MdatpDeviceId'])}/isolate"
                }
              },
              "Add_comment_to_incident_(V3)": {
                "runAfter": {
                  "Actions_-_Isolate_machine": [
                    "Succeeded"
                  ]
                },
                "type": "ApiConnection",
                "inputs": {
                  "host": {
                    "connection": {
                      "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                    }
                  },
                  "method": "post",
                  "body": {
                    "incidentArmId": "@triggerBody()?['object']?['id']",
                    "message": "<p>@{items('For_each')?['HostName']} was isolated in MDE and the status was @{body('Actions_-_Isolate_machine')?['status']}</p>"
                  },
                  "path": "/Incidents/Comment"
                }
              }
            },
            "else": {
              "actions": {
                "Add_comment_to_incident_(V3)_2": {
                  "type": "ApiConnection",
                  "inputs": {
                    "host": {
                      "connection": {
                        "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                      }
                    },
                    "method": "post",
                    "body": {
                      "incidentArmId": "@triggerBody()?['object']?['id']",
                      "message": "<p>@{items('For_each')?['HostName']} does not have MDEDeviceID in the Entities list. It was not isolated. </p>"
                    },
                    "path": "/Incidents/Comment"
                  }
                }
              }
            },
            "expression": {
              "and": [
                {
                  "not": {
                    "equals": [
                      "@items('For_each')?['additionalData']?['MdatpDeviceId']",
                      "@null"
                    ]
                  }
                }
              ]
            },
            "type": "If"
          }
        },
        "runAfter": {
          "Entities_-_Get_Hosts": [
            "Succeeded"
          ]
        },
        "type": "Foreach"
      }
    },
    "parameters": {
      "$connections": {
        "type": "Object",
        "defaultValue": {}
      }
    }
  },
  "parameters": {
    "$connections": {
      "type": "Object",
      "value": {
        "azuresentinel": {
          "id": "/subscriptions/<YourSubscriptionId>/providers/Microsoft.Web/locations/<YourLocationId>/managedApis/azuresentinel",
          "connectionId": "/subscriptions/<YourSubscriptionId>/resourceGroups/<YourRGId>/providers/Microsoft.Web/connections/azuresentinel-Isolate-MDEMachine-Incident",
          "connectionName": "azuresentinel-Isolate-MDEMachine-Incident",
          "connectionProperties": {
            "authentication": {
              "type": "ManagedServiceIdentity"
            }
          }
        },
        "wdatp": {
          "id": "/subscriptions/<YourSubscriptionId>/providers/Microsoft.Web/locations/<YourLocationId>/managedApis/wdatp",
          "connectionId": "/subscriptions/<YourSubscriptionId>/resourceGroups/<YourRGId>/providers/Microsoft.Web/connections/wdatp-Isolate-MDEMachine-Incident",
          "connectionName": "wdatp-Isolate-MDEMachine-Incident",
          "connectionProperties": {
            "authentication": {
              "type": "ManagedServiceIdentity"
            }
          }
        }
      }
    }
  }
}
Note: Replace the <YourSubscriptionId>, <YourLocationId> and <YourRGId> placeholders in the ids and connectionIds above with the values for your environment, and confirm after saving that both connections show a managed identity authentication type rather than a signed-in user.
6. Create the Automation Rule
Navigate to Sentinel Automation and create a new automation rule:
- Name: Isolate machines with Incidents for Ransomware or Malware
- Trigger: When incident is created (choose When alert is created only if you deployed the alert-triggered version of the playbook in step 1)
- Conditions: Title Contains ransomware or malware
- Actions: Run playbook, then choose your newly created playbook
- Status: Enabled
Before you save the rule, make sure Microsoft Sentinel has been granted permission to run the playbook (Automation > Manage playbook permissions); otherwise the rule saves but the playbook never runs. Also treat a title match on "ransomware" or "malware" as a coarse condition: a mis-tuned analytics rule or a noisy connector can isolate many hosts at once, so consider adding a severity condition or scoping the rule to specific analytics rules until you trust the results.
Testing Your Automation
To test your setup, run the following on a test device that is onboarded to MDE. This is the standard MDE detection test command: it only pulls a file from localhost and tries to start it, but MDE raises an alert for it.
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'
Note: Run this only on a test device in a controlled environment, because a successful run isolates that device. Check that the title of the resulting incident actually matches the automation rule's condition; if it does not, widen the condition for the test rather than concluding the playbook is broken. Then confirm the incident received the "was isolated in MDE" comment and that the device shows as isolated in the Defender portal.
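Isolation is only useful if you can see what the playbook did and reverse it once the host is cleaned. The following PowerShell is an added example for closing that loop and is not code from the page's playbook or from Microsoft. It assumes the Az.Accounts module and an interactive Connect-AzAccount session (Get-AzAccessToken then returns a token for the MDE API in the signed-in analyst's context), that the analyst holds the "Active remediation actions" permission in MDE, and that $deviceId is the MDE device ID the playbook wrote into the incident comment; the device ID and the comment text are placeholders you supply.

```powershell
# Added example: audit and reverse an automated isolation through the MDE API.
# Assumes Az.Accounts is installed and Connect-AzAccount has already been run.
$MdeApi = 'https://api.securitycenter.microsoft.com'

function Get-MdeHeaders {
    # Token for the MDE API resource from the current Az context
    $token = (Get-AzAccessToken -ResourceUrl $MdeApi).Token
    # Newer Az.Accounts versions return the token as a SecureString; unwrap it (PowerShell 7+)
    if ($token -is [securestring]) { $token = ConvertFrom-SecureString -SecureString $token -AsPlainText }
    return @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
}

function Get-MdeMachineActions {
    param([Parameter(Mandatory)][string]$MachineId)
    # Every response action recorded against this device, newest first
    $uri = "$MdeApi/api/machineactions?`$filter=machineId eq '$MachineId'"
    (Invoke-RestMethod -Method Get -Uri $uri -Headers (Get-MdeHeaders)).value |
        Sort-Object creationDateTimeUtc -Descending
}

function Undo-MdeIsolation {
    param(
        [Parameter(Mandatory)][string]$MachineId,
        [Parameter(Mandatory)][string]$Comment
    )
    # The unisolate endpoint takes the same Comment body as isolate and returns a machine action object
    $body = @{ Comment = $Comment } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "$MdeApi/api/machines/$MachineId/unisolate" -Headers (Get-MdeHeaders) -Body $body
}

# Usage with a placeholder device ID: confirm the playbook's isolation is recorded, then release after the investigation
$deviceId = '<MDE device id from the incident comment>'
Get-MdeMachineActions -MachineId $deviceId |
    Where-Object { $_.type -in 'Isolate', 'Unisolate' } |
    Select-Object type, status, requestor, requestorComment, creationDateTimeUtc

$action = Undo-MdeIsolation -MachineId $deviceId -Comment 'Host remediated under incident <number>; releasing isolation'
"Unisolate action $($action.id) is $($action.status)"
```

The requestor column is the quickest way to tell an automated isolation from a manual one: actions taken by the playbook show the Logic App's managed identity as the requestor and carry the "Isolated from playbook for Microsoft Sentinel Incident" comment from the template. A returned status of Pending is normal; the device reports completion on its next check-in, so re-run Get-MdeMachineActions a minute later rather than assuming the release failed.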
Benefits of This Solution
With this automation in place, your security operations team will benefit from:
- Rapid response: Immediate isolation of compromised machines
- Consistency: Standard response procedures applied every time
- Documentation: Automatic incident comments showing isolation actions
- Focus: Security analysts can concentrate on threat investigation rather than repetitive containment tasks
Conclusion
Automating device isolation for malware and ransomware incidents is a powerful way to enhance your security posture. By implementing this playbook, you're taking a significant step toward more efficient and effective incident response.
Remember to regularly test your automation and adjust conditions as needed to match your organization's security requirements.