Microsoft Defender for Endpoint v1.0.0 Plugin for Risk Exchange
This plugin is used to fetch device data from Assets > Devices and user data from Assets > Devices > Select device > Overview > Logged on users in the Microsoft Defender for Endpoint platform. The plugin supports the Isolate device, Undo isolation, Restrict app execution, Remove app restriction, Run antivirus scan, Offboard device and Collect investigation package actions on devices, and does not support any actions on users.
Netskope normalized score calculation: Risk Level Low = 875, Risk Level Medium = 625, Risk Level High = 375. For the Risk Levels None and Informational the normalized score is left blank.
Prerequisites
To complete this integration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances).
- A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
- Connectivity to Microsoft Defender platform.
- Connectivity to the following hosts:
- https://security.microsoft.com
- https://entra.microsoft.com
CE Version Compatibility
Netskope v5.1.0
Microsoft Defender for Endpoint Plugin Support
This plugin is used to fetch device data from Assets > Devices and user data from Assets > Devices > Select device > Overview > Logged on users in the Microsoft Defender for Endpoint platform. The plugin supports the Isolate device, Undo isolation, Restrict app execution, Remove app restriction, Run antivirus scan, Offboard device and Collect investigation package actions on devices, and does not support any actions on users.
Type of data pulled | Devices, Users (logged-on users per device) |
---|---|
Actions Supported | Devices: Isolate device, Undo isolation, Restrict app execution, Remove app restriction, Run antivirus scan, Offboard device, Collect investigation package. Users: none (No Action only) |
Mappings
Mappings are used to view the pulled Users, Devices, and their respective details. Fields mapped during plugin configuration are visible on the Records page after the data is pulled. Here are the suggested mappings to use while configuring the plugin.
Pull Mapping for Users
Plugin Field Label | Expected Data Type | Suggested Field Label | Aggregate Strategy |
---|---|---|---|
User ID | String | User ID | Unique |
User Name | String | User Name | Overwrite |
User Domain | String | User Domain | Overwrite |
First Seen | Date | First Seen | Overwrite |
Computer Name | Reference | Computer Name | Overwrite |
Pull Mapping for Devices
Plugin Field Label | Expected Data Type | Suggested Field Label | Aggregate Strategy |
---|---|---|---|
Computer Name | String | Computer Name | Unique |
Device ID | String | Device ID | Overwrite |
OS | String | Os Platform | Overwrite |
Last IP Address | String | Last IP Address | Overwrite |
Risk Score | String | Risk Score | Overwrite |
Netskope Normalized Score | Number | Normalized Score | Overwrite |
Note that the Netskope Normalized Score is calculated from the Risk Score value pulled from the platform. The Normalized Score is added to a record only if its Risk Score is low, medium, or high; for any other value (including None and Informational) the field stays blank.
Score Mapping
Defender Risk Score | Netskope Normalized Score |
---|---|
low | 875 |
medium | 625 |
high | 375 |
Other Risk Score Levels (None, Informational) | None |
Permissions
Here are the required permissions needed for the plugin:
- Machine.CollectForensics
- Machine.Isolate
- Machine.RestrictExecution
- Machine.Scan
- Machine.Offboard
- Machine.Read.All
- User.Read.All
API Details
List of APIs Used
API Endpoint | Method | Use Case |
---|---|---|
/api/machines | GET | Fetch devices and Update records |
/api/machines/{deviceID}/isolate | POST | Isolate machine from network. |
/api/machines/{deviceID}/unisolate | POST | Release machine from Isolation. |
/api/machines/{deviceID}/restrictCodeExecution | POST | Restrict application execution. |
/api/machines/{deviceID}/unrestrictCodeExecution | POST | Remove application execution restrictions. |
/api/machines/{deviceID}/runAntiVirusScan | POST | Run an Antivirus scan using Windows Defender. |
/api/machines/{deviceID}/offboard | POST | Offboard machine from Microsoft Defender for Endpoint. |
/api/machines/{deviceID}/collectInvestigationPackage | POST | Collect an investigation package from a machine. |
/api/machines/{deviceID}/logonusers | GET | Fetch device logon users |
Authentication
This plugin uses the following Python library to obtain authentication tokens:
- Library: Microsoft Authentication Library for Python (msal).
- Usage: the client credentials flow (acquire_token_for_client) is used to get an access token for the Microsoft Defender APIs; the token is sent as a Bearer token in the Authorization header of every request.
Create a new session with credentials

```python
import msal

scope = ["https://api.securitycenter.microsoft.com/.default"]
authority = "https://login.microsoftonline.com/{tenantID}"
app = msal.ConfidentialClientApplication(
    client_id={clientID},
    authority=authority,
    client_credential={clientSecret},
    proxies=proxy
)
auth_json = app.acquire_token_for_client(scopes=scope)
auth_token = auth_json.get("access_token", "")
```
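The token acquisition above together with the Permissions list, as an added example that is not part of the plugin's code: before saving the plugin configuration it is worth confirming that the token msal returns actually carries the seven application permissions and was minted for the Defender resource, because a registration whose permissions were added but never admin-consented yields a token with an empty roles claim and every pull then fails with 403. The expected audience value, the 'none'-algorithm sample token and the msal failure handling are assumptions; the claims are read without signature verification, which is fine for a local sanity check only.

```python
import base64
import json

# Application permissions (app roles) the plugin needs, from the Permissions section.
REQUIRED_ROLES = frozenset({
    "Machine.CollectForensics",
    "Machine.Isolate",
    "Machine.RestrictExecution",
    "Machine.Scan",
    "Machine.Offboard",
    "Machine.Read.All",
    "User.Read.All",
})
# Resource the token must be minted for (assumed: the audience behind the
# https://api.securitycenter.microsoft.com/.default scope used above).
EXPECTED_AUDIENCE = "https://api.securitycenter.microsoft.com"


def acquire_token(tenant_id, client_id, client_secret, proxies=None):
    """Client-credentials token via msal, as the plugin does. Not exercised offline."""
    import msal  # imported here so the checks below run without msal installed
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=client_secret,
        proxies=proxies,
    )
    result = app.acquire_token_for_client(scopes=[EXPECTED_AUDIENCE + "/.default"])
    if "access_token" not in result:
        # msal reports failures in the result dict rather than raising
        raise RuntimeError(f"{result.get('error')}: {result.get('error_description')}")
    return result["access_token"]


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Payload claims of a compact JWT, read WITHOUT verifying the signature.
    Use only for local inspection: the Defender API verifies the signature itself."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """App roles granted (and admin-consented) to the registration appear in the
    token's 'roles' claim. Returns the required roles that are absent."""
    granted = set(token_claims(access_token).get("roles", []))
    return set(required) - granted


def audience_ok(access_token, expected=EXPECTED_AUDIENCE):
    """A token for another resource (e.g. Graph) carries a different 'aud'
    and is rejected by the Defender API with 401 even though msal returned it."""
    return token_claims(access_token).get("aud") == expected


def make_unsigned_token(claims):
    """Constructed, unsigned sample token for offline demonstration only;
    real tokens from Entra ID are signed and would never carry alg 'none'."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Sample token: consent was granted for only three of the seven roles.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": EXPECTED_AUDIENCE,
    "roles": ["Machine.Read.All", "User.Read.All", "Machine.Isolate"],
})

if __name__ == "__main__":
    print("audience ok:", audience_ok(SAMPLE_TOKEN))
    print("missing roles:", sorted(missing_roles(SAMPLE_TOKEN)))
```

With a real token, call acquire_token with the three configuration parameters and pass the result to missing_roles; an empty set plus audience_ok returning True means the registration is ready for the plugin, and anything missing points at the API permissions or the Grant admin consent step.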
Fetch Devices and Update Records
API Endpoint: <Base URL>/api/machines
Method: GET
Headers
Key | Value |
---|---|
Authorization | Bearer <auth_token> |
Content-Type | application/json |
Accept | */* |
Parameters
Key | Value |
---|---|
$top | 1 |
$skip | 1 |
Sample API Response
```json
{
  "@odata.context": "https://api.security.microsoft.com/api/$metadata#Machines",
  "value": [
    {
      "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
      "computerDnsName": "mymachine1.contoso.com",
      "firstSeen": "2018-08-02T14:55:03.7791856Z",
      "lastSeen": "2018-08-02T14:55:03.7791856Z",
      "osPlatform": "Windows10",
      "version": "1709",
      "osProcessor": "x64",
      "lastIpAddress": "172.17.230.209",
      "lastExternalIpAddress": "167.220.196.71",
      "osBuild": 18209,
      "healthStatus": "Active",
      "rbacGroupId": 140,
      "rbacGroupName": "The-A-Team",
      "riskScore": "Low",
      "exposureLevel": "Medium",
      "isAadJoined": true,
      "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
      "machineTags": [ "test tag 1", "test tag 2" ]
    }
    ...
  ]
}
```
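The device pull and the Score Mapping, as an added example that is not the plugin's own code: it walks GET /api/machines with the $top and $skip parameters shown above until a short page comes back, keeps only rows that carry the two required mapping fields (id and computerDnsName), maps each machine onto the suggested Device fields, and derives the Normalized Score from riskScore. The base URL, the stop condition (which assumes the page size is not larger than the API allows), the 403 handling and the sample inventory are assumptions; the live fetcher is not exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.securitycenter.microsoft.com"  # assumed <Base URL>

# Defender risk score -> Netskope normalized score, from the Score Mapping table.
NORMALIZED_SCORE = {"low": 875, "medium": 625, "high": 375}


def normalize_risk_score(risk_score):
    """875/625/375 for Low/Medium/High (case-insensitive); None for
    None/Informational/missing, so the Normalized Score field stays blank."""
    if not risk_score:
        return None
    return NORMALIZED_SCORE.get(str(risk_score).strip().lower())


def to_device_record(machine):
    """Map one /api/machines item onto the suggested Device entity fields."""
    return {
        "Computer Name": machine["computerDnsName"],
        "Device ID": machine["id"],
        "Os Platform": machine.get("osPlatform"),
        "Last IP Address": machine.get("lastIpAddress"),
        "Risk Score": machine.get("riskScore"),
        "Normalized Score": normalize_risk_score(machine.get("riskScore")),
    }


def fetch_all_devices(get_page, page_size=100):
    """Walk GET /api/machines with $top/$skip until a short or empty page.
    get_page(params) must return the decoded JSON body of one page."""
    records, seen, skip = [], set(), 0
    while True:
        machines = get_page({"$top": page_size, "$skip": skip}).get("value", [])
        for m in machines:
            # 'id' and 'computerDnsName' are the required mapping fields; drop
            # rows missing either, and duplicates that paging may hand back twice.
            if not m.get("id") or not m.get("computerDnsName") or m["id"] in seen:
                continue
            seen.add(m["id"])
            records.append(to_device_record(m))
        if len(machines) < page_size:
            return records
        skip += page_size


def live_page_getter(access_token, base_url=BASE_URL):
    """Real HTTP page fetcher (not exercised offline). Raises PermissionError on 403
    so a missing Machine.Read.All grant is reported instead of an empty pull."""
    def get_page(params):
        url = f"{base_url}/api/machines?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
        })
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as e:
            if e.code == 403:
                raise PermissionError(
                    "403 from /api/machines: check Machine.Read.All and admin consent") from e
            raise
    return get_page


# Constructed sample inventory (only the fields the plugin maps); not real devices.
SAMPLE_MACHINES = [
    {"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com",
     "osPlatform": "Windows10", "lastIpAddress": "172.17.230.209", "riskScore": "Low"},
    {"id": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378", "computerDnsName": "desktop-test",
     "osPlatform": "Windows11", "lastIpAddress": "10.1.2.3", "riskScore": "High"},
    {"id": "a1" * 20, "computerDnsName": "build01.contoso.com",
     "osPlatform": "Linux", "lastIpAddress": "10.1.2.4", "riskScore": "Informational"},
    {"id": "b2" * 20, "computerDnsName": "",  # no DNS name: cannot be mapped, dropped
     "osPlatform": "macOS", "lastIpAddress": "10.1.2.5", "riskScore": "Medium"},
]


def sample_page_getter(params):
    """Offline stand-in for live_page_getter that serves SAMPLE_MACHINES in pages."""
    start = params["$skip"]
    return {"value": SAMPLE_MACHINES[start:start + params["$top"]]}


if __name__ == "__main__":
    for rec in fetch_all_devices(sample_page_getter, page_size=2):
        print(rec)
```

Swap sample_page_getter for live_page_getter(auth_token) to run against a tenant; the rest of the pipeline is unchanged, which is also the easiest way to reproduce the "no devices pulled" cases in the Troubleshooting section (a 403 surfaces as PermissionError, an empty tenant as an empty list, and an unmapped id or computerDnsName as a silently dropped row).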
Isolate a Machine
API Endpoint: <Base URL>/api/machines/{deviceID}/isolate
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <auth_token> |
Content-Type | application/json |
Accept | */* |
Body
```json
{
  "Comment": "Comment to associate with the action",
  "IsolationType": "Full"
}
```

IsolationType is either "Full" or "Selective".
Sample API Response (Status Code: 201)
```json
{
  "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
  "type": "Isolate",
  "scope": "Selective",
  "requestor": "Analyst@TestPrd.onmicrosoft.com",
  "requestorComment": "test for docs",
  "status": "Succeeded",
  "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
  "computerDnsName": "desktop-test",
  "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
  "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
  "relatedFileInfo": null
}
```
Release a Machine from Isolation
API Endpoint: <Base URL>/api/machines/{deviceID}/unisolate
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <auth_token> |
Content-Type | application/json |
Accept | */* |
Body
```json
{
  "Comment": "Comment to associate with the action"
}
```
Sample API Response (Status Code: 201)
```json
{
  "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
  "type": "Unisolate",
  "scope": "Selective",
  "requestor": "Analyst@TestPrd.onmicrosoft.com",
  "requestorComment": "test for docs",
  "status": "Succeeded",
  "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
  "computerDnsName": "desktop-test",
  "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
  "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
  "relatedFileInfo": null
}
```
Restrict an App Execution
API Endpoint: <Base URL>/api/machines/{deviceID}/restrictCodeExecution
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <auth_token> |
Content-Type | application/json |
Accept | */* |
Body
```json
{
  "Comment": "Comment to associate with the action"
}
```
Sample API Response (Status Code: 201)
```json
{
  "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
  "type": "RestrictCodeExecution",
  "requestor": "Analyst@TestPrd.onmicrosoft.com",
  "requestorComment": "test for docs",
  "status": "Succeeded",
  "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
  "computerDnsName": "desktop-test",
  "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
  "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
  "relatedFileInfo": null
}
```
Remove an App Restriction
API Endpoint: <Base URL>/api/machines/{deviceID}/unrestrictCodeExecution
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <auth_token> |
Content-Type | application/json |
Accept | */* |
Body
```json
{
  "Comment": "Comment to associate with the action"
}
```
Sample API Response (Status Code: 201)
```json
{
  "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
  "type": "UnrestrictCodeExecution",
  "requestor": "Analyst@TestPrd.onmicrosoft.com",
  "requestorComment": "test for docs",
  "status": "Succeeded",
  "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
  "computerDnsName": "desktop-test",
  "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
  "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
  "relatedFileInfo": null
}
```
Run an Antivirus Scan
API Endpoint: <Base URL>/api/machines/{deviceID}/runAntiVirusScan
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <auth_token> |
Content-Type | application/json |
Accept | */* |
Body
```json
{
  "Comment": "Comment to associate with the action",
  "ScanType": "Quick"
}
```

ScanType is either "Full" or "Quick".
Sample API Response (Status Code: 201)
```json
{
  "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
  "type": "RunAntiVirusScan",
  "scope": "Quick",
  "requestor": "Analyst@TestPrd.onmicrosoft.com",
  "requestorComment": "test for docs",
  "status": "Succeeded",
  "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
  "computerDnsName": "desktop-test",
  "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
  "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
  "relatedFileInfo": null
}
```
Offboard a Machine
API Endpoint: <Base URL>/api/machines/{deviceID}/offboard
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <auth_token> |
Content-Type | application/json |
Accept | */* |
Body
```json
{
  "Comment": "Comment to associate with the action"
}
```
Sample API Response (Status Code: 201)
```json
{
  "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
  "type": "Offboard",
  "requestor": "Analyst@TestPrd.onmicrosoft.com",
  "requestorComment": "test for docs",
  "status": "Succeeded",
  "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
  "computerDnsName": "desktop-test",
  "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
  "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
  "relatedFileInfo": null
}
```
Collect an Investigation Package
API Endpoint: <Base URL>/api/machines/{deviceID}/collectInvestigationPackage
Method: POST
Headers
Key | Value |
---|---|
Authorization | Bearer <auth_token> |
Content-Type | application/json |
Accept | */* |
Body
```json
{
  "Comment": "Comment to associate with the action"
}
```
Sample API Response (Status Code: 201)
```json
{
  "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
  "type": "CollectInvestigationPackage",
  "requestor": "Analyst@TestPrd.onmicrosoft.com",
  "requestorComment": "test for docs",
  "status": "Succeeded",
  "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
  "computerDnsName": "desktop-test",
  "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
  "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
  "relatedFileInfo": null
}
```
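The seven response actions above share one request shape (POST to /api/machines/{deviceID}/<action> with a Comment, plus IsolationType or ScanType for the two parameterised ones), so the following added example, which is not the plugin's own code, builds and validates that request for any of them, resolves a Computer DNS Name to the machine id the URL needs, refuses to queue a second isolation request while one is still running (the failure mode the Troubleshooting section describes), and classifies the 201 reply. The base URL, the 40-hex-character shape of machine ids, the headers and the in-progress status names (Pending, InProgress) are assumptions; the page itself only shows status "Succeeded".

```python
import re

BASE_URL = "https://api.securitycenter.microsoft.com"  # assumed <Base URL>

# Action label as shown in the Actions dropdown -> (URL suffix, parameter -> allowed values)
ACTIONS = {
    "Isolate device": ("isolate", {"IsolationType": ("Full", "Selective")}),
    "Undo isolation": ("unisolate", {}),
    "Restrict app execution": ("restrictCodeExecution", {}),
    "Remove app restriction": ("unrestrictCodeExecution", {}),
    "Run antivirus scan": ("runAntiVirusScan", {"ScanType": ("Full", "Quick")}),
    "Offboard device": ("offboard", {}),
    "Collect investigation package": ("collectInvestigationPackage", {}),
}
# Shape of the machine ids in the sample responses (assumed stable: 40 hex chars).
DEVICE_ID_RE = re.compile(r"^[0-9a-f]{40}$")
# Action states that mean "still running" (assumed names; the page only shows 'Succeeded').
IN_PROGRESS = {"Pending", "InProgress"}


def resolve_device_id(device_records, device_id_or_name):
    """The action URL takes the Defender machine id. When the action parameter is a
    Computer DNS Name, look it up in the pulled Device records first."""
    if DEVICE_ID_RE.match(device_id_or_name):
        return device_id_or_name
    for rec in device_records:
        if rec["Computer Name"].lower() == device_id_or_name.lower():
            return rec["Device ID"]
    raise LookupError(f"no pulled device named {device_id_or_name!r}")


def action_param_errors(action, device_id, comment, params):
    """Validate an action before sending it; returns a list of problems (empty = OK)."""
    if action not in ACTIONS:
        return [f"unsupported action {action!r}"]
    errors = []
    if not DEVICE_ID_RE.match(device_id or ""):
        errors.append("device id must be the Defender machine id, not a DNS name")
    if not (comment or "").strip():
        errors.append("Comment is required (it appears as requestorComment in the Action Center)")
    _, allowed = ACTIONS[action]
    for name in sorted(set(params) - set(allowed)):
        errors.append(f"{action!r} does not take parameter {name!r}")
    for name, values in allowed.items():
        if params.get(name) not in values:
            errors.append(f"{name} must be one of {values}, got {params.get(name)!r}")
    return errors


def build_action_request(action, device_id, comment, base_url=BASE_URL, **params):
    """Return the POST the plugin would issue (method, url, headers, JSON body)."""
    errors = action_param_errors(action, device_id, comment, params)
    if errors:
        raise ValueError("; ".join(errors))
    path, allowed = ACTIONS[action]
    body = {"Comment": comment, **{k: params[k] for k in allowed}}
    return {
        "method": "POST",
        "url": f"{base_url}/api/machines/{device_id}/{path}",
        "headers": {"Content-Type": "application/json", "Accept": "*/*"},
        "body": body,
    }


def isolation_action_in_flight(recent_actions, device_id):
    """True if an Isolate/Unisolate action on this device has not finished yet.
    Per the Troubleshooting section a new isolation request then fails, so wait
    (or check the Action Center) instead of retrying."""
    return any(
        a.get("machineId") == device_id
        and a.get("type") in ("Isolate", "Unisolate")
        and a.get("status") in IN_PROGRESS
        for a in recent_actions
    )


def interpret_action_response(status_code, payload):
    """Classify the reply as ('done'|'queued'|'failed'|'rejected', detail)."""
    if status_code == 403:
        return ("rejected", "missing application permission for this action")
    if status_code != 201:
        return ("rejected", f"HTTP {status_code}")
    status = payload.get("status")
    if status == "Succeeded":
        return ("done", payload.get("id"))
    if status in IN_PROGRESS:
        return ("queued", payload.get("id"))
    return ("failed", status)
```

The returned machine action id (the "id" in each 201 response) is what to keep in the action log: it is the handle the Action Center shows, and a "queued" result means the device had not yet picked up the request (sleeping, hibernating or offline, as the note at the end of the Troubleshooting section says).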
Fetch Devices Logon Users
API Endpoint: <Base URL>/api/machines/{deviceID}/logonusers
Method: GET
Headers
Key | Value |
---|---|
Authorization | Bearer <auth_token> |
Content-Type | application/json |
Accept | */* |
Sample API Response
```json
{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
  "value": [
    {
      "id": "contoso\\user1",
      "accountName": "user1",
      "accountDomain": "contoso",
      "firstSeen": "2019-12-18T08:02:54Z",
      "lastSeen": "2020-01-06T08:01:48Z",
      "logonTypes": "Interactive",
      "isDomainAdmin": true,
      "isOnlyNetworkUser": false
    },
    ...
  ]
}
```
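The user pull, as an added example that is not the plugin's own code: users are fetched per device from /api/machines/{deviceID}/logonusers, mapped onto the suggested User fields, and their Computer Name set to the pulled device they were seen on, which is the reference the Users entity must carry. Because User ID is the unique key with Overwrite aggregation, a user seen on several devices ends up as one record; this example keeps the device with the latest lastSeen, which is a design choice and an assumption (as is comparing the API's UTC timestamps as strings). The sample devices and logon-user replies are constructed.

```python
# Constructed Device records as produced by the device pull; not real hosts.
SAMPLE_DEVICES = [
    {"Computer Name": "mymachine1.contoso.com", "Device ID": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"},
    {"Computer Name": "desktop-test", "Device ID": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378"},
]

# Constructed per-device replies mimicking GET /api/machines/{id}/logonusers.
SAMPLE_LOGON_USERS = {
    "1e5bc9d7e413ddd7902c2932e418702b84d0cc07": {"value": [
        {"id": "contoso\\user1", "accountName": "user1", "accountDomain": "contoso",
         "firstSeen": "2019-12-18T08:02:54Z", "lastSeen": "2020-01-06T08:01:48Z",
         "logonTypes": "Interactive", "isDomainAdmin": True, "isOnlyNetworkUser": False},
    ]},
    "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378": {"value": [
        {"id": "contoso\\user1", "accountName": "user1", "accountDomain": "contoso",
         "firstSeen": "2020-02-01T09:00:00Z", "lastSeen": "2020-02-03T10:30:00Z",
         "logonTypes": "RemoteInteractive", "isDomainAdmin": True, "isOnlyNetworkUser": False},
        {"id": "localadmin", "accountName": "localadmin",  # local account: no domain prefix
         "firstSeen": "2020-01-20T07:00:00Z", "lastSeen": "2020-01-21T07:00:00Z",
         "logonTypes": "Interactive", "isDomainAdmin": False, "isOnlyNetworkUser": False},
    ]},
}


def sample_logon_users_getter(device_id):
    """Offline stand-in for the HTTP call; a device with no logon users returns an empty list."""
    return SAMPLE_LOGON_USERS.get(device_id, {"value": []})


def parse_logon_user_id(user_id):
    """'contoso\\\\user1' -> ('contoso', 'user1'); a local account has no domain part."""
    domain, sep, account = user_id.rpartition("\\")
    return (domain if sep else None, account)


def to_user_record(user, computer_name):
    """Map one logonusers item onto the suggested User entity fields."""
    domain, account = parse_logon_user_id(user["id"])
    return {
        "User ID": user["id"],
        "User Name": user.get("accountName") or account,
        "User Domain": user.get("accountDomain") or domain,
        "First Seen": user.get("firstSeen"),
        "Computer Name": computer_name,  # reference into the Device entity
    }


def pull_logon_users(device_records, get_logon_users):
    """Fetch logon users for every pulled device and build User records.
    User ID is the unique key, so a user seen on several devices is kept once,
    referencing the device with the latest lastSeen (assumption: the API's UTC
    timestamps share one format, so string order is time order)."""
    by_user = {}
    for dev in device_records:
        for u in get_logon_users(dev["Device ID"]).get("value", []):
            if not u.get("id"):
                continue  # 'id' is the required mapping field
            rec = to_user_record(u, dev["Computer Name"])
            last_seen = u.get("lastSeen", "")
            prev = by_user.get(rec["User ID"])
            if prev is None or last_seen > prev[0]:
                by_user[rec["User ID"]] = (last_seen, rec)
    return [rec for _, rec in by_user.values()]


if __name__ == "__main__":
    for rec in pull_logon_users(SAMPLE_DEVICES, sample_logon_users_getter):
        print(rec)
```

Note that the user pull is one request per device, which is why the Performance Matrix below reports a longer time for users than for devices on the same 500K record count; an empty user pull with a non-empty device pull therefore points at the per-device call (permissions or mapping of the id field) rather than at the device inventory.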
Performance Matrix
The performance readings below were taken on a Large CE stack with the VM specification listed, pulling 500K Device records and 500K User records from the Microsoft Defender for Endpoint plugin.
Measurement | Value |
---|---|
Stack details | Size: Large; RAM: 32 GB; CPU: 16 cores |
Time taken to store the pulled and updated Device records | ~30 mins |
Time taken to store the pulled User records | ~40 mins |
User Agent
netskope-ce-5.1.0-cre-microsoft-defender-for-endpoint-1.0.0
Workflow
- Get your Tenant ID, Application (Client) ID, and Client Secret.
- Add Permissions to the Configuration Parameter.
- Configure the Microsoft Defender for Endpoint plugin
- Add a Business Rule.
- Add Actions.
- Validate the Microsoft Defender for Endpoint plugin.
Get your Tenant ID and Application (Client) ID
- Go to https://entra.microsoft.com/ and log in with your credentials.
- Expand Applications on the left side and click App registrations.
- Click New Registration.
- Provide the name for the application and click Register.
- Copy the Application (client) ID, which is the Client (Application) ID in Netskope, and the Directory (tenant) ID, which is the Tenant ID in Netskope. Then click Certificates & secrets.
- Click New client secret. Add a description and click Save.
- Copy the value; it is the Client Secret needed for plugin configuration.
Add Permissions to the Configuration Parameter
- Click API permissions.
- Click Add a permission.
- Click APIs my organization uses, and then click WindowsDefenderATP.
- Click Application permissions.
- Select these permissions, and then click Add permission.
- Machine.CollectForensics
- Machine.Isolate
- Machine.RestrictExecution
- Machine.Scan
- Machine.Offboard
- Machine.Read.All
- User.Read.All
- Click Grant admin consent for <your tenant> (Contoso in the example). Without admin consent the application permissions are not included in the token, and every plugin request fails with 403.
- Click Yes.
Configure the Microsoft Defender for Endpoint Plugin
- Log in to Cloud Exchange and go to Settings > Plugins. Search for and select the Microsoft Defender for Endpoint 1.0.0 (CRE) plugin box.
- Enter the Basic Information:
- Configuration Name: Enter a plugin configuration name.
- Sync Interval: Change the sync interval if needed.
- Click Next. Enter the Configuration Parameters:
- Client (Application) ID: The Application ID for Microsoft Defender.
- Client Secret: The Secret value of Client (Application) ID for Microsoft Defender.
- Tenant ID: The Tenant ID of your Microsoft Account.
- Click Next. Go to the Devices tab in Entity Sources. Select the Entity from the Entity dropdown, and provide the field mappings per your requirements:
- The Computer Name field is required to pull devices and to perform actions on them.
- The Computer Name field in the Users entity should reference the Computer Name field from the Device entity.
- Go to the Users tab in Entity Sources. Select the Entity from the Entity dropdown, and provide the field mapping per your requirements:
- The User ID field is required to pull users.
- The Computer Name field in the Users entity should reference the Computer Name field from the Device entity.
- Click Save.
Add a Risk Exchange Business Rule for Microsoft Defender for Endpoint
- In Risk Exchange go to Business Rules.
- Click Create New Rule in the top right corner.
- Enter the Rule Name. Select the Entity for the Fields that were configured for the Microsoft Defender for Endpoint plugin, and configure the query based on your requirements. This example fetches all the devices fetched from the Microsoft Defender for Endpoint plugin.
- Click Save.
Add Risk Exchange Actions for Microsoft Defender for Endpoint
The Microsoft Defender for Endpoint plugin supports the following actions for Devices:
Action | Description | Permission | Comments |
---|---|---|---|
Isolate machine / Unisolate | Isolates a device from accessing an external network / Releases a machine from isolation. Requirements: Machine ID, IsolationType | Machine.Isolate | Selective isolation for – Full isolation is available in public preview for all supported Microsoft Defender for Endpoint on Linux listed in System requirements |
Restrict app execution / Remove app restriction | Restricts execution of all applications on the device except a predefined set / Enables execution of any application on the device. Requirements: Machine ID | Machine.RestrictExecution | Only – Prerequisites: available if the organization uses Microsoft Defender Antivirus |
Run antivirus scan | Initiates a Microsoft Defender Antivirus scan on a device. Requirements: Machine ID, ScanType (Quick or Full) | Machine.Scan | Windows devices |
Offboard a Machine | Offboards the device from Defender for Endpoint. Requirements: Machine ID | Machine.Offboard | Supported on – Not supported on macOS or Linux devices |
Collect investigation package | Collects an investigation package from a device. Requirements: Machine ID | Machine.CollectForensics | Available for |
The Microsoft Defender for Endpoint plugin supports following actions for Users:
- “No Action” will not perform any action on Users.
To configure these actions, follow these steps.
Note:
- Users will be able to perform action on the fields mapped with the fields of Microsoft Defender for Endpoint plugin.
- If only No Action is supported for a plugin, Validation will not show the alerts generated on the CTO module.
Isolate a Machine
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule and a Configuration (your plugin).
- From the Actions dropdown, select Isolate device.
- For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
- For Isolation Type, select the options accordingly.
- For Comment, add a description.
- Enable the Require Approval toggle if approval is needed before the action is performed on the devices.
- Click Save.
Undo Isolation
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule and a Configuration (your plugin).
- From the Actions dropdown, select Undo isolation.
- For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
- For Comment, add a description.
- Enable the Require Approval toggle if approval is needed before the action is performed on the devices.
- Click Save.
Restrict App Execution
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule and a Configuration (your plugin).
- From the Actions dropdown, select Restrict App Execution.
- For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
- For Comment, add a description.
- Enable the Require Approval toggle if approval is needed before the action is performed on the devices.
- Click Save.
Run Antivirus Scan
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule and a Configuration (your plugin).
- From the Actions dropdown, select Run antivirus scan.
- For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
- For Scan Type, select the options accordingly.
- For Comment, add a description.
- Enable the Require Approval toggle if approval is needed before the action is performed on the devices.
- Click Save.
Offboard a Device
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule and a Configuration (your plugin).
- From the Actions dropdown, select Offboard device.
- For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
- For Comment, add a description.
- Enable the Require Approval toggle if approval is needed before the action is performed on the devices. Offboarding is not reversible from Cloud Exchange, so approval is advisable for this action.
- Click Save.
Remove App Restriction
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule and a Configuration (your plugin).
- From the Actions dropdown, select Remove app restriction.
- For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
- For Comment, add a description.
- Enable the Require Approval toggle if approval is needed before the action is performed on the devices.
- Click Save.
Collect Investigation Package
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule and a Configuration (your plugin).
- From the Actions dropdown, select Collect investigation package.
- For the Action Parameters, select the option for Device ID or Computer DNS Name, if users need to filter out devices using business rules or provide a static value.
- For Comment, add a description.
- Enable the Require Approval toggle if approval is needed before the action is performed on the devices.
- Click Save.
Validate the Microsoft Defender for Endpoint Plugin
Validate on CE
To validate the pull in CE, follow these steps:
- Go to Risk Exchange and click Records. Select the Entity that was selected while configuring the field mappings for Devices to view the pulled Devices.
- Select the Entity that was selected while configuring the field mapping for Users to view the pulled Users.
- Go to Logging and search for the logs of the plugin.
Example: Message Contains CRE Microsoft Defender for Endpoint.
- Verify the Restrict app execution action was performed for a device.
- Verify the Isolate device action was performed for a device.
- Verify the Remove app restriction action was performed for a device.
- Verify the Run antivirus scan action was performed for a device.
- Verify the Offboard device action was performed for a device.
- Verify the Collect investigation package action was performed for a device.
- Verify the Undo isolation action was performed for a device.
Validation on Microsoft Defender for Endpoint
The Devices are pulled from the Assets > Devices page from the Defender platform.
The Users are pulled from the Assets > Devices > Select device > Overview > Logged on users page from the Defender platform. To verify the action performed on the devices, click on the dotted icon and go to Action Center.
Here is the log for the Collect Investigation Package, Run Antivirus Scan, and Undo Isolation actions on Defender.
Here is the log for the Restrict App Execution and Remove App Restriction actions.
Here is the log for the Device Isolation action.
Troubleshooting
Unable to configure the CRE Microsoft Defender for Endpoint plugin.
If you are unable to configure the CRE Microsoft Defender for Endpoint plugin, it could be due to one of these reasons:
- Provided Incorrect credentials.
- Provided credentials don’t have sufficient permissions.
To resolve the above mentioned issues, follow these steps:
- To get the credentials, follow the steps in Get your Tenant ID and Application (Client) ID.
- To grant the required permissions to the configuration parameter, follow the steps in Add Permissions to the Configuration Parameter, including the Grant admin consent step.
Unable to pull Devices
If you are unable to pull Devices from the CRE Microsoft Defender for Endpoint plugin, it could be due to one of these reasons:
- No Devices present on the Defender platform.
- An error is received while pulling Devices from the platform.
- Mapping is not added while configuring the plugin in the entity source page.
To resolve these issues, follow these steps:
- Receiving 403 error: The plugin configuration parameter does not have sufficient permissions or the credentials no longer exist. Verify the permissions.
- If there is no error in the logs, it might be the case that the Devices are not available on the Platform to pull. Check if the Device is available on Defender and confirm the same.
- Make sure that the mapping is added and the “id”, and “computerDnsName” field is mapped while configuring the plugin.
Unable to pull Users
If you are unable to pull Users from the CRE Microsoft Defender for Endpoint plugin, it could be due to one of these reasons:
- No Users present on the Defender platform.
- An error is received while pulling Users from the platform.
- Mapping is not added while configuring the plugin in the entity source page.
To resolve these issues, follow these steps:
- Receiving 403 error: The plugin configuration parameter does not have sufficient permissions or the credentials no longer exist. Verify the permission.
- If there is no error in the logs, it might be the case that the Users are not available on the Platform to pull. Check if the Users are available on Defender and confirm the same.
- Make sure that the mapping is added and the “id” field is mapped while configuring the plugin.
Unable to view Devices details on the Record
If you are unable to view Devices details on the record table, it could be due to one of these reasons.
- Mapping for all the Defender fields for devices is not provided while configuring the CRE Defender plugin.
- Pulled Devices are displayed in a row with comma separated values.
To resolve these issues, follow these steps:
- Make sure to provide the needed mapping while configuring the plugin.
- Make sure that the fields created in an entity are according to the Mapping.
Unable to view Users details on the Record
If you are unable to view Users details on the record table, it could be due to one of these reasons:
- Mapping for all the Defender fields for users is not provided while configuring the CRE Defender plugin.
- Pulled Users are displayed in a row with comma-separated values.
To resolve these issues, follow these steps:
- Make sure to provide the needed mapping while configuring the plugin.
- Make sure that the fields created in an entity are according to the Mapping.
Unable to perform action on the Devices
If you are unable to perform action on the Devices, it could be due to one of these reasons:
- Insufficient permission was provided for the action.
- Receiving error while performing an action.
- Require Approval toggle button is enabled while configuring the Action, and the request is not approved.
- Error received while performing the Isolate device action.
- Error received while performing the Undo isolation action.
To resolve these issues, follow these steps:
- Insufficient permission was provided for the action. Verify the permission is provided.
- Go to the Action Logs page, select the logs that you want to approve the requests for and click on the approve icon, or disable the Require Approval toggle button from the configured action and perform the action again.
- If error is received while performing the Isolate device action, make sure any other action related to device isolation is not in progress.
- If error is received while performing the Undo isolation action, make sure any action related to device isolation or unisolation is not in progress.
Note that in order to perform the action successfully on Defender, make sure the device on which the action is to be performed is not in sleep/hibernate mode, and is connected to the internet.