Configure Simple Response for Microsoft Defender for Endpoint: Isolate Host
Configure a Microsoft Defender for Endpoint: Isolate Host simple response to automatically isolate the endpoint of a user who is the victim of an incident.
Typical use cases for this response include:
- Preventing a compromised laptop or server from further compromising your network
- Allowing your security team to review endpoint detection and response (EDR) findings before response
Complete the following steps to successfully configure this simple response:
- (Optional) Create an exclusion list
- Choose the response
- Connect to Microsoft Azure AD
- (Optional) Apply exclusions
- Choose when to respond
(Optional) Create an exclusion list
If you want your automation to exclude specific hosts, the hosts must be defined in one or more exclusion lists. For example, you can create a list of computers for your security team to prevent them from being locked out. During the simple response creation process, a step is available to apply exclusion lists to your automation. If a list you want to apply does not exist already, use the instructions in Exclusions to create it now.
Choose the response
In the Alert Logic console, click the navigation menu icon, click Respond, click Automated Response, and then click Simple Responses. Click the add icon, and then, under Microsoft Defender for Endpoint: Isolate Host, click START.
Connect to Microsoft Azure AD
This response requires a Microsoft Azure connection that grants Alert Logic access to Microsoft Defender for Endpoint. In the Connect step, name your response and connect to Azure as follows.
To connect to Azure AD:
- In Response Name, enter a descriptive name for your simple response (example: "Isolate Compromised Host").
- If you already have a connection to Microsoft Azure, leave Use an existing connection selected, and then select the connection in Connection. You can use the search bar to help you find the connection.
- If you do not have a Microsoft Azure connection, click Create a connection, and then complete the instructions in Create a Microsoft Azure connection to set it up.
- In Response Comment, enter the reason for isolating the host. "Alert Logic Response" is the default comment.
- In Expiration in Seconds, enter the number of seconds before you want Alert Logic to release the host from isolation, or keep the default value of 0 if you do not want the response to expire.
- Click TEST to perform a dry run that checks the configuration without performing the response. After a few moments, results appear in a message.
- If the result is Succeeded, continue to the next step in this procedure.
- If the result is Failed, use the listed errors to assist with troubleshooting. If necessary, you can click Edit connection above Microsoft Azure Connection, and then use the information in Create a Microsoft Azure connection to check and fix the connection. For further assistance with troubleshooting, see Troubleshooting tips.
- If you want the simple response to be active, leave Response is active turned on. Turn it off if you want to save the configuration but not activate the response yet.
- Click NEXT to continue to the (Optional) Apply exclusions step.
Create a Microsoft Azure connection
A Microsoft Azure connection securely stores reusable authentication credential information for integrations with Microsoft Azure. To create the connection, Alert Logic requires the following information from the Azure AD console:
- Directory (Tenant) ID—Identifies your account in Azure
- Application (Client) ID—Identifies the specific app registration that you create in Azure for Alert Logic
- Client Secret Value—Allows Alert Logic to access the app registration
Alert Logic provides the following steps to help you get the information. For further questions about the steps performed in the Azure console, or if your interface looks different, contact Microsoft Azure support.
- Create an app registration in Azure
- Grant permission to access Microsoft Defender for Endpoint
- Create a client secret in Azure
- Create the connection in the Alert Logic console
Create an app registration in Azure
Create an app registration in Azure AD to hold the permissions and credentials granted to Alert Logic.
To create an app registration:
- Log into the Azure AD console.
- On the left panel of the Azure AD console, under Manage, click App registrations.
- Click + New registration.
- Enter a name for your connection to Alert Logic automated response. Leave the other items as is.
- Click Register.
- Copy the Application (client) ID to a text editor for later.
- Copy the Directory (tenant) ID to a text editor for later.
Grant permission to access Microsoft Defender for Endpoint
The next step in the Azure AD console is to grant Alert Logic permissions to access Microsoft Defender for Endpoint.
To grant permissions to access Microsoft Defender for Endpoint:
- On the left panel of the app registration for your new app, under Manage, click API permissions.
- Click + Add a permission.
- On the Request API permissions page, select APIs my organization uses.
- In the text box, type "WindowsDefenderATP", and then select WindowsDefenderATP.
- On the Request API permissions page, in response to the question about the type of permissions your application requires, click Application permissions.
- In the list, select the following permissions:
  - Click User to see permissions in this category, and then select User.Read.All.
  - Click Machine to see permissions in this category, and then select Machine.Isolate and Machine.ReadWrite.All.
- Click Add permissions.
- From the page listing active permissions, click Grant admin consent to, next to Add a permission.
- Click Yes to confirm.
The status of the User.Read.All permission, Machine.Isolate permission, and Machine.ReadWrite.All permission becomes "Granted", and a green check mark icon appears next to the granted permissions.
Create a client secret in Azure
The last step in the Azure AD console is to create a client secret.
To create a client secret:
- On the left panel of the app registration for your new app, under Manage, click Certificates & secrets.
- Select Client secrets if it is not active.
- Click + New client secret.
- Enter a description (example: Alert Logic Automated Response).
- Select an expiration, and note the expiration date for future renewal.
- Click Add.
- Copy the Value to a text editor for later.
Create the connection in the Alert Logic console
Next, go back to the Create a Simple Response page to enter information in the Connect step that grants Alert Logic access to Microsoft Defender for Endpoint.
To create the Microsoft Azure connection in the Alert Logic console:
- In Connection Name, type a descriptive name for the connection—for example, "Microsoft Azure Connection".
- In Directory (Tenant) ID, paste the Directory (tenant) ID that you noted in Create an app registration in Azure.
- In Application (Client) ID, paste the Application (client) ID that you noted in Create an app registration in Azure.
- In Client Secret Value, paste the Value for the client secret that you noted in Create a client secret in Azure.
- Click SAVE.
(Optional) Apply exclusions
If you want to exclude hosts from the response, in Exclusion List(s), select one or more lists that define the exclusions. You can create exclusion lists from the Exclusions page if necessary, and then come back. For more information, see Exclusions.
After you choose one or more lists, or if you want to skip this step, click NEXT.
Choose when to respond
In the last step, choose whether to request approval before Alert Logic runs the response each time. Alert Logic sends the request by email and the Alert Logic Mobile App. You can request approval from multiple users, such as members of your security team. The first user to answer determines whether the response is approved or rejected. Subsequent users who respond receive a message stating that the inquiry was responded to already.
In this step you also choose the incident analytics that you want to trigger the response. You can respond to incidents generated from all analytics that Alert Logic recommends as triggers, or you can choose specific analytics.
To choose when to respond:
- If you do not want to require approval, click Do not require approval.
- If you want to require approval, click Send approval request, and then select one or more approval recipients in User(s). You can use the search bar to help you find names and email addresses. To improve traceability of approvals, Alert Logic recommends that you choose individuals rather than a distribution list.
- If you want to isolate hosts detected in incidents generated from all analytics that Alert Logic recommends as triggers for this response, leave Respond to all recommended analytics selected. The recommended analytics for this response include:
  - Possible Mimikatz usage detected on {victim_hostname}
  - PowerSploit PowerShell framework activity detected on {victim_hostname}
- If you prefer to choose from a list of all analytics available for this response type, click Choose analytics, and then select one or more analytics to use as triggers for the response. To learn more about a specific analytic, you can find it in the Threat Intelligence Center. For more information, see Threat Intelligence Center.
Troubleshooting tips
Here are common errors that can occur when you test the configuration and suggested troubleshooting steps.
401 Client Error: Unauthorized
- Verify that the app registration still exists by reviewing the app registrations in the Azure AD console and looking for the Application (client) ID that is used in the connection. If the application was removed, repeat the process Create an app registration in Azure to generate a new app registration and Application (client) ID.
- Verify that the credentials created earlier exist and have not expired by reviewing the active credentials in the Certificates & Secrets pane of your app registration. If the credential has expired or been removed, repeat the process Create a client secret in Azure.
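The following added example (not Alert Logic's code) mirrors what the TEST dry run checks from the command line: it requests a client-credential token for the Defender for Endpoint API with the IDs and secret noted above, then inspects the token's roles claim for the three permissions this response requires. A token request that fails with an HTTP error points at a removed app registration or an expired secret; a token that is issued but lacks roles points at permissions that were never granted admin consent.

```python
"""Added example (not Alert Logic's or Microsoft's code): check that an
Azure AD app registration built for the Isolate Host response can obtain
a Defender for Endpoint token carrying the required application roles."""
import base64
import json
import urllib.parse
import urllib.request

# The three application permissions listed in the Technical reference.
REQUIRED_ROLES = {"User.Read.All", "Machine.Isolate", "Machine.ReadWrite.All"}

# Microsoft's Defender for Endpoint API resource, as a v2.0 scope.
MDE_SCOPE = "https://api.securitycenter.microsoft.com/.default"


def request_token(tenant_id, client_id, client_secret):
    """Client-credential grant against Azure AD; returns the raw access token.
    Network call: urllib raises HTTPError on 400/401 (bad or expired secret,
    missing app registration), which is what the console's TEST reports."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MDE_SCOPE,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_claims(token):
    """Decode the JWT payload without verifying the signature; we are only
    reading back the roles Azure AD put into a token it just issued to us."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims):
    """Required roles absent from the token; an empty set means ready."""
    return REQUIRED_ROLES - set(claims.get("roles", []))


def check_registration(tenant_id, client_id, client_secret):
    """End-to-end dry run: returns the set of roles still missing."""
    token = request_token(tenant_id, client_id, client_secret)
    return missing_roles(decode_claims(token))


def make_unsigned_token(claims):
    """Constructed, unsigned JWT used only to exercise the parser offline."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `check_registration` with the Directory (tenant) ID, Application (client) ID and client secret Value you copied during setup; an empty result means the registration matches what the response needs.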
Technical reference
Simple Response Name: Microsoft Defender for Endpoint: Isolate Host
Permissions:
- User.Read.All user permission in your WindowsDefenderATP application
- Machine.Isolate machine permission in your WindowsDefenderATP application
- Machine.ReadWrite.All machine permission in your WindowsDefenderATP application