Isolating a machine upon new malware detection
Before we begin, you will need the following:
- Access to Microsoft Sentinel with appropriate permissions (Microsoft Sentinel Contributor, Logic App Contributor, and permission to assign RBAC roles: Owner or User Access Administrator)
- The Global Administrator or Security Administrator role in Azure AD
Creating a playbook
- Gain access to Microsoft Defender for Endpoint (MDE).
- Connect MDE to Microsoft Sentinel for incident synchronization.
- Create a test alert using MDE.
- Create a playbook to isolate a machine in MDE and assign the permissions it needs (the playbook's identity must be allowed to isolate devices in MDE, and Microsoft Sentinel must be allowed to run the playbook).
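The isolation itself is a call to the Microsoft Defender for Endpoint API, which is what the playbook's Logic App action performs under the hood. The following Python script is an added example, not code from the original page or from Microsoft: it obtains a token with the client-credentials flow (scope https://api.securitycenter.microsoft.com/.default; the app or managed identity needs the MDE application permission Machine.Isolate), sends POST /api/machines/{id}/isolate with the required Comment and an IsolationType, then polls GET /api/machineactions/{id} until the action reaches a terminal status. The machine id, action id, token and responses used in demo() are constructed values rather than real MDE output, and the function names are this example's own.

```python
"""Isolate a device through the Microsoft Defender for Endpoint (MDE) REST API.

Added example (not from the original page). The HTTP helpers are passed in as
parameters so the flow can be exercised offline with constructed responses.
"""
import json
import time
import urllib.parse
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com/api"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://api.securitycenter.microsoft.com/.default"
# Machine action statuses after which polling is pointless.
TERMINAL_STATUSES = {"Succeeded", "Failed", "Cancelled", "TimeOut"}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for a client-credentials token scoped to the MDE API."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), form


def build_isolate_request(machine_id, comment, isolation_type="Full"):
    """Return (url, JSON body) for POST /machines/{id}/isolate.

    MDE rejects an isolation request without a Comment; IsolationType is
    'Full' or 'Selective' (Selective keeps Outlook/Teams/Skype connectivity).
    """
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("IsolationType must be 'Full' or 'Selective'")
    if not comment.strip():
        raise ValueError("MDE requires a non-empty Comment on isolation requests")
    if not machine_id.strip():
        raise ValueError("machine_id is required")
    url = f"{MDE_API}/machines/{urllib.parse.quote(machine_id, safe='')}/isolate"
    return url, {"Comment": comment, "IsolationType": isolation_type}


def post_json(url, body, token):
    """Real HTTP POST with a bearer token; replaced by a stub in offline runs."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_json(url, token):
    """Real HTTP GET with a bearer token; replaced by a stub in offline runs."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_machine_action(action):
    """Validate a machineAction entity and return (action id, status).

    Checking the action type guards against a wrong or stale action id being
    read as a successful isolation.
    """
    if action.get("type") != "Isolate":
        raise ValueError(f"unexpected machine action type {action.get('type')!r}")
    for key in ("id", "status", "machineId"):
        if key not in action:
            raise ValueError(f"machine action is missing {key!r}")
    return action["id"], action["status"]


def isolate_and_wait(machine_id, comment, token, post=post_json, get=get_json,
                     attempts=10, delay=5, sleep=time.sleep):
    """Submit the isolation and poll the machine action until it is terminal."""
    url, body = build_isolate_request(machine_id, comment)
    action_id, status = parse_machine_action(post(url, body, token))
    for _ in range(attempts):
        if status in TERMINAL_STATUSES:
            break
        sleep(delay)
        action = get(f"{MDE_API}/machineactions/{action_id}", token)
        _, status = parse_machine_action(action)
    return action_id, status


def demo():
    """Offline run against constructed machineAction responses (not real MDE data)."""
    action = {"id": "e0cd6ed8-0000-4000-8000-000000000000", "type": "Isolate",
              "machineId": "1e5bc9d7constructed", "status": "Pending"}
    later_states = iter(["InProgress", "Succeeded"])

    def fake_post(url, body, token):
        return dict(action)

    def fake_get(url, token):
        return dict(action, status=next(later_states))

    return isolate_and_wait(action["machineId"], "Sentinel playbook: new malware alert",
                            token="constructed-token", post=fake_post, get=fake_get,
                            sleep=lambda seconds: None)


if __name__ == "__main__":
    print(demo())
```

In a real playbook the Logic App's MDE connector performs the POST for you, but the same two facts carry over: the request is refused without a Comment, and the POST only returns a pending machine action, so a playbook that needs to confirm isolation must read the action's status rather than treating the HTTP 201 as success.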