### Configure Azure AD App Registration for Microsoft Defender API Access Source: https://github.com/accelerynt-security/as-mde-isolate-machine/blob/main/README.md This snippet outlines the steps to create an Azure Active Directory app registration and grant it the necessary 'Machine.Isolate' application permission for the 'WindowsDefenderATP' API. This registration is essential for authenticating and authorizing calls to the Microsoft Defender for Endpoint API to isolate machines. The client ID and secret generated are used for authentication. ```APIDOC Azure AD App Registration Setup for Microsoft Defender API: 1. **Navigate to App Registrations**: Go to https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade. 2. **Create New Registration**: Click "New registration". 3. **Name Application**: Enter "AS-MDE-Isolate-Machine" for the name and click "Register". 4. **Record Application (client) ID**: From the "Overview" page, note the "Application (client) ID". 5. **Add API Permissions**: Navigate to "API permissions" under "Manage". Click "Add a permission". 6. **Select API**: Under "APIs my organization uses", search for and select "WindowsDefenderATP". 7. **Choose Permission Type**: Select "Application permissions". 8. **Select Permission**: Search for "Machine.Isolate" and select it. Click "Add permissions". 9. **Grant Admin Consent**: Click "Grant admin consent for (your tenant name)". 10. **Generate Client Secret**: Navigate to "Certificates & secrets" under "Manage". Click "New client secret". 11. **Add Secret**: Enter a description, select expiration, and click "Add". 12. **Copy Client Secret Value**: Immediately copy the generated secret value, as it will not be visible again. ``` -------------------------------- ### Microsoft Defender for Endpoint - Isolate Machine API Reference Source: https://github.com/accelerynt-security/as-mde-isolate-machine/blob/main/README.md Reference for the Microsoft Defender for Endpoint API endpoint used to isolate machines. This API is part of the WindowsDefenderATP service and requires specific application permissions for successful execution. It is typically called by automated systems like Azure Logic Apps or PowerShell scripts. ```APIDOC Microsoft Defender for Endpoint - Isolate Machine API: **Endpoint**: https://api.securitycenter.microsoft.com/api/machines/{id}/isolate (Example, actual URL might vary based on region/version) **Method**: POST **Purpose**: To isolate a machine identified by its ID within Microsoft Defender for Endpoint, restricting its network connectivity to prevent further compromise. **Required API**: WindowsDefenderATP **Required Permission**: Machine.Isolate (Application permission) **Authentication**: OAuth 2.0 Client Credentials Flow (using Azure AD App Registration Client ID and Secret) **Request Body (Example)**: { \"Comment\": \"Machine isolated due to Sentinel incident [Incident ID]\" } **Response**: Typically a 200 OK on success, with details of the isolation action. **Reference**: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/isolate-machine ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.