Skip to main content
Skip table of contents

Microsoft Defender Actions

Actions for Microsoft Defender

  • Isolate Machine. Disconnects one or more devices from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.

  • Unisolate Machine. Reconnects one or more devices to the network.

Devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. Microsoft recommends using a split-tunneling VPN for Microsoft Defender for Endpoint traffic.

Use Cases

Below are the possible use cases for these actions:

  • You can isolate endpoints that are actively involved in a security incident (such as malware infections or cyber-attacks) and unisolate the endpoints when the incident is remediated.


Before you can execute the actions for Microsoft Defender, you must first create an application to access Microsoft Defender. To do this, see The application requires WindowsDefenderATP Write permission.


To create an action in Lucidum, follow these steps:

  1. Choose Action Center from the left pane.

  2. In the Action Center, choose from the action types in the Channels pane.

  3. To create a configuration for the action, click the Manage Configuration button. A configuration provides the connection and authorization information to communicate with the external solution.

  4. Save the configuration.

  5. To create an action, click the Create a new action button. An action specifies the task to execute, the data to include in the action, and how frequently to execute the action.

  6. Save the action.

  7. Lucidum automatically executes the action at the time and recurrence you defined in the action.

You can apply an existing configuration to more than one action. If a configuration already exists, you might be able to re-use the existing configuration and might not need to create a new one.

Microsoft Defender Configuration

  • Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.

  • URL. The base URL for Microsoft Defender API

  • Tenant ID. Before configuring the Microsoft Defender Advanced Threat Protection connector in Lucidum, you must first create an application that has read and write access to Microsoft Defender Advanced Threat Protection. For details, see the documentation for Microsoft Defender. The application requires WindowsDefenderATP Write permission. In this field, specify the tenant ID of the application.

  • Client ID. The client ID of the application.

  • Client Secret. The client secret associated with the client ID.

Create a new action/View Action

  • Action Type. Select an action from the pulldown options.

  • Configuration Name. Select an action configuration from the pulldown options.

  • Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.

  • Description. Description of the action.

  • Filters. For new actions, the Add Filter button leads to the New Query page, where you can query for the assets or users that the action will act upon. For existing actions, this field displays the query for this action. The Edit Filter button leads to the New Query page, with the current query already loaded for editing. For details on creating and editing queries in Lucidum, the section on Building Queries.

  • Schedule Settings. Define the schedule for the action. Choices are setting a Recurrence by date and time or After Data Ingestion, which happens at least once every 24 hours and can also be triggered manually.

  • Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.

  • Output Fields. The fields selected for the Filters. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button.

  • Machine Action. Specify the type of action to perform. Choices are ISOLATE_MACHINE or UNISOLATE_MACHINE. When an attack has been detected, you can ISOLATE_MACHINE to isolate the device from the network. When the attack has been remediated, you can UNISOLATE_MACHINE to allow the device on the network.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.