Details

This atomic belongs to the Microsoft Defender for Endpoint atomic group.

Submits an IOC to Microsoft Defender for Endpoint to be blocked, alerted, or allowed. This atomic requires the following API permission: Ti.ReadWrite.All.

Target: Microsoft Defender for Endpoint (Commercial or GCC) integration target or HTTP Endpoint for "api.securitycenter.microsoft.com" with no path

Account Key: None if using an integration-provided target, access token if using an HTTP Endpoint target

Steps:
[]> Update the "Description" and "Title" variables
[]> Build authorization headers
[]> Request to update the Indicator list with provided parameters
[]> Check if request was successful
[]> If it wasn't, output an error
[]> Extract isolation status from the body response
[]> Check if extraction was successful
[]> If it wasn't, output an error
[]> If it did, update the status to the output variable
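The steps above, carried out as an added Python example (not the atomic's own implementation, and not code from Microsoft). It assumes an access token with Ti.ReadWrite.All is already in hand, targets the Commercial endpoint "api.securitycenter.microsoft.com" named on the page, and uses the POST /api/indicators request body fields documented at the link below (indicatorValue, indicatorType, action, title, description, severity). The indicator value and the sample response are constructed for illustration; the body-response extraction pulls the returned indicator's id and action, which is the status the API hands back for a submitted indicator.

```python
import json
import urllib.error
import urllib.request

# Commercial endpoint from the page; GCC tenants use a different host (not covered here).
API_BASE = "https://api.securitycenter.microsoft.com"
INDICATORS_PATH = "/api/indicators"

# Allowed enum values per the POST /api/indicators documentation.
VALID_TYPES = {"FileSha1", "FileSha256", "FileMd5", "CertificateThumbprint",
               "IpAddress", "DomainName", "Url"}
VALID_ACTIONS = {"Alert", "Warn", "Block", "Audit", "BlockAndRemediate",
                 "AlertAndBlock", "Allowed"}


def build_headers(access_token):
    """Step: build authorization headers for the bearer token."""
    return {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def build_indicator_body(value, indicator_type, action, title, description,
                         severity="Informational"):
    """Step: assemble the indicator with the Title/Description variables.
    Rejects bad enum values locally so a typo never reaches the tenant."""
    if indicator_type not in VALID_TYPES:
        raise ValueError(f"unknown indicatorType {indicator_type!r}")
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return {
        "indicatorValue": value,
        "indicatorType": indicator_type,
        "action": action,
        "title": title,
        "description": description,
        "severity": severity,
    }


def parse_response(status, raw):
    """Steps: check the request succeeded, then extract the returned
    indicator's id and action from the body; report an error otherwise."""
    if status not in (200, 201):
        return {"ok": False, "error": f"HTTP {status}: {raw.decode(errors='replace')}"}
    try:
        data = json.loads(raw)
    except ValueError:
        return {"ok": False, "error": "response body is not JSON"}
    for key in ("id", "indicatorValue", "indicatorType", "action"):
        if key not in data:
            return {"ok": False, "error": f"response missing '{key}'"}
    return {"ok": True, "id": data["id"], "action": data["action"],
            "indicatorValue": data["indicatorValue"],
            "indicatorType": data["indicatorType"]}


def submit_indicator(access_token, body, opener=urllib.request.urlopen):
    """Step: POST the indicator. `opener` is injectable so the flow can be
    exercised offline with a fake transport (assumption of this example)."""
    req = urllib.request.Request(
        API_BASE + INDICATORS_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers=build_headers(access_token),
        method="POST",
    )
    try:
        with opener(req) as resp:
            return parse_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        # Non-2xx responses surface here under urllib; keep the body for triage.
        return parse_response(e.code, e.read())
    except urllib.error.URLError as e:
        return {"ok": False, "error": f"transport error: {e.reason}"}


if __name__ == "__main__":
    # Constructed sample: a documentation-range IP to block, with a fake token.
    body = build_indicator_body("198.51.100.7", "IpAddress", "Block",
                                "Blocked C2 address (sample)",
                                "Submitted from an IR playbook (sample)")
    print(json.dumps(body, indent=2))
    # Constructed response resembling the API's returned indicator object.
    sample = b'{"id":"995","indicatorValue":"198.51.100.7","indicatorType":"IpAddress","action":"Block"}'
    print(parse_response(200, sample))
```

The parse step deliberately checks for the returned fields rather than trusting the HTTP status alone, so a 200 with an unexpected body (a proxy login page, for instance) is reported as an error instead of being written to the output variable.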

More information about this API: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/post-ti-indicator?view=o365-worldwide