
Microsoft Defender for Endpoint - Unblock IOC
Details
This workflow appears in the pivot menu and allows a user to unblock an indicator of compromise (IOC) in Microsoft Defender for Endpoint.
Description
This workflow appears in the pivot menu and allows a user to unblock an indicator of compromise (IOC) in Microsoft Defender for Endpoint. Supported observables include: domain, IP address, MD5, SHA-1, SHA-256, URL
Target: Microsoft Defender for Endpoint
Steps:
- Check which observable type was provided:
  - If the observable type is supported, set the matching local variable
  - If not supported, return an error
- Loop while there are IOCs to process:
  - Get this page of IOCs
  - Convert the list of IOCs to a table
  - For each IOC:
    - Check if this is the IOC we want to unblock:
      - If it is, set the local indicator ID and end the loop
  - Check if there is another page of results (if not, end the loop)
- Check if an indicator ID was found:
  - If it was, unblock it
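The lookup and unblock logic described in the steps above, as an added example that is not Cisco's workflow code: it assumes an in-memory paged store of indicators in place of the Defender for Endpoint API, and the indicatorType names in SUPPORTED are an assumption (the page lists only the observable kinds).

```python
import copy
from typing import Iterator, Optional

# Observable type -> indicatorType of the matching Defender indicator.
# These type names are assumed; the page lists only the observable kinds.
SUPPORTED = {
    "domain": "DomainName", "ip": "IpAddress", "md5": "FileMd5",
    "sha1": "FileSha1", "sha256": "FileSha256", "url": "Url",
}

def sample_pages() -> list:
    """Constructed sample indicators, split into two pages so the paging loop runs."""
    return copy.deepcopy([
        [{"id": "101", "indicatorType": "FileSha256", "indicatorValue": "a" * 64},
         {"id": "102", "indicatorType": "DomainName", "indicatorValue": "bad.example"}],
        [{"id": "103", "indicatorType": "IpAddress", "indicatorValue": "203.0.113.7"}],
    ])

def fetch_pages(pages: list) -> Iterator[list]:
    """Stand-in for the API paging calls: yields one page at a time until none remain."""
    for page in pages:
        yield page

def normalise(obs_type: str, value: str) -> str:
    # Hashes, domains and IPs compare case-insensitively; URL paths may be case-sensitive.
    return value if obs_type == "url" else value.lower()

def find_indicator_id(obs_type: str, obs_value: str, pages: list) -> Optional[str]:
    """Walk the pages and return the id of the first matching indicator, or None."""
    if obs_type not in SUPPORTED:
        raise ValueError(f"unsupported observable type: {obs_type}")
    wanted_type = SUPPORTED[obs_type]
    wanted_value = normalise(obs_type, obs_value)
    for page in fetch_pages(pages):
        for ioc in page:
            if ioc["indicatorType"] == wanted_type and normalise(obs_type, ioc["indicatorValue"]) == wanted_value:
                return ioc["id"]  # found: stop paging early, as the workflow does
    return None

def unblock_ioc(obs_type: str, obs_value: str, pages: list) -> Optional[str]:
    """Remove the matching indicator from the in-memory store; return its id, or None if absent."""
    ind_id = find_indicator_id(obs_type, obs_value, pages)
    if ind_id is None:
        return None  # nothing to unblock: treated as a no-op rather than an error
    for page in pages:
        page[:] = [ioc for ioc in page if ioc["id"] != ind_id]
    return ind_id
```

Matching on both indicator type and value avoids removing an unrelated indicator that happens to share a value string, and the early exit keeps the page walk short once a hit is found.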
Required targets
This workflow requires the following targets to be available before it can be run.
Integration targets
- Microsoft Defender for Endpoint
About
Author
Cisco
Version
v1.1
Intent
Pivot Menu
Integration
Average rating
No ratings yet
Authorship
Cisco Managed
Contact and support information
External links
Related workflows
Cisco Managed
This workflow appears in the pivot menu and allows a user to block an indicator of compromise (IOC) in Microsoft Defender for Endpoint.
Cisco Managed
This workflow appears in the pivot menu and allows a user to unisolate a machine in Microsoft Defender for Endpoint.
Cisco Managed
This workflow appears in the pivot menu and allows a user to release a machine from isolation in Microsoft Defender for Endpoint.
Cisco Managed
This workflow appears in the pivot menu and allows a user to unblock an indicator of compromise (IOC) in Microsoft Defender for Endpoint.