Response Actions for Microsoft Defender for Endpoint


Red Canary Automation provides the following response actions for Microsoft Defender for Endpoint (MDE):

Ban File Hashes (IOC)
Ban file hashes across your organization that are marked as indicators of compromise (IOCs).

Isolate the Endpoint (Full)
Isolate the endpoint by preventing all network activity.

Isolate the Endpoint (Selective)
Isolate the endpoint by limiting network activity while honoring actively configured Isolation Exclusion Rules in Microsoft Defender for Endpoint (falls back to full isolation if no rules exist).

Deisolate the Endpoint
Deisolate the endpoint by re-allowing network activity.

Quarantine Files (IOC)
Stop and locally isolate files on an endpoint that are marked as indicators of compromise (IOCs).

Restrict App Execution (Endpoint)
Restrict execution of applications on the endpoint to OS-approved signed binaries.

Allow App Execution (Endpoint)
Lift the restriction on application execution on the endpoint, allowing unsigned apps to run again.

Collect Forensics
Collect a forensic package on an endpoint.

Ban IP Addresses (IOC)
Ban IP addresses across your organization that are marked as indicators of compromise (IOCs).

Ban Domains (IOC)
Ban domains across your organization that are marked as indicators of compromise (IOCs).
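
As an added example (not Red Canary's code, and not part of this page), the following Python maps each response action listed above onto the corresponding Microsoft Defender for Endpoint public REST API request, as I understand that API from Microsoft's public documentation. It only builds and validates the request (method, URL, JSON body) and never sends it, so it runs offline; the machine ID, hashes, IP, domain and comment strings in it are constructed sample values. How Red Canary invokes MDE internally, and how the Isolation Exclusion Rules fallback for selective isolation is implemented, is not stated on this page and is not modelled here.

```python
"""Build (but do not send) MDE API requests for the response actions listed above.

Added example; endpoint paths, body field names and indicatorType/action values
follow the public MDE API as I understand it. Sending these requests would need an
Azure AD app token with the matching Machine.* and Ti.ReadWrite permissions.
"""
import json
import re

BASE = "https://api.securitycenter.microsoft.com/api"

# Page action -> (MDE machine action name, extra body fields)
_MACHINE_ACTIONS = {
    "isolate_full": ("isolate", {"IsolationType": "Full"}),
    "isolate_selective": ("isolate", {"IsolationType": "Selective"}),
    "deisolate": ("unisolate", {}),
    "restrict_app_execution": ("restrictCodeExecution", {}),
    "allow_app_execution": ("unrestrictCodeExecution", {}),
    "collect_forensics": ("collectInvestigationPackage", {}),
}

_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$"
)


def classify_indicator(value):
    """Return the MDE indicatorType for an IOC string; reject anything unrecognised
    so a malformed value never becomes an org-wide block rule."""
    if _SHA256.match(value):
        return "FileSha256"
    if _SHA1.match(value):
        return "FileSha1"
    if _IPV4.match(value):
        return "IpAddress"
    if _DOMAIN.match(value):
        return "DomainName"
    raise ValueError(f"unrecognised IOC format: {value!r}")


def machine_action(action, machine_id, comment):
    """Isolate/deisolate, restrict/allow app execution, collect forensics."""
    if not comment.strip():
        raise ValueError("MDE requires a non-empty Comment; it is your audit trail")
    api_action, extra = _MACHINE_ACTIONS[action]
    return {
        "method": "POST",
        "url": f"{BASE}/machines/{machine_id}/{api_action}",
        "body": {"Comment": comment, **extra},
    }


def quarantine_file(machine_id, sha1, comment):
    """Quarantine Files (IOC): StopAndQuarantineFile accepts a SHA-1 only."""
    if not _SHA1.match(sha1):
        raise ValueError("StopAndQuarantineFile needs a SHA-1, not SHA-256 or MD5")
    return {
        "method": "POST",
        "url": f"{BASE}/machines/{machine_id}/StopAndQuarantineFile",
        "body": {"Comment": comment, "Sha1": sha1},
    }


def ban_indicator(value, title, description, severity="High"):
    """Ban File Hashes / IP Addresses / Domains (IOC): an org-wide block indicator.
    File indicators may also remediate; network indicators only block."""
    itype = classify_indicator(value)
    action = "BlockAndRemediate" if itype.startswith("File") else "Block"
    return {
        "method": "POST",
        "url": f"{BASE}/indicators",
        "body": {
            "indicatorValue": value,
            "indicatorType": itype,
            "action": action,
            "title": title,
            "description": description,
            "severity": severity,
        },
    }


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    mid = "0123456789abcdef0123456789abcdef01234567"
    for req in (
        machine_action("isolate_selective", mid, "Playbook: Isolate the Endpoint (Selective)"),
        ban_indicator("198.51.100.7", "Blocked C2 IP", "From Red Canary threat"),
        ban_indicator("evil.example.com", "Blocked domain", "From Red Canary threat"),
    ):
        print(json.dumps(req, indent=2))
```

Each builder returns a plain dict so a playbook can log the exact request before any token is attached, which is the same review point the Require Approval checkbox gives you in the portal.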

Prerequisites

Adding a Microsoft Defender for Endpoint Response Action to a Playbook

The steps below demonstrate how to add the Isolate the Endpoint (Selective) response action.

  1. From the Red Canary portal navigation menu, select Automation > Playbooks.

  2. In the Playbooks section, open an existing playbook or create a new one by clicking +Create New Playbook.

  3. Name the playbook (if applicable), then click +Add Action.

  4. Click Isolate the Endpoint (Selective).

  5. Check the I acknowledge… box.

  6. [OPTIONAL] Check the Require Approval box and provide contact details if you want someone to approve this action before it executes. This will apply to both manual and automatically triggered executions.

  7. Click Save.

Manually Executing the Response Action

To execute a response action manually:

  1. Open the playbook and click Run.

  2. Select a Threat or Endpoint to execute against, then click Run.

  3. Click Follow along with the progress here.

  4. If you checked the Require Approval option, you’ll need to click Approve and Continue.

  5. Click History in the playbook settings menu to review the execution details. These details are also displayed on the threat timeline, endpoint activity timeline, and in audit logs.

Automatically Executing the Response Action

To execute the response action automatically, link an appropriate trigger to the playbook. For more information, see Customize When a Playbook is Run With Triggers.