Note
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, use a server closer to your geolocation:
- us.api.security.microsoft.com
- eu.api.security.microsoft.com
- uk.api.security.microsoft.com
- au.api.security.microsoft.com
- swa.api.security.microsoft.com
- ina.api.security.microsoft.com
- aea.api.security.microsoft.com
- For more information, see Response Actions.
- If you're using Defender for Business, see Review remediation actions for available actions.
Methods
| Method | Return Type | Description |
|---|---|---|
| List MachineActions | Machine Action | List Machine Action entities. |
| Get MachineAction | Machine Action | Get a single Machine Action entity. |
| Collect investigation package | Machine Action | Collect investigation package from a machine. |
| Get investigation package SAS URI | Machine Action | Get URI for downloading the investigation package. |
| Isolate machine | Machine Action | Isolate machine from network. |
| Release machine from isolation | Machine Action | Release machine from Isolation. |
| Restrict app execution | Machine Action | Restrict application execution. |
| Remove app restriction | Machine Action | Remove application execution restriction. |
| Run antivirus scan | Machine Action | Run an AV scan using Windows Defender (when applicable). |
| Offboard machine | Machine Action | Offboard machine from Microsoft Defender for Endpoint. |
| Stop and quarantine file | Machine Action | Stop execution of a file on a machine and delete it. |
| Run live response | Machine Action | Runs a sequence of live response commands on a device. |
| Get live response result | URL entity | Retrieves specific live response command result download link by its index. |
| Cancel machine action | Machine Action | Cancel an active machine action. |
Properties
| Property | Type | Description |
|---|---|---|
| ID | Guid | Identity of the Machine Action entity. |
| type | Enum | Type of the action. Possible values are: RunAntiVirusScan, Offboard, LiveResponse, CollectInvestigationPackage, Isolate, Unisolate, StopAndQuarantineFile, RestrictCodeExecution, and UnrestrictCodeExecution. |
| scope | String | Scope of the action: Full or Selective for isolation, Quick or Full for an antivirus scan. |
| requestor | String | Identity of the person that executed the action. |
| externalID | String | ID the customer can submit in the request, for custom correlation. |
| requestSource | String | The name of the user or application that submitted the action. |
| commands | array | Commands to run. Allowed values are PutFile, RunScript, GetFile. |
| cancellationRequestor | String | Identity of the person that canceled the action. |
| requestorComment | String | Comment that was written when issuing the action. |
| cancellationComment | String | Comment that was written when canceling the action. |
| status | Enum | Current status of the command. Possible values are: Pending, InProgress, Succeeded, Failed, TimeOut, and Cancelled. |
| machineId | String | ID of the machine on which the action was executed. |
| computerDnsName | String | Name of the machine on which the action was executed. |
| creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. |
| cancellationDateTimeUtc | DateTimeOffset | The date and time when the action was canceled. |
| lastUpdateDateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. |
| title | String | Machine action title. |
| relatedFileInfo | Class | Contains two properties: String fileIdentifier and Enum fileIdentifierType, with the possible values Sha1, Sha256, and Md5. |
JSON representation
```json
{
  "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
  "type": "Isolate",
  "scope": "Selective",
  "requestor": "[email protected]",
  "requestorComment": "test for docs",
  "status": "Succeeded",
  "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
  "computerDnsName": "desktop-test",
  "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
  "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
  "relatedFileInfo": null
}
```
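The following is an added example, not code from Microsoft's documentation or SDKs. It shows how a client would consume Machine Action entities of the shape above: it validates the `type`, `status`, `commands` and `relatedFileInfo.fileIdentifierType` fields against the enum values in the properties table, parses the 7-digit-fraction UTC timestamps the API returns, decides from `status` whether an action has reached a terminal state (so a poller knows when to stop), and runs a simple audit over `requestor` to surface response actions issued by identities outside an expected responder set. The regional hosts come from the Tip above; the `/api/machineactions` path and the short region keys are assumptions, and both sample payloads are constructed (the first mirrors the page's JSON, with a made-up requestor).

```python
"""Offline helpers for Defender for Endpoint Machine Action entities (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Enum values exactly as listed in the properties table on this page.
ACTION_TYPES = {
    "RunAntiVirusScan", "Offboard", "LiveResponse", "CollectInvestigationPackage",
    "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution",
    "UnrestrictCodeExecution",
}
STATUSES = {"Pending", "InProgress", "Succeeded", "Failed", "TimeOut", "Cancelled"}
TERMINAL_STATUSES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}
LIVE_RESPONSE_COMMANDS = {"PutFile", "RunScript", "GetFile"}
FILE_ID_TYPES = {"Sha1", "Sha256", "Md5"}

# Regional API hosts from the Tip above; the short keys are chosen here, not by the API.
REGIONAL_HOSTS = {
    "us": "us.api.security.microsoft.com", "eu": "eu.api.security.microsoft.com",
    "uk": "uk.api.security.microsoft.com", "au": "au.api.security.microsoft.com",
    "swa": "swa.api.security.microsoft.com", "ina": "ina.api.security.microsoft.com",
    "aea": "aea.api.security.microsoft.com",
}
# Assumed resource path for List MachineActions; confirm against that method's reference.
MACHINE_ACTIONS_PATH = "/api/machineactions"


def machine_actions_url(region: str) -> str:
    """Return the List MachineActions URL for a regional host (KeyError on unknown region)."""
    return f"https://{REGIONAL_HOSTS[region]}{MACHINE_ACTIONS_PATH}"


@dataclass
class MachineAction:
    id: str
    type: str
    status: str
    requestor: str
    machine_id: str
    scope: Optional[str]
    created: datetime
    last_update: datetime


def parse_utc(value: str) -> datetime:
    """Parse the API's UTC timestamps; they carry 7 fractional digits, fromisoformat takes 6."""
    head, _, frac = value.rstrip("Z").partition(".")
    micro = (frac + "000000")[:6]
    return datetime.fromisoformat(f"{head}.{micro}").replace(tzinfo=timezone.utc)


def parse_machine_action(payload: dict) -> MachineAction:
    """Validate enum fields against the documented values, then build a MachineAction."""
    if payload["type"] not in ACTION_TYPES:
        raise ValueError(f"unknown action type: {payload['type']!r}")
    if payload["status"] not in STATUSES:
        raise ValueError(f"unknown status: {payload['status']!r}")
    for cmd in payload.get("commands") or []:
        if cmd not in LIVE_RESPONSE_COMMANDS:
            raise ValueError(f"unknown live response command: {cmd!r}")
    file_info = payload.get("relatedFileInfo")
    if file_info is not None and file_info.get("fileIdentifierType") not in FILE_ID_TYPES:
        raise ValueError("relatedFileInfo.fileIdentifierType must be Sha1, Sha256 or Md5")
    return MachineAction(
        id=payload["id"], type=payload["type"], status=payload["status"],
        requestor=payload["requestor"], machine_id=payload["machineId"],
        scope=payload.get("scope"),
        created=parse_utc(payload["creationDateTimeUtc"]),
        last_update=parse_utc(payload["lastUpdateDateTimeUtc"]),
    )


def is_terminal(action: MachineAction) -> bool:
    """True once the action has a final status and a poller can stop re-fetching it."""
    return action.status in TERMINAL_STATUSES


def duration_seconds(action: MachineAction) -> float:
    """Seconds between creation and the last status update."""
    return (action.last_update - action.created).total_seconds()


def unexpected_requestors(actions, allowed_requestors) -> list:
    """Audit check: IDs of actions issued by identities outside the expected responder set."""
    return [a.id for a in actions if a.requestor not in allowed_requestors]


# Constructed samples: the first mirrors the page's JSON (requestor made up), the second is invented.
SAMPLE_ISOLATE = {
    "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", "type": "Isolate", "scope": "Selective",
    "requestor": "analyst@example.com", "requestorComment": "test for docs",
    "status": "Succeeded", "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
    "computerDnsName": "desktop-test",
    "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
    "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z", "relatedFileInfo": None,
}
SAMPLE_LIVE_RESPONSE = {
    "id": "00000000-0000-0000-0000-000000000001", "type": "LiveResponse", "scope": None,
    "requestor": "automation@example.com", "status": "InProgress",
    "commands": ["PutFile", "RunScript"], "computerDnsName": "srv-01",
    "machineId": "0000000000000000000000000000000000000000",
    "creationDateTimeUtc": "2019-01-02T15:00:00Z",
    "lastUpdateDateTimeUtc": "2019-01-02T15:00:05Z", "relatedFileInfo": None,
}
```

A poller built on this would fetch an action by ID, call `parse_machine_action`, and stop once `is_terminal` is true; the enum checks mean an unexpected value from a newer API version fails loudly rather than being silently treated as "still running".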
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.