
Isolate-MDEMachine-incident-trigger failed

Open · vi-lgtm opened this issue 2 months ago · 1 comment

Hello,

I have deployed the "Isolate-MDEMachine-incident-trigger" playbook. The incident was triggered by the rule "Microsoft Defender Antivirus Detection - Malware Found on Endpoint". The entities shown in the incident are: Host: vm-apps02.domain.net, File: file hash, Malware: Misleading:Win32/Lodi

The playbook shows that the run was successful, but it only added a comment to the incident: <p>vm-apps02.domain.net does not have MDEDeviceID in the Entities list. &nbsp;It was not isolated.&nbsp;</p> In the playbook history I see this in Conditions:

{
  "message": "<p>vm-apps02.domain.net  does not have MDEDeviceID in the Entities list. &nbsp;It was not isolated.&nbsp;</p>",
  "createdTimeUtc": "2025-11-18T17:58:21.8654863Z",
  "author": {
    "objectId": null,
    "email": null,
    "name": "Comment created from playbook - Isolate-MDEMachine",
    "userPrincipalName": null
  }
}

vm-apps02.domain.net is onboarded and has a DeviceID. Can someone explain why this playbook can't get the DeviceID from the devices?

vi-lgtm · Nov 18 '25 20:11
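The comment the playbook left says it branches on whether a Host entity carries an MDE device id, not on whether the machine is onboarded. The following added example (my own code, not the playbook's Logic App definition or anything from the Azure-Sentinel repository) walks a constructed incident entities array and reports, per host, whether that branch would isolate or only comment. It assumes the device id field is named `MdatpDeviceId` on the host entity (with `MDEDeviceID` as a fallback, the name the playbook comment uses) and that it may live either at the top level of the entity properties or under `additionalData`; all hostnames, hashes and ids in the sample are placeholders.

```python
import json

# Constructed sample of the "entities" array of a Microsoft Sentinel incident,
# modelled on the entities listed in the issue. Hostnames, the hash and the
# device id are placeholders, not values from any real tenant.
SAMPLE_ENTITIES = json.loads(r'''
[
  {"kind": "Host",
   "properties": {"hostName": "vm-apps02", "dnsDomain": "domain.net",
                  "additionalData": {"OsFamily": "Windows"}}},
  {"kind": "Host",
   "properties": {"hostName": "vm-apps03", "dnsDomain": "domain.net",
                  "additionalData": {"MdatpDeviceId": "0123456789abcdef0123456789abcdef01234567"}}},
  {"kind": "FileHash",
   "properties": {"algorithm": "SHA256", "hashValue": "<placeholder-hash>"}},
  {"kind": "Malware",
   "properties": {"malwareName": "Misleading:Win32/Lodi"}}
]
''')

# Field names the check looks for. "MdatpDeviceId" is the name I assume the
# Sentinel host entity uses for the Defender device id; "MDEDeviceID" is the
# name used in the playbook's own comment text.
DEVICE_ID_KEYS = ("MdatpDeviceId", "MDEDeviceID")


def host_fqdn(props):
    """Build the FQDN the way the playbook comment prints it."""
    name = props.get("hostName", "")
    domain = props.get("dnsDomain")
    return f"{name}.{domain}" if domain else name


def find_device_id(props):
    """Return the Defender device id from a host entity, or None if absent.

    Looks at the top-level properties first, then in additionalData, where
    Sentinel keeps entity fields that have no dedicated property."""
    for container in (props, props.get("additionalData") or {}):
        for key in DEVICE_ID_KEYS:
            value = container.get(key)
            if value:
                return value
    return None


def triage_hosts(entities):
    """Mirror the playbook's branch for every Host entity in an incident.

    Returns one dict per host saying whether an isolation request could be
    built from the entity alone and, if not, why the playbook would only
    leave a comment."""
    results = []
    for entity in entities:
        if entity.get("kind") != "Host":
            continue
        props = entity.get("properties", {})
        fqdn = host_fqdn(props)
        device_id = find_device_id(props)
        if device_id:
            results.append({"host": fqdn, "device_id": device_id, "isolate": True,
                            "reason": "device id present in entity"})
        else:
            results.append({"host": fqdn, "device_id": None, "isolate": False,
                            "reason": f"{fqdn} does not have MDEDeviceID in the Entities list; "
                                      "the entity must be enriched with the device id first"})
    return results


if __name__ == "__main__":
    for r in triage_hosts(SAMPLE_ENTITIES):
        print(json.dumps(r))
```

Run against the sample, vm-apps02 comes back with `isolate: False` even though nothing about the machine itself is wrong: the analytic rule that created the incident mapped a hostname but no device id, so an entity-driven playbook has nothing to pass to the isolation call. That is the situation to check in the rule's entity mapping before assuming the playbook or the MDE onboarding is at fault.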

Hello @vi-lgtm, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!

v-utpalkumar · Nov 19 '25 04:11