Remediation & SOAR

How to isolate a ransomware-infected workstation with Microsoft Intune

5 min read · Akuity SOC · Delphisoft Deutschland

Learn how to trigger emergency network isolation of a compromised machine via Microsoft Intune and the Graph API from your SOAR console.

When ransomware manages to execute on a workstation within your company, response speed is the only factor that separates a minor incident from an industrial disaster. Once implanted, the malware scans the local network in order to pivot to other targets (file servers, domain controllers). This is called lateral movement.

To stop this rapid spread, the absolute emergency measure is confinement. Learn how the Akuity SOC Orchestrator interfaces with Microsoft Intune and Defender for Endpoint to trigger immediate network isolation of a compromised machine, remotely and with a single click.

The network isolation mechanism (Isolate Device)

What is network isolation in the Microsoft ecosystem? Unlike simply disconnecting Wi-Fi or unplugging an Ethernet cable (which requires physical presence or user action), isolation activates an ultra-restrictive software firewall directly at the kernel level through Windows Defender.

When the isolation command is received by the machine:

  1. All network traffic entering and exiting the workstation is instantly cut off.
  2. The attacker who was remotely controlling the machine through a command channel (reverse shell) immediately loses access.
  3. The ransomware can no longer communicate with its C2 server to recover the encryption key, nor scan the company's internal network.

The security exception

Crucially, isolation keeps a single line of communication open: the cryptographically secure connection to the Microsoft Defender and Intune cloud services. This allows your security team to retain remote control of the machine, analyze its processes and conduct the investigation, without the workstation posing a danger to the rest of the organization.

Executing remediation from the Akuity SOC Cockpit

In a traditional SOC console, isolating a device requires opening the Microsoft Intune admin portal, searching for the machine by serial number or name, working through several menus and waiting for synchronization. In the midst of a cyber crisis, these manual steps add critical latency.

Akuity SOC's interface eliminates these intermediate steps with direct API integration.

Step 1: Risk Identification

The SOC analyst or IT manager navigates to the “Devices at risk” tab of the platform. This space centrally brings together all the machines in the workspace (Windows workstations, macOS, servers) managed by Intune that are the subject of active threat or non-compliance alerts. A unified search engine allows you to instantly filter by machine name or operating system, with a quick reset.

Step 2: The MFA obligation (AAL2 Security)

Isolating a user's PC (such as the finance director's) is a heavy-handed action that cuts off their work tool. To prevent an attacker from abusing this functionality, Akuity applies strict security: the isolation action (isolateDevice) requires two-factor authentication (MFA). The analyst must enter the 6-digit code generated by their Google or Microsoft Authenticator application. Without this elevation of the session to level AAL2, the Next.js server rejects the command.

Step 3: The asynchronous API call

Once the MFA code is validated, the Akuity backend sends an asynchronous request to the Microsoft Graph remediation endpoint: /microsoft.graph.isolate. A pop-up notification toast instantly appears at the bottom of the interface to confirm that the security command was sent successfully. The machine is confined within seconds, and the analyst can then launch, still from the interface, a Quick Antivirus Scan remotely to clean the workstation.

Conclusion: Win the race against encryption

When it comes to ransomware, operational asymmetry leans in favor of whoever acts the fastest. By centralizing the management of your at-risk devices and enabling up-to-the-second network containment without leaving your monitoring cockpit, you neutralize the spread of threats before they paralyze your business activity.

Stop letting ransomware spread across your network. Discover the power of our Agentless Microsoft Security SOAR Orchestrator and test network isolation in a secure environment.

Related Solution Page

Agentless Microsoft Security SOAR Orchestrator

Reduce your MTTR with 1-Click SOAR orchestration for Microsoft Security. Immediate API integration, zero agents and automated network containment.

Discover the complete solution