Solved: How to block outgoing traffic with the SOAR app fo...

1var · ‎05-07-2025

We're looking to block outgoing traffic from a specific client or group, using the Microsoft Defender for Endpoint-app.

If we were to implement this ourselves using the MS api, it would be something like:

POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/restrict
Authorization: Bearer {your_access_token}
Content-Type: application/json
{
"action": "Block",
"destination": "IP_ADDRESS_OR_DOMAIN",
"protocol": "TCP",
"port": "443"
}

However, I haven't been able to find a corresponding call in the app source code. Am I missing something, or isn't this currently supported?

1var · ‎05-07-2025

It looks as if the app-functions "Submit indicator" will be able to solve this for us:

{
  "indicatorValue": "9.9.9.9",
  "indicatorType": "IpAddress",
  "action": "Block",
  "title": "Block outbound traffic to 9.9.9.9",
  "description": "Referanse: JIRA-XYZ",
  "generateAlert": true
}

View solution in original post

1var · ‎05-07-2025

It looks as if the app-functions "Submit indicator" will be able to solve this for us:

{
  "indicatorValue": "9.9.9.9",
  "indicatorType": "IpAddress",
  "action": "Block",
  "title": "Block outbound traffic to 9.9.9.9",
  "description": "Referanse: JIRA-XYZ",
  "generateAlert": true
}

How to block outgoing traffic with the SOAR app for Microsoft Defender for Endpoint

using SOAR ⁄ Phantom

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Are you a member of the Splunk Community?

How to block outgoing traffic with the SOAR app for Microsoft Defender for Endpoint

using SOAR ⁄ Phantom

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!