incidentTaskResponseAction resource type

Namespace: microsoft.graph.security

Represents the base type for all incident task response actions in Microsoft Defender XDR. This is an abstract type that cannot be instantiated directly but serves as the parent type for the following specific response actions that can be executed on incident tasks.

• stopAndQuarantineFileIncidentTaskResponseAction - Used to stop and quarantine a file.
• collectInvestigationPackageIncidentTaskResponseAction - Used to collect device logs for investigation.
• disableUserIncidentTaskResponseAction - Used to temporarily disable a user account.
• enableUserIncidentTaskResponseAction - Used to re-enable a previously disabled user account.
• forceUserPasswordResetIncidentTaskResponseAction - Used to force a user to reset their password.
• hardDeleteEmailIncidentTaskResponseAction - Used to permanently delete an email message.
• isolateDeviceIncidentTaskResponseAction - Used to isolate a device from the network.
• markUserAsCompromisedIncidentTaskResponseAction - Used to mark a user account as compromised.
• requireSignInIncidentTaskResponseAction - Used to require a user to sign in again.
• restrictAppExecutionIncidentTaskResponseAction - Used to restrict application execution on a device.
• runAntivirusScanIncidentTaskResponseAction - Used to initiate an antivirus scan on a device.
• softDeleteIncidentTaskResponseAction - Used to move an email message to the deleted items folder.
• unIsolateDeviceIncidentTaskResponseAction - Used to remove network isolation from a device.
• unRestrictAppExecutionIncidentTaskResponseAction - Used to remove application execution restrictions from a device.

Inherits from responseAction.

Properties

Relationships

None.

JSON representation

The following is a JSON representation of the resource.

{
  "@odata.type": "#microsoft.graph.security.incidentTaskResponseAction",
  "identifierValue": "String"
}