MDR Response Actions
Overview
The MDR (Managed Detection & Response) Actions module enables SOC analysts and automated playbooks to execute response actions directly from the ThreatOps platform. When an incident is confirmed, analysts need to act immediately -- isolating compromised endpoints, blocking malicious IPs, disabling compromised user accounts, and quarantining phishing emails.
This module integrates with Microsoft Defender for Endpoint (MDE), Microsoft Graph API, Azure NSGs, and AWS Security Groups to execute containment actions in real time. All actions are logged in an audit trail for compliance and post-incident review.
What Was Proposed
- 4 core response action types: endpoint isolation, IP blocking, user disablement, email quarantine
- Microsoft Defender for Endpoint integration for endpoint containment
- Microsoft Graph API integration for user account and email actions
- Multi-firewall support (Azure NSG, AWS SG, Defender indicators)
- Action audit log for compliance tracking
- Service health monitoring (MDE + Graph API connectivity)
- Frontend with action execution forms and recent actions table
- Response metrics dashboard (24-hour activity summary)
What's Built
| Feature | Status |
|---|---|
| Isolate Endpoint (MDE integration) | ✓ Complete |
| Block IP (Azure NSG, AWS SG, Defender) | ✓ Complete |
| Disable User (Graph API) | ✓ Complete |
| Quarantine Email (M365) | ✓ Complete |
| Action audit log | ✓ Complete |
| MDR service health endpoint | ✓ Complete |
| Defender XDR client module | ✓ Complete |
| Frontend action cards with forms | ✓ Complete |
| Recent actions table | ✓ Complete |
| Service health sidebar | ✓ Complete |
| Response metrics (24h) | ✓ Complete |
Isolate Endpoint
POST /api/v1/mdr/isolate
Sends an isolation command to a device via Microsoft Defender for Endpoint. Supports Full, Selective, and Network Only isolation types.
Request fields: hostname (required), reason, isolation_type (Full/Selective), tenant_id
Backend: Calls response_actions.isolate_endpoint() which delegates to the defender_xdr_client.
Block IP
POST /api/v1/mdr/block-ip
Blocks an IP address at the network perimeter. Supports multiple firewall backends.
Request fields: ip (required), firewall_type (azure_nsg / aws_sg / defender), reason, priority (NSG only), duration_hours (default 24), tenant_id
Backend: Routes to the appropriate firewall handler based on firewall_type.
Disable User
POST /api/v1/mdr/disable-user
Disables a user account and revokes all active sessions via Microsoft Graph API.
Request fields: upn (required, e.g., user@contoso.com), reason, tenant_id
Backend: Calls response_actions.disable_user() to disable via Graph API.
Quarantine Email
POST /api/v1/mdr/quarantine-email
Quarantines or deletes a suspicious email message via Microsoft 365.
Request fields: message_id (required), user_principal_name, action (softDelete / hardDelete / moveToJunk), reason, tenant_id
Backend: Calls response_actions.quarantine_email() for M365 integration.
Architecture
API Router
File: app/routers/mdr.py — Prefix: /api/v1/mdr
```text
POST /api/v1/mdr/isolate            # Isolate endpoint via MDE
POST /api/v1/mdr/block-ip           # Block IP at firewall perimeter
POST /api/v1/mdr/disable-user       # Disable user account via Graph API
POST /api/v1/mdr/quarantine-email   # Quarantine email via M365
GET  /api/v1/mdr/actions            # List recent response actions (audit log)
GET  /api/v1/mdr/status             # MDR service health (MDE + Graph API connectivity)
```
Backend Service Layer
Located at app/services/mdr/:
- __init__.py — Package init
- response_actions.py — Core action dispatcher with functions: isolate_endpoint(), block_ip(), disable_user(), quarantine_email(), get_recent_actions(). Maintains an in-memory audit log (_action_audit_log).
- defender_xdr.py — Microsoft Defender XDR client for MDE and Graph API integration. Provides health_check() for connectivity monitoring.
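As an added illustration of the dispatcher and audit-log pattern described here (not the project's own response_actions.py), the following sketch routes block_ip() on firewall_type, validates input before any backend is touched, records every outcome in the in-memory log, and derives the 24-hour response metrics from that same log. The firewall handlers are stubs with assumed names, the audit record layout and the public-address safeguard are assumptions, and the sample IPs in the comments are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# In-memory audit log, as described for response_actions.py (record layout assumed).
_action_audit_log: list[dict] = []

def _record(action, target, status, actor, reason, detail):
    entry = {"timestamp": datetime.now(timezone.utc), "action": action, "target": target,
             "status": status, "actor": actor, "reason": reason, "detail": detail}
    _action_audit_log.append(entry)
    return entry

# Stubs standing in for the real NSG / SG / Defender indicator calls (assumed names);
# each returns what the audit detail should capture about the rule it created.
def _azure_nsg_block(ip, priority, hours):
    return {"rule": f"deny-{ip.replace('.', '-').replace(':', '-')}",
            "priority": priority or 100, "expires_hours": hours}

def _aws_sg_block(ip, priority, hours):
    return {"rule": f"sg-deny-{ip}", "expires_hours": hours}  # priority is NSG-only, ignored

def _defender_indicator_block(ip, priority, hours):
    return {"indicator": ip, "action": "Block", "expires_hours": hours}

_FIREWALL_HANDLERS = {"azure_nsg": _azure_nsg_block, "aws_sg": _aws_sg_block,
                      "defender": _defender_indicator_block}

def block_ip(ip, firewall_type="defender", reason="", priority=None, duration_hours=24, actor="analyst"):
    """Validate, route on firewall_type, and always leave an audit record (success or failed)."""
    try:
        parsed = ipaddress.ip_address(ip)
    except ValueError:
        return _record("block_ip", ip, "failed", actor, reason, {"error": "invalid IP address"})
    if not parsed.is_global:  # added safeguard: never push RFC1918/loopback into a perimeter deny
        return _record("block_ip", ip, "failed", actor, reason, {"error": "not a public address"})
    handler = _FIREWALL_HANDLERS.get(firewall_type)
    if handler is None:
        return _record("block_ip", ip, "failed", actor, reason,
                       {"error": f"unknown firewall_type {firewall_type!r}"})
    result = handler(str(parsed), priority, duration_hours)
    return _record("block_ip", ip, "success", actor, reason, {"firewall": firewall_type, **result})

def get_recent_actions(limit=50):
    # Newest first, as the Recent Actions table expects.
    return sorted(_action_audit_log, key=lambda e: e["timestamp"], reverse=True)[:limit]

def metrics_24h(now=None):
    # The four Response Metrics (24h) stat cards, counting only successful actions per type.
    now = now or datetime.now(timezone.utc)
    window = [e for e in _action_audit_log if now - e["timestamp"] <= timedelta(hours=24)]
    count = lambda a: sum(1 for e in window if e["action"] == a and e["status"] == "success")
    return {"total": len(window), "endpoints_isolated": count("isolate_endpoint"),
            "ips_blocked": count("block_ip"), "users_disabled": count("disable_user")}
```

A failed validation is still written to the log, so an analyst typing a private address or an unsupported firewall_type shows up as a red Status badge rather than vanishing silently.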
Health Check Response
The GET /api/v1/mdr/status endpoint returns overall health status based on MDE and Graph API connectivity:
- "healthy" — Both MDE and Graph API connected
- "degraded" — Credentials configured but one or both services have connectivity issues
- "not_configured" — Defender credentials not set
Routing
| Layer | Path |
|---|---|
| /mdr | Frontend MDR actions page (Next.js App Router) |
| /api/v1/mdr | API prefix (FastAPI router) |
Prerequisites
- Microsoft Defender for Endpoint — Azure AD app registration with MDE API permissions for endpoint isolation
- Microsoft Graph API — Permissions for user management (User.ReadWrite.All) and mail actions (Mail.ReadWrite)
- Azure NSG — Azure subscription credentials for NSG rule management (IP blocking)
- AWS Security Groups — AWS IAM credentials for SG rule management (optional)
- API Client — src/lib/api-client.ts for authenticated frontend requests
UI Layout
MDR Actions Page (/mdr)
The page uses a two-column layout: main content area (flex-1) and a sticky service health sidebar (w-72).
- Header — Shield icon, "MDR Response Actions" title, description text, and a Refresh button that reloads all data.
- Quick Actions Panel — 2x2 grid of action cards:
- Isolate Endpoint (red accent) — Hostname, reason, isolation type fields
- Block IP (orange accent) — IP address, firewall type, reason fields
- Disable User (yellow accent) — UPN, reason fields
- Quarantine Email (blue accent) — Message ID, user, action type fields
- Recent Actions Log — Table with columns: Time, Action, Target (monospace), Reason, Status (green/red/amber badge), Actor. Data from GET /api/v1/mdr/actions.
- Response Metrics (24h) — 4-column stat cards: Total Actions, Endpoints Isolated, IPs Blocked, Users Disabled.
- Service Health Sidebar — Sticky panel showing Microsoft Defender and Graph API connection status with latency, green/red indicator dots, and last-checked timestamp.