Identify Contained Endpoints
Query
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "Dword"
| where RegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| where RegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceNameAbout this query
Identify contained endpoints
Description
The following query will return endpoints which have been contained by looking into relevant registry modifications.
Microsoft Defender XDR
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 24/02/2024 | Initial publish |
Explanation
This query looks for endpoints that have been contained by checking specific registry modifications related to Microsoft Defender XDR. It filters for registry events where a certain key, value, and data match specific criteria, and then projects the timestamp, device ID, and device name of the affected endpoints.
Details

Michalis Michalos
Released: February 24, 2024
Tables
DeviceRegistryEvents
Keywords
DeviceRegistryEventsActionTypeRegistryValueSetRegistryKeyRegistryValueTypeDwordRegistryValueNameDisableEnterpriseAuthProxyValueToRestoreAfterIsolationRegistryValueDataPreviousRegistryValueNameTimestampDeviceIdDeviceName
Operators
whereis==@""project