Identify Endpoints Removed From Containment
Query
DeviceRegistryEvents
| where ActionType == "RegistryValueDeleted"
| where PreviousRegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "None"
| where PreviousRegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceNameAbout this query
Identify endpoints removed from containment
Description
The following query will return endpoints which have been removed from containment by looking into relevant registry modifications.
Microsoft Defender XDR
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 24/02/2024 | Initial publish |
Explanation
This query looks for endpoints that have been removed from containment by checking registry modifications related to Microsoft Defender XDR. It specifically looks for registry value deletions in a certain key with specific values and then projects the timestamp, device ID, and device name of the affected endpoints.
Details

Michalis Michalos
Released: February 24, 2024
Tables
DeviceRegistryEvents
Keywords
DeviceRegistryEventsActionTypePreviousRegistryKeyRegistryValueTypePreviousRegistryValueDataPreviousRegistryValueNameTimestampDeviceIdDeviceName
Operators
where|==@""project