Identify Isolated Endpoints
Query
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "Dword"
| where RegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| where RegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceNameAbout this query
Identify isolated endpoints
Description
The following query will return endpoints which have been isolated by looking into relevant registry modifications.
Microsoft Defender XDR
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 24/02/2024 | Initial publish |
| 1.1 | 29/02/2024 | Change contain to isolate, thanks to Alex Verboon |
Explanation
This query looks for endpoints that have been isolated by checking specific registry modifications related to Microsoft Defender XDR. It filters for registry events where a certain registry key has been set to a specific value, and then projects the timestamp, device ID, and device name of those endpoints.
Details

Michalis Michalos
Released: February 29, 2024
Tables
DeviceRegistryEvents
Keywords
DeviceRegistryEventsActionTypeRegistryValueSetRegistryKeyRegistryValueTypeDwordRegistryValueNameDisableEnterpriseAuthProxyValueToRestoreAfterIsolationRegistryValueDataPreviousRegistryValueNameTimestampDeviceIdDeviceName
Operators
whereis==@""project