Query Details

Identify Isolated Endpoints

Query

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "Dword"
| where RegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| where RegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceName

About this query

Identify isolated endpoints

Description

The following query will return endpoints which have been isolated by looking into relevant registry modifications.

Microsoft Defender XDR

Versioning

VersionDateComments
1.024/02/2024Initial publish
1.129/02/2024Change contain to isolate, thanks to Alex Verboon

Explanation

This query looks for endpoints that have been isolated by checking specific registry modifications related to Microsoft Defender XDR. It filters for registry events where a certain registry key has been set to a specific value, and then projects the timestamp, device ID, and device name of those endpoints.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: February 29, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEventsActionTypeRegistryValueSetRegistryKeyRegistryValueTypeDwordRegistryValueNameDisableEnterpriseAuthProxyValueToRestoreAfterIsolationRegistryValueDataPreviousRegistryValueNameTimestampDeviceIdDeviceName

Operators

whereis==@""project

Actions

GitHub