Query Details

List Device Isolations

Device Isolation

Query

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "IsolateDevice"
| extend IsolatedDevice = tostring(parse_json(RawEventData).DeviceName), IsolationComment = tostring(parse_json(RawEventData).ActionComment), IsolationScope = tostring(parse_json(RawEventData).ActionScope)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId
|project-reorder Timestamp, IsolatedDevice, IsolationComment, IsolationScope, InitiatedByAccountName, InitiatedByAccounttId

About this query

List Device Isolations

Query Information

Description

This query lists all the device isolation activities that have been performed by Defender For Endpoint. It is good practice to review those once every x period. The query extracts multiple events from the isolation action, ssuch as which device is isolated, what isolation comment has been used and the type of isolation that has been executed.

References

Defender XDR

Sentinel

CloudAppEvents
| where TimeGenerated > ago(30d)
| where ActionType == "IsolateDevice"
| extend IsolatedDevice = tostring(parse_json(RawEventData).DeviceName), IsolationComment = tostring(parse_json(RawEventData).ActionComment), IsolationScope = tostring(parse_json(RawEventData).ActionScope)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId
|project-reorder TimeGenerated, IsolatedDevice, IsolationComment, IsolationScope, InitiatedByAccountName, InitiatedByAccounttId

Explanation

This query is designed to list all device isolation activities performed by Microsoft Defender for Endpoint over the past 30 days. It retrieves events where devices were isolated, extracting details such as the device name, any comments made during the isolation, and the scope of the isolation. Additionally, it identifies who initiated the isolation by displaying the account name and ID. The query is useful for regularly reviewing device isolation actions to ensure they are appropriate and necessary. The query is written for two different systems, Defender XDR and Sentinel, with slight variations in the timestamp field used (Timestamp for Defender XDR and TimeGenerated for Sentinel).

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsTimestampActionTypeIsolatedDeviceIsolationCommentIsolationScopeInitiatedByAccountNameInitiatedByAccounttIdRawEventDataDeviceNameActionCommentActionScopeAccountDisplayNameAccountIdTimeGenerated

Operators

whereextendtostringparse_jsonproject-renameproject-reorderago==

Actions

GitHub