Query Details

MDE Device Registry Events Tampering To Device Tag

Query

//Modifications to this registry key could move a device into a different MDE Device Group
DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection\\DeviceTagging"
| where RegistryValueName == "Group"
| where InitiatingProcessAccountDomain <> "nt authority" and InitiatingProcessAccountName <> "system"

Explanation

This query is designed to identify changes made to a specific registry key on devices within the last 90 days. The registry key in question is related to Microsoft Defender for Endpoint (MDE) and is used for device tagging, which can affect the device's group assignment within MDE.

Here's a breakdown of what the query does:

  1. Time Frame: It looks at events from the last 90 days.
  2. Registry Key: It focuses on modifications to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging.
  3. Registry Value: It specifically checks changes to the "Group" value within that key.
  4. Exclusions: It drops events where the initiating account's domain is "nt authority" or the account name is "system", which covers the built-in system-level accounts. What remains are changes made by user accounts or other non-system processes.

In simple terms, the query is searching for user-initiated changes to a specific registry setting that could alter which group a device belongs to in Microsoft Defender for Endpoint, excluding changes made by system processes.
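A triage-oriented extension of the query, added here as an example rather than taken from the original page: it keeps the same condition but makes the string comparisons case-insensitive, surfaces the previous and new tag values and the process that wrote them, and then groups the changes per device and account so repeated re-tagging stands out. It assumes the Microsoft Sentinel copy of the table (TimeGenerated column), as the original query does.

```kql
// Added triage variant, not the original query. Same registry key and value,
// but with case-insensitive comparisons (=~ / !~) so variants such as
// "NT AUTHORITY\SYSTEM" are also excluded, and with before/after context.
let TagKey = @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging";
DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where RegistryKey =~ TagKey            // verbatim string: no double backslashes needed
| where RegistryValueName =~ "Group"
// Same exclusion as the original, made case-insensitive
| where InitiatingProcessAccountDomain !~ "nt authority"
    and InitiatingProcessAccountName !~ "system"
// What the tag was, what it became, and who wrote it
| project TimeGenerated, DeviceName, ActionType,
          PreviousTag = PreviousRegistryValueData,
          NewTag = RegistryValueData,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
// One row per device/account pair; many changes or many distinct tags is the signal to look at first
| summarize Changes = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            TagsWritten = make_set(NewTag),
            WritingProcesses = make_set(InitiatingProcessFileName)
    by DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
| order by Changes desc
```

Remove the summarize stage to get the raw per-event rows with the full command line for a single device.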

Details


Jay Kerai

Released: July 3, 2025

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents, TimeGenerated, RegistryKey, RegistryValueName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

Operators

ago(), >, ==, <>, and
