KQL Search

Query Details

MDE Device Isolationstate

Query

# MDE - Device - Isolation Status

## Query Information


### Description

DESCRIPTION


#### References



### Microsoft 365 Defender




```kql
DeviceInfo
| extend MitigationStatusObject = parse_json(MitigationStatus)
| extend IsolationStatus = MitigationStatusObject.Isolated
| where IsolationStatus == "true"
```

Explanation

This query checks the isolation status of devices in Microsoft 365 Defender. It looks at the MitigationStatus of each device and filters for devices that are currently isolated.

Details

Alex Verboon

Released: June 24, 2024

Tables

DeviceInfo

Keywords

DeviceInfo,MitigationStatusObject,IsolationStatus

Operators

extendparse_jsonwhere

KQL Search

MDE Device Isolationstate

Query

Explanation

Details

Actions