Query Details

Identify Contained Endpoints

Query

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "Dword"
| where RegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| where RegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceName

About this query

Identify contained endpoints

Description

The following query will return endpoints which have been contained by looking into relevant registry modifications.

Microsoft Defender XDR

Versioning

VersionDateComments
1.024/02/2024Initial publish

Explanation

This query looks for endpoints that have been contained by checking specific registry modifications related to Microsoft Defender XDR. It filters for registry events where a certain key, value, and data match specific criteria, and then projects the timestamp, device ID, and device name of the affected endpoints.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: February 24, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEventsActionTypeRegistryValueSetRegistryKeyRegistryValueTypeDwordRegistryValueNameDisableEnterpriseAuthProxyValueToRestoreAfterIsolationRegistryValueDataPreviousRegistryValueNameTimestampDeviceIdDeviceName

Operators

whereis==@""project

Actions

GitHub