Query Details

Identify Contained Endpoints

Query

# Identify contained endpoints

## Description

The following query returns endpoints that have been contained (isolated) by looking for the relevant registry modification on the device.

### Microsoft Defender XDR
```kusto
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "Dword"
| where RegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| where RegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceName
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 24/02/2024    | Initial publish                        |

Explanation

This query looks for endpoints that have been contained by checking a specific registry modification related to Microsoft Defender XDR. It filters DeviceRegistryEvents for value-set events where the registry key, value name, value type, value data and previous value name all match the isolation marker, and then projects the timestamp, device ID and device name of the affected endpoints.
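The same matching logic, as an added Python example that is not part of the original query page: it applies each `where` clause of the query above to constructed rows shaped like the Advanced Hunting DeviceRegistryEvents table, so the filter can be checked offline against positive and negative cases. Field names mirror the schema used in the query; the sample rows, device IDs and names are constructed.

```python
"""Added example (not from the original page): the Defender XDR hunting
query re-implemented as a Python filter over constructed records."""

ISOLATION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
ISOLATION_VALUE = "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"


def is_containment_event(event: dict) -> bool:
    """Apply the same predicates as the KQL `where` clauses."""
    return (
        event.get("ActionType") == "RegistryValueSet"
        and event.get("RegistryKey") == ISOLATION_KEY
        and event.get("RegistryValueType") == "Dword"
        and event.get("RegistryValueName") == ISOLATION_VALUE
        and event.get("RegistryValueData") == "1"
        and event.get("PreviousRegistryValueName") == ISOLATION_VALUE
    )


def contained_endpoints(events):
    """Equivalent of `| project Timestamp, DeviceId, DeviceName`."""
    return [
        (e["Timestamp"], e["DeviceId"], e["DeviceName"])
        for e in events
        if is_containment_event(e)
    ]


def make_event(device_id, device_name, **overrides):
    """Build a constructed row shaped like DeviceRegistryEvents; defaults match the query."""
    row = {
        "Timestamp": "2024-02-24T10:15:00Z", "DeviceId": device_id, "DeviceName": device_name,
        "ActionType": "RegistryValueSet", "RegistryKey": ISOLATION_KEY,
        "RegistryValueType": "Dword", "RegistryValueName": ISOLATION_VALUE,
        "RegistryValueData": "1", "PreviousRegistryValueName": ISOLATION_VALUE,
    }
    row.update(overrides)
    return row


# Constructed sample telemetry (not real data): one match, four near misses.
SAMPLE_EVENTS = [
    make_event("dev-0001", "ws-finance-07"),                                    # all clauses match
    make_event("dev-0002", "ws-hr-03", RegistryValueData="0"),                  # data is not "1"
    make_event("dev-0003", "srv-build-01", ActionType="RegistryValueDeleted"),  # not a value set
    make_event("dev-0004", "ws-it-12", PreviousRegistryValueName=""),           # no previous value
    make_event("dev-0005", "ws-sales-09", RegistryKey=ISOLATION_KEY + r"\Status"),  # other key
]

if __name__ == "__main__":
    for timestamp, device_id, device_name in contained_endpoints(SAMPLE_EVENTS):
        print(timestamp, device_id, device_name)
```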

Details

Michalis Michalos

Released: February 24, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents,ActionType,RegistryValueSet,RegistryKey,RegistryValueType,Dword,RegistryValueName,DisableEnterpriseAuthProxyValueToRestoreAfterIsolation,RegistryValueData,PreviousRegistryValueName,Timestamp,DeviceId,DeviceName

Operators

where, ==, @"", project