Query Details

Identify Endpoints Removed From Containment

Query

# Identify endpoints removed from containment

## Description

The following query returns endpoints that have been released from containment (device isolation) by looking for the deletion of the registry value that Microsoft Defender for Endpoint keeps under its `Windows Advanced Threat Protection` key while a device is isolated. When the value is deleted, the device is no longer contained.

### Microsoft Defender XDR
```
DeviceRegistryEvents
// Only value deletions; for these events the Previous* columns carry the removed value
| where ActionType == "RegistryValueDeleted"
| where PreviousRegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
// Deletion events report no value type
| where RegistryValueType == "None"
| where PreviousRegistryValueData == "1"
// Marker value written during isolation and removed on release
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceName
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 24/02/2024    | Initial publish                        |

Explanation

This query looks for endpoints that have been removed from containment by checking deletions in the Microsoft Defender for Endpoint registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection`. It matches only `RegistryValueDeleted` events whose previous value name is `DisableEnterpriseAuthProxyValueToRestoreAfterIsolation` with previous data `1`, then projects the timestamp, device ID, and device name of the affected endpoints. Note that KQL string `==` is case-sensitive; if the key path casing in your telemetry varies, replace that comparison with `=~` so the rows are not missed.
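To show what the five `where` clauses actually keep and drop, here is an added example (not part of the original page or the author's query) that replays the same filter in Python over a handful of constructed rows shaped like a `DeviceRegistryEvents` export. Device IDs, hostnames and timestamps are made up. The example also goes one step beyond the page: it pairs each creation of the marker value (assumed, not stated on the page, to coincide with the device entering isolation) with its later deletion, giving a per-device containment window.

```python
"""Replay of the 'removed from containment' filter over constructed
DeviceRegistryEvents rows. Added example; not the page's own query."""
from datetime import datetime

ATP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
MARKER = "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"

# Constructed sample rows (hypothetical devices); deliberately out of time order.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-02-24T10:30:00Z", "DeviceId": "d1", "DeviceName": "ws01",
     "ActionType": "RegistryValueDeleted", "RegistryValueType": "None",
     "PreviousRegistryKey": ATP_KEY, "PreviousRegistryValueName": MARKER,
     "PreviousRegistryValueData": "1"},
    {"Timestamp": "2024-02-24T08:00:00Z", "DeviceId": "d1", "DeviceName": "ws01",
     "ActionType": "RegistryValueSet", "RegistryValueType": "Dword",
     "RegistryKey": ATP_KEY, "RegistryValueName": MARKER, "RegistryValueData": "1"},
    # Same key, but a different value was removed: not a release.
    {"Timestamp": "2024-02-24T09:00:00Z", "DeviceId": "d2", "DeviceName": "ws02",
     "ActionType": "RegistryValueDeleted", "RegistryValueType": "None",
     "PreviousRegistryKey": ATP_KEY, "PreviousRegistryValueName": "SomeOtherValue",
     "PreviousRegistryValueData": "1"},
    # Key path with different casing: a case-sensitive `==` in KQL would not match it.
    {"Timestamp": "2024-02-24T11:00:00Z", "DeviceId": "d3", "DeviceName": "ws03",
     "ActionType": "RegistryValueDeleted", "RegistryValueType": "None",
     "PreviousRegistryKey": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Advanced Threat Protection",
     "PreviousRegistryValueName": MARKER, "PreviousRegistryValueData": "1"},
    # Marker written but never removed: device is still contained.
    {"Timestamp": "2024-02-24T12:00:00Z", "DeviceId": "d4", "DeviceName": "ws04",
     "ActionType": "RegistryValueSet", "RegistryValueType": "Dword",
     "RegistryKey": ATP_KEY, "RegistryValueName": MARKER, "RegistryValueData": "1"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_containment_release(ev: dict) -> bool:
    """Mirror of the page's five `where` clauses. The key path is compared
    case-insensitively (KQL `=~`), which is slightly broader than the page's `==`."""
    return (
        ev.get("ActionType") == "RegistryValueDeleted"
        and ev.get("PreviousRegistryKey", "").lower() == ATP_KEY.lower()
        and ev.get("RegistryValueType") == "None"
        and ev.get("PreviousRegistryValueData") == "1"
        and ev.get("PreviousRegistryValueName") == MARKER
    )


def find_releases(events: list) -> list:
    """Equivalent of `| project Timestamp, DeviceId, DeviceName`, oldest first."""
    hits = sorted((e for e in events if is_containment_release(e)),
                  key=lambda e: _ts(e["Timestamp"]))
    return [(e["Timestamp"], e["DeviceId"], e["DeviceName"]) for e in hits]


def _is_marker_set(ev: dict) -> bool:
    # Assumption: the RegistryValueSet that writes the marker is the start of isolation.
    return (ev.get("ActionType") == "RegistryValueSet"
            and ev.get("RegistryKey", "").lower() == ATP_KEY.lower()
            and ev.get("RegistryValueName") == MARKER)


def containment_windows(events: list) -> dict:
    """Per device: list of {"start", "end", "seconds"}; an open window has end None,
    a release with no observed start has start None."""
    windows, open_start = {}, {}
    for ev in sorted(events, key=lambda e: _ts(e["Timestamp"])):
        dev = ev["DeviceId"]
        if _is_marker_set(ev):
            open_start[dev] = ev["Timestamp"]
        elif is_containment_release(ev):
            start = open_start.pop(dev, None)
            secs = (_ts(ev["Timestamp"]) - _ts(start)).total_seconds() if start else None
            windows.setdefault(dev, []).append(
                {"start": start, "end": ev["Timestamp"], "seconds": secs})
    for dev, start in open_start.items():
        windows.setdefault(dev, []).append({"start": start, "end": None, "seconds": None})
    return windows


if __name__ == "__main__":
    for row in find_releases(SAMPLE_EVENTS):
        print("released:", row)
    for dev, wins in containment_windows(SAMPLE_EVENTS).items():
        print(dev, wins)
```

Running it lists `ws01` and `ws03` as released (the `ws02` row is dropped because a different value was deleted, and `ws04` has no deletion at all), and reports `ws01` as contained for 2.5 hours and `ws04` as still contained. To get the same behaviour from the page's KQL when key casing varies, use `=~` for the `PreviousRegistryKey` comparison.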

Details

Michalis Michalos

Released: February 24, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents,ActionType,PreviousRegistryKey,RegistryValueType,PreviousRegistryValueData,PreviousRegistryValueName,Timestamp,DeviceId,DeviceName

Operators

where, ==, @"", project
