Query Details

Identify Endpoints Removed From Containment

Query

DeviceRegistryEvents
| where ActionType == "RegistryValueDeleted"
| where PreviousRegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "None"
| where PreviousRegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceName

About this query

Identify endpoints removed from containment

Description

The following query will return endpoints which have been removed from containment by looking into relevant registry modifications.

Microsoft Defender XDR

Versioning

VersionDateComments
1.024/02/2024Initial publish

Explanation

This query looks for endpoints that have been removed from containment by checking registry modifications related to Microsoft Defender XDR. It specifically looks for registry value deletions in a certain key with specific values and then projects the timestamp, device ID, and device name of the affected endpoints.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: February 24, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEventsActionTypePreviousRegistryKeyRegistryValueTypePreviousRegistryValueDataPreviousRegistryValueNameTimestampDeviceIdDeviceName

Operators

where|==@""project

Actions

GitHub