Query Details

Identify Endpoints Removed From Isolation

Query

# Identify endpoints removed from isolation

## Description

The following query returns endpoints that have been removed from isolation by looking for the relevant registry modification.

### Microsoft Defender XDR
```
DeviceRegistryEvents
| where ActionType == "RegistryValueDeleted"
| where PreviousRegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "None"
| where PreviousRegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceName
```

### Versioning
| Version | Date       | Comments                                          |
|---------|------------|---------------------------------------------------|
| 1.0     | 24/02/2024 | Initial publish                                   |
| 1.1     | 29/02/2024 | Change contain to isolate, thanks to Alex Verboon |

Explanation

This query looks for endpoints that have been removed from isolation by checking registry modifications related to Microsoft Defender XDR. It specifically looks for registry values that have been deleted in a certain key and with specific data. The results include the timestamp, device ID, and device name of the endpoints.
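The same five conditions replayed over constructed DeviceRegistryEvents rows, as an added example that is not part of the original query: it reports each release and, going a step further than the page, pairs it with the preceding write of the same value to give an isolation duration. The isolation-start event (ActionType "RegistryValueSet" on the same key and value name) is an assumption; the page only shows the deletion side.

```python
from datetime import datetime

ISOLATION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
ISOLATION_VALUE = "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"

# Constructed rows using the DeviceRegistryEvents columns the query relies on. The first
# row is the assumed isolation-start write (not on the page); the rest are deletions.
EVENTS = [
    {"Timestamp": "2024-02-29T08:00:00", "DeviceId": "dev-a", "DeviceName": "ws01",
     "ActionType": "RegistryValueSet", "RegistryKey": ISOLATION_KEY,
     "RegistryValueName": ISOLATION_VALUE},
    # Release event exactly as the page's query matches it.
    {"Timestamp": "2024-02-29T10:30:00", "DeviceId": "dev-a", "DeviceName": "ws01",
     "ActionType": "RegistryValueDeleted", "PreviousRegistryKey": ISOLATION_KEY, "RegistryValueType": "None",
     "PreviousRegistryValueName": ISOLATION_VALUE, "PreviousRegistryValueData": "1"},
    # Another value deleted under the same key: must not match.
    {"Timestamp": "2024-02-29T11:00:00", "DeviceId": "dev-b", "DeviceName": "ws02",
     "ActionType": "RegistryValueDeleted", "PreviousRegistryKey": ISOLATION_KEY, "RegistryValueType": "None",
     "PreviousRegistryValueName": "OnboardingState", "PreviousRegistryValueData": "1"},
    # Release with no isolation write seen in the window: still reported, duration unknown.
    {"Timestamp": "2024-02-29T12:00:00", "DeviceId": "dev-c", "DeviceName": "ws03",
     "ActionType": "RegistryValueDeleted", "PreviousRegistryKey": ISOLATION_KEY, "RegistryValueType": "None",
     "PreviousRegistryValueName": ISOLATION_VALUE, "PreviousRegistryValueData": "1"},
]

def is_release(e):
    # Same five conditions as the KQL; KQL == is case-sensitive, so these are exact matches.
    return (e.get("ActionType") == "RegistryValueDeleted"
            and e.get("PreviousRegistryKey") == ISOLATION_KEY
            and e.get("RegistryValueType") == "None"
            and e.get("PreviousRegistryValueData") == "1"
            and e.get("PreviousRegistryValueName") == ISOLATION_VALUE)

def is_isolation(e):
    # Assumed counterpart event (not on the page): the same value being written.
    return (e.get("ActionType") == "RegistryValueSet"
            and e.get("RegistryKey") == ISOLATION_KEY
            and e.get("RegistryValueName") == ISOLATION_VALUE)

def releases_with_duration(events):
    """Return [(DeviceName, release Timestamp, minutes isolated or None)] in time order."""
    last_isolation, out = {}, []
    for e in sorted(events, key=lambda x: x["Timestamp"]):
        ts = datetime.fromisoformat(e["Timestamp"])
        if is_isolation(e):
            last_isolation[e["DeviceId"]] = ts
        elif is_release(e):
            start = last_isolation.pop(e["DeviceId"], None)
            minutes = (ts - start).total_seconds() / 60 if start else None
            out.append((e["DeviceName"], e["Timestamp"], minutes))
    return out
```

A release with no matching start (ws03 above) is worth a second look, since it means the isolation write happened outside the queried window or was not recorded.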

Details


Michalis Michalos

Released: February 29, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents,ActionType,PreviousRegistryKey,RegistryValueType,PreviousRegistryValueData,PreviousRegistryValueName,Timestamp,DeviceId,DeviceName

Operators

where, ==, @"", project
