Identify Endpoints Where Mitigationstatus Is Isolated
Query
let Timeframe = 4h; // Choose the best timeframe for your investigation
DeviceInfo
| where Timestamp > ago(Timeframe)
| summarize arg_max(Timestamp, *) by DeviceId //only look at the most recent entry
| extend DeviceUser = parse_json(LoggedOnUsers)
| mv-expand DeviceUser
| extend LoggedOnUsername = tostring(DeviceUser.UserName)
| extend LoggedOnDomainName = tostring(DeviceUser.DomainName)
| extend MitigationStatusObject = parse_json(MitigationStatus)
| mv-expand MitigationStatusObject
| extend IsolationStatus = tostring(MitigationStatusObject.Isolated)
| where IsolationStatus == "true"
| project Timestamp, DeviceId, DeviceName, OSPlatform, LoggedOnUsername, LoggedOnDomainName, IsolationStatusAbout this query
Identify endpoints where MitigationStatus is Isolated
Description
The following query will leverage the DeviceInfo table and identify endpoints where MitigationStatus Isolation equals true. It will also the logged on UserName and Domain.
Microsoft Defender XDR
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 27/04/2024 | Initial publish |
| 1.1 | 01/05/2024 | Only show Devices where the most recent entry of the Table hast the isolated status |
Explanation
This query is designed to identify devices (endpoints) that are currently isolated based on their mitigation status. Here's a simple breakdown of what the query does:
-
Timeframe Selection: It looks at data from the last 4 hours, but this can be adjusted to fit the needs of the investigation.
-
Data Source: The query uses the
DeviceInfotable, which contains information about devices. -
Filtering Recent Entries: It selects only the most recent entry for each device by using the
arg_maxfunction, which helps in focusing on the latest status of each device. -
User Information: It extracts and expands the logged-on user information, specifically the username and domain name.
-
Mitigation Status: It parses the mitigation status to check if the device is isolated. It does this by expanding the
MitigationStatusfield and checking if theIsolatedstatus is true. -
Result Projection: Finally, it displays a list of devices with their timestamp, device ID, device name, operating system platform, logged-on username, domain name, and isolation status.
In summary, this query helps security teams quickly identify and review devices that are currently isolated, along with relevant user and device information, to aid in further investigation or response actions.
Details

Michalis Michalos
Released: May 2, 2024
Tables
Keywords
Operators