Query Details

Identify Endpoints Where MitigationStatus Is Isolated

Query

# Identify endpoints where MitigationStatus is Isolated

## Description

The following query leverages the DeviceInfo table and identifies endpoints where the MitigationStatus property Isolated equals true. It also returns the logged-on user name and domain for each of those endpoints.

### Microsoft Defender XDR
```
let Timeframe = 1h; // Choose the best timeframe for your investigation
DeviceInfo
| where TimeGenerated > ago(Timeframe)
| extend DeviceUser = parse_json(LoggedOnUsers)
| mv-expand DeviceUser
| extend LoggedOnUsername = tostring(DeviceUser.UserName)
| extend LoggedOnDomainName = tostring(DeviceUser.DomainName)
| extend MitigationStatusObject = parse_json(MitigationStatus)
| mv-expand MitigationStatusObject
| extend IsolationStatus = MitigationStatusObject.Isolated
// Compare as a string so the filter matches whether Isolated is stored as a boolean or as the text "true"
| where tostring(IsolationStatus) =~ "true"
// distinct takes column names only, so the constant column is added with extend first
| extend Isolation = "Yes"
| distinct DeviceId, DeviceName, OSPlatform, LoggedOnUsername, LoggedOnDomainName, Isolation
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 27/04/2024    | Initial publish                        |

Explanation

This query looks for endpoints in the DeviceInfo table where the MitigationStatus is set to Isolated. It retrieves information such as DeviceId, DeviceName, OSPlatform, LoggedOnUsername, LoggedOnDomainName, and sets Isolation to "Yes" for those endpoints.
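DeviceInfo reports the same device many times within a window, so the query above can list a device that was isolated early in the timeframe and released later. The variant below is an added example (not the author's or the catalog's own query) that keeps only the latest DeviceInfo record per device before checking the isolation state, and collapses the logged-on users into one row per device. It assumes the same DeviceInfo columns the page uses (TimeGenerated, MitigationStatus, LoggedOnUsers); in the Defender portal the time column is named Timestamp instead of TimeGenerated.

```kusto
let Timeframe = 7d; // Wider window is safe because only the latest record per device is kept
DeviceInfo
| where TimeGenerated > ago(Timeframe)
// Latest report per device, so devices released from isolation within the window are not listed
| summarize arg_max(TimeGenerated, *) by DeviceId
| extend MitigationStatusObject = parse_json(MitigationStatus)
| mv-expand MitigationStatusObject
// String comparison tolerates Isolated being a boolean or the text "true"
| where tostring(MitigationStatusObject.Isolated) =~ "true"
// Expand users only after the isolation filter, so the filter is evaluated once per device
| mv-expand DeviceUser = parse_json(LoggedOnUsers)
| extend LoggedOnUser = strcat(tostring(DeviceUser.DomainName), @"\", tostring(DeviceUser.UserName))
| summarize LoggedOnUsers = make_set(LoggedOnUser), LastReported = max(TimeGenerated)
    by DeviceId, DeviceName, OSPlatform
| project-reorder DeviceName, DeviceId, OSPlatform, LastReported, LoggedOnUsers
```

The LastReported column is useful as a sanity check: a device whose last DeviceInfo record is old may have been isolated and then gone offline, which is worth confirming against the device page before treating the list as the current set of isolated hosts.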

Details


Michalis Michalos

Released: April 27, 2024

Tables

DeviceInfo

Keywords

DeviceInfo,MitigationStatus,Isolation,LoggedOnUsers,UserName,DomainName,TimeGenerated,DeviceId,DeviceName,OSPlatform,IsolationStatus

Operators

where, extend, mv-expand, parse_json, distinct
