Query Details

Identify Endpoints Where Mitigationstatus Is Isolated

Query

let Timeframe = 4h; // Choose the best timeframe for your investigation
DeviceInfo
| where Timestamp > ago(Timeframe)
| summarize arg_max(Timestamp, *) by DeviceId //only look at the most recent entry
| extend DeviceUser = parse_json(LoggedOnUsers)
| mv-expand DeviceUser
| extend LoggedOnUsername = tostring(DeviceUser.UserName)
| extend LoggedOnDomainName = tostring(DeviceUser.DomainName)
| extend MitigationStatusObject = parse_json(MitigationStatus)
| mv-expand MitigationStatusObject
| extend IsolationStatus = tostring(MitigationStatusObject.Isolated)
| where IsolationStatus == "true"
| project Timestamp, DeviceId, DeviceName, OSPlatform, LoggedOnUsername, LoggedOnDomainName, IsolationStatus

About this query

Identify endpoints where MitigationStatus is Isolated

Description

The following query will leverage the DeviceInfo table and identify endpoints where MitigationStatus Isolation equals true. It will also the logged on UserName and Domain.

Microsoft Defender XDR

Versioning

VersionDateComments
1.027/04/2024Initial publish
1.101/05/2024Only show Devices where the most recent entry of the Table hast the isolated status

Explanation

This query is designed to identify devices (endpoints) that are currently isolated based on their mitigation status. Here's a simple breakdown of what the query does:

  1. Timeframe Selection: It looks at data from the last 4 hours, but this can be adjusted to fit the needs of the investigation.

  2. Data Source: The query uses the DeviceInfo table, which contains information about devices.

  3. Filtering Recent Entries: It selects only the most recent entry for each device by using the arg_max function, which helps in focusing on the latest status of each device.

  4. User Information: It extracts and expands the logged-on user information, specifically the username and domain name.

  5. Mitigation Status: It parses the mitigation status to check if the device is isolated. It does this by expanding the MitigationStatus field and checking if the Isolated status is true.

  6. Result Projection: Finally, it displays a list of devices with their timestamp, device ID, device name, operating system platform, logged-on username, domain name, and isolation status.

In summary, this query helps security teams quickly identify and review devices that are currently isolated, along with relevant user and device information, to aid in further investigation or response actions.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: May 2, 2024

Tables

DeviceInfo

Keywords

DeviceInfoDevicesUserNameDomainMitigationStatusIsolationStatusTimestampDeviceIdDeviceNameOSPlatform

Operators

letagosummarizearg_maxbyextendparse_jsonmv-expandtostringwhereproject

Actions

GitHub