Query Details

Identify Isolated Endpoints

Query

# Identify isolated endpoints

## Description

The following query returns endpoints that have been isolated, by looking for the relevant registry modification recorded on the device.

### Microsoft Defender XDR
```kql
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "Dword"
| where RegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| where RegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceName
```

### Versioning
| Version | Date       | Comments                                          |
|---------|------------|---------------------------------------------------|
| 1.0     | 24/02/2024 | Initial publish                                   |
| 1.1     | 29/02/2024 | Change contain to isolate, thanks to Alex Verboon |

Explanation

This query looks for endpoints that have been isolated by checking a specific registry modification related to Microsoft Defender XDR: a RegistryValueSet event under the Windows Advanced Threat Protection key in which the DisableEnterpriseAuthProxyValueToRestoreAfterIsolation DWORD is set to 1. It then projects the timestamp, device ID, and device name of the matching endpoints.
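To exercise the query's filter offline, here is an added Python replay of its `where` and `project` clauses over constructed DeviceRegistryEvents-shaped records (example code, not part of the original query page; the device names and IDs are made up):

```python
from typing import Iterable

# Registry location the query keys on (values taken from the query above).
ATP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
ISOLATION_VALUE = "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"

def is_isolation_event(ev: dict) -> bool:
    """A record passes only if every `where` clause holds (exact, case-sensitive, like KQL ==).

    Note the PreviousRegistryValueName clause: a write that creates the value for the
    first time (no previous name) is not matched by the query.
    """
    return (
        ev.get("ActionType") == "RegistryValueSet"
        and ev.get("RegistryKey") == ATP_KEY
        and ev.get("RegistryValueType") == "Dword"
        and ev.get("RegistryValueName") == ISOLATION_VALUE
        and ev.get("RegistryValueData") == "1"
        and ev.get("PreviousRegistryValueName") == ISOLATION_VALUE
    )

def isolated_endpoints(events: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Equivalent of `| project Timestamp, DeviceId, DeviceName`."""
    return [(e["Timestamp"], e["DeviceId"], e["DeviceName"])
            for e in events if is_isolation_event(e)]

def _event(**overrides: str) -> dict:
    """Build a constructed DeviceRegistryEvents-shaped record (not real telemetry)."""
    base = {
        "Timestamp": "2024-02-29T10:15:00Z", "DeviceId": "dev-0001",
        "DeviceName": "WS-FINANCE-07", "ActionType": "RegistryValueSet",
        "RegistryKey": ATP_KEY, "RegistryValueType": "Dword",
        "RegistryValueName": ISOLATION_VALUE, "RegistryValueData": "1",
        "PreviousRegistryValueName": ISOLATION_VALUE,
    }
    return {**base, **overrides}

# Constructed sample: one true isolation plus near-misses that must not match.
SAMPLE_EVENTS = [
    _event(),
    _event(DeviceId="dev-0002", DeviceName="WS-HR-03", RegistryValueData="0"),
    _event(DeviceId="dev-0003", DeviceName="WS-DEV-11", ActionType="RegistryValueDeleted"),
    _event(DeviceId="dev-0004", DeviceName="WS-OPS-02", RegistryValueType="String"),
    _event(DeviceId="dev-0005", DeviceName="WS-LAB-09", PreviousRegistryValueName=""),
]

if __name__ == "__main__":
    for ts, dev_id, name in isolated_endpoints(SAMPLE_EVENTS):
        print(f"{ts}  {dev_id}  {name}")
```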

Details


Michalis Michalos

Released: February 29, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents,ActionType,RegistryValueSet,RegistryKey,RegistryValueType,Dword,RegistryValueName,DisableEnterpriseAuthProxyValueToRestoreAfterIsolation,RegistryValueData,PreviousRegistryValueName,Timestamp,DeviceId,DeviceName

Operators

where, ==, @"", project
