Forum Discussion
schroray1255
Jul 12, 2022Copper Contributor
Microsoft 365 Defender - How to find isolated endpoints using KQL, a Workbook, reporting
How to find devices in current isolation? Where are isolation actions logged?
- HeikeRitterMicrosoftSuch activities are logged in the "Action Center" with "Isolate device" and "Stop isolation". I did not find a report, that summarizes it - but I might be just not seeing it. Can you try to use ActionType from DeviceEvents in your KQL query?
- schrorayCopper ContributorIn KQL I was not able to find the respective events in DeviceEvents - as it is not listing ActionType with such a related naming to isolation...
In the Action center of the M365 Defender portal the actions have been recorded. It seems that these are platform events and are not available in any of the tables as such.
To find such events:
1) M365 Defender portal > Actions & submissions > Action center > History Tab > Filters: ActionType = Isolate device, Stop isolation
2) M365 Defender portal > Endpoints > API explorer. Run Query: GET | <mtp>/wdatpApi/machineactions?$filter=type eq 'Isolate'
(Sample query "Get all isolation actions by User"... remove "User" parameter)