Forum Discussion

schroray1255
Copper Contributor
Jul 12, 2022

Microsoft 365 Defender - How to find isolated endpoints using KQL, a Workbook, reporting

How to find devices in current isolation? Where are isolation actions logged?

  • Such activities are logged in the "Action Center" with "Isolate device" and "Stop isolation". I did not find a report that summarizes it, but I might just not be seeing it. Can you try to use ActionType from DeviceEvents in your KQL query?
    •
      schroray
      Copper Contributor
      In KQL I was not able to find the respective events in DeviceEvents, as it does not list an ActionType with a name related to isolation...

      In the Action center of the M365 Defender portal the actions have been recorded. It seems that these are platform events and are not available in any of the tables as such.

      To find such events:
      1) M365 Defender portal > Actions & submissions > Action center > History Tab > Filters: ActionType = Isolate device, Stop isolation

      2) M365 Defender portal > Endpoints > API explorer. Run Query: GET | <mtp>/wdatpApi/machineactions?$filter=type eq 'Isolate'
      (Use the sample query "Get all isolation actions by User" and remove the "User" parameter.)
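
Turning the API explorer query from the reply above into a reusable report, as an added example that is not from the thread or from Microsoft: it calls the public Defender for Endpoint machine-actions endpoint (https://api.securitycenter.microsoft.com/api/machineactions, the public counterpart of the wdatpApi/machineactions resource shown in the portal's API explorer) and then reduces the action history to the devices that are isolated right now by keeping, per device, only the most recent action that actually completed (status Succeeded) and checking whether it was an Isolate or an Unisolate. Pending, failed and cancelled actions do not change a device's state, so they are ignored, which is the edge case a plain "list all Isolate actions" query gets wrong. The network call lives in a function that is never run automatically; the records below are constructed sample data in the shape the API returns (the field names id, type, status, machineId, computerDnsName, scope and lastUpdateDateTimeUtc are the API's own; the values are made up). The bearer token and the Machine.Read* permission it needs are assumed to be provisioned separately.

```python
"""Report currently isolated devices from Defender for Endpoint machine actions.

Added example, not code from the forum thread or from Microsoft. Sample records
are constructed; only fetch_machine_actions() talks to the real API.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Public Defender for Endpoint API (not the portal-internal wdatpApi path).
API = "https://api.securitycenter.microsoft.com/api/machineactions"

# Constructed sample in the API's response shape. Timestamps are UTC, as the API returns them.
SAMPLE_ACTIONS = [
    # m1: isolated, then released -> not isolated
    {"id": "a1", "type": "Isolate", "status": "Succeeded", "scope": "Full",
     "machineId": "m1", "computerDnsName": "ws01.corp.example",
     "lastUpdateDateTimeUtc": "2022-07-10T08:00:00.1234567Z"},
    {"id": "a2", "type": "Unisolate", "status": "Succeeded", "scope": "Full",
     "machineId": "m1", "computerDnsName": "ws01.corp.example",
     "lastUpdateDateTimeUtc": "2022-07-11T09:30:00Z"},
    # m2: selective isolation still in place
    {"id": "a3", "type": "Isolate", "status": "Succeeded", "scope": "Selective",
     "machineId": "m2", "computerDnsName": "ws02.corp.example",
     "lastUpdateDateTimeUtc": "2022-07-11T10:00:00Z"},
    # m3: release attempt failed -> device is still isolated
    {"id": "a4", "type": "Isolate", "status": "Succeeded", "scope": "Full",
     "machineId": "m3", "computerDnsName": "srv01.corp.example",
     "lastUpdateDateTimeUtc": "2022-07-09T12:00:00Z"},
    {"id": "a5", "type": "Unisolate", "status": "Failed", "scope": "Full",
     "machineId": "m3", "computerDnsName": "srv01.corp.example",
     "lastUpdateDateTimeUtc": "2022-07-12T07:45:00Z"},
    # m4: isolation requested but not yet applied -> not counted as isolated
    {"id": "a6", "type": "Isolate", "status": "Pending", "scope": "Full",
     "machineId": "m4", "computerDnsName": "ws04.corp.example",
     "lastUpdateDateTimeUtc": "2022-07-12T09:15:00Z"},
    # unrelated action type, must be ignored
    {"id": "a7", "type": "RunAntiVirusScan", "status": "Succeeded",
     "machineId": "m2", "computerDnsName": "ws02.corp.example",
     "lastUpdateDateTimeUtc": "2022-07-12T09:20:00Z"},
]


def parse_utc(ts: str) -> datetime:
    """Parse API timestamps such as 2022-07-12T09:15:30.1234567Z.

    The API emits up to seven fractional digits, which datetime.fromisoformat
    does not accept on every Python version, so the fraction is truncated to
    microseconds by hand.
    """
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)


def currently_isolated(actions: list) -> dict:
    """Return {machineId: action} for devices whose latest completed
    Isolate/Unisolate action is an Isolate.

    Only status "Succeeded" changes a device's state; Pending/InProgress/Failed/
    TimeOut/Cancelled actions are skipped. Other action types are ignored.
    """
    latest = {}
    for a in actions:
        if a.get("type") not in ("Isolate", "Unisolate") or a.get("status") != "Succeeded":
            continue
        key = a["machineId"]
        if key not in latest or parse_utc(a["lastUpdateDateTimeUtc"]) > parse_utc(
            latest[key]["lastUpdateDateTimeUtc"]
        ):
            latest[key] = a
    return {m: a for m, a in latest.items() if a["type"] == "Isolate"}


def fetch_machine_actions(token: str) -> list:
    """Pull all Isolate/Unisolate actions from the API, following OData paging.

    Assumes a bearer token that carries a Machine.Read* permission. Not called
    at import time; use it in place of SAMPLE_ACTIONS when running for real.
    """
    params = {"$filter": "type eq 'Isolate' or type eq 'Unisolate'"}
    url = API + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    results = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        results.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return results


if __name__ == "__main__":
    for machine_id, action in sorted(currently_isolated(SAMPLE_ACTIONS).items()):
        print(f"{action['computerDnsName']} ({machine_id}): isolated "
              f"[{action['scope']}] since {action['lastUpdateDateTimeUtc']}")
```

Running the script on the constructed sample lists ws02 and srv01 as isolated; ws01 is excluded because its release succeeded, and ws04 because its isolation has not completed yet. Swap SAMPLE_ACTIONS for fetch_machine_actions(token) to run against a tenant; the function follows @odata.nextLink so that long action histories are not silently truncated.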
