MDATP KQL Query isolated machines
How would you write the Hunting query to identify machines that have been isolated via MDATP?
Thanks,
Andrew
- MichaelJMelone (Microsoft)
Good morning agattsek,
I can validate that isolate and unisolate are listed on the timeline, but I was unable to find those specific events within advanced hunting today.
I tried to find something in the timeline that corresponded with the isolation event (i.e. a process launch or whatnot), but was unable to find a reliable indicator.
- agattsek (Copper Contributor)
Is this something that would better be suited for say Sentinel or MCAS regarding the ability to perform a query such as this?
- Jake_Mowrer (Microsoft)
agattsek We had a blog that posted recently that shows how you can see the isolation actions in the Action Center. It's not a query, but might solve the need another way: https://techcommunity.microsoft.com/t5/microsoft-threat-protection/the-action-center-in-microsoft-threat-protection-your-one-stop/ba-p/1550178
Thanks, Jake Mowrer
- Tali Ash (Microsoft)
We are looking at ingesting this data into advanced hunting as well.
- nfmiringu (Copper Contributor)
Tali Ash Hello, was this implemented? I checked the DeviceInfo and DeviceEvents tables (thinking these would have info on whether a device is isolated or not), but could not see anything to do with isolation. I suggest adding a bool column/attribute in the DeviceInfo table with the name 'IsIsolated', or adding isolation info in the existing 'MitigationStatus' or 'AdditionalFields' attributes.
Alternatively, where can I submit a feature request for this if needed?
Thanks 🙂
- cyb3rmik3 (Iron Contributor)
nfmiringu hello,
yes, this has been implemented. Once you isolate an endpoint, you can find under the DeviceInfo table, the MitigationStatus operator. I've built a query about this, you may find it here:
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
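An added example of the kind of advanced hunting query the reply above describes; it is not the query cyb3rmik3 linked to and is not from the original thread. It assumes only what the thread states: that the DeviceInfo table carries a MitigationStatus column and that its value reads "Isolated" while a device is under MDATP isolation (the exact string, and the existence of any other status values, are assumptions). DeviceInfo emits a fresh row per device on a schedule, so the first query reduces to the latest row per DeviceId before filtering; without that step a device that was isolated and later released would still be listed. The second query lists each change in MitigationStatus so the isolate and release times can be read off.

```kusto
// Added example, not from the original thread or the linked post.
// Assumption: MitigationStatus == "Isolated" marks a currently isolated device.

// 1. Devices that are isolated right now: keep only the newest DeviceInfo row
//    per device, then filter on the status of that row.
DeviceInfo
| where Timestamp > ago(30d)
| summarize arg_max(Timestamp, *) by DeviceId
| where MitigationStatus == "Isolated"
| project Timestamp, DeviceId, DeviceName, OSPlatform, MitigationStatus
| sort by Timestamp desc

// 2. Isolation history: emit a row each time a device's MitigationStatus
//    differs from its previous reported value, giving isolate/release times.
DeviceInfo
| where Timestamp > ago(30d)
| where isnotempty(MitigationStatus)
| sort by DeviceId asc, Timestamp asc
| serialize
| extend PrevDeviceId = prev(DeviceId), PrevStatus = prev(MitigationStatus)
| where DeviceId == PrevDeviceId and MitigationStatus != PrevStatus
| project Timestamp, DeviceId, DeviceName, PrevStatus, MitigationStatus
| sort by Timestamp desc
```

Run the two queries separately in the advanced hunting editor. If your tenant reports a value other than "Isolated", check a known-isolated device with `DeviceInfo | where DeviceName == "..." | distinct MitigationStatus` and adjust the filter.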