Forum Discussion
MDATP KQL Query isolated machines
How would you write the Hunting query to identify machiens that have been isolated via MDATP? Thanks, Andrew
We are looking at ingesting this data into advanced hunting as well.
Tali Ash Hello, was this implemented? I checked the DeviceInfo and DeviceEvents tables (thinking these would have info on whether a device is isolated or not), but could not see anything to do with isolation. I suggest adding a bool column/attribute in the DeviceInfo table with the name 'IsIsolated', or adding isolation info in the existing 'MitigationStatus' or 'AdditionalFields' attributes.
Alternatively, where can I submit a feature request for this if needed?
Thanks 🙂