agattsek
Jul 29, 2020, Copper Contributor
MDATP KQL Query isolated machines
How would you write the hunting query to identify machines that have been isolated via MDATP? Thanks, Andrew
nfmiringu
Apr 27, 2024, Copper Contributor
Tali Ash, hello, was this implemented? I checked the DeviceInfo and DeviceEvents tables (thinking these would have info on whether a device is isolated or not), but could not see anything to do with isolation. I suggest adding a bool column/attribute in the DeviceInfo table with the name 'IsIsolated', or adding isolation info in the existing 'MitigationStatus' or 'AdditionalFields' attributes.
Alternatively, where can I submit a feature request for this if needed?
Thanks 🙂
cyb3rmik3
Apr 29, 2024, Iron Contributor
nfmiringu, hello,
Yes, this has been implemented. Once you isolate an endpoint, you can find it under the DeviceInfo table in the MitigationStatus operator. I've built a query about this; you may find it here:
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
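An added example of the kind of advanced hunting query the thread is asking for; it is not the query cyb3rmik3 linked and not Microsoft's own code. It relies on the DeviceInfo table and its MitigationStatus column, which the answer above identifies. The literal "Isolated" used to match the isolated state is an assumption; run the first summarize by itself to confirm which values your tenant actually reports before trusting the filter.

```kql
// Added example, not from the thread. Assumes DeviceInfo.MitigationStatus
// carries the network isolation state and that the isolated state is reported
// as the string "Isolated" (this literal is an assumption, verify it first with
//   DeviceInfo | where Timestamp > ago(7d) | summarize count() by MitigationStatus).
let lookback = 30d;
let isolatedState = "Isolated";   // assumed value, adjust to what your tenant reports
DeviceInfo
| where Timestamp > ago(lookback)
| where isnotempty(MitigationStatus)
// DeviceInfo emits many rows per device; keep only the most recent report
// so the result reflects the device's current state, not its history.
| summarize arg_max(Timestamp, DeviceName, OSPlatform, MitigationStatus) by DeviceId
| where MitigationStatus =~ isolatedState
| project LastReport = Timestamp, DeviceId, DeviceName, OSPlatform, MitigationStatus
| sort by LastReport desc
```

The arg_max step matters: without it a device that was isolated last week and released yesterday would still appear, because older DeviceInfo rows keep their original MitigationStatus. Dropping the final `where` and keeping the `summarize` gives a per-device inventory of current mitigation state that can be scheduled as a custom detection or exported for reconciliation against the incident queue.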