MDATP KQL Query isolated machines


How would you write the Hunting query to identify machines that have been isolated via MDATP?

Thanks,

Andrew

6 Replies
Good morning @agattsek ,

I can validate that isolate and unisolate are listed on the timeline, but I was unable to find those specific events within advanced hunting today.

I tried to find something in the timeline that corresponded with the isolation event (i.e. a process launch or whatnot), but was unable to find a reliable indicator.

@MichaelJMelone

Is this something that would better be suited for say Sentinel or MCAS regarding the ability to perform a query such as this?

@agattsek Defender ATP \ MTP is definitely the right place to show isolation information in my opinion. This may be an example of whitespace - an area where we need to improve. @Tali Ash for visibility \ comment.

@agattsek We had a blog that posted recently that shows how you can see the isolation actions in the Action Center. It's not a query, but might solve the need another way: https://techcommunity.microsoft.com/t5/microsoft-threat-protection/the-action-center-in-microsoft-th...

Thanks,

Jake Mowrer


We are looking at ingesting this data into advanced hunting as well.


Please provide an update should the query language be identified, tested, and proven to produce the desired results. Thank you! @Tali Ash