Microsoft 365 Defender - How to find isolated endpoints using KQL, a Workbook, reporting


How to find devices in current isolation? Where are isolation actions logged?

Such activities are logged in the "Action Center" with "Isolate device" and "Stop isolation". I did not find a report that summarizes it, but I might just not be seeing it. Can you try to use ActionType from DeviceEvents in your KQL query?
In KQL I was not able to find the respective events in DeviceEvents, as it does not list any ActionType with a name related to isolation...

In the Action center of the M365 Defender portal the actions have been recorded. It seems that these are platform events and are not available in any of the tables as such.

To find such events:
1) M365 Defender portal > Actions & submissions > Action center > History Tab > Filters: ActionType = Isolate device, Stop isolation

2) M365 Defender portal > Endpoints > API explorer. Run Query: GET | <mtp>/wdatpApi/machineactions?$filter=type eq 'Isolate'
(Sample query "Get all isolation actions by User"... remove "User" parameter)
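The machineactions API call in step 2 returns a list of actions, not the current state, so to answer "which devices are isolated right now" you still have to replay the Isolate and Stop-isolation (Unisolate) actions per device in order. The script below is an added example, not from the original thread or from Microsoft; it assumes the API response is a JSON object with a `value` array whose items carry `type`, `status`, `machineId`, `computerDnsName`, `requestor` and `creationDateTimeUtc` fields (assumed names), and that the query was widened to return both `Isolate` and `Unisolate` actions (e.g. `$filter=type eq 'Isolate' or type eq 'Unisolate'`, an assumption). The sample response embedded in the script is constructed.

```python
import json
from datetime import datetime

ISOLATION_TYPES = ("Isolate", "Unisolate")


def _action(action_id, action_type, status, machine_id, dns_name, created_utc):
    # One record in the (assumed) shape of a machineactions API item.
    return {"id": action_id, "type": action_type, "status": status,
            "machineId": machine_id, "computerDnsName": dns_name,
            "requestor": "analyst@example.com", "creationDateTimeUtc": created_utc}


# Constructed sample response: one device isolated then released, one whose release
# failed (so it is still isolated), one with an isolation still pending, plus an
# unrelated scan action that must be ignored.
SAMPLE_RESPONSE = json.dumps({"value": [
    _action("a1", "Isolate", "Succeeded", "m-001", "ws01.example.local", "2023-05-01T09:00:00Z"),
    _action("a2", "Unisolate", "Succeeded", "m-001", "ws01.example.local", "2023-05-01T15:30:00Z"),
    _action("a3", "Isolate", "Succeeded", "m-002", "srv02.example.local", "2023-05-02T08:10:00Z"),
    _action("a4", "Unisolate", "Failed", "m-002", "srv02.example.local", "2023-05-02T10:00:00Z"),
    _action("a5", "Isolate", "Pending", "m-003", "lt03.example.local", "2023-05-02T11:00:00Z"),
    _action("a6", "RunAntiVirusScan", "Succeeded", "m-002", "srv02.example.local", "2023-05-02T12:00:00Z"),
]})


def _created(action):
    return datetime.strptime(action["creationDateTimeUtc"], "%Y-%m-%dT%H:%M:%SZ")


def isolation_state(response_json):
    """Replay Isolate/Unisolate actions in creation order.

    Returns (isolated, pending): isolated maps machineId -> the Isolate action that
    put the device into its current isolation; pending maps machineId -> an
    isolation-related action that has not completed yet.
    """
    actions = json.loads(response_json)["value"]
    isolated, pending = {}, {}
    for action in sorted(actions, key=_created):
        if action["type"] not in ISOLATION_TYPES:
            continue  # scans, package collection etc. do not affect isolation
        machine = action["machineId"]
        if action["status"] in ("Pending", "InProgress"):
            pending[machine] = action
            continue
        if action["status"] != "Succeeded":
            continue  # Failed/Cancelled/TimeOut actions leave the device as it was
        pending.pop(machine, None)
        if action["type"] == "Isolate":
            isolated[machine] = action
        else:
            isolated.pop(machine, None)
    return isolated, pending


def report_lines(response_json):
    """One human-readable line per device still isolated or with an action in flight."""
    isolated, pending = isolation_state(response_json)
    lines = [f"{a['computerDnsName']} isolated since {a['creationDateTimeUtc']} by {a['requestor']} (action {a['id']})"
             for a in isolated.values()]
    lines += [f"{a['computerDnsName']}: {a['type']} still {a['status']} (action {a['id']})"
              for a in pending.values()]
    return lines
```

Run with the real API output by replacing `SAMPLE_RESPONSE` with the response body; a device whose last successful isolation-related action is an Isolate is reported as still isolated, which is what the Action center history view alone does not give you in one line.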