cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MDATP KQL Query isolated machines

agattsek
Copper Contributor

‎Jul 29 2020 08:53 AM

‎Jul 29 2020 08:53 AM

MDATP KQL Query isolated machines

How would you write the Hunting query to identify machiens that have been isolated via MDATP?

 

Thanks,

 

Andrew

 

4,635 Views
0 Likes
8 Replies
Reply
8 Replies
MichaelJMelone

‎Jul 31 2020 10:20 AM

‎Jul 31 2020 10:20 AM

Re: MDATP KQL Query isolated machines

Good morning @agattsek ,

I can validate that isolate and unisolate are listed on the timeline, but I was unable to find those specific events within advanced hunting today.

MichaelJMelone_0-1596215704445.png

I tried to find something in the timeline that corresponded with the isolation event (i.e. a process launch or whatnot), but was unable to find a reliable indicator.

0 Likes
Reply
agattsek

‎Jul 31 2020 10:37 AM

‎Jul 31 2020 10:37 AM

Re: MDATP KQL Query isolated machines

@MichaelJMelone

Is this something that would better be suited for say Sentinel or MCAS regarding the ability to perform a query such as this? 

0 Likes
Reply
MichaelJMelone

‎Jul 31 2020 10:59 AM

‎Jul 31 2020 10:59 AM

Re: MDATP KQL Query isolated machines

@agattsek Defender ATP \ MTP is definitely the right place to show isolation information in my opinion. This may be an example of whitespace - an area where we need to improve. @Tali Ash for visibility \ comment.

0 Likes
Reply
Jake_Mowrer

‎Aug 05 2020 08:12 AM

‎Aug 05 2020 08:12 AM

Re: MDATP KQL Query isolated machines

@agattsek We had a blog that posted recently that shows how you can see the isolation actions in the Action Center.  It's not a query, but might solve the need another way: https://techcommunity.microsoft.com/t5/microsoft-threat-protection/the-action-center-in-microsoft-th... 


Thanks,

Jake Mowrer

0 Likes
Reply
Tali Ash

‎Aug 06 2020 07:34 AM

‎Aug 06 2020 07:34 AM

RE: MDATP KQL Query isolated machines

We are looking at ingesting this data into advanced hunting as well.
0 Likes
Reply
agattsek

‎Aug 06 2020 07:56 AM

‎Aug 06 2020 07:56 AM

RE: MDATP KQL Query isolated machines

Please provide an update should the query language be identified, tested, and proven to produce the desired results. Thank you! @Tali Ash 

0 Likes
Reply
nfmiringu

‎Apr 27 2024 04:35 AM

‎Apr 27 2024 04:35 AM

Re: RE: MDATP KQL Query isolated machines

@Tali Ash Hello, was this implemented? I checked the DeviceInfo and DeviceEvents tables (thinking these would have info on whether a device is isolated or not), but could not see anything to do with isolation. I suggest adding a bool column/attribute in the DeviceInfo table with the name 'IsIsolated', or adding isolation info in the existing 'MitigationStatus' or 'AdditionalFields' attributes.

 

Alternatively, where can I submit a feature request for this if needed?

 

Thanks :) 

0 Likes
Reply
cyb3rmik3

‎Apr 29 2024 06:32 AM

‎Apr 29 2024 06:32 AM

Re: RE: MDATP KQL Query isolated machines

@nfmiringu hello,

 

yes, this has been implemented. Once you isolate an endpoint, you can find under the DeviceInfo table, the MitigationStatus operator. I've built a query about this, you may find it here:

 

https://github.com/cyb3rmik3/KQL-threat-hunting-queries/blob/main/03.SecOps/identify-endpoints-where...

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

1 Like
Reply