Jul 29 2020 08:53 AM
How would you write the Hunting query to identify machines that have been isolated via MDATP?
Thanks,
Andrew
Jul 31 2020 10:20 AM
Good morning @agattsek ,
I can validate that isolate and unisolate are listed on the timeline, but I was unable to find those specific events within advanced hunting today.
I tried to find something in the timeline that corresponded with the isolation event (i.e. a process launch or whatnot), but was unable to find a reliable indicator.
Jul 31 2020 10:37 AM
Is this something that would be better suited for, say, Sentinel or MCAS regarding the ability to perform a query such as this?
Jul 31 2020 10:59 AM
Aug 05 2020 08:12 AM
@agattsek We had a blog that posted recently that shows how you can see the isolation actions in the Action Center. It's not a query, but might solve the need another way: https://techcommunity.microsoft.com/t5/microsoft-threat-protection/the-action-center-in-microsoft-th...
Thanks,
Jake Mowrer
Aug 06 2020 07:34 AM
Aug 06 2020 07:56 AM
Please provide an update should the query language be identified, tested, and proven to produce the desired results. Thank you! @Tali Ash
Apr 27 2024 04:35 AM
@Tali Ash Hello, was this implemented? I checked the DeviceInfo and DeviceEvents tables (thinking these would have info on whether a device is isolated or not), but could not see anything to do with isolation. I suggest adding a bool column/attribute in the DeviceInfo table with the name 'IsIsolated', or adding isolation info in the existing 'MitigationStatus' or 'AdditionalFields' attributes.
Alternatively, where can I submit a feature request for this if needed?
Thanks :)
Apr 29 2024 06:32 AM
@nfmiringu hello,
Yes, this has been implemented. Once you isolate an endpoint, you can find the MitigationStatus operator under the DeviceInfo table. I've built a query about this; you may find it here:
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
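An advanced hunting query along the lines the thread describes (the original question and the last reply), written as an added example; it is not the replying poster's query, which is not reproduced above, and not from the original page. It uses the DeviceInfo table and its MitigationStatus column as named in the thread; the assumption that the column reads "Isolated" for an isolated device is mine and should be confirmed in your own tenant.

```kql
// Added example, not the poster's query. Assumes MitigationStatus reads "Isolated"
// for an isolated device; verify the exact value in your tenant before relying on it.
DeviceInfo
| where Timestamp > ago(30d)
// DeviceInfo is a periodic snapshot table: keep only the newest report per device
// so a device that has since been released from isolation is not still listed.
| summarize arg_max(Timestamp, *) by DeviceId
| where MitigationStatus =~ "Isolated"
| project Timestamp, DeviceId, DeviceName, OSPlatform, MitigationStatus
| order by Timestamp desc
```

Before trusting the string match, check which values the column actually carries in your tenant with `DeviceInfo | where isnotempty(MitigationStatus) | summarize count() by MitigationStatus`; the `arg_max` step matters because each device reports DeviceInfo rows repeatedly, and filtering on older rows would surface devices that are no longer isolated.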