Microsoft Tech Community

MDATP KQL Query isolated machines


How would you write the Hunting query to identify machines that have been isolated via MDATP?

Thanks,

Andrew

8 Replies

Good morning @agattsek ,

I can validate that isolate and unisolate are listed on the timeline, but I was unable to find those specific events within advanced hunting today.


I tried to find something in the timeline that corresponded with the isolation event (i.e. a process launch or whatnot), but was unable to find a reliable indicator.

@MichaelJMelone

Is this something that would better be suited for say Sentinel or MCAS regarding the ability to perform a query such as this? 

@agattsek Defender ATP \ MTP is definitely the right place to show isolation information in my opinion. This may be an example of whitespace - an area where we need to improve. @Tali Ash for visibility \ comment.

@agattsek We had a blog that posted recently that shows how you can see the isolation actions in the Action Center. It's not a query, but might solve the need another way: https://techcommunity.microsoft.com/t5/microsoft-threat-protection/the-action-center-in-microsoft-th...


Thanks,

Jake Mowrer

We are looking at ingesting this data into advanced hunting as well.

Please provide an update should the query language be identified, tested, and proven to produce the desired results. Thank you! @Tali Ash 

@Tali Ash Hello, was this implemented? I checked the DeviceInfo and DeviceEvents tables (thinking these would have info on whether a device is isolated or not), but could not see anything to do with isolation. I suggest adding a bool column/attribute in the DeviceInfo table with the name 'IsIsolated', or adding isolation info in the existing 'MitigationStatus' or 'AdditionalFields' attributes.

Alternatively, where can I submit a feature request for this if needed?

Thanks :)

@nfmiringu hello,

Yes, this has been implemented. Once you isolate an endpoint, you can find the MitigationStatus operator under the DeviceInfo table. I've built a query about this; you may find it here:

https://github.com/cyb3rmik3/KQL-threat-hunting-queries/blob/main/03.SecOps/identify-endpoints-where...

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like
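As an added example (not the original poster's query and not the one linked above), the following advanced hunting query reads the current isolation state from DeviceInfo.MitigationStatus. DeviceInfo rows are periodic snapshots, so it takes the latest row per device before filtering; otherwise a device that was released from isolation would keep matching on an older "Isolated" snapshot. The literal value "Isolated" and the 7-day lookback are assumptions to verify against your own tenant.

```kql
// Added example: devices currently isolated according to the latest DeviceInfo snapshot.
// Assumption: "Isolated" is the value MitigationStatus carries while isolation is active.
let lookback = 7d;
let latest = DeviceInfo
    | where Timestamp > ago(lookback)
    // Most recent report per device; filter AFTER this so released devices drop out.
    | summarize arg_max(Timestamp, MitigationStatus, DeviceName, OSPlatform, LoggedOnUsers, MachineGroup) by DeviceId
    | where MitigationStatus =~ "Isolated";
// Earliest snapshot within the lookback that already showed the device as isolated,
// giving a lower bound on how long the isolation has been in place.
let firstIsolated = DeviceInfo
    | where Timestamp > ago(lookback)
    | where MitigationStatus =~ "Isolated"
    | summarize FirstSeenIsolated = min(Timestamp) by DeviceId;
latest
| join kind=leftouter firstIsolated on DeviceId
| extend IsolatedForAtLeast = Timestamp - FirstSeenIsolated
| project LastReported = Timestamp, DeviceName, DeviceId, MitigationStatus,
          FirstSeenIsolated, IsolatedForAtLeast, OSPlatform, MachineGroup, LoggedOnUsers
| order by IsolatedForAtLeast desc
```

Devices near the top of the result have been isolated the longest within the lookback window, which is useful for spotting containment actions that were never followed up and released.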