Jul 29 2020 08:53 AM
How would you write the Hunting query to identify machines that have been isolated via MDATP?
Thanks,
Andrew
Jul 31 2020 10:20 AM
Good morning @agattsek ,
I can validate that isolate and unisolate are listed on the timeline, but I was unable to find those specific events within advanced hunting today.
I tried to find something in the timeline that corresponded with the isolation event (i.e. a process launch or whatnot), but was unable to find a reliable indicator.
Jul 31 2020 10:37 AM
Is this something that would be better suited for, say, Sentinel or MCAS, regarding the ability to perform a query such as this?
Aug 05 2020 08:12 AM
@agattsek We had a blog that posted recently that shows how you can see the isolation actions in the Action Center. It's not a query, but might solve the need another way: https://techcommunity.microsoft.com/t5/microsoft-threat-protection/the-action-center-in-microsoft-th...
Thanks,
Jake Mowrer
Aug 06 2020 07:56 AM
Please provide an update should the query language be identified, tested, and proven to produce the desired results. Thank you! @Tali Ash