Isolated an Endpoint? Automate tag adding and notifications

If you are part of a big organization, you might need to reach out to some colleagues and teams when you isolate an endpoint. The end user will probably contact your help desk to find out whether there is an issue with her/his endpoint, so you may want to save yourself the back-and-forth of emails or direct messages.

On the other hand, if you are part of a team, and most importantly if you are working remotely, you might want direct visibility of which of your endpoints are isolated. In this case a tag, which can also be used for filtering, can do the job.

In what follows, we will deploy a Logic App that runs a KQL query to identify which endpoints have been isolated, automatically adds a tag to them and sends a notification email to your help desk.

Before building the Logic App, the first step is to define the KQL query that will identify which endpoints have been isolated. Following thorough investigation, once you isolate an endpoint the registry changes below take place and hence provide a detection opportunity. Note that this is observed behaviour of the isolation action rather than a documented interface, so re-verify the query after sensor updates.

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "Dword"
| where RegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| where RegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceName

Now that we know the KQL query, we can build the Logic App.

Once the deployment is complete, click Go to resource and, on the Logic App page, choose Logic app designer from the left pane. Click Add a trigger, search for Recurrence, select it, choose how often you would like to check for isolated endpoints and set your Time zone.

Then, under the Recurrence step, click the + sign and then Add an action.

Then search for “run query” and, from the results, choose Run query and list results. Fill in Subscription, Resource Group, Resource Type (Log Analytics Workspace) and Resource Name to match your Sentinel workspace, then paste the query above.

Now add a new action, search for “tag machine” and, under Microsoft Defender ATP, choose Machines – Tag machine. Follow the steps below and choose the proper tag for your environment. Map the Machine ID parameter to the DeviceId column returned by the query; when you pick it from the dynamic content, the designer wraps the action in a For each over the query rows, so every isolated endpoint gets tagged.

Add a new action, search for “send an email” and choose Send an email (V2). Now, based on your operations, choose the Recipients, a suitable Subject, any Advanced parameters and the Importance.

Since I have already built Logic Apps, I already have a connection with my mailbox to send notifications. You can choose Change connection to select any mailbox from your environment you want to send notifications from.

Click Save and your Logic App is ready.

Now, let’s test our Logic App. Isolate an endpoint and wait a few minutes, since the KQL query takes a few minutes to return results. Then trigger the Logic App by clicking Run in the Logic App options ribbon.

If everything has worked as expected, you should be able to filter your Devices in Defender XDR by the “Isolated” tag, and you should also have received the email notification.

You can also automate removing the tag and sending a notification that an endpoint has been released from isolation by building a similar Logic App, choosing Remove instead of Add in the Machines – Tag machine step and changing the wording of the notification email. Most importantly, you will need to replace the KQL query with the following.

DeviceRegistryEvents
| where ActionType == "RegistryValueDeleted"
| where PreviousRegistryKey == @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where RegistryValueType == "None"
| where PreviousRegistryValueData == "1"
| where PreviousRegistryValueName == "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"
| project Timestamp, DeviceId, DeviceName
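As an added example (not code from the original post or the Logic App itself), here are the conditions of both queries, the isolation query earlier in the post and the release query above, expressed in Python so the detection can be checked offline against constructed DeviceRegistryEvents rows. It also folds each device's latest matching event into the {"Value", "Action"} body of the Defender for Endpoint machine tags API, which is the Add/Remove choice made in the Tag machine step; the "Isolated" tag name is taken from the post and the sample rows are constructed, not real telemetry.

```python
from typing import Optional

ATP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
ISOLATION_VALUE = "DisableEnterpriseAuthProxyValueToRestoreAfterIsolation"

# Field conditions of the two KQL queries in the post, one dict per query.
ISOLATED = {"ActionType": "RegistryValueSet", "RegistryKey": ATP_KEY,
            "RegistryValueType": "Dword", "RegistryValueName": ISOLATION_VALUE,
            "RegistryValueData": "1", "PreviousRegistryValueName": ISOLATION_VALUE}
RELEASED = {"ActionType": "RegistryValueDeleted", "PreviousRegistryKey": ATP_KEY,
            "RegistryValueType": "None", "PreviousRegistryValueData": "1",
            "PreviousRegistryValueName": ISOLATION_VALUE}

def classify_event(ev: dict) -> Optional[str]:
    """Return "isolated", "released" or None for one DeviceRegistryEvents row."""
    for label, cond in (("isolated", ISOLATED), ("released", RELEASED)):
        if all(ev.get(field) == value for field, value in cond.items()):
            return label
    return None

def tag_actions(events: list, tag: str = "Isolated") -> dict:
    """Map DeviceId -> tag request body {"Value": tag, "Action": "Add"|"Remove"}.
    Only each device's latest matching event counts, so a device isolated and
    then released within one run gets a single Remove rather than both."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["Timestamp"]):
        kind = classify_event(ev)
        if kind is not None:
            latest[ev["DeviceId"]] = kind
    return {dev: {"Value": tag, "Action": "Add" if kind == "isolated" else "Remove"}
            for dev, kind in latest.items()}

def _row(base: dict, ts: str, dev: str, **overrides) -> dict:
    """Build a constructed DeviceRegistryEvents row (sample data, not telemetry)."""
    return {**base, "Timestamp": ts, "DeviceId": dev, "DeviceName": dev, **overrides}

# Constructed sample rows: dev-a isolated; dev-b isolated then released; dev-c the
# same value written under an unrelated key (must not match); dev-d a wrong type.
SAMPLE_EVENTS = [
    _row(ISOLATED, "2024-02-29T10:00:00Z", "dev-a"),
    _row(ISOLATED, "2024-02-29T10:05:00Z", "dev-b"),
    _row(RELEASED, "2024-02-29T11:00:00Z", "dev-b"),
    _row(ISOLATED, "2024-02-29T11:30:00Z", "dev-c",
         RegistryKey=r"HKEY_LOCAL_MACHINE\SOFTWARE\Other"),
    _row(ISOLATED, "2024-02-29T11:45:00Z", "dev-d", RegistryValueType="String"),
]
```

Running tag_actions(SAMPLE_EVENTS) yields an Add for dev-a and a Remove for dev-b only; dev-c and dev-d are filtered out exactly as the queries would drop them.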

I hope you enjoyed this blog!

EDIT 29/2/2024: Big shout out to Alex Verboon for his constructive feedback.
