kqlHunting
MDE DeviceRegistryEvents Tampering With Device Tag
The Group value under this registry key sets the device tag that Microsoft Defender for Endpoint uses for device-group membership. Changing it can move a device into a different MDE Device Group, and with it into a different automated remediation level and RBAC scope. The query flags any change to that value that was not initiated in the NT AUTHORITY context, since legitimate Group Policy and MDM policy writes run as SYSTEM. Caveat: the exclusion also suppresses tampering performed from SYSTEM context (for example by a privileged implant or a scheduled task), so review SYSTEM-initiated changes separately if that is a concern in your environment.
Detection Query
//Modifications to this registry key could move a device into a different MDE Device Group
DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection\\DeviceTagging"
| where RegistryValueName == "Group"
| where InitiatingProcessAccountDomain <> "nt authority" and InitiatingProcessAccountName <> "system"
Data Sources
DeviceRegistryEvents
Platforms
windows
Tags
defender
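An extended version of the same hunt, added here as a worked example; it is not part of the kqlHunting entry. It keeps the entry's trigger (a change to the Group value under the DeviceTagging policy key) but also projects the previous and new tag values, the ActionType and the initiating process, so the analyst can tell a policy push from a hands-on change, and it narrows the account exclusion to NT AUTHORITY\SYSTEM only, so LOCAL SERVICE, NETWORK SERVICE and any domain account that happens to be named "system" remain visible. Column names follow the documented DeviceRegistryEvents schema; the 90-day lookback is an assumption carried over from the entry. `TimeGenerated` is the Microsoft Sentinel name for the timestamp column; in the Defender portal's Advanced Hunting the same column is `Timestamp`.

```kql
// Added example, not the kqlHunting entry's own query.
// Hunts for changes to the MDE device tag stored under the DeviceTagging policy key.
let lookback = 90d;                                  // assumption: same window as the catalogue query
DeviceRegistryEvents
| where TimeGenerated > ago(lookback)                // use Timestamp instead in the Defender portal
// Case-insensitive match on the key and value name; =~ avoids misses from casing differences.
| where RegistryKey =~ @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging"
| where RegistryValueName =~ "Group"
// Suppress only NT AUTHORITY\SYSTEM (Group Policy / MDM policy writes).
// Other NT AUTHORITY accounts and any account merely named "system" are kept.
| where not (InitiatingProcessAccountDomain =~ "nt authority" and InitiatingProcessAccountName =~ "system")
// Keep before/after values and the actor so a tag swap is visible at a glance;
// ActionType distinguishes a value set from a value deletion.
| project TimeGenerated, DeviceName, ActionType,
          PreviousTag = PreviousRegistryValueData, NewTag = RegistryValueData,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
```

If you need to see SYSTEM-context changes as well, drop the account exclusion and instead group by `InitiatingProcessFileName` to separate the routine policy-engine writes from anything unexpected; which process names count as routine depends on how tags are deployed in your tenant.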