This query lists all device isolation actions that have been performed by Defender for Endpoint. It is good practice to review these at a regular interval. The query extracts several fields from each isolation event, such as which device was isolated, which isolation comment was used, and the type of isolation that was executed.

// Microsoft Defender XDR advanced hunting (time column: Timestamp)
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "IsolateDevice"
// Pull the device name, analyst comment and isolation scope out of the raw event
| extend IsolatedDevice = tostring(parse_json(RawEventData).DeviceName), IsolationComment = tostring(parse_json(RawEventData).ActionComment), IsolationScope = tostring(parse_json(RawEventData).ActionScope)
// Make clear that the account columns describe who initiated the isolation
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccountId = AccountId
| project-reorder Timestamp, IsolatedDevice, IsolationComment, IsolationScope, InitiatedByAccountName, InitiatedByAccountId

// Microsoft Sentinel (time column: TimeGenerated)
CloudAppEvents
| where TimeGenerated > ago(30d)
| where ActionType == "IsolateDevice"
// Pull the device name, analyst comment and isolation scope out of the raw event
| extend IsolatedDevice = tostring(parse_json(RawEventData).DeviceName), IsolationComment = tostring(parse_json(RawEventData).ActionComment), IsolationScope = tostring(parse_json(RawEventData).ActionScope)
// Make clear that the account columns describe who initiated the isolation
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccountId = AccountId
| project-reorder TimeGenerated, IsolatedDevice, IsolationComment, IsolationScope, InitiatedByAccountName, InitiatedByAccountId
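
For the periodic review itself, a per-account summary is often easier to scan than the raw event list. The query below is an added example, not part of the original query set. It reuses only the fields extracted above, and the output column names (Isolations, IsolatedDevices, MissingComment, FirstIsolation, LastIsolation) are chosen here for illustration. It uses Timestamp, so replace that with TimeGenerated when running it in Sentinel.

```kql
// Added example: summarize isolation actions per initiating account and scope
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "IsolateDevice"
// Parse the raw event once and reuse it for all extracted fields
| extend Raw = parse_json(RawEventData)
| extend IsolatedDevice = tostring(Raw.DeviceName),
         IsolationComment = tostring(Raw.ActionComment),
         IsolationScope = tostring(Raw.ActionScope)
| summarize
    Isolations = count(),
    // Distinct devices this account isolated (capped at 100 entries)
    IsolatedDevices = make_set(IsolatedDevice, 100),
    // Isolations executed without an analyst comment are worth a follow-up
    MissingComment = countif(isempty(IsolationComment)),
    FirstIsolation = min(Timestamp),
    LastIsolation = max(Timestamp)
    by AccountDisplayName, AccountId, IsolationScope
| order by Isolations desc
```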