Query Details

ATP Detection Events

Query

# ATP Detection events triggered

### Defender For Endpoint

```kql
CloudAppEvents
| where ActionType == "AtpDetection"
| extend
     DetectionMethod = parse_json(RawEventData).DetectionMethod,
     EventDeepLink = parse_json(RawEventData).EventDeepLink,
     FileData = parse_json(RawEventData).FileData
| project-reorder
     Timestamp,
     ActionType,
     Application,
     AccountId,
     DetectionMethod,
     FileData,
     EventDeepLink
```

### Sentinel

```kql
CloudAppEvents
| where ActionType == "AtpDetection"
| extend
     DetectionMethod = parse_json(RawEventData).DetectionMethod,
     EventDeepLink = parse_json(RawEventData).EventDeepLink,
     FileData = parse_json(RawEventData).FileData
| project-reorder
     TimeGenerated,
     ActionType,
     Application,
     AccountId,
     DetectionMethod,
     FileData,
     EventDeepLink
```

Explanation

This query retrieves ATP detection events from the CloudAppEvents table in both Defender for Endpoint and Sentinel. It keeps only rows whose ActionType is "AtpDetection", then uses parse_json on the RawEventData column (a JSON string) to extract DetectionMethod, EventDeepLink, and FileData as their own columns. The final result is reordered to show Timestamp (Defender) or TimeGenerated (Sentinel), ActionType, Application, AccountId, DetectionMethod, FileData, and EventDeepLink; the two versions differ only in the name of the timestamp column.
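The same filter-and-extract logic, as an added Python example that is not part of the original query page, run over constructed CloudAppEvents-shaped rows. It accepts both the Defender (Timestamp) and Sentinel (TimeGenerated) column names and mirrors parse_json's behaviour on a RawEventData value that is not valid JSON (the extracted fields come back null rather than the row failing); the sample values, account names and links are made up.

```python
import json
from typing import Any

# Constructed sample rows, not real telemetry: a Defender-shaped row (Timestamp),
# a Sentinel-shaped row (TimeGenerated) with unparsable RawEventData, and a non-ATP event.
SAMPLE_ROWS = [
    {"Timestamp": "2023-02-14T08:00:00Z", "ActionType": "AtpDetection",
     "Application": "Microsoft SharePoint Online", "AccountId": "user1@contoso.example",
     "RawEventData": json.dumps({"DetectionMethod": "Safe Attachments",
                                 "EventDeepLink": "https://example.invalid/alert/1",
                                 "FileData": {"FileName": "invoice.docm"}})},
    {"TimeGenerated": "2023-02-14T08:05:00Z", "ActionType": "AtpDetection",
     "Application": "Microsoft OneDrive for Business", "AccountId": "user2@contoso.example",
     "RawEventData": "not-json"},
    {"Timestamp": "2023-02-14T08:10:00Z", "ActionType": "FileDownloaded",
     "Application": "Microsoft SharePoint Online", "AccountId": "user3@contoso.example",
     "RawEventData": "{}"},
]


def _parse_json(raw: Any) -> dict:
    # KQL parse_json() does not fail on a non-JSON string; property access on the
    # result simply yields null. Return an empty dict so projected fields become None.
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def atp_detections(rows: list[dict]) -> list[dict]:
    """Equivalent of: where ActionType == "AtpDetection" | extend ... | project-reorder ..."""
    out = []
    for row in rows:
        if row.get("ActionType") != "AtpDetection":
            continue
        data = _parse_json(row.get("RawEventData"))
        out.append({
            # Defender rows carry Timestamp, Sentinel rows carry TimeGenerated.
            "Timestamp": row.get("Timestamp", row.get("TimeGenerated")),
            "ActionType": row["ActionType"],
            "Application": row.get("Application"),
            "AccountId": row.get("AccountId"),
            "DetectionMethod": data.get("DetectionMethod"),
            "FileData": data.get("FileData"),
            "EventDeepLink": data.get("EventDeepLink"),
        })
    return out
```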

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

CloudAppEvents

Keywords

CloudAppEvents, ActionType, AtpDetection, DetectionMethod, EventDeepLink, FileData, Timestamp, Application, AccountId, TimeGenerated

Operators

where, extend, parse_json, project-reorder