Advanced Feature Disabled
Query
CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend WorkLoad = tostring(parse_json(RawEventData).Workload),
SettingsNewValue = tobool(parse_json(RawEventData).SettingsNewValue),
SettingName = tostring(parse_json(RawEventData).SettingName),
UserId = tostring(parse_json(RawEventData).UserId)
| where SettingsNewValue == 0
| project-reorder Timestamp, WorkLoad, SettingName, SettingsNewValue, UserIdAbout this query
Explanation
This query is designed to identify instances where advanced security features in Microsoft Defender for Endpoint have been disabled. Disabling these features can make your system more vulnerable to attacks.
Here's a simple breakdown of what the query does:
-
Data Source: It looks at events from cloud applications, specifically those related to changes in advanced security settings (
ActionType == "SetAdvancedFeatures"). -
Extract Information: It extracts details from the event data, such as:
WorkLoad: The specific workload or service where the change occurred.SettingsNewValue: The new value of the setting, which is checked to see if it has been set to0(indicating the feature is disabled).SettingName: The name of the setting that was changed.UserId: The ID of the user who made the change.
-
Filter: It filters the results to only show events where the advanced feature was disabled (
SettingsNewValue == 0). -
Output: The query then organizes the output to display the timestamp of the event, the workload, the setting name, the new value, and the user ID.
This query is useful for monitoring and auditing security configurations to ensure that critical security features remain enabled, thereby reducing the risk of potential security breaches.
