
# Advanced Feature Disabled

## Query Information

### Description
Defender for Endpoint Advanced Features are very powerful; some examples are:
- Enable/Disable EDR in block mode
- Enable/Disable Live Response
- Enable/Disable Live Response unsigned script execution
- Enable/Disable Tamper protection

The query below returns results if an Advanced Feature has been disabled in your tenant. Disabling an advanced feature can increase your attack surface significantly.

### References
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-features
- https://kqlquery.com/posts/audit-defender-xdr/

## Defender XDR
```KQL
CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend WorkLoad = tostring(parse_json(RawEventData).Workload),
    SettingsNewValue = tobool(parse_json(RawEventData).SettingsNewValue),
    SettingName = tostring(parse_json(RawEventData).SettingName),
    UserId = tostring(parse_json(RawEventData).UserId)
| where SettingsNewValue == 0
| project-reorder Timestamp, WorkLoad, SettingName, SettingsNewValue, UserId
```

## Sentinel
```KQL
CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend WorkLoad = tostring(parse_json(RawEventData).Workload),
    SettingsNewValue = tobool(parse_json(RawEventData).SettingsNewValue),
    SettingName = tostring(parse_json(RawEventData).SettingName),
    UserId = tostring(parse_json(RawEventData).UserId)
| where SettingsNewValue == 0
| project-reorder Timestamp, WorkLoad, SettingName, SettingsNewValue, UserId
```

## Explanation

This query is designed to identify instances where advanced security features in Microsoft Defender for Endpoint have been disabled. Disabling these features can make your system more vulnerable to attacks. The query looks for events where advanced features are set, specifically checking if any feature has been turned off (indicated by SettingsNewValue == 0). It extracts and organizes relevant information such as the timestamp, workload, feature name, new setting value, and user ID responsible for the change. The query is applicable to both Defender XDR and Sentinel environments.
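To unit-test the detection logic offline, here is an added Python re-implementation of the query's filter run over a few constructed CloudAppEvents rows (example code, not from the page or from Microsoft; the setting names, user IDs and timestamps are made up, and kql_tobool only approximates KQL's tobool()):

```python
import json
from typing import Any, Optional

# Constructed sample CloudAppEvents rows (not real tenant data). RawEventData
# holds the JSON string that the KQL query unpacks with parse_json().
SAMPLE_EVENTS = [
    {"Timestamp": "2024-11-07T10:15:00Z", "ActionType": "SetAdvancedFeatures",
     "RawEventData": '{"Workload": "MicrosoftDefenderForEndpoint", '
                     '"SettingName": "LiveResponse", "SettingsNewValue": false, '
                     '"UserId": "admin@example.com"}'},
    {"Timestamp": "2024-11-07T10:16:00Z", "ActionType": "SetAdvancedFeatures",
     "RawEventData": '{"Workload": "MicrosoftDefenderForEndpoint", '
                     '"SettingName": "EdrInBlockMode", "SettingsNewValue": true, '
                     '"UserId": "admin@example.com"}'},
    # Same kind of change, but the value arrives as a string, which tobool() tolerates.
    {"Timestamp": "2024-11-07T10:17:00Z", "ActionType": "SetAdvancedFeatures",
     "RawEventData": '{"Workload": "MicrosoftDefenderForEndpoint", '
                     '"SettingName": "TamperProtection", "SettingsNewValue": "false", '
                     '"UserId": "ops@example.com"}'},
    {"Timestamp": "2024-11-07T10:18:00Z", "ActionType": "UserLoggedIn",
     "RawEventData": '{"Workload": "AzureActiveDirectory", "UserId": "ops@example.com"}'},
]

def kql_tobool(value: Any) -> Optional[bool]:
    """Approximate KQL tobool(): bool/number -> bool, "true"/"false" text
    (case-insensitive) -> bool, anything else -> None (a KQL null)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None

def disabled_advanced_features(events: list) -> list:
    """Mirror the page's query: keep SetAdvancedFeatures events whose new value
    converts to false, projecting the same columns the KQL projects."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "SetAdvancedFeatures":
            continue
        raw = json.loads(ev.get("RawEventData") or "{}")
        new_value = kql_tobool(raw.get("SettingsNewValue"))
        if new_value is not False:  # a null (unparseable) value never matches, as in KQL
            continue
        hits.append({"Timestamp": ev["Timestamp"],
                     "WorkLoad": str(raw.get("Workload", "")),
                     "SettingName": str(raw.get("SettingName", "")),
                     "SettingsNewValue": new_value,
                     "UserId": str(raw.get("UserId", ""))})
    return hits
```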

## Details

Bert-Jan Pals

Released: November 7, 2024

Tables

- CloudAppEvents

Keywords

- CloudAppEvents
- ActionType
- WorkLoad
- SettingsNewValue
- SettingName
- UserId
- Timestamp

Operators

- where
- extend
- tostring
- parse_json
- tobool
- project-reorder