Query Details

Advanced Feature Disabled

Query

CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend WorkLoad = tostring(parse_json(RawEventData).Workload),
    SettingsNewValue = tobool(parse_json(RawEventData).SettingsNewValue),
    SettingName = tostring(parse_json(RawEventData).SettingName),
    UserId = tostring(parse_json(RawEventData).UserId)
| where SettingsNewValue == 0
| project-reorder Timestamp, WorkLoad, SettingName, SettingsNewValue, UserId

About this query

Explanation

This query is designed to identify instances where advanced security features in Microsoft Defender for Endpoint have been disabled. Disabling these features can make your system more vulnerable to attacks.

Here's a simple breakdown of what the query does:

  1. Data Source: It looks at events from cloud applications, specifically those related to changes in advanced security settings (ActionType == "SetAdvancedFeatures").

  2. Extract Information: It extracts details from the event data, such as:

    • WorkLoad: The specific workload or service where the change occurred.
    • SettingsNewValue: The new value of the setting, which is checked to see if it has been set to 0 (indicating the feature is disabled).
    • SettingName: The name of the setting that was changed.
    • UserId: The ID of the user who made the change.
  3. Filter: It filters the results to only show events where the advanced feature was disabled (SettingsNewValue == 0).

  4. Output: The query then organizes the output to display the timestamp of the event, the workload, the setting name, the new value, and the user ID.

This query is useful for monitoring and auditing security configurations to ensure that critical security features remain enabled, thereby reducing the risk of potential security breaches.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: July 19, 2025

Tables

CloudAppEvents

Keywords

CloudAppEventsActionTypeWorkLoadSettingNameUserIdTimestamp

Operators

whereextendtostringparse_jsontoboolproject-reorder

MITRE Techniques

Actions

GitHub