Query Details

List Alert Supression Actions

Alert Supression Added

Query

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "ExclusionConfigurationAdded"
| extend Workload = tostring(parse_json(RawEventData).Workload), ResultStatus = tostring(parse_json(RawEventData).ResultStatus), ResultDescription = tostring(parse_json(RawEventData).ResultDescription)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId
| project-reorder Timestamp, Workload, ResultDescription, ResultStatus,  InitiatedByAccountName, InitiatedByAccounttId

About this query

List Alert Supression Actions

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1562Impair Defenseshttps://attack.mitre.org/techniques/T1562/

Description

This query lists all the supressions that have been added to Defender XDR. This gives you an overview of what rules are added, by who and why they have been added.

References

Defender XDR

Sentinel

CloudAppEvents
| where TimeGenerated > ago(30d)
| where ActionType == "ExclusionConfigurationAdded"
| extend Workload = tostring(parse_json(RawEventData).Workload), ResultStatus = tostring(parse_json(RawEventData).ResultStatus), ResultDescription = tostring(parse_json(RawEventData).ResultDescription)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId
| project-reorder TimeGenerated, Workload, ResultDescription, ResultStatus,  InitiatedByAccountName, InitiatedByAccounttId

Explanation

This query is designed to provide a list of alert suppression actions that have been added to Microsoft Defender XDR (Extended Detection and Response) within the last 30 days. It helps you understand which suppression rules have been configured, who configured them, and the reasons behind these configurations.

Here's a breakdown of what the query does:

  1. Data Source: It retrieves data from CloudAppEvents, which contains events related to cloud applications.

  2. Time Frame: It filters the events to include only those that occurred in the last 30 days.

  3. Action Type: It specifically looks for events where the action type is "ExclusionConfigurationAdded", indicating that a new alert suppression rule has been added.

  4. Data Extraction: It extracts additional details from the raw event data, such as:

    • Workload: The specific workload or application the suppression rule applies to.
    • ResultStatus: The status of the suppression rule addition.
    • ResultDescription: A description of the result or reason for the suppression.
  5. Renaming and Reordering: The query renames some fields for clarity:

    • AccountDisplayName is renamed to InitiatedByAccountName.
    • AccountId is renamed to InitiatedByAccounttId.
    • The fields are reordered for better readability, focusing on the timestamp, workload, description, status, and the account that initiated the action.

This query is useful for security teams to audit and review the alert suppression configurations in their environment, ensuring that they are aware of any changes and the rationale behind them.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: July 16, 2025

Tables

CloudAppEvents

Keywords

CloudAppEventsTimestampActionTypeExclusionConfigurationAddedWorkloadResultStatusResultDescriptionInitiatedByAccountNameInitiatedByAccounttIdTimeGenerated

Operators

ago()parse_json()tostring()extendproject-renameproject-reorderwhere

MITRE Techniques

Actions

GitHub