Custom Detection Deletion
Query
CloudAppEvents
| where TimeGenerated > ago(30d)
| where ActionType == "DeleteCustomDetection"
| extend RuleName = tostring(parse_json(RawEventData).RuleName), Query = tostring(parse_json(RawEventData).Query), AlertDescription = parse_json(RawEventData).AlertDescription
| project-reorder AccountDisplayName, AccountId, RuleName, AlertDescription, QueryAbout this query
Custom Detection Deletion
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1070 | Indicator Removal | https://attack.mitre.org/techniques/T1070/ |
Description
This query lists all the custom detections that have been deleted in Defender For XDR. The information is available in the CloudAppEvents table. This allows you to audit custom detection rule deletions and alert on deletion activities (from unknown users).
Risk
An actor has gotten access to an account that is able to delete custom detections. By deleting custom detections they are able to stay undetected.
References
Defender For Endpoint
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "DeleteCustomDetection"
| extend RuleName = tostring(parse_json(RawEventData).RuleName), Query = tostring(parse_json(RawEventData).Query), AlertDescription = parse_json(RawEventData).AlertDescription
| project-reorder AccountDisplayName, AccountId, RuleName, AlertDescription, Query
Sentinel
Explanation
This query helps to identify any custom detection rules that have been deleted in Defender For XDR. It looks for actions where custom detections have been deleted in the past 30 days and provides information on the account responsible for the deletion, the rule name, and the alert description. This can help in detecting unauthorized deletion of custom detection rules by malicious actors.
