Custom Detection Disabled
Query
CloudAppEvents
| where ActionType == "ChangeCustomDetectionRuleStatus"
| where RawEventData.IsEnabled == "false"
| extend RuleName = tostring(parse_json(RawEventData.RuleName)), Query = tostring(parse_json(RawEventData.Query)), Actor = tostring(parse_json(RawEventData.UserId)), IsEnabled = RawEventData.IsEnabled
| project-reorder Timestamp, Actor, IsEnabled, RuleName, QueryAbout this query
Explanation
This query is designed to identify and list custom detection rules that have been disabled in Microsoft Defender for XDR. It focuses on events where the status of a custom detection rule has been changed to "disabled." The query is executed on the CloudAppEvents table and filters for events where the ActionType is "ChangeCustomDetectionRuleStatus" and the IsEnabled status is "false."
Here's a breakdown of what the query does:
-
Filter Events: It looks for events where the action type indicates a change in the status of custom detection rules.
-
Check Disabled Status: It specifically filters for rules that have been disabled (
IsEnabled == "false"). -
Extract Information: The query extracts relevant details such as the rule name, the query associated with the rule, the actor (user) who performed the action, and the enabled status.
-
Reorder Columns: The results are organized to show the timestamp (or time generated), actor, enabled status, rule name, and query in a specific order for easier analysis.
The purpose of this query is to audit and monitor changes to custom detection rules, particularly focusing on any unauthorized or suspicious disabling of these rules, which could indicate a security risk. By identifying such actions, organizations can take steps to investigate and mitigate potential threats.
