# Custom Detection Disabled

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1070 | Indicator Removal | https://attack.mitre.org/techniques/T1070/ |

### Description
This query lists all custom detections that have been disabled in Defender XDR. The information is available in the *CloudAppEvents* table. This allows you to audit custom detection rule status changes and to alert on disable activity by unknown users.

### Risk
An actor has gained access to an account that is able to disable custom detections. By disabling custom detections they are able to stay undetected.

### References
- https://learn.microsoft.com/en-us/defender-xdr/custom-detections-overview
- https://kqlquery.com/posts/audit-defender-xdr/

## Defender XDR
```KQL
CloudAppEvents
| where ActionType == "ChangeCustomDetectionRuleStatus"
| where RawEventData.IsEnabled == "false"
| extend RuleName = tostring(parse_json(RawEventData.RuleName)), Query = tostring(parse_json(RawEventData.Query)), Actor = tostring(parse_json(RawEventData.UserId)), IsEnabled = RawEventData.IsEnabled
| project-reorder Timestamp, Actor, IsEnabled, RuleName, Query
```

## Sentinel
```KQL
CloudAppEvents
| where ActionType == "ChangeCustomDetectionRuleStatus"
| where RawEventData.IsEnabled == "false"
| extend RuleName = tostring(parse_json(RawEventData.RuleName)), Query = tostring(parse_json(RawEventData.Query)), Actor = tostring(parse_json(RawEventData.UserId)), IsEnabled = RawEventData.IsEnabled
| project-reorder TimeGenerated, Actor, IsEnabled, RuleName, Query
```

## Explanation

This query is designed to identify and list all custom detection rules that have been disabled in Microsoft Defender for XDR (Extended Detection and Response). It focuses on events where the status of these rules has been changed to "disabled." The query retrieves this information from the CloudAppEvents table.

Here's a simple breakdown of what the query does:

  1. Filter Events: It looks for events where the action type is "ChangeCustomDetectionRuleStatus," indicating a change in the status of a custom detection rule.

  2. Check Disabled Status: It further filters these events to only include those where the rule has been disabled (IsEnabled is "false").

  3. Extract Details: The query extracts specific details from the event data, such as the rule name, the query associated with the rule, the user who performed the action (referred to as the "Actor"), and the status of the rule.

  4. Organize Output: The results are organized to display the timestamp of the event, the actor who disabled the rule, the rule's name, and the query associated with it.

The purpose of this query is to audit and monitor changes to custom detection rules, particularly focusing on unauthorized or suspicious disablement activities. This is important because if an attacker gains access to an account with the ability to disable these rules, they could potentially avoid detection by the security system.
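The query above returns every disable event. In practice an analyst also wants to know whether the actor is an expected administrator, whether the same actor switched off several rules in a short window, and whether the rule is still disabled right now. The following KQL is an added example written for this page; it is not part of the original query or of the author's query collection. It reuses the same CloudAppEvents fields and assumes a constructed `ApprovedActors` list (the UPN shown is a placeholder to replace with your own SOC administrators). It is written for Defender XDR advanced hunting; in Sentinel replace `Timestamp` with `TimeGenerated`.

```kql
// Added example, not from the original page. Actors in this list are expected to
// change rule status; the value below is a constructed placeholder.
let ApprovedActors = dynamic(["secops-admin@contoso.com"]);
let StatusChanges =
    CloudAppEvents
    | where Timestamp > ago(30d)
    | where ActionType == "ChangeCustomDetectionRuleStatus"
    | extend RuleName = tostring(RawEventData.RuleName),
             Actor = tostring(RawEventData.UserId),
             IsEnabled = tostring(RawEventData.IsEnabled);
// Latest known state of every rule that was touched in the window, so the
// result shows whether a disabled rule was later switched back on.
let CurrentState =
    StatusChanges
    | summarize arg_max(Timestamp, IsEnabled) by RuleName
    | project RuleName, StillDisabled = (IsEnabled == "false"), LastChange = Timestamp;
StatusChanges
| where IsEnabled == "false"
| where Actor !in~ (ApprovedActors)
// Group disables per actor per hour: several rules switched off by one
// account in a short window is the pattern worth paging on.
| summarize DisabledRules = make_set(RuleName),
            RuleCount = dcount(RuleName),
            FirstDisable = min(Timestamp),
            LastDisable = max(Timestamp)
          by Actor, bin(Timestamp, 1h)
| mv-expand RuleName = DisabledRules to typeof(string)
| join kind=inner CurrentState on RuleName
| project FirstDisable, LastDisable, Actor, RuleName,
          RulesDisabledInHour = RuleCount, StillDisabled, LastChange
| order by RulesDisabledInHour desc, FirstDisable desc
```

Two design points: `tostring(RawEventData.IsEnabled)` makes the comparison work whether the field arrives as a boolean or as the string "false", and the allowlist is applied only to the disable events, so a re-enable by anyone still counts toward `StillDisabled`. Tune the 1h bin and the approved list to your tenant before using the `RulesDisabledInHour` value as an alert threshold.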

## Details

Author: Bert-Jan Pals

Released: December 28, 2024

Tables: CloudAppEvents

Keywords: CloudAppEvents, Actor, RuleName, Query, Timestamp, TimeGenerated

Operators: where, extend, tostring, parse_json, project-reorder