Query Details

Defender XDR Custom Detection Modifications

Query

CloudAppEvents
| where ActionType == @"DeleteCustomDetection" or ActionType == @"CreateCustomDetection" or ActionType == @"EditCustomDetection"

Explanation

This query searches the CloudAppEvents table for records whose ActionType is DeleteCustomDetection, CreateCustomDetection, or EditCustomDetection. In other words, it filters the data down to the events in which a custom detection was deleted, created, or edited.

Details

Jay Kerai

Released: February 5, 2025

Tables

CloudAppEvents

Keywords

CloudAppEvents, ActionType, DeleteCustomDetection, CreateCustomDetection, EditCustomDetection

Operators

==, or, |, where
