Query Details

Defense Evasion Alerts

Query

# Defense Evasion Alerts Generated by Defender For Endpoint

### Defender For Endpoint

```
CloudAppEvents
| where ActionType == 'DefenseEvasion'
| extend
     AlertUri = parse_json(RawEventData).AlertUri,
     AlertDisplayName = parse_json(RawEventData).AlertDisplayName,
     AlertSeverity = parse_json(RawEventData).AlertSeverity
| project AlertUri, AlertDisplayName, AlertSeverity
```

### Sentinel

```
CloudAppEvents
| where ActionType == 'DefenseEvasion'
| extend
     AlertUri = parse_json(RawEventData).AlertUri,
     AlertDisplayName = parse_json(RawEventData).AlertDisplayName,
     AlertSeverity = parse_json(RawEventData).AlertSeverity
| project AlertUri, AlertDisplayName, AlertSeverity
```

Explanation

This query retrieves defense evasion alerts generated by Defender for Endpoint and can be run in both the Defender advanced hunting portal and Sentinel. It filters the CloudAppEvents table for rows whose ActionType is 'DefenseEvasion', then uses parse_json to read the AlertUri, AlertDisplayName, and AlertSeverity fields out of the JSON payload in the RawEventData column. The result is one row per alert with those three fields, which is enough to triage by severity and pivot straight to the alert in the portal via its URI.
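The following is an added, self-contained variant of the same extraction (not the query from the page or its author). It replaces the CloudAppEvents table with a constructed datatable so the logic can be tried without live telemetry, parses RawEventData once instead of three times, casts the extracted fields to string, and ranks rows so the highest severity surfaces first. The alert URIs, names and the High/Medium/Low ranking are constructed placeholders, not real values.

```kql
// Constructed sample rows standing in for CloudAppEvents (placeholder data, not real telemetry)
let SampleCloudAppEvents = datatable(Timestamp:datetime, ActionType:string, RawEventData:string) [
    datetime(2023-02-14 09:12:00), "DefenseEvasion", '{"AlertUri":"https://security.microsoft.com/alerts/placeholder-1","AlertDisplayName":"Suspicious attempt to disable antivirus","AlertSeverity":"High"}',
    datetime(2023-02-14 09:15:00), "InitialAccess",  '{"AlertUri":"https://security.microsoft.com/alerts/placeholder-2","AlertDisplayName":"Unfamiliar sign-in properties","AlertSeverity":"Medium"}',
    datetime(2023-02-14 09:20:00), "DefenseEvasion", '{"AlertUri":"https://security.microsoft.com/alerts/placeholder-3","AlertDisplayName":"Audit log clearing detected","AlertSeverity":"Low"}'
];
SampleCloudAppEvents
| where ActionType == 'DefenseEvasion'
// Parse the JSON payload once and reuse it, rather than calling parse_json per field
| extend RawEvent = parse_json(RawEventData)
| extend
     AlertUri = tostring(RawEvent.AlertUri),
     AlertDisplayName = tostring(RawEvent.AlertDisplayName),
     AlertSeverity = tostring(RawEvent.AlertSeverity)
// Rank severities so the most urgent alerts sort first (assumed High/Medium/Low scale)
| extend SeverityRank = case(AlertSeverity == "High", 3,
                             AlertSeverity == "Medium", 2,
                             AlertSeverity == "Low", 1,
                             0)
| order by SeverityRank desc, Timestamp desc
| project Timestamp, AlertDisplayName, AlertSeverity, AlertUri
```

On the sample data this returns the two DefenseEvasion rows, High first and Low second, and drops the InitialAccess row. To run it against real data, delete the datatable and replace SampleCloudAppEvents with CloudAppEvents; keeping Timestamp in the projection makes it straightforward to bound the query with a time window before the where clause.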

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

CloudAppEvents

Keywords

CloudAppEvents, ActionType, DefenseEvasion, AlertUri, AlertDisplayName, AlertSeverity, RawEventData, project

Operators

where, extend, parse_json, project
