List Tampering Attempts
Query
DeviceEvents
| where ActionType == "TamperingAttempt"
| extend TamperingAction = tostring(parse_json(AdditionalFields).TamperingAction), Status = tostring(parse_json(AdditionalFields).Status), Target = tostring(parse_json(AdditionalFields).Target)
| summarize TotalActions = count(), Actions = make_set(TamperingAction), Targets = make_set(Target), RegistryNames = make_set(RegistryValueName), InitatingCommandLine = make_set(InitiatingProcessCommandLine) by DeviceNameAbout this query
List Tampering Attempts
Query Information
Description
This query lists all the tampering attempts that have been observed by each device. This means that tampering protection acted and blocked the action. The action may be suspicious itself. The rule will generate false positives, which need filtering based on your environment.
Risk
An adversary tries to disable security logging / monitoring to perform malicious activities undetected.
References
Defender XDR
Sentinel
DeviceEvents
| where ActionType == "TamperingAttempt"
| extend TamperingAction = tostring(parse_json(AdditionalFields).TamperingAction), Status = tostring(parse_json(AdditionalFields).Status), Target = tostring(parse_json(AdditionalFields).Target)
| summarize TotalActions = count(), Actions = make_set(TamperingAction), Targets = make_set(Target), RegistryNames = make_set(RegistryValueName), InitatingCommandLine = make_set(InitiatingProcessCommandLine) by DeviceName
Explanation
This query is designed to identify and list any attempts to tamper with security settings on devices. It focuses on actions that have been blocked by tamper protection, which is a security feature intended to prevent unauthorized changes to security settings. The query provides a summary of these tampering attempts for each device, including:
- The total number of tampering actions observed.
- The types of tampering actions attempted.
- The specific targets of these actions.
- The registry names involved.
- The command lines that initiated these actions.
The query is run on data from Microsoft Defender XDR and Microsoft Sentinel, and it may generate false positives that need to be filtered based on the specific environment. The purpose is to detect potential adversaries trying to disable security measures to carry out malicious activities without being detected.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators