Query Details

MDA Custom Warn Indicators Report

Query

// This query reports on MDE Indicators in Warn mode and CASB/MDA warnings.
// It shows how MDA replicates "monitor/unsanction" tags to MDE Indicators.
DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| where AdditionalFields.Experience == "CasbPolicy"
// | join kind=leftouter IdentityInfo on $left.InitiatingProcessAccountUpn == $right.AccountUPN // use if you have UEBA enabled
| summarize count() by FileName, RemoteUrl, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessFileName, TimeGenerated, InitiatingProcessVersionInfoProductName //, JobTitle

Explanation

This query is designed to analyze and report on specific security warnings related to Microsoft Defender for Endpoint (MDE) and the Cloud Access Security Broker (CASB), Microsoft Defender for Cloud Apps (MDA). Here's a simplified breakdown of what the query does:

  1. Data Source: It pulls data from the DeviceEvents table, which contains information about various events on devices.

  2. Filter Criteria:
    • It looks for events where the ActionType is "SmartScreenUrlWarning". This indicates that the SmartScreen feature has flagged a URL as potentially unsafe.
    • It further filters these events to only include those where the Experience in AdditionalFields is "CasbPolicy". This indicates that the warning is related to a policy set by the CASB/MDA.

  3. Optional Join: There is a commented-out line that suggests joining with IdentityInfo to enrich the data with user information if User and Entity Behavior Analytics (UEBA) is enabled. This would match events based on the user's account information (InitiatingProcessAccountUpn against AccountUPN).

  4. Summarization: The query summarizes the data by counting occurrences of these warnings, grouped by several fields:
    • FileName: The name of the file involved in the event.
    • RemoteUrl: The URL that triggered the warning.
    • DeviceName: The name of the device where the event occurred.
    • InitiatingProcessAccountUpn: The user account that initiated the process.
    • InitiatingProcessFileName: The name of the process that initiated the event.
    • TimeGenerated: The time when the event was generated.
    • InitiatingProcessVersionInfoProductName: The product name of the initiating process.

This query helps in understanding how MDA policies are reflected in MDE indicators by showing the relationship between unsanctioned or monitored tags and the warnings generated.
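As an added example (not the author's query), the variant below keeps the same CasbPolicy filter but bins the warnings per day, user and URL so that count() aggregates rather than yielding one row per event, and applies the optional IdentityInfo enrichment with the identity table deduplicated first. It assumes Microsoft Sentinel column names (TimeGenerated, IdentityInfo.AccountUPN, AccountDisplayName, Department, JobTitle); in the Defender portal the equivalents are Timestamp and IdentityInfo.AccountUpn.

```kusto
// Added example, not part of the original page. Assumes Sentinel column names.
let lookback = 30d;
// IdentityInfo holds one row per sync; keep only the latest row per account
// so the leftouter join does not multiply the warning rows.
let LatestIdentity = IdentityInfo
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, AccountDisplayName, Department, JobTitle) by AccountUPN;
DeviceEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "SmartScreenUrlWarning"
// parse_json() is a no-op on a dynamic column and parses a string column,
// so this works whether AdditionalFields arrives as dynamic or string.
| extend Experience = tostring(parse_json(AdditionalFields).Experience)
| where Experience == "CasbPolicy"
| summarize Warnings = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Devices = make_set(DeviceName, 10),
            Browsers = make_set(InitiatingProcessVersionInfoProductName, 5)
    by Day = bin(TimeGenerated, 1d), InitiatingProcessAccountUpn, RemoteUrl
| join kind=leftouter LatestIdentity on $left.InitiatingProcessAccountUpn == $right.AccountUPN
| project Day, InitiatingProcessAccountUpn, AccountDisplayName, Department, JobTitle,
          RemoteUrl, Warnings, FirstSeen, LastSeen, Devices, Browsers
| order by Warnings desc, Day desc
```

Users or URLs that recur at the top of this list are the ones whose MDA unsanctioned/monitored tags are actually being enforced as MDE warnings, which is the relationship the original query is meant to surface.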

Details

Jay Kerai

Released: November 10, 2024

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

DeviceEvents, where, summarize, by