Query Details

Defender for Endpoint - Audit Logs

MDE Audit

Query

CloudAppEvents
| extend WorkLoad = tostring(parse_json(RawEventData).Workload)
| where WorkLoad == "MicrosoftDefenderForEndpoint"
| where ActionType == "LogsCollection"
| extend ActionComment = tostring(RawEventData.ActionComment)
| extend DeviceName = tostring(RawEventData.DeviceName)
| extend UserId = tostring(RawEventData.UserId)
| extend ClientIP = tostring(RawEventData.ClientIP)
| project TimeGenerated, ActionType, UserId, AccountDisplayName, DeviceName, ClientIP, IPAddress,ActionComment

About this query

Explanation

This query collects various audit logs related to Microsoft Defender for Endpoint activities, such as collecting support logs, running antivirus scans, isolating devices, downloading files, and more. It filters and projects specific information like time generated, action type, user ID, device name, client IP, and additional details for each activity.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 17, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsWorkLoadActionTypeLogsCollectionCollectInvestigationPackageRestrictAppExecutionRemoveAppRestrictionsRunAntiVirusScanIsolateDeviceReleaseFromIsolationDownloadFileLiveResponseGetFileDownloadOnboardingPkgDownloadOffboardingPkgAddIndicatorDeleteIndicatorEditIndicatorSetAdvancedFeaturesStopAndQuarantineFileDeleteCustomDetectionMonitoringAlertUpdatedTimeGeneratedUserIdAccountDisplayNameDeviceNameClientIPIPAddressActionCommentFileNameFileSHA256.

Operators

extendwhereprojectparse_jsonagocontainsdistinct

Actions

GitHub