MDE Offboarding

# Microsoft Defender for Endpoint - Offboarding

## Query Information

### Description

Use the queries below to identify devices on which the Microsoft Defender for Endpoint (MDE) offboarding script has been saved to disk or executed. Running that script removes the device from the MDE service, so any match outside an approved offboarding window is worth investigating as a possible attempt to blind the sensor.

#### References

- [Offboard devices from the Microsoft Defender for Endpoint service](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machines?view=o365-worldwide)

### Defender 365

```kql
// MDE Offboarding script executed
DeviceProcessEvents
| where ProcessCommandLine contains @"MicrosoftDefenderATPOffboarding"
```

```kql
// MDE offboarding script detected on endpoint
DeviceFileEvents
| where FileName contains @"MicrosoftDefenderATPOffboarding"
```

Explanation

These queries identify devices where the Microsoft Defender for Endpoint (MDE) offboarding script has been saved or executed. The first searches DeviceProcessEvents for a process command line containing the offboarding script name, which catches the script being launched (typically via cmd.exe) regardless of where it was stored; the second searches DeviceFileEvents for a file name containing the same string, which catches the script being written, copied or renamed onto the endpoint before it is run. Both use `contains`, a case-insensitive substring match, so they are tolerant of prefixes and suffixes around the script name but will not match a script an attacker has renamed. Two operational points matter when triaging a hit: an offboarding package expires 30 days after it is downloaded, so activity well outside an approved offboarding window is suspicious on its own, and once offboarding completes the device stops sending sensor data, so the execution event may be the last telemetry that device ever reports. Reconcile matches against approved offboarding promptly rather than waiting for further signals from the device.
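The two queries above answer "was the script written?" and "was the script run?" separately. The following is an added example, not part of the original page or of the author's query set, that correlates both signals per device so that a device where the script both landed on disk and was executed stands out at the top of the result. It assumes the same `MicrosoftDefenderATPOffboarding` substring the page keys on and a 30-day lookback chosen to match the offboarding package validity period; both are assumptions you may need to adjust.

```kql
// Added example (not from the original page): correlate the offboarding script
// being written to disk with it being executed, and report one row per device.
// ASSUMPTIONS: same file-name substring as the page's queries; 30-day lookback.
let pattern = "MicrosoftDefenderATPOffboarding";   // substring the page's queries key on
let lookback = 30d;                                 // assumed: matches the package validity window
// Signal 1: the script landing on disk (created, modified, renamed or copied in).
let dropped = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where FileName contains pattern
    | project Timestamp, DeviceId, DeviceName,
              Signal = "written",
              Detail = strcat(ActionType, ": ", FolderPath),
              Actor  = InitiatingProcessAccountName,
              Parent = InitiatingProcessFileName;
// Signal 2: the script being run (typically cmd.exe with the .cmd path on its command line).
let executed = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ProcessCommandLine contains pattern
    | project Timestamp, DeviceId, DeviceName,
              Signal = "executed",
              Detail = ProcessCommandLine,
              Actor  = AccountName,
              Parent = InitiatingProcessFileName;
union dropped, executed
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Signals   = make_set(Signal),
            Details   = make_set(Detail, 10),
            Actors    = make_set(Actor),
            Parents   = make_set(Parent)
          by DeviceId, DeviceName
// Devices where the script actually ran sort first: those may already have stopped reporting.
| extend Executed = set_has_element(Signals, "executed")
| order by Executed desc, LastSeen desc
```

Because both signals key on the file name, a renamed script evades this query exactly as it evades the originals; if you need a rename-resistant complement, pair it with DeviceRegistryEvents filtered on the Windows Advanced Threat Protection policy key, since the script has to change the sensor's registry configuration to take effect. Treat a row with `Executed == true` as time-critical: the device may no longer be sending telemetry, so collect what you need from the existing events rather than waiting for more.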

Details

Alex Verboon

Released: June 4, 2023

Tables: DeviceProcessEvents, DeviceFileEvents

Keywords: Devices, Intune

Operators: where, contains