Query Details

Defender - Block Unwanted Applications

MDE PUA Detections

Query

DeviceEvents
| where ActionType == "AntivirusDetection"
| extend x = parse_json(AdditionalFields)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, ThreatName = tostring(x.ThreatName), WasExecutingWhileDetected = tostring(x.WasExecutingWhileDetected), WasRemediated = tostring(x.WasRemediated)
| where ThreatName startswith_cs 'PUA:'

About this query

Defender - Block Unwanted Applications

Query Information

Description

Use the below query to identify Defender PUA detections (Potentially unwanted applications)

References

Microsoft 365 Defender

Explanation

This query is used to identify potentially unwanted applications (PUA) detections in Microsoft Defender. It retrieves information about the timestamp, device name, folder path, file name, SHA256 hash, threat name, whether the application was executing while detected, and whether it was remediated. The query filters the results to only include detections with threat names starting with 'PUA:'.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

DeviceEventsActionTypeAntivirusDetectionAdditionalFieldsTimestampDeviceNameFolderPathFileNameSHA256ThreatNameWasExecutingWhileDetectedWasRemediatedPUA

Operators

whereextendparse_jsonprojecttostringstartswith_cs

Actions

GitHub