MDE PUA Detections

# Defender - Block Unwanted Applications

## Query Information

### Description

Use the query below to identify Microsoft Defender Antivirus detections of potentially unwanted applications (PUA). Such detections are only generated when PUA protection is enabled on the device (in audit or block mode).

#### References

- [Detect and block potentially unwanted applications](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide)

### Microsoft 365 Defender

```kql
// Antivirus detections land in DeviceEvents; the detection details
// (threat name, whether the file was running, whether it was remediated)
// are in the JSON string column AdditionalFields and must be parsed.
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend x = parse_json(AdditionalFields)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256,
    ThreatName = tostring(x.ThreatName),
    WasExecutingWhileDetected = tostring(x.WasExecutingWhileDetected),
    WasRemediated = tostring(x.WasRemediated)
// PUA detections carry a case-sensitive "PUA:" prefix in the threat name
| where ThreatName startswith_cs 'PUA:'
```

Explanation

This query identifies potentially unwanted application (PUA) detections in Microsoft Defender. It filters DeviceEvents to antivirus detections, parses the JSON in AdditionalFields, and returns the timestamp, device name, folder path, file name, SHA256 hash, threat name, whether the application was executing when it was detected, and whether it was remediated. Only detections whose threat name starts with 'PUA:' (case-sensitive) are kept. Two columns deserve attention when triaging: in audit mode Defender logs the PUA but neither blocks nor removes it, so rows with WasRemediated equal to false are applications still present on the device, and rows with WasExecutingWhileDetected equal to true are programs that were already running before Defender caught them.
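The query above lists individual detections. As an added example (not from the original page or its author), the following KQL builds on it to surface the cases the explanation calls out: PUA families that ran before detection or were left unremediated, summarised per device so the output is a triage list rather than one row per event. The 30-day window and the list sizes passed to make_set are assumptions chosen for this example.

```kql
// Added example: PUA detections per device and family, highlighting
// detections that executed before Defender caught them or that were
// not remediated (typical of PUA protection running in audit mode).
DeviceEvents
| where Timestamp > ago(30d)          // assumed lookback window
| where ActionType == "AntivirusDetection"
| extend x = parse_json(AdditionalFields)
| extend ThreatName = tostring(x.ThreatName),
         WasExecutingWhileDetected = tobool(x.WasExecutingWhileDetected),
         WasRemediated = tobool(x.WasRemediated)
| where ThreatName startswith_cs "PUA:"
| summarize Detections = count(),
            ExecutedBeforeDetection = countif(WasExecutingWhileDetected == true),
            NotRemediated = countif(WasRemediated == false),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Files = make_set(FileName, 10),   // up to 10 distinct file names
            Hashes = make_set(SHA256, 10)     // up to 10 distinct hashes
    by DeviceName, ThreatName
// keep only devices where the PUA ran or is still present
| where NotRemediated > 0 or ExecutedBeforeDetection > 0
| order by NotRemediated desc, Detections desc
```

Run it in the Microsoft 365 Defender advanced hunting portal. Devices that appear here with NotRemediated greater than zero are candidates for switching PUA protection from audit to block mode, and the Hashes column can be fed straight into a custom indicator or a follow-up DeviceFileEvents search.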

Details

Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

DeviceEvents,ActionType,AntivirusDetection,AdditionalFields,Timestamp,DeviceName,FolderPath,FileName,SHA256,ThreatName,WasExecutingWhileDetected,WasRemediated,PUA

Operators

where, extend, parse_json, project, tostring, startswith_cs