Microsoft Defender for Endpoint - Tamper Protection
MDE Tampering
Query
DeviceEvents
| where Timestamp > ago (30d)
| where ActionType == @"TamperingAttempt"
| extend AF = parse_json(AdditionalFields)
| evaluate bag_unpack(AF,columnsConflict='keep_source') : (DeviceName:string,TimeGenerated:datetime,ActionType:string,Status:string, TamperingAction:long,Target:string)About this query
Explanation
This query is designed to identify attempts to tamper with Microsoft Defender for Endpoint security settings. It focuses on detecting actions that could disable or modify security tools, which is a technique recognized by MITRE ATT&CK as T1562.001. Here's a simplified breakdown of the query:
-
Data Source: The query looks at
DeviceEvents, which logs various events related to devices. -
Time Frame: It filters events from the last 30 days.
-
Event Type: It specifically searches for events where the
ActionTypeis "TamperingAttempt", indicating an attempt to interfere with security settings. -
Additional Information: The query extracts additional details from the
AdditionalFieldscolumn, which contains more context about the tampering attempt. This is done usingparse_jsonandbag_unpackfunctions to handle the data structure. -
Output: The query returns several fields, including the device name, the time the event was generated, the type of action, the status of the action, details about the tampering action, and the target of the tampering attempt.
This query can be run in both Microsoft 365 Defender and Microsoft Sentinel environments to monitor and respond to potential security threats related to tampering with Defender settings.
