Query Details

MDE Troubleshooting Mode

Query

# Microsoft Defender for Endpoint - Troubleshooting Mode

## Query Information

### Description

Run the queries below to retrieve information about MDE Troubleshooting mode states.

#### References

- [Get started with troubleshooting mode in Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode?view=o365-worldwide)

### Microsoft 365 Defender

Search by deviceId or deviceName by commenting out the respective lines.

```kql
//let deviceName = "<deviceName>";   // update with device name
let deviceId = "<deviceID>";   // update with device id
DeviceEvents
| where DeviceId == deviceId
//| where DeviceName  == deviceName
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| project Timestamp,DeviceId, DeviceName, _tsmodeproperties,
 _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,
 _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,
 _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource
```

Devices currently in troubleshooting mode

```kql
DeviceEvents
| where Timestamp > ago(3h) // troubleshooting mode automatically disables after 3 hours 
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| order by Timestamp desc
```

Count of troubleshooting mode instances by device

```kql
DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(30d)  // choose the date range you want
| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| sort by count_
```

Total count

```kql
DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(2d) //beginning of time range
| where Timestamp < ago(1d) //end of time range
| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count()
| where count_ > 5          // choose your max # of TS mode instances for your time range
```

Explanation

The queries provided retrieve information about Microsoft Defender for Endpoint Troubleshooting mode states.

The first query retrieves information about the troubleshooting mode states for a specific device. You can search by either device ID or device name by commenting out the respective lines.

The second query identifies devices that are currently in troubleshooting mode. It filters for events that occurred within the last 3 hours and have a troubleshooting state change reason of "started". It then summarizes the data by device ID and orders the results by the most recent timestamp.

The third query provides a count of troubleshooting mode instances by device. It filters for events with a troubleshooting state change reason of "started" within the last 30 days. It then summarizes the data by device ID and sorts the results by the count of instances.

The fourth query provides a total count of troubleshooting mode instances within a specified time range. It filters for events with a troubleshooting state change reason of "started" between 2 days ago and 1 day ago. It then summarizes the data and filters for instances with a count greater than 5.
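The second query treats any "started" event in the last 3 hours as a live session, so a device that entered and then left troubleshooting mode inside that window is still listed. The following added example (not part of the original query set) refines that by keeping only each device's most recent troubleshooting mode event and checking its expiry. It assumes `TroubleshootingStateExpiry` in `AdditionalFields` parses with `todatetime()`; verify that against a sample event in your tenant.

```kql
// Added example: devices whose latest troubleshooting mode event is a "started"
// event that has not yet expired, with the initiating source and minutes left.
// Assumption: TroubleshootingStateExpiry is a datetime string (todatetime() works).
DeviceEvents
| where Timestamp > ago(7d)   // wide enough to catch the latest event per device
| where ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| extend ChangeReason = tostring(_tsmodeproperties.TroubleshootingStateChangeReason),
         ChangeSource = tostring(_tsmodeproperties.TroubleshootingStateChangeSource),
         CurrentState = tostring(_tsmodeproperties.TroubleshootingState),
         StateExpiry  = todatetime(_tsmodeproperties.TroubleshootingStateExpiry)
// keep only the newest event per device so devices that already left
// troubleshooting mode (later "ended"/expired event) drop out
| summarize arg_max(Timestamp, *) by DeviceId
| where ChangeReason contains "started"
| where StateExpiry > now()   // session still open according to the sensor
| extend MinutesRemaining = datetime_diff('minute', StateExpiry, now())
| project Timestamp, DeviceId, DeviceName, CurrentState, ChangeReason,
          ChangeSource, StateExpiry, MinutesRemaining
| order by MinutesRemaining desc
```

Sessions started outside the 7-day lookback are not visible to this query; widen `ago(7d)` if your retention and device population warrant it.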

Details


Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

Devices,Intune,User

Operators

|, //, ==, where, extend, parse_json, project, ago, contains, summarize, arg_max, by, order by, sort by, >, <, count()
