KQL Search

Query Details

MDI Audit Health Issue

Query

# Defender for Identity - Health Status updates

## Query Information

### Description

Use the below query to get information about Defender for Identity Health Status updates initiated by a user. 


#### References

- [Microsoft Defender for Identity health issues](https://learn.microsoft.com/en-us/defender-for-identity/health-alerts)


### Microsoft Sentinel



```kql
CloudAppEvents
| extend WorkLoad = tostring(parse_json(RawEventData).Workload)
| where WorkLoad == "MicrosoftDefenderForIdentity"
| where ActionType == "MonitoringAlertUpdated"
| extend ResultDescription = tostring(RawEventData.ResultDescription)
| extend UserId = tostring(RawEventData.UserId)
| project TimeGenerated, WorkLoad, ActionType,UserId, ResultDescription

```

Explanation

This query retrieves information about updates to the health status of Microsoft Defender for Identity initiated by a user. It filters CloudAppEvents data for Microsoft Defender for Identity workload and MonitoringAlertUpdated action type, then projects TimeGenerated, WorkLoad, ActionType, UserId, and ResultDescription fields.

Details

Alex Verboon

Released: May 31, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents,MicrosoftDefenderForIdentity,MonitoringAlertUpdated,ResultDescription,UserId,TimeGenerated,WorkLoad,ActionType

Operators

extendwhereproject

KQL Search

MDI Audit Health Issue

Query

Explanation

Details

Actions