# MDI Sensor Deleted

## Query Information

#### Description

This query returns results when a Defender for Identity sensor has been deleted. The sensor would have been installed on a Domain Controller, ADCS, ADFS or Entra Connect server, so its removal takes that server out of Defender for Identity's view.

#### References

- https://learn.microsoft.com/en-us/defender-for-identity/uninstall-sensor

## Defender XDR

```KQL
CloudAppEvents
| where ActionType == "SensorDeleted"
| extend Sensor = tostring(parse_json(RawEventData).ResultDescription),
         InitiatorUpn = tostring(parse_json(RawEventData).UserId)
| project-reorder Timestamp, Sensor, InitiatorUpn
```

## Sentinel

```KQL
CloudAppEvents
| where ActionType == "SensorDeleted"
| extend Sensor = tostring(parse_json(RawEventData).ResultDescription),
         InitiatorUpn = tostring(parse_json(RawEventData).UserId)
| project-reorder TimeGenerated, Sensor, InitiatorUpn
```
This query identifies when a Defender for Identity sensor has been removed from a system. The sensors run on critical identity infrastructure (Domain Controllers, ADCS, ADFS or Entra Connect servers), so a deletion removes Defender for Identity's visibility into that host and is worth treating as a high-priority event until it is matched to a planned decommissioning or change record. The query searches the CloudAppEvents table for events whose ActionType is "SensorDeleted", then parses the RawEventData JSON to extract the name of the deleted sensor (ResultDescription) and the account that initiated the deletion (UserId). The results are reordered so that the event time, the sensor name and the initiating user appear first. The Defender XDR and Sentinel versions are identical except for the timestamp column: Timestamp in Defender XDR and TimeGenerated in Sentinel.
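To exercise the detection without waiting for a real sensor removal, the following is an added test harness; it is not part of the original page or the author's query repository. It builds a constructed, CloudAppEvents-shaped datatable with a few invented rows (host names, UPNs, timestamps and the non-deletion ActionType values are all placeholders), runs the page's query against it, and then summarises deletions per initiating account so that one account removing several sensors stands out from a single planned decommissioning. The RawEventData keys ResultDescription and UserId are the ones the page's query reads; no other field layout is assumed.

```kql
// Added example, not from the original page: a constructed, CloudAppEvents-shaped
// datatable so the detection can be run in any Kusto or Log Analytics workspace
// without a real sensor removal. Host names, UPNs, timestamps and the ActionType
// values other than SensorDeleted are invented placeholders.
let SampleCloudAppEvents = datatable(Timestamp:datetime, ActionType:string, RawEventData:string)
[
    // Sensor removed from a domain controller: should be returned by the detection.
    datetime(2025-06-29T08:15:00Z), "SensorDeleted",
        '{"ResultDescription":"DC01.contoso.local","UserId":"ops.admin@contoso.com"}',
    // Second removal by the same account shortly after: makes the summary interesting.
    datetime(2025-06-29T08:17:00Z), "SensorDeleted",
        '{"ResultDescription":"ADCS01.contoso.local","UserId":"ops.admin@contoso.com"}',
    // Placeholder lifecycle event that is not a deletion: filtered out by ActionType.
    datetime(2025-06-29T08:20:00Z), "SensorCreated",
        '{"ResultDescription":"DC02.contoso.local","UserId":"ops.admin@contoso.com"}',
    // Unrelated placeholder event that happens to carry a UserId key: also filtered out.
    datetime(2025-06-29T09:00:00Z), "OtherActivity",
        '{"ResultDescription":"quarterly.xlsx","UserId":"jane.doe@contoso.com"}'
];
// The page's detection, unchanged apart from reading the sample table instead of
// CloudAppEvents. In the real table RawEventData is already dynamic, so parse_json
// passes it through; here it parses the string literals above.
// For Sentinel, use TimeGenerated in place of Timestamp in the datatable and below.
let SensorDeletions = SampleCloudAppEvents
| where ActionType == "SensorDeleted"
| extend Sensor = tostring(parse_json(RawEventData).ResultDescription),
         InitiatorUpn = tostring(parse_json(RawEventData).UserId)
| project-reorder Timestamp, Sensor, InitiatorUpn;
// Final result: one row per initiating account with the set of sensors it removed
// and the time window of the removals. Run SensorDeletions on its own to see the
// page's query output row by row.
SensorDeletions
| summarize Deletions = count(),
            SensorsRemoved = make_set(Sensor),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
            by InitiatorUpn
| order by Deletions desc
```

Only the two SensorDeleted rows survive the ActionType filter, so the summary shows a single initiator with both sensor names; in production, run the summary over a window such as the last 24 hours and pair any hit with the change ticket that authorised the removal.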

Bert-Jan Pals
Released: June 29, 2025