
# Alerts related to Deception in Microsoft Defender XDR

## Description

The following query identifies alerts in Microsoft Sentinel that are related to the Deception capability of Microsoft Defender XDR.

### Microsoft Sentinel
```kql
let Timeframe = 7d; // Choose proper timeframe
AlertEvidence
| where TimeGenerated > ago(Timeframe)
| mv-expand AdditionalFields
| extend AlertTags = parse_json(AdditionalFields.Tags)
| mv-expand AlertTags
| extend DeceptionTags = parse_json(AlertTags.TagName)
| where DeceptionTags == "Deception"
| project TimeGenerated, DeceptionTags, AlertId, Title, Categories, AttackTechniques, ServiceSource, DetectionSource, EntityType, EvidenceRole, DeviceId, DeviceName, LocalIP
| sort by TimeGenerated desc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 13/07/2024    | Initial publish                        |

Explanation

This query identifies alerts in Microsoft Sentinel related to the Deception capability of Microsoft Defender XDR within a specified timeframe. It walks the `AdditionalFields` column of `AlertEvidence`, expands its `Tags` array and keeps only evidence rows carrying the `Deception` tag, then projects the key alert fields (time generated, alert ID, title, categories, attack techniques and the device and evidence details) and sorts them by the time they were generated, newest first.
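To show the shape of `AdditionalFields` that the query relies on, and how the time window, `parse_json` and `mv-expand` steps filter rows, here is an added Python re-implementation of the same logic over constructed sample rows. This is example code, not part of the original query or its author's work; the sample rows and the assumption that `AdditionalFields` arrives as a JSON string with a `Tags` array of `{"TagName": ...}` objects are constructed to match what the KQL parses.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed AlertEvidence-style rows (sample data, not real telemetry).
# The KQL above parses AdditionalFields as JSON and expands its Tags array,
# so the rows below use that shape, including edge cases the query must drop.
NOW = datetime(2024, 7, 13, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"TimeGenerated": NOW - timedelta(hours=2), "AlertId": "da1", "Title": "Decoy credential used",
     "DeviceName": "ws01", "LocalIP": "10.0.0.5",
     "AdditionalFields": json.dumps({"Tags": [{"TagName": "Deception"}]})},
    {"TimeGenerated": NOW - timedelta(days=1), "AlertId": "da2", "Title": "Suspicious PowerShell",
     "DeviceName": "ws02", "LocalIP": "10.0.0.6",
     "AdditionalFields": json.dumps({"Tags": [{"TagName": "Ransomware"}]})},       # other tag
    {"TimeGenerated": NOW - timedelta(days=3), "AlertId": "da3", "Title": "Decoy host probed",
     "DeviceName": "ws03", "LocalIP": "10.0.0.7",
     "AdditionalFields": json.dumps({"Tags": [{"TagName": "Lateral movement"},
                                              {"TagName": "Deception"}]})},        # second tag
    {"TimeGenerated": NOW - timedelta(days=10), "AlertId": "da4", "Title": "Old decoy hit",
     "DeviceName": "ws04", "LocalIP": "10.0.0.8",
     "AdditionalFields": json.dumps({"Tags": [{"TagName": "Deception"}]})},        # outside 7d
    {"TimeGenerated": NOW - timedelta(hours=1), "AlertId": "da5", "Title": "No tags at all",
     "DeviceName": "ws05", "LocalIP": "10.0.0.9",
     "AdditionalFields": json.dumps({"Category": "Malware"})},                       # no Tags key
]

def deception_alerts(rows, now=NOW, timeframe=timedelta(days=7)):
    """Mirror the KQL: time window, parse_json + mv-expand Tags, keep TagName == 'Deception'."""
    hits = []
    for row in rows:
        if row["TimeGenerated"] <= now - timeframe:        # where TimeGenerated > ago(Timeframe)
            continue
        fields = row["AdditionalFields"]
        if isinstance(fields, str):                         # parse_json on the stored string
            try:
                fields = json.loads(fields)
            except ValueError:
                continue                                    # unparsable: no tags, dropped by the where
        tags = fields.get("Tags") if isinstance(fields, dict) else None
        for tag in tags or []:                              # mv-expand AlertTags: no row if Tags is absent
            if isinstance(tag, dict) and tag.get("TagName") == "Deception":
                hits.append({"TimeGenerated": row["TimeGenerated"], "AlertId": row["AlertId"],
                             "Title": row["Title"], "DeviceName": row["DeviceName"],
                             "LocalIP": row["LocalIP"], "DeceptionTags": "Deception"})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)   # sort by TimeGenerated desc

if __name__ == "__main__":
    for hit in deception_alerts(SAMPLE_ROWS):
        print(hit["TimeGenerated"].isoformat(), hit["AlertId"], hit["DeviceName"], hit["Title"])
```

Running it lists only `da1` and `da3`: the other rows fall outside the window, carry a different tag, or have no `Tags` array to expand.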

Details


Michalis Michalos

Released: July 13, 2024

Tables

AlertEvidence

Keywords

Alerts, Deception, MicrosoftSentinel, DefenderXDR, TimeGenerated, AdditionalFields, AlertTags, DeceptionTags, TagName, AlertId, Title, Categories, AttackTechniques, ServiceSource, DetectionSource, EntityType, EvidenceRole, DeviceId, DeviceName, LocalIP, Timeframe

Operators

let, where, mv-expand, extend, parse_json, project, sort by
