Defense Evasion Alerts Generated by Defender For Endpoint
Defense Evasion Alerts
Query
CloudAppEvents
| where ActionType == 'DefenseEvasion'
| extend
AlertUri = parse_json(RawEventData).AlertUri,
AlertDisplayName = parse_json(RawEventData).AlertDisplayName,
AlertSeverity = parse_json(RawEventData).AlertSeverity
| project AlertUri, AlertDisplayName, AlertSeverityAbout this query
Defense Evasion Alerts Generated by Defender For Endpoint
Query Information
Description
This query lists the Defense Evasion Alerts Generated by Defender For Endpoint.
Defender XDR
Sentinel
CloudAppEvents
| where ActionType == 'DefenseEvasion'
| extend
AlertUri = parse_json(RawEventData).AlertUri,
AlertDisplayName = parse_json(RawEventData).AlertDisplayName,
AlertSeverity = parse_json(RawEventData).AlertSeverity
| project AlertUri, AlertDisplayName, AlertSeverity
Explanation
This query is designed to identify and list alerts related to "Defense Evasion" activities that are detected by Microsoft Defender for Endpoint. The query is executed on a dataset called CloudAppEvents. Here's a simple breakdown of what it does:
-
Filter Events: It looks for events where the
ActionTypeis 'DefenseEvasion'. This means it focuses specifically on activities that might indicate attempts to bypass security measures. -
Extract Alert Details: For each of these events, it extracts specific details from the raw event data:
AlertUri: The unique identifier or link to the alert.AlertDisplayName: The name or title of the alert.AlertSeverity: The severity level of the alert, indicating how critical the alert is.
-
Display Results: Finally, it presents these extracted details (
AlertUri,AlertDisplayName, andAlertSeverity) in a simplified format for further analysis or review.
The same query is used in both Defender XDR and Sentinel environments, indicating that it is applicable across different security monitoring platforms within Microsoft's ecosystem.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators