Disabled Account Attack Disruption
Query
CloudAppEvents
| where ActionType == "Disable account."
// Disabled by Microsoft Defender for Identity
| where AccountId == "60ca1954-583c-4d1f-86de-39d835f3e452"
| extend DisabledAccount = tostring(RawEventData.ObjectId)
| project Timestamp, ActionType, DisabledAccountAbout this query
Disabled Account Attack Disruption
Query Information
Description
Attack disruption disabled a cloud/hybrid account due to suspicious activities. The query lists the accounts that have been disabled by MDI.
Risk
The account has been disabled due to suspicious activities.
References
- https://learn.microsoft.com/en-us/defender-cloud-apps/protect-azure
- https://learn.microsoft.com/en-us/defender-xdr/automatic-attack-disruption
Defender XDR
Sentinel
CloudAppEvents
| where ActionType == "Disable account."
// Disabled by Microsoft Defender for Identity
| where AccountId == "60ca1954-583c-4d1f-86de-39d835f3e452"
| extend DisabledAccount = tostring(RawEventData.ObjectId)
| project TimeGenerated, ActionType, DisabledAccount
Explanation
This query is designed to identify and list cloud or hybrid accounts that have been disabled by Microsoft Defender for Identity due to suspicious activities. The query is executed in two environments: Defender XDR and Sentinel. Here's a simplified breakdown:
-
Purpose: The query aims to detect accounts that have been automatically disabled because they were involved in suspicious activities, which could indicate a security threat.
-
Data Source: It examines events from
CloudAppEvents, which logs various actions related to cloud applications. -
Filter Criteria:
- The action type must be "Disable account," indicating that the account was disabled.
- The disabling action must be performed by Microsoft Defender for Identity, as identified by a specific
AccountId("60ca1954-583c-4d1f-86de-39d835f3e452").
-
Output:
- The query extracts and displays the timestamp of the event, the action type, and the ID of the disabled account.
- In Defender XDR, the timestamp is labeled as
Timestamp, while in Sentinel, it is labeled asTimeGenerated.
-
Risk: The accounts listed by this query are considered at risk because they were disabled due to potentially malicious activities.
This query helps security teams quickly identify and respond to accounts that have been flagged and disabled for security reasons.
Details

Bert-Jan Pals
Released: June 8, 2025
Tables
Keywords
Operators