Query Details

List Live Response Unsigned Script Setting Changes

Live Response Unsigned Power Shell Changes

Query

CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend SettingName = tostring(parse_json(RawEventData).SettingName), SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue)
| where SettingName == "Live Response unsigned script execution"
| project-reorder Timestamp, AccountId, ActionType, SettingName, SettingsNewValue

About this query

List Live Response Unsigned Script Setting Changes

Query Information

Description

This query lists all changes to the Live Response Unsigned Script settings in the Advanced Features in Defender For Endpoint. You want to monitor this because allowing the use of unsigned scripts may increase your exposure to threats.

References

Defender XDR

Sentinel

CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend SettingName = tostring(parse_json(RawEventData).SettingName), SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue)
| where SettingName == "Live Response unsigned script execution"
| project-reorder TimeGenerated, AccountId, ActionType, SettingName, SettingsNewValue

Explanation

This query is designed to track changes to a specific security setting in Microsoft Defender for Endpoint, specifically the "Live Response Unsigned Script" setting. The query is important because allowing unsigned scripts can increase security risks. Here's a simple breakdown of what the query does:

  1. Data Source: It pulls data from CloudAppEvents, which logs various actions and events related to cloud applications.

  2. Filter by Action: It looks for events where the action type is "SetAdvancedFeatures", indicating changes to advanced security settings.

  3. Extract Details: It extracts the specific setting name and its new value from the raw event data. This is done using JSON parsing to get the SettingName and SettingsNewValue.

  4. Focus on Specific Setting: It filters the results to only include changes to the "Live Response unsigned script execution" setting.

  5. Output: The query organizes the output to show the timestamp (or time generated), account ID, action type, setting name, and the new value of the setting.

This query is useful for security monitoring, as it helps identify when and by whom the setting for executing unsigned scripts in Live Response was changed, allowing for quick response to potential security threats.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsActionTypeSettingNameSettingsNewValueTimestampAccountIdTimeGeneratedRawEventDataLiveResponseUnsignedScriptExecutionAdvancedFeaturesDefenderForEndpoint

Operators

whereextendtostringparse_jsonproject-reorder

Actions

GitHub