Defender - Detection - Removal and Quarantine actions
MDE Detection Removal And Quarantine Actions
Query
DeviceEvents
| where ActionType == @"OtherAlertRelatedActivity"
| project Timestamp, DeviceName, AdditionalFields, FileName, FolderPath, SHA1
| extend event = parse_json(AdditionalFields).Description
| where event contains "removed" and event contains "download scan"
| extend Threat = split(split(event,"removed")[1]," ")[1]
| extend URL = split(event,"from")[1]
| invoke FileProfile(SHA1)
| project Timestamp, DeviceName, Threat, URL,GlobalPrevalence, FileName, FolderPath, SHA1, eventAbout this query
Explanation
The first query is used to find malicious files that were detected and removed during a file download scan by Windows Defender. It retrieves information such as the timestamp, device name, file name, folder path, SHA1 hash, and the threat name. It also includes the URL from which the file was downloaded and the global prevalence of the threat.
The second query is used to find malicious files that were detected and quarantined by Windows Defender. It retrieves similar information as the first query but does not include the URL from which the file was detected.
The third query is used to find all Defender detections. It retrieves information such as the timestamp, device name, threat name, whether the threat was remediated, the action taken, the source of the report, and the file name.
Details

Alex Verboon
Released: June 4, 2023
Tables
Keywords
Operators