Query Details

Defender - Detection - Removal and Quarantine actions

MDE Detection Removal And Quarantine Actions

Query

DeviceEvents
| where ActionType == @"OtherAlertRelatedActivity"
| project Timestamp, DeviceName, AdditionalFields, FileName, FolderPath, SHA1
| extend event = parse_json(AdditionalFields).Description
| where event contains "removed" and event contains "download scan"
| extend Threat = split(split(event,"removed")[1]," ")[1]
| extend URL = split(event,"from")[1]
| invoke FileProfile(SHA1) 
| project Timestamp, DeviceName, Threat, URL,GlobalPrevalence, FileName, FolderPath, SHA1, event

About this query

Explanation

The first query is used to find malicious files that were detected and removed during a file download scan by Windows Defender. It retrieves information such as the timestamp, device name, file name, folder path, SHA1 hash, and the threat name. It also includes the URL from which the file was downloaded and the global prevalence of the threat.

The second query is used to find malicious files that were detected and quarantined by Windows Defender. It retrieves similar information as the first query but does not include the URL from which the file was detected.

The third query is used to find all Defender detections. It retrieves information such as the timestamp, device name, threat name, whether the threat was remediated, the action taken, the source of the report, and the file name.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

DevicesIntuneUser

Operators

whereprojectextendsplitcontainsinvokeTimestampDeviceNameAdditionalFieldsFileNameFolderPathSHA1eventThreatURLGlobalPrevalenceWasRemediatedActionReportSource

Actions

GitHub