Defender for Endpoint - Audit Logs
MDE Audit
Query
CloudAppEvents
| extend WorkLoad = tostring(parse_json(RawEventData).Workload)
| where WorkLoad == "MicrosoftDefenderForEndpoint"
| where ActionType == "LogsCollection"
| extend ActionComment = tostring(RawEventData.ActionComment)
| extend DeviceName = tostring(RawEventData.DeviceName)
| extend UserId = tostring(RawEventData.UserId)
| extend ClientIP = tostring(RawEventData.ClientIP)
| project TimeGenerated, ActionType, UserId, AccountDisplayName, DeviceName, ClientIP, IPAddress,ActionCommentAbout this query
Explanation
This query collects various audit logs related to Microsoft Defender for Endpoint activities, such as collecting support logs, running antivirus scans, isolating devices, downloading files, and more. It filters and projects specific information like time generated, action type, user ID, device name, client IP, and additional details for each activity.
Details

Alex Verboon
Released: June 17, 2024
Tables
CloudAppEvents
Keywords
CloudAppEventsWorkLoadActionTypeLogsCollectionCollectInvestigationPackageRestrictAppExecutionRemoveAppRestrictionsRunAntiVirusScanIsolateDeviceReleaseFromIsolationDownloadFileLiveResponseGetFileDownloadOnboardingPkgDownloadOffboardingPkgAddIndicatorDeleteIndicatorEditIndicatorSetAdvancedFeaturesStopAndQuarantineFileDeleteCustomDetectionMonitoringAlertUpdatedTimeGeneratedUserIdAccountDisplayNameDeviceNameClientIPIPAddressActionCommentFileNameFileSHA256.
Operators
extendwhereprojectparse_jsonagocontainsdistinct