Defender - Block Unwanted Applications
MDE PUA Detections
Query
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend x = parse_json(AdditionalFields)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, ThreatName = tostring(x.ThreatName), WasExecutingWhileDetected = tostring(x.WasExecutingWhileDetected), WasRemediated = tostring(x.WasRemediated)
| where ThreatName startswith_cs 'PUA:'About this query
Defender - Block Unwanted Applications
Query Information
Description
Use the below query to identify Defender PUA detections (Potentially unwanted applications)
References
Microsoft 365 Defender
Explanation
This query is used to identify potentially unwanted applications (PUA) detections in Microsoft Defender. It retrieves information about the timestamp, device name, folder path, file name, SHA256 hash, threat name, whether the application was executing while detected, and whether it was remediated. The query filters the results to only include detections with threat names starting with 'PUA:'.
Details

Alex Verboon
Released: June 4, 2023
Tables
DeviceEvents
Keywords
DeviceEventsActionTypeAntivirusDetectionAdditionalFieldsTimestampDeviceNameFolderPathFileNameSHA256ThreatNameWasExecutingWhileDetectedWasRemediatedPUA
Operators
whereextendparse_jsonprojecttostringstartswith_cs