Query Details

Microsoft Defender for Endpoint - Tamper Protection

MDE Tampering

Query

DeviceEvents
| where Timestamp > ago (30d)
| where ActionType == @"TamperingAttempt"
| extend AF = parse_json(AdditionalFields)
| evaluate bag_unpack(AF,columnsConflict='keep_source') : (DeviceName:string,TimeGenerated:datetime,ActionType:string,Status:string, TamperingAction:long,Target:string)

About this query

Explanation

This query is designed to identify attempts to tamper with Microsoft Defender for Endpoint security settings. It focuses on detecting actions that could disable or modify security tools, which is a technique recognized by MITRE ATT&CK as T1562.001. Here's a simplified breakdown of the query:

  1. Data Source: The query looks at DeviceEvents, which logs various events related to devices.

  2. Time Frame: It filters events from the last 30 days.

  3. Event Type: It specifically searches for events where the ActionType is "TamperingAttempt", indicating an attempt to interfere with security settings.

  4. Additional Information: The query extracts additional details from the AdditionalFields column, which contains more context about the tampering attempt. This is done using parse_json and bag_unpack functions to handle the data structure.

  5. Output: The query returns several fields, including the device name, the time the event was generated, the type of action, the status of the action, details about the tampering action, and the target of the tampering attempt.

This query can be run in both Microsoft 365 Defender and Microsoft Sentinel environments to monitor and respond to potential security threats related to tampering with Defender settings.

Details

Alex Verboon profile picture

Alex Verboon

Released: October 5, 2023

Tables

DeviceEvents

Keywords

MicrosoftDefenderEndpointTamperProtectionDeviceEventsActionTypeAdditionalFieldsNameTimeGeneratedStatusTamperingTarget

Operators

where>ago==extendparse_jsonevaluatebag_unpack:

MITRE Techniques

Actions

GitHub