Defender For Endpoint Offboarding Package Downloaded
Offboarding Package Downloaded
Query
CloudAppEvents
| where ActionType == "DownloadOffboardingPkg"
| extend UserId = tostring(parse_json(RawEventData).UserId), ClientIP = tostring(parse_json(RawEventData).ClientIP)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId
| project-reorder Timestamp, InitiatedByAccountName, UserId, ClientIP, ActionTypeAbout this query
Explanation
This query is designed to track when a Defender for Endpoint offboarding package is downloaded. Here's a simple breakdown:
-
Purpose: The query identifies instances where a package used to remove Defender for Endpoint security tools from devices is downloaded. This is important because such actions can reduce the security visibility on those devices.
-
Security Concern: If an unauthorized user gains access to an account that can download these offboarding packages, they could potentially disable security measures, which poses a significant risk.
-
Technical Details:
- The query looks for events where the action type is "DownloadOffboardingPkg".
- It extracts and displays relevant information such as the user ID, client IP address, and the account name that initiated the download.
- The query is structured to show this information in a clear order, making it easier to review and analyze.
-
Tools: The query can be run in both Defender XDR and Sentinel environments, with slight differences in the field names used for timestamps.
Overall, this query helps security teams monitor and respond to potential security risks associated with the downloading of offboarding packages.
