Query Details

Defender For Endpoint Offboarding Package Downloaded

Offboarding Package Downloaded

Query

CloudAppEvents
| where ActionType == "DownloadOffboardingPkg"
| extend UserId = tostring(parse_json(RawEventData).UserId), ClientIP = tostring(parse_json(RawEventData).ClientIP)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId
| project-reorder Timestamp, InitiatedByAccountName, UserId, ClientIP, ActionType

About this query

Explanation

This query is designed to track when a Defender for Endpoint offboarding package is downloaded. Here's a simple breakdown:

  1. Purpose: The query identifies instances where a package used to remove Defender for Endpoint security tools from devices is downloaded. This is important because such actions can reduce the security visibility on those devices.

  2. Security Concern: If an unauthorized user gains access to an account that can download these offboarding packages, they could potentially disable security measures, which poses a significant risk.

  3. Technical Details:

    • The query looks for events where the action type is "DownloadOffboardingPkg".
    • It extracts and displays relevant information such as the user ID, client IP address, and the account name that initiated the download.
    • The query is structured to show this information in a clear order, making it easier to review and analyze.
  4. Tools: The query can be run in both Defender XDR and Sentinel environments, with slight differences in the field names used for timestamps.

Overall, this query helps security teams monitor and respond to potential security risks associated with the downloading of offboarding packages.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

CloudAppEvents

Keywords

DefenderEndpointDevicesAccountUserIPTimestamp

Operators

whereextendtostringparse_jsonproject-renameproject-reorder

MITRE Techniques

Actions

GitHub