kqlHunting

Defense Evasion Alerts Generated by Defender For Endpoint

This query lists the Defense Evasion alerts generated by Defender For Endpoint: it filters CloudAppEvents on the DefenseEvasion action type and pulls the alert URI, display name and severity out of the RawEventData payload.

Detection Query

```KQL
// Alerts surfaced in CloudAppEvents with the DefenseEvasion action type
CloudAppEvents
| where ActionType == 'DefenseEvasion'
// RawEventData carries the alert details; parse it once and read the fields from the dynamic object
| extend RawEvent = parse_json(RawEventData)
| extend
     AlertUri = RawEvent.AlertUri,
     AlertDisplayName = RawEvent.AlertDisplayName,
     AlertSeverity = RawEvent.AlertSeverity
| project AlertUri, AlertDisplayName, AlertSeverity
```
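The following Python is an added example, not part of the kqlHunting repository, that replays the query's logic offline over a handful of constructed CloudAppEvents rows. It mirrors the two behaviours worth knowing when the query runs for real: parse_json() hands back the input untouched when RawEventData is not valid JSON, and reading a path from something that is not an object yields null, so a malformed row still appears in the result with empty alert fields instead of being dropped. The sample events, the URIs and the severity ranking used for triage ordering are all assumptions made for the example.

```python
import json

# Constructed sample rows standing in for CloudAppEvents records (not real telemetry).
# RawEventData is stored as a JSON string here; one row has a different ActionType
# and one row carries RawEventData that is not parsable JSON.
SAMPLE_EVENTS = [
    {"ActionType": "DefenseEvasion",
     "RawEventData": json.dumps({"AlertUri": "https://security.example/alerts/1",
                                 "AlertDisplayName": "Suspicious process tampering",
                                 "AlertSeverity": "High"})},
    {"ActionType": "FileDownloaded",
     "RawEventData": json.dumps({"AlertUri": "https://security.example/alerts/2",
                                 "AlertDisplayName": "Not an alert row",
                                 "AlertSeverity": "Low"})},
    {"ActionType": "DefenseEvasion",
     "RawEventData": json.dumps({"AlertUri": "https://security.example/alerts/3",
                                 "AlertDisplayName": "Security tool disabled",
                                 "AlertSeverity": "Medium"})},
    {"ActionType": "DefenseEvasion",
     "RawEventData": "not json {"},
]

# The three columns the KQL query projects.
FIELDS = ("AlertUri", "AlertDisplayName", "AlertSeverity")


def parse_json(value):
    """Mimic KQL parse_json(): return the parsed object, or the input unchanged when it is not valid JSON."""
    if isinstance(value, (dict, list)):
        return value  # already dynamic, nothing to do
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def get_field(obj, key):
    """Mimic KQL dynamic path access: a missing key or a non-object yields null (None)."""
    if isinstance(obj, dict):
        return obj.get(key)
    return None


def defense_evasion_alerts(events):
    """Replicate: CloudAppEvents | where ActionType == 'DefenseEvasion' | extend ... | project ..."""
    rows = []
    for event in events:
        if event.get("ActionType") != "DefenseEvasion":
            continue
        raw = parse_json(event.get("RawEventData"))
        rows.append({field: get_field(raw, field) for field in FIELDS})
    return rows


# Assumed severity ordering for triage; not part of the original query.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def sort_by_severity(rows):
    """Order results high-severity first; unknown or null severities sort last so they stay visible."""
    return sorted(rows, key=lambda r: SEVERITY_RANK.get(r["AlertSeverity"], len(SEVERITY_RANK)))


if __name__ == "__main__":
    for row in sort_by_severity(defense_evasion_alerts(SAMPLE_EVENTS)):
        print(row)
```

In the live table RawEventData is already a dynamic column, so the parse_json() call in the query is a no-op there; the string form above only exists so the malformed-payload case can be exercised offline.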

Data Sources

CloudAppEvents

Platforms

azure-sentinel
microsoft-defender

Tags

defender-for-cloud-apps