Defender for endpoint - Qualification Query

Copper Contributor

I'm a security and forensic consultant for my entity.
I'm looking to create a standard qualification query which contains multiple Source.

In fact,

I simply want to get a result containing all the events based on my targeted ActionType, with only specific fields.


This query would allow me to contextualize a machine, optimizing the visibility of relevant elements.


I've tried all conditional structures (iif, case, Structural objects...) without success.

I worked with AIs trying to refine my code, without success.


this would result in a set of events filtered on the desired actiontypes, with only the relevant fields properly displayed
1 Reply


One of my tries :


let Nom_machine = "ComputerX";
let DetectionTime = datetime(yyyy-MM-dd HH:mm:ss);
let TimeRangeStart = DetectionTime-5m;
let TimeRangeEnd = DetectionTime+5m;
union withsource=SourceTable DeviceProcessEvents, DeviceFileEvents
| where DeviceName == Nom_machine
    and Timestamp between (TimeRangeStart .. TimeRangeEnd)
        and ActionType == "ProcessCreated"
        | project Timestamp,FileName, FolderPath
| limit 50"
then consider adding "or" clause with other Actiontype , projected with its own fields