Microsoft Tech Community

Overview of quarantined/blocked files from Defender for Endpoint


Hi,

I want to make a workbook in Sentinel that displays the files that have been quarantined/blocked by Defender for Endpoint, and the corresponding machines it happened on.

I have enabled the collection of Defender for Endpoint logs through the 'Microsoft 365 Defender' connector, but I am unsure exactly which tables and columns to query to make my desired workbook.


Thanks in advance.

1 Reply

@Larssen92

There are two parts to the Defender for Endpoint to Sentinel integration. If you enable all the connectors, then the telemetry from the devices goes into the Device* tables, such as DeviceProcessEvents or DeviceNetworkEvents. If you didn't mean to ingest all those logs, you may want to switch it off because it could cost you a lot of money in ingestion.

If you want just the actual alerts generated from Defender for Endpoint (say, when a file is blocked), then you are after the SecurityAlert table. This will give you a summary of the time the alert was generated, the name of the alert and the device:


SecurityAlert
| where ProviderName == "MDATP"
| project TimeGenerated, AlertName, CompromisedEntity


If you want to retrieve the details of the particular files, you need to parse the 'entities' from the alert. Take this as an example:


SecurityAlert
| where ProviderName == "MDATP"
| extend x = todynamic(Entities)
| mv-expand x
| parse-where x with * 'Directory":"' FileDirectory '","' *
| parse-where x with * '"Name":"' FileName '","' *
| project TimeGenerated, AlertName, CompromisedEntity, FileDirectory, FileName


Keep in mind that the entities will be different for the different types of alerts, so for an alert where a file was blocked you are interested in the file, but for an alert that says obfuscated PowerShell, you are interested in the command that was run.


If you want to get a summary of the types of alerts you are seeing, you can start with:


SecurityAlert
| where ProviderName == "MDATP"
| summarize count() by AlertName
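As an added example (not part of the reply above, and not a Microsoft-provided query), here is one way to combine the two ideas in the reply into a single query a workbook panel could use: expand the Entities JSON, keep only the entities that describe a file, and roll the result up per device and file. It assumes the Sentinel entity schema in which a file entity carries a "Type" of "file" plus "Name" and "Directory" properties; those property names are an assumption about the alert payload, not something stated on this page, so check them against a real alert in your workspace (`SecurityAlert | where ProviderName == "MDATP" | take 5`) before relying on the filter. The 7-day window is also an arbitrary choice for the example.

```kql
// Added example, not from the original thread.
// Lists files referenced by Defender for Endpoint alerts together with the
// device (CompromisedEntity) they were seen on, for use in a Sentinel workbook.
// Assumption: file entities in the Entities JSON look like
//   {"$id":"2","Type":"file","Name":"payload.exe","Directory":"C:\\Users\\x\\Downloads", ...}
SecurityAlert
| where TimeGenerated > ago(7d)                      // example window; a workbook would use its time-range parameter
| where ProviderName == "MDATP"                      // only Defender for Endpoint alerts
| extend EntityList = todynamic(Entities)            // Entities is stored as a JSON string
| mv-expand Entity = EntityList                      // one row per entity in the alert
| where tostring(Entity.Type) == "file"              // drop host, account, process, url entities etc.
| extend FileName = tostring(Entity.Name),
         FileDirectory = tostring(Entity.Directory)
| where isnotempty(FileName)                         // ignore malformed or partial file entities
| summarize AlertCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Alerts = make_set(AlertName)
    by Device = CompromisedEntity, FileDirectory, FileName, AlertSeverity
| order by LastSeen desc
```

Filtering on the entity's Type rather than string-matching `"Name":"` means the same query works for alerts that carry no file entity at all (the obfuscated PowerShell case in the reply): those alerts simply produce no rows here instead of pulling in the Name of some other entity type. If you also want the alert's hash or quarantine details, look at the other entity types and the ExtendedProperties column in a sample alert first, since their layout varies by alert type.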