Overview of quarantined/blocked files from Defender for Endpoint



I want to make a workbook in Sentinel that displays the files that has been quarantined/blocked by defender for endpoint, and the corresponding machines it happened on.

I have enabled the collection of Defender for Endpoint logs through the 'Microsoft 365 Defender' connector, but I am unsure exactly which tables and coloumns to query to make my desired workbook.

Thanks in advance.

1 Reply



There are two parts to the Defender for Endpoint to Sentinel integration, if you enable all the connectors then the telemetry from the devices go into the Device* tables, such as DeviceProcessEvents or DeviceNetworkEvents. If you didn't mean to ingest all those logs you may want to switch it off because it could cost you a lot of money in ingestion.


If you want just actual alerts generated from Defender for Endpoint (say when a file is blocked) then you are after the SecurityAlerts table. This will give you a summary of the time the alert was generated, the name of the alert and the device


| where ProviderName == "MDATP"
| project TimeGenerated, AlertName, CompromisedEntity


If you wanted to retrieve the details of the particular files you need to parse the 'entities' from the alert, take this as an example


| where ProviderName == "MDATP"
| extend x = todynamic(Entities)
| mv-expand x
| parse-where x with * 'Directory":"' FileDirectory '","' *
| parse-where x with * '"Name":"' FileName '","' *
| project TimeGenerated, AlertName, CompromisedEntity, FileDirectory, FileName


Keep in mind that the entities will be different for the different types of alerts, so for an alert where a file was blocked you are interested in the file, but for an alert that say obfuscated PowerShell, you are interested in the command that was run.


If you want to get a summary of the types of alerts you are seeing you can start with 


| where ProviderName == "MDATP"
| summarize count()by AlertName