Detection Searches
Defender
Defender Detected malware
index="<defender index>"
(EventCode=1116 OR EventCode=1160 OR EventCode=1117 OR EventCode=1118)
| rex field=_raw "Name:\s*(?<ThreatName>[^\r\n]+)"
| rex field=_raw "ID:\s*(?<ThreatID>\d+)"
| rex field=_raw "Severity:\s*(?<Severity>\w+)"
| rex field=_raw "Category:\s*(?<Category>[^\r\n]+)"
| rex field=_raw "Path:\s*file:_?(?<FilePath>[^\r\n]+)"
| rex field=_raw "Detection Origin:\s*(?<DetectionOrigin>[^\r\n]+)"
| rex field=_raw "Detection Type:\s*(?<DetectionType>[^\r\n]+)"
| rex field=_raw "Detection Source:\s*(?<DetectionSource>[^\r\n]+)"
| rex field=_raw "User:\s*(?<DetectedUser>[^\r\n]+)"
| rex field=_raw "Process Name:\s*(?<ProcessName>[^\r\n]+)"
| table _time, ComputerName, DetectedUser, ThreatName, ThreatID, Severity, Category, FilePath, DetectionOrigin, DetectionType, DetectionSource, ProcessName
Note: Defender writes the detected resource as file:_C:\path (underscore after file:), so the Path rex allows an optional underscore; if the event lists more than one resource on the Path line, FilePath captures the whole line.

Detect Defender Tampering
index="<defender index>"
(EventCode=5001 OR EventCode=5010 OR EventCode=5012 OR EventCode=5014 OR EventCode=5017 OR EventCode=5019)
| table _time, ComputerName, EventCode, Message, User
| sort -_time
Note: ComputerName, User and Message are the field names the Splunk Add-on for Windows extracts from WinEventLog data; substitute your own extractions if they differ (for example host instead of ComputerName). Use sort 0 -_time if the result set may exceed the default 10,000-row limit of sort.
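The two Defender searches above, re-implemented in Python as an added example (this is not code from the original page) so the rex extractions can be checked offline before they go into Splunk. Python's re module spells named groups (?P<name>...) where Splunk's rex accepts (?<name>...); the patterns and EventCode sets are otherwise the search's own. The event bodies, hostnames, user and timestamps below are constructed sample data in the shape the Splunk Add-on for Windows produces.

```python
import re

# EventCode sets taken from the two searches on this page.
DETECTION_CODES = {1116, 1117, 1118, 1160}
TAMPERING_CODES = {5001, 5010, 5012, 5014, 5017, 5019}

# The rex extractions of the "Defender Detected malware" search,
# written with Python's (?P<v>...) group syntax.
FIELD_PATTERNS = {
    "ThreatName":      r"Name:\s*(?P<v>[^\r\n]+)",
    "ThreatID":        r"ID:\s*(?P<v>\d+)",
    "Severity":        r"Severity:\s*(?P<v>\w+)",
    "Category":        r"Category:\s*(?P<v>[^\r\n]+)",
    # Defender writes "Path: file:_C:\..."; the optional underscore keeps it out of FilePath.
    "FilePath":        r"Path:\s*file:_?(?P<v>[^\r\n]+)",
    "DetectionOrigin": r"Detection Origin:\s*(?P<v>[^\r\n]+)",
    "DetectionType":   r"Detection Type:\s*(?P<v>[^\r\n]+)",
    "DetectionSource": r"Detection Source:\s*(?P<v>[^\r\n]+)",
    "DetectedUser":    r"User:\s*(?P<v>[^\r\n]+)",
    "ProcessName":     r"Process Name:\s*(?P<v>[^\r\n]+)",
}

# Constructed 1116 event body (EICAR test file); layout follows the Defender message format.
EICAR_1116 = r"""Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0
    Name: Virus:DOS/EICAR_Test_File
    ID: 2147519003
    Severity: Severe
    Category: Virus
    Path: file:_C:\Users\alice\Downloads\eicar.com
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: Real-Time Protection
    User: NT AUTHORITY\SYSTEM
    Process Name: C:\Windows\explorer.exe"""

# Constructed events in the shape the Windows add-on indexes them (_time, ComputerName, EventCode, _raw).
# The 5007 event is included on purpose: it is a config change, not in the tampering list.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "ComputerName": "WKS01.corp.example", "EventCode": 1116,
     "_raw": EICAR_1116},
    {"_time": "2024-05-01T09:05:00", "ComputerName": "WKS01.corp.example", "EventCode": 5001,
     "_raw": "Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled."},
    {"_time": "2024-05-01T08:30:00", "ComputerName": "WKS02.corp.example", "EventCode": 5010,
     "_raw": "Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled."},
    {"_time": "2024-05-01T09:10:00", "ComputerName": "WKS01.corp.example", "EventCode": 5007,
     "_raw": "Microsoft Defender Antivirus Configuration has changed."},
]


def extract_fields(raw):
    """Apply the search's rex extractions to one event body; unmatched fields are None."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, raw)
        fields[name] = m.group("v").strip() if m else None
    return fields


def defender_detections(events):
    """'Defender Detected malware': filter on EventCode, then build the table columns."""
    rows = []
    for ev in events:
        if ev["EventCode"] in DETECTION_CODES:
            row = {"_time": ev["_time"], "ComputerName": ev["ComputerName"]}
            row.update(extract_fields(ev["_raw"]))
            rows.append(row)
    return rows


def defender_tampering(events):
    """'Detect Defender Tampering': filter on EventCode, newest first (| sort -_time)."""
    rows = [ev for ev in events if ev["EventCode"] in TAMPERING_CODES]
    return sorted(rows, key=lambda ev: ev["_time"], reverse=True)


if __name__ == "__main__":
    for row in defender_detections(SAMPLE_EVENTS):
        print(row)
    for row in defender_tampering(SAMPLE_EVENTS):
        print(row["_time"], row["ComputerName"], row["EventCode"], row["_raw"])
```

Running the script prints one detection row with FilePath C:\Users\alice\Downloads\eicar.com (underscore stripped) and the two tampering events newest first, with the 5007 configuration change filtered out. To test a rex change, edit FIELD_PATTERNS and re-run before touching the saved search.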
Machine
Bad PowerShell commands run on endpoint
MSI installed on endpoint
Azure
Excessive Failed Logins
Login from outside the US - Failed