
MDO Tenant Allow Block List

Query

# Microsoft Defender for Office 365 - Tenant Allow/Block List changes.

![KQL](https://img.shields.io/badge/language-KQL-blue.svg)
![Status: Stable](https://img.shields.io/badge/status-stable-brightgreen.svg)

## Query Information

### Description

This query identifies recent Tenant Allow/Block List add, update, and removal actions in Microsoft Defender for Office 365, and surfaces the actor, action type, and key entry details (such as list type, block state, notes, and expiration).

#### References

- [Manage allows and blocks in the Tenant Allow/Block List](https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about)

### Author

- **Alex Verboon**

## Defender XDR

```kql
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType has_any (
    "New-TenantAllowBlockListItems",
    "Remove-TenantAllowBlockListItems",
    "Set-TenantAllowBlockListItems"
)
| extend Data = parse_json(RawEventData)
| mv-expand Parameter = Data.Parameters
| extend 
    ParamName = tostring(Parameter.Name),
    ParamValue = tostring(Parameter.Value)
| summarize 
    Entries = take_anyif(ParamValue, ParamName == "Entries"),
    ListType = take_anyif(ParamValue, ParamName == "ListType"),
    Block = take_anyif(ParamValue, ParamName == "Block"),
    Allow = take_anyif(ParamValue, ParamName == "Allow"),
    Notes = take_anyif(ParamValue, ParamName == "Notes"),
    ExpirationDate = take_anyif(ParamValue, ParamName == "ExpirationDate")
    by Timestamp, ActionType, AccountDisplayName
| order by Timestamp desc
```


Explanation

This KQL query tracks changes made to the Tenant Allow/Block List in Microsoft Defender for Office 365 over the past 30 days. It focuses on actions that add, update, or remove entries from the list. Here's a breakdown of what the query does:

1. Data Source: It reads from the CloudAppEvents table, which records cloud application activity, including the audited Exchange Online cmdlet executions behind Tenant Allow/Block List changes.

2. Time Frame: It filters events to only those that occurred within the last 30 days.

3. Action Types: The query looks for three cmdlets:

   - New-TenantAllowBlockListItems: adding new items to the Tenant Allow/Block List.
   - Remove-TenantAllowBlockListItems: removing items from the list.
   - Set-TenantAllowBlockListItems: updating existing items on the list.

4. Data Parsing: It parses the RawEventData JSON, expands its Parameters array into one row per parameter, and picks out the parameters of interest:

   - Entries: The specific items being added, updated, or removed.
   - ListType: Indicates which list the action pertains to (for example, sender, URL, or file entries).
   - Block and Allow: Flags indicating whether the entry blocks or allows what it names.
   - Notes: Any additional notes recorded with the action.
   - ExpirationDate: When the entry is set to expire, if one was set.

5. Summarization: The query collapses the expanded parameter rows back into one row per event, keyed by the timestamp of the action, the type of action performed, and the display name of the account that performed it.

6. Ordering: Finally, it orders the results by timestamp in descending order, so the most recent changes appear first.

In essence, this query helps administrators monitor and review who made changes to the Tenant Allow/Block List, what changes were made, and any relevant details about those changes.
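To show what the parsing and summarization steps above actually produce, here is an added Python example (not part of this query page or its author's code) that replays the same pipeline offline over constructed CloudAppEvents-shaped rows. It assumes that `RawEventData` carries a `Parameters` array of `Name`/`Value` pairs, as the KQL query does; the sample events, account names, entries and the `NOW` reference time are all made up for the demonstration.

```python
import json
from datetime import datetime, timedelta, timezone

# Action types the KQL query on this page watches.
WATCHED_ACTIONS = {
    "New-TenantAllowBlockListItems",
    "Remove-TenantAllowBlockListItems",
    "Set-TenantAllowBlockListItems",
}
# Parameters the query pivots into columns with take_anyif.
PARAMS = ("Entries", "ListType", "Block", "Allow", "Notes", "ExpirationDate")

# Constructed sample rows in the shape of CloudAppEvents (Timestamp, ActionType,
# AccountDisplayName, RawEventData). The Parameters array mirrors the Name/Value
# pairs the query expands; every value here is invented.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {
        "Timestamp": NOW - timedelta(hours=2),
        "ActionType": "New-TenantAllowBlockListItems",
        "AccountDisplayName": "sec-admin@example.com",
        "RawEventData": json.dumps({"Parameters": [
            {"Name": "ListType", "Value": "Sender"},
            {"Name": "Entries", "Value": "phish@example.net"},
            {"Name": "Block", "Value": "True"},
            {"Name": "Notes", "Value": "Ticket 1234"},
            {"Name": "ExpirationDate", "Value": "6/30/2026 12:00:00 AM"},
        ]}),
    },
    {   # allow entry with no Notes and no ExpirationDate
        "Timestamp": NOW - timedelta(days=1),
        "ActionType": "New-TenantAllowBlockListItems",
        "AccountDisplayName": "helpdesk@example.com",
        "RawEventData": json.dumps({"Parameters": [
            {"Name": "ListType", "Value": "Url"},
            {"Name": "Entries", "Value": "*.example.org/*"},
            {"Name": "Allow", "Value": "True"},
        ]}),
    },
    {   # outside the 30-day window: must be dropped
        "Timestamp": NOW - timedelta(days=45),
        "ActionType": "Remove-TenantAllowBlockListItems",
        "AccountDisplayName": "sec-admin@example.com",
        "RawEventData": json.dumps({"Parameters": [
            {"Name": "ListType", "Value": "Sender"},
            {"Name": "Entries", "Value": "old@example.net"},
        ]}),
    },
    {   # unrelated cmdlet: must be dropped
        "Timestamp": NOW - timedelta(hours=1),
        "ActionType": "Set-Mailbox",
        "AccountDisplayName": "helpdesk@example.com",
        "RawEventData": json.dumps({"Parameters": [{"Name": "Identity", "Value": "x"}]}),
    },
]


def tenant_allow_block_list_changes(events, now=NOW, lookback=timedelta(days=30)):
    """Replay the page's KQL pipeline: time filter, ActionType filter, parse
    RawEventData, pivot the Parameters array into columns, group by
    (Timestamp, ActionType, AccountDisplayName) and sort newest first."""
    rows = {}
    for ev in events:
        if ev["Timestamp"] <= now - lookback:          # where Timestamp > ago(30d)
            continue
        if ev["ActionType"] not in WATCHED_ACTIONS:    # where ActionType has_any (...)
            continue
        data = json.loads(ev["RawEventData"])          # parse_json(RawEventData)
        key = (ev["Timestamp"], ev["ActionType"], ev["AccountDisplayName"])
        row = rows.setdefault(key, {p: None for p in PARAMS})
        for param in data.get("Parameters", []):       # mv-expand Parameter
            name = str(param.get("Name", ""))
            value = str(param.get("Value", ""))
            if name in PARAMS and row[name] is None:   # take_anyif keeps one value
                row[name] = value
    # order by Timestamp desc
    return [
        {"Timestamp": k[0], "ActionType": k[1], "AccountDisplayName": k[2], **v}
        for k, v in sorted(rows.items(), key=lambda kv: kv[0][0], reverse=True)
    ]


def is_block(row):
    """True when the entry is a block. The cmdlet audit record carries Block and
    Allow as the strings "True"/"False", so compare case-insensitively."""
    return (row.get("Block") or "").lower() == "true"


if __name__ == "__main__":
    for r in tenant_allow_block_list_changes(SAMPLE_EVENTS):
        kind = "BLOCK" if is_block(r) else "ALLOW"
        print(f"{r['Timestamp']:%Y-%m-%d %H:%M} {r['ActionType']:<34} "
              f"{r['AccountDisplayName']:<24} {kind} {r['ListType']} "
              f"{r['Entries']} expires={r['ExpirationDate']}")
```

Two things the replay makes visible that the query text does not: columns for parameters the cmdlet was not given (here `Notes` and `ExpirationDate` on the allow entry) come back empty rather than failing, so downstream logic has to tolerate nulls; and because `take_anyif` keeps a single value per parameter name within each (Timestamp, ActionType, AccountDisplayName) group, any second parameter with the same name in one audit record is discarded, which is why the grouping key matters when two changes share a timestamp and actor.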

Details


Alex Verboon

Released: June 1, 2026

Tables

CloudAppEvents

Keywords

Microsoft Defender, Office, Tenant Allow/Block List, CloudAppEvents, ActionType, Actor, Action, Key Entry Details, ListType, Block State, Notes, Expiration

Operators

CloudAppEvents, where, ago, has_any, extend, parse_json, mv-expand, tostring, summarize, take_anyif, order by, desc
