This query returns results when a Defender For Identity Sensor has been deleted. This sensor would have been installed on your Domain Controller, ADCS, ADFS or Entra Connect server.
CloudAppEvents
| where ActionType == "SensorDeleted"
| extend Sensor = tostring(parse_json(RawEventData).ResultDescription), InitiatorUpn = tostring(parse_json(RawEventData).UserId)
| project-reorder Timestamp, Sensor, InitiatorUpnCloudAppEvents
| where ActionType == "SensorDeleted"
| extend Sensor = tostring(parse_json(RawEventData).ResultDescription), InitiatorUpn = tostring(parse_json(RawEventData).UserId)
| project-reorder TimeGenerated, Sensor, InitiatorUpn