Query Details

ASR Rules Triggered By Device

Query

# Detect the number of ASR events that have been triggered for each device

## Query Information

#### Description
This query gives an overview of the number of ASR (attack surface reduction) rule triggers per device. A high number of triggers can indicate that suspicious activity is taking place on a device. Both audited and blocked events are included.

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide

## Defender For Endpoint
```kql
DeviceEvents
| where ActionType startswith "Asr"
| summarize count() by DeviceName
| sort by count_
```
## Sentinel
```kql
DeviceEvents
| where ActionType startswith "Asr"
| summarize count() by DeviceName
| sort by count_
```

Explanation

This query counts the ASR events triggered on each device. It provides an overview of the number of ASR triggers per device, which can indicate suspicious activity on that device. The query includes both audited and blocked events, and the results are sorted by the number of ASR events.
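As an added example (not part of the original query), the same per-device count can be split into blocked versus audited events and enriched with the rule names involved, which makes it easier to tell a noisy audit-mode rule from a device where rules are actually blocking activity. It assumes ASR ActionType values end in "Blocked" or "Audited" (for example AsrLsassCredentialTheftBlocked) and uses the Timestamp column (replace with TimeGenerated in Sentinel if preferred); the 7-day window and the triage threshold are assumptions to tune per environment.

```kql
// Added example: per-device ASR breakdown by mode and rule (not the original page's query)
let lookback = 7d;                       // assumed window, tune as needed
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Asr"
// Assumes ASR ActionType values are named <Rule>Blocked or <Rule>Audited
| extend Mode = case(ActionType endswith "Blocked", "Blocked",
                     ActionType endswith "Audited", "Audited",
                     "Other")
| extend Rule = replace_regex(ActionType, @"(Blocked|Audited)$", "")
| summarize Total         = count(),
            Blocked       = countif(Mode == "Blocked"),
            Audited       = countif(Mode == "Audited"),
            DistinctRules = dcount(Rule),
            Rules         = make_set(Rule, 20),
            FirstSeen     = min(Timestamp),
            LastSeen      = max(Timestamp)
    by DeviceName
// Assumed triage threshold: any block, or several different rules firing on one device
| where Blocked > 0 or DistinctRules >= 3
| sort by Total desc
```

Devices with many Audited but zero Blocked events are usually candidates for moving a rule to block mode rather than incidents; devices with several distinct rules firing in a short window deserve a closer look at the underlying DeviceEvents rows.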

Details


Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceEvents

Keywords

Devices,ASR,Events

Operators

|, where, startswith, summarize, count, by, sort
