Query Details

ASR Single Rule Audits

Query

// uncomment one line at a time to look at hits within a specific category
DeviceEvents
//| where ActionType =~ "AsrAdobeReaderChildProcessAudited"
//| where ActionType =~ "AsrExecutableEmailContentAudited"
//| where ActionType =~ "AsrExecutableOfficeContentAudited"
//| where ActionType =~ "AsrLsassCredentialTheftAudited"
//| where ActionType =~ "AsrObfuscatedScriptAudited"
//| where ActionType =~ "AsrOfficeChildProcessAudited"
//| where ActionType =~ "AsrOfficeCommAppChildProcessAudited"
//| where ActionType =~ "AsrOfficeMacroWin32ApiCallsAudited"
//| where ActionType =~ "AsrOfficeProcessInjectionAudited"
//| where ActionType =~ "AsrPersistenceThroughWmiAudited"
//| where ActionType =~ "AsrPsexecWmiChildProcessAudited"
//| where ActionType =~ "AsrRansomwareAudited"
//| where ActionType =~ "AsrScriptExecutableDownloadAudited"
//| where ActionType =~ "AsrUntrustedExecutableAudited"
//| where ActionType =~ "AsrUntrustedUsbProcessAudited"
//| where ActionType =~ "AsrVulnerableSignedDriverAudited"
//| where ActionType =~ "ControlledFolderAccessViolationAudited"
| project DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessCommandLine

Explanation

The query reads the DeviceEvents table and filters on ActionType. Each commented-out line filters on one Attack Surface Reduction (ASR) rule in audit mode, or on Controlled Folder Access audit events; uncomment one line at a time to see the hits for that rule only. The final projection keeps the fields needed to judge whether a hit is expected activity or not: DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath, and ProcessCommandLine.
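Uncommenting one rule at a time works for a quick look, but when deciding which audit-mode rules can safely move to block mode it is more useful to see the volume of every rule at once. The following KQL is an added example, not part of the original query or the author's page; it assumes the same DeviceEvents table and ActionType values listed above, and the 30-day window is an arbitrary choice.

```kql
// Added example: count ASR and Controlled Folder Access audit-mode hits per rule and
// per initiating process over the last 30 days (window is an assumption), so the
// noisiest rules and the processes that trigger them are visible before block mode is enabled.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType endswith "Audited"
| where ActionType startswith "Asr" or ActionType == "ControlledFolderAccessViolationAudited"
| summarize Hits = count(),
            Devices = dcount(DeviceName),
            SampleCommandLine = take_any(ProcessCommandLine)
    by ActionType, InitiatingProcessFileName
| sort by Hits desc
```

Rules with many hits spread across many devices usually point at a line-of-business application that needs an exclusion; rules with zero or a handful of hits are the cheapest candidates to switch to block mode first. Add `DeviceName` to the `by` clause to get the per-device breakdown instead.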

Details


C.J. May

Released: October 13, 2022

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessCommandLine

Operators

where, =~, project
