ASR Top Rules
Query
// top categories with audit hits
DeviceEvents
| where ActionType startswith 'Asr'
or ActionType startswith 'ControlledFolderAccessViolation'
and ActionType endswith 'Audited'
| summarize Count = count() by ActionType
| sort by CountExplanation
This query is looking for the top categories of events that have audit hits. It filters the DeviceEvents table to include only actions that start with 'Asr' or 'ControlledFolderAccessViolation' and end with 'Audited'. Then it summarizes the count of each ActionType and sorts the results by the count in ascending order.
Details

C.J. May
Released: October 13, 2022
Tables
DeviceEvents
Keywords
DeviceEventsActionTypeAsrControlledFolderAccessViolationAuditedCount
Operators
|wherestartswithorendswithsummarizecountbysort