Query Details

Asr Untrusted Usb Process Audited Detection Rule

Query

DeviceEvents
| where ActionType == "AsrUntrustedUsbProcessAudited"

About this query

Rule: Detection of untrusted processe running for USB by ASR

Description

This query detects events where an untrusted USB process has been audited by the Advanced Security Audit Policy (ASR).

Detection Logic

Monitors DeviceEvents for occurrences where the ActionType is "AsrUntrustedUsbProcessAudited".

Tags

  • ASR
  • USB
  • Auditing

Search Query

Explanation

Summary

This query is designed to detect instances where an untrusted process related to a USB device has been flagged by the Advanced Security Audit Policy (ASR). It specifically looks for events in the DeviceEvents table where the ActionType is "AsrUntrustedUsbProcessAudited". This helps in identifying potentially malicious activities involving USB devices.

Key Points

  • Purpose: Detect untrusted USB processes audited by ASR.
  • Data Source: DeviceEvents table.
  • Condition: ActionType must be "AsrUntrustedUsbProcessAudited".

Tags

  • ASR (Advanced Security Audit Policy)
  • USB
  • Auditing

Search Query

DeviceEvents
| where ActionType == "AsrUntrustedUsbProcessAudited"

Details

Ali Hussein profile picture

Ali Hussein

Released: July 15, 2024

Tables

DeviceEvents

Keywords

DeviceEventsASRUSBAuditing

Operators

|where==

Actions

GitHub