Query Details

Asr Untrusted Usb Process Audited Detection Rule

Query

## Rule: Detection of untrusted processes running from USB by ASR

### Description
This query detects events where an untrusted USB process has been audited by the Advanced Security Audit Policy (ASR).

- [Microsoft documentation on ASR](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings)

### Detection Logic
Monitors `DeviceEvents` for occurrences where the `ActionType` is `"AsrUntrustedUsbProcessAudited"`.

### Tags
- ASR
- USB
- Auditing

### Search Query
```kql
DeviceEvents
| where ActionType == "AsrUntrustedUsbProcessAudited"
```
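The one-line rule above only surfaces the raw event; for triage an analyst usually wants to know which executable fired, from which path, how many devices it touched, and whether the same binary was also blocked. The following query is an added example (not part of the original rule) that groups audited and blocked hits per executable over a seven-day window. It assumes the standard `DeviceEvents` columns (`FileName`, `FolderPath`, `SHA256`, `InitiatingProcessFileName`, `InitiatingProcessCommandLine`) and the blocked counterpart ActionType `AsrUntrustedUsbProcessBlocked`, which is not on the page:

```kql
// Added triage example: rank executables that triggered the untrusted-USB ASR
// rule, so a single widespread binary is not read as many unrelated alerts.
DeviceEvents
| where Timestamp > ago(7d)
// Include the blocked variant too; in block mode the same rule emits it
// instead of the audited variant. (ActionType name is an assumption here.)
| where ActionType in ("AsrUntrustedUsbProcessAudited",
                       "AsrUntrustedUsbProcessBlocked")
| project Timestamp, DeviceName, AccountName, ActionType,
          FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine
// One row per distinct executable and outcome: how often, how widely, when.
| summarize Occurrences = count(),
            Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleDevice = take_any(DeviceName),
            SampleParent = take_any(InitiatingProcessFileName),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
          by FileName, FolderPath, SHA256, ActionType
// Many devices and many hits usually means a deployment tool or a worm on
// removable media; a single device with one hit is more often a user test.
| order by Devices desc, Occurrences desc
```

Pivot on `SHA256` rather than `FileName` when checking reputation, since the same name can appear with different hashes across drives.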

Explanation

Summary

This query is designed to detect instances where an untrusted process related to a USB device has been flagged by the Advanced Security Audit Policy (ASR). It specifically looks for events in the DeviceEvents table where the ActionType is "AsrUntrustedUsbProcessAudited". This helps in identifying potentially malicious activities involving USB devices.

Key Points

  • Purpose: Detect untrusted USB processes audited by ASR.
  • Data Source: DeviceEvents table.
  • Condition: ActionType must be "AsrUntrustedUsbProcessAudited".

Tags

  • ASR (Advanced Security Audit Policy)
  • USB
  • Auditing


Details

Author: Ali Hussein

Released: July 15, 2024

Tables: DeviceEvents

Keywords: DeviceEvents, ASR, USB, Auditing

Operators: |, where, ==