Asr Untrusted Usb Process Audited Detection Rule
Query
DeviceEvents
| where ActionType == "AsrUntrustedUsbProcessAudited"About this query
Rule: Detection of untrusted processe running for USB by ASR
Description
This query detects events where an untrusted USB process has been audited by the Advanced Security Audit Policy (ASR).
Detection Logic
Monitors DeviceEvents for occurrences where the ActionType is "AsrUntrustedUsbProcessAudited".
Tags
- ASR
- USB
- Auditing
Search Query
Explanation
Summary
This query is designed to detect instances where an untrusted process related to a USB device has been flagged by the Advanced Security Audit Policy (ASR). It specifically looks for events in the DeviceEvents table where the ActionType is "AsrUntrustedUsbProcessAudited". This helps in identifying potentially malicious activities involving USB devices.
Key Points
- Purpose: Detect untrusted USB processes audited by ASR.
- Data Source:
DeviceEventstable. - Condition:
ActionTypemust be"AsrUntrustedUsbProcessAudited".
Tags
- ASR (Advanced Security Audit Policy)
- USB
- Auditing
Search Query
DeviceEvents
| where ActionType == "AsrUntrustedUsbProcessAudited"
Details

Ali Hussein
Released: July 15, 2024
Tables
DeviceEvents
Keywords
DeviceEventsASRUSBAuditing
Operators
|where==