Query Details

Asr Vulnerable Signed Driver Audited Query

Query

## Rule: Detect loading of vulnerable signed drivers audited by ASR

### Description
This query detects `DeviceEvents` rows in which the Advanced Security Audit Policy (ASR) audited the loading of a vulnerable signed driver, excluding events initiated by two known processes: the "HP Touchpoint Analytics Client" and any process whose company name is "ASUSTeK Computer Inc.".

- [Microsoft documentation on ASR](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings)

### Detection Logic
Monitors `DeviceEvents` for occurrences where:
- `ActionType` is `"AsrVulnerableSignedDriverAudited"`
- Excludes entries where `InitiatingProcessVersionInfoFileDescription` is `"HP Touchpoint Analytics Client"`
- Excludes entries where `InitiatingProcessVersionInfoCompanyName` is `"ASUSTeK Computer Inc."`
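To make the three `where` clauses concrete, the following Python is an added example (not part of the original rule or the Microsoft schema): it re-implements the filter over a handful of constructed `DeviceEvents` rows and then groups the surviving rows by driver hash, which is the shape an analyst wants for triage. Column names follow `DeviceEvents`; every value (device names, hashes, file names, the `SomeOtherActionType` placeholder) is made up for the demonstration.

```python
# Added example, not part of the original rule: the rule's three `where`
# clauses re-implemented over constructed DeviceEvents rows so the filter
# can be exercised offline. All sample values below are made up.
from collections import defaultdict
from dataclasses import dataclass

ACTION = "AsrVulnerableSignedDriverAudited"

# Exclusions exactly as the page's query spells them. KQL `!=` compares
# case-sensitively, so a plain set membership test reproduces it.
EXCLUDED_FILE_DESCRIPTIONS = {"HP Touchpoint Analytics Client"}
EXCLUDED_COMPANY_NAMES = {"ASUSTeK Computer Inc."}


@dataclass(frozen=True)
class DeviceEvent:
    device_name: str
    action_type: str
    file_name: str  # driver file that triggered the audit
    sha1: str       # hash of that driver file
    initiating_process_version_info_file_description: str
    initiating_process_version_info_company_name: str


def matches_rule(ev: DeviceEvent) -> bool:
    """True when the row survives the page's three `where` clauses."""
    if ev.action_type != ACTION:
        return False
    if ev.initiating_process_version_info_file_description in EXCLUDED_FILE_DESCRIPTIONS:
        return False
    if ev.initiating_process_version_info_company_name in EXCLUDED_COMPANY_NAMES:
        return False
    return True


def run_rule(events):
    """Apply the rule to an iterable of rows, preserving input order."""
    return [ev for ev in events if matches_rule(ev)]


def summarize_by_driver(hits):
    """Group hits by (file_name, sha1) -> sorted device names: one line per
    driver rather than one per audit event."""
    grouped = defaultdict(set)
    for ev in hits:
        grouped[(ev.file_name, ev.sha1)].add(ev.device_name)
    return {key: sorted(devs) for key, devs in grouped.items()}


# Constructed sample rows covering the cases the rule has to handle.
SAMPLE_EVENTS = [
    DeviceEvent("ws-01", ACTION, "olddrv.sys", "a" * 40, "Some Installer", "Example Vendor"),
    DeviceEvent("ws-02", ACTION, "olddrv.sys", "a" * 40, "Some Installer", "Example Vendor"),
    # Excluded by file description.
    DeviceEvent("ws-03", ACTION, "hpdrv.sys", "b" * 40, "HP Touchpoint Analytics Client", "HP Inc."),
    # Excluded by company name.
    DeviceEvent("ws-04", ACTION, "asusdrv.sys", "c" * 40, "ASUS Utility", "ASUSTeK Computer Inc."),
    # Placeholder ActionType: not an ASR driver audit, so never a hit.
    DeviceEvent("ws-05", "SomeOtherActionType", "tool.exe", "d" * 40, "Tool", "Example Vendor"),
    # Same HP process, but the description differs only in letter case:
    # `!=` is case-sensitive, so this row is NOT excluded and still fires.
    DeviceEvent("ws-06", ACTION, "hpdrv.sys", "b" * 40, "HP Touchpoint Analytics client", "HP Inc."),
    # Empty version info: `!= "..."` is true for "", so the row fires.
    DeviceEvent("ws-07", ACTION, "unk.sys", "e" * 40, "", ""),
]


def main():
    hits = run_rule(SAMPLE_EVENTS)
    for (name, sha1), devices in summarize_by_driver(hits).items():
        print(f"{name} {sha1[:8]}... seen on {len(devices)} device(s): {', '.join(devices)}")


if __name__ == "__main__":
    main()
```

Two rows in the sample are worth noticing. `ws-06` survives because KQL `!=` is case-sensitive; if the exclusion is meant to be case-insensitive, the KQL operator for that is `!~`. `ws-07` survives because an empty version-info field compares unequal to any literal, which is the desirable direction for a detection. More generally, `InitiatingProcessVersionInfoFileDescription` and `InitiatingProcessVersionInfoCompanyName` are self-declared metadata from the initiating binary, so for a long-lived exclusion an allowlist keyed on the driver's `SHA1` (as the summary above groups on) is a more robust basis than a display string.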

### Tags
- ASR
- Driver Security
- Auditing

### Search Query
```kql
DeviceEvents
| where ActionType == "AsrVulnerableSignedDriverAudited"
| where InitiatingProcessVersionInfoFileDescription != "HP Touchpoint Analytics Client"
| where InitiatingProcessVersionInfoCompanyName != "ASUSTeK Computer Inc."
```

Explanation

Summary of the Query

This query is designed to detect events where a vulnerable signed driver has been flagged by the Advanced Security Audit Policy (ASR). It specifically looks for such events in device logs but excludes certain processes from the results to avoid false positives.

Key Points:

  1. Event Type: The query focuses on events where the ActionType is "AsrVulnerableSignedDriverAudited".
  2. Exclusions: It filters out events related to:
    • "HP Touchpoint Analytics Client"
    • "ASUSTeK Computer Inc."

Purpose:

The goal is to identify potential security risks from vulnerable drivers while ignoring known safe processes from HP and ASUS to reduce noise in the results.

Tags:

  • ASR (Advanced Security Audit Policy)
  • Driver Security
  • Auditing

Search Query in KQL:

```kql
DeviceEvents
| where ActionType == "AsrVulnerableSignedDriverAudited"
| where InitiatingProcessVersionInfoFileDescription != "HP Touchpoint Analytics Client"
| where InitiatingProcessVersionInfoCompanyName != "ASUSTeK Computer Inc."
```

This query helps in monitoring and auditing device security by focusing on potentially harmful drivers while excluding known benign processes.

Details

Ali Hussein

Released: July 15, 2024

Tables

DeviceEvents

Keywords

Devices

Operators

==, !=, | where