Query Details
//Summarize attack surface reduction audit hits for each device
//Data connector required for this query - M365 Defender - Device* tables
DeviceEvents
| where TimeGenerated > ago(1d)
// ASR events carry an ActionType prefixed with "Asr" (one per rule and mode)
| where ActionType startswith "Asr"
// IsAudit lives in the AdditionalFields dynamic column; compare as a string
| extend isAudit = tostring(AdditionalFields.IsAudit)
| where isAudit == "true"
| project
    TimeGenerated,
    ActionType,
    DeviceName,
    FileName,
    InitiatingProcessAccountDomain,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    ProcessTokenElevation
| summarize
    ['Total ASR audit hits']=count(),
    ['Distinct ASR audit rule hits']=dcount(ActionType),
    ['List of processes']=make_set(InitiatingProcessCommandLine)
    by DeviceName
| sort by ['Total ASR audit hits'] desc

This query summarizes the number of attack surface reduction (ASR) audit hits for each device. It filters the DeviceEvents table for events that occurred within the past day and have an ActionType starting with "Asr". It then extends a column called isAudit (taken from AdditionalFields.IsAudit) to check whether the event was generated by a rule running in audit mode, and keeps only those events. The query projects specific columns related to the event: TimeGenerated, ActionType, DeviceName, FileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, and ProcessTokenElevation.
The query then summarizes the data by DeviceName, counting the total ASR audit hits, finding the distinct ASR audit rule hits, and creating a list of processes involved in the ASR audit hits. Finally, it sorts the results by the total ASR audit hits in descending order.
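As an added example (not part of the original query or its author's work), the same ASR events can be pivoted per rule instead of per device, counting audit hits next to block hits so that a rule still in audit mode can be judged against the processes it would have stopped before it is switched to block. It assumes the same DeviceEvents schema as above, that ASR ActionType values end in "Audited" or "Blocked", and a 7-day window.

```kql
// Added example: per-rule ASR view with audit and block counts side by side.
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType startswith "Asr"
// IsAudit is read from AdditionalFields exactly as the query above does
| extend isAudit = tostring(AdditionalFields.IsAudit) == "true"
// Strip the mode suffix so audit and block events of one rule land in one row
// (assumption: ActionType values end in "Audited" or "Blocked")
| extend Rule = replace_regex(ActionType, @"(Audited|Blocked)$", "")
| summarize
    ['Audit hits']=countif(isAudit),
    ['Block hits']=countif(not(isAudit)),
    ['Devices affected']=dcount(DeviceName),
    ['Initiating processes']=make_set(InitiatingProcessFileName, 20),
    ['Example command lines']=make_set(InitiatingProcessCommandLine, 5)
    by Rule
// Rules with many audit hits and few distinct processes are usually the
// easiest to move to block after allow-listing those processes
| sort by ['Audit hits'] desc
```

Rows with a high audit count spread over many devices but only a handful of initiating processes point at a rule that needs an exclusion rather than one that is unsafe to enforce.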

Matt Zorich
Released: June 17, 2022