Query Details

Device ASR Lsass Audit

Query

//Summarize which processes are triggering Lsass credential theft audit alerts in your attack surface reduction rules

//Data connector required for this query - M365 Defender - Device* tables

//Summarize each device by which processes are triggering the audit alert
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == "AsrLsassCredentialTheftAudited"
// IsAudit lives in the dynamic AdditionalFields column; cast it to a string before comparing
| extend isAudit = tostring(AdditionalFields.IsAudit)
| where isAudit == "true"
| summarize LsassAudit=make_set(InitiatingProcessCommandLine) by DeviceName
| extend ['Count of Processes']=array_length(LsassAudit)
| sort by ['Count of Processes'] desc

//Change the query to summarize each process by which devices are triggering the audit alert
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == "AsrLsassCredentialTheftAudited"
| extend isAudit = tostring(AdditionalFields.IsAudit)
| where isAudit == "true"
| summarize LsassAudit=make_set(DeviceName) by InitiatingProcessCommandLine
| extend ['Count of Devices']=array_length(LsassAudit)
| sort by ['Count of Devices'] desc

Explanation

This query summarizes the processes that trigger Lsass credential theft audit alerts in your attack surface reduction rules. It uses the M365 Defender - Device* tables as the data connector.

The original query summarizes each device by the processes that trigger the audit alert. It filters the DeviceEvents table for events generated in the last 7 days with ActionType "AsrLsassCredentialTheftAudited". It then extracts the IsAudit value from the dynamic AdditionalFields column as a string and keeps only the rows where it is true. The query then summarizes the unique InitiatingProcessCommandLine values for each DeviceName and calculates the count of distinct processes triggering the audit alert. Finally, it sorts the results by the count of processes in descending order.

The modified query summarizes each process by the devices that trigger the audit alert. It follows the same filtering and checking steps as the original query. However, it summarizes the unique DeviceName values for each InitiatingProcessCommandLine and calculates the count of devices triggering the audit alert. The results are then sorted by the count of devices in descending order.
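As an added example, not part of the original query or its author's code: the same audit events pivoted by the initiating executable (path, hash, launching account) rather than by full command line, so one binary run with varying arguments is counted once, with device counts and first/last seen attached. This is the view needed to decide which processes are expected software before the rule is moved from audit to block. The extra columns (InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountName) are standard DeviceEvents columns; the 7-day window matches the original.

```kql
// Added triage example: group Lsass credential theft audit events by initiating image
// instead of full command line, and keep the details needed to judge each process.
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == "AsrLsassCredentialTheftAudited"
// IsAudit is stored in the dynamic AdditionalFields column; cast to bool for the comparison
| where tobool(AdditionalFields.IsAudit) == true
// Rebuild the full image path from folder and file name (folder has no trailing backslash)
| extend InitiatingProcessPath = strcat(InitiatingProcessFolderPath, @"\", InitiatingProcessFileName)
| summarize
    DeviceCount = dcount(DeviceName),          // how widespread the process is
    Devices = make_set(DeviceName, 25),        // sample of affected devices, capped
    CommandLines = make_set(InitiatingProcessCommandLine, 10), // argument variants seen
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    EventCount = count()
    by InitiatingProcessPath, InitiatingProcessSHA256, InitiatingProcessAccountName
// Processes seen on many devices are usually sanctioned software (exclusion candidates);
// a hash seen on one device under an unexpected account deserves investigation
| sort by DeviceCount desc, EventCount desc
```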

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents, TimeGenerated, ActionType, AsrLsassCredentialTheftAudited, isAudit, AdditionalFields, InitiatingProcessCommandLine, DeviceName, ['Count of Processes'], ['Count of Devices']

Operators

DeviceEvents, where, TimeGenerated, ago, ActionType, extend, tostring, AdditionalFields.IsAudit, summarize, make_set, by, DeviceName, array_length, sort, desc, InitiatingProcessCommandLine, ['Count of Processes'], ['Count of Devices']