Query Details

Device ASR Summary

Query

//Provides a summary of Attack Surface Reduction rules, which ASR rules are being hit and by which processes

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "Asr"
| where isnotempty(InitiatingProcessCommandLine)
| summarize ['ASR Hit Count']=count() by ActionType, InitiatingProcessCommandLine
| sort by ['ASR Hit Count'] desc

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

//The Defender Advanced Hunting schema names the event time column Timestamp, not TimeGenerated; Advanced Hunting also only retains 30 days of data
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where isnotempty(InitiatingProcessCommandLine)
| summarize ['ASR Hit Count']=count() by ActionType, InitiatingProcessCommandLine
| sort by ['ASR Hit Count'] desc

Explanation

This query provides a summary of Attack Surface Reduction (ASR) rules that have been triggered over the last 30 days and the processes that triggered them. ASR events land in DeviceEvents with an ActionType that starts with "Asr"; each rule has a separate ActionType per mode, for example AsrOfficeChildProcessBlocked for a block and AsrOfficeChildProcessAudited for an audit-mode hit, so the summary also shows which rules are still only auditing. The query drops rows with an empty initiating command line, counts hits per ActionType and initiating process command line, and sorts the result by hit count in descending order. Because it groups on the full command line rather than on device, a single noisy process on one machine and the same process across many machines look alike; add DeviceId or DeviceName to the summarize clause, or a dcount(DeviceId), if you need to tell them apart. The Sentinel and Advanced Hunting versions differ only in the timestamp column (TimeGenerated versus Timestamp).
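The following variant is an added example and not part of the original query or the author's page. It extends the summary by splitting each ASR ActionType into the rule name and its mode (Block, Audit, or Other for the WarnBypassed events), and adds a distinct device count plus first and last seen times so a single chatty host can be told apart from a fleet-wide hit. The Mode and Rule column names are my own choices; the suffix parsing assumes the Blocked/Audited naming of ASR ActionTypes.

```kql
//Added example: ASR rule summary with mode, device spread and time range (Microsoft Sentinel schema)
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "Asr"
| where isnotempty(InitiatingProcessCommandLine)
//ActionType ends in Blocked or Audited; anything else (e.g. WarnBypassed) is reported as Other
| extend Mode = case(ActionType endswith "Blocked", "Block",
                     ActionType endswith "Audited", "Audit",
                     "Other")
//strip the mode suffix so block and audit hits for one rule can be compared side by side
| extend Rule = trim_end("(Blocked|Audited)$", ActionType)
| summarize ['ASR Hit Count']=count(),
            Devices=dcount(DeviceId),
            FirstSeen=min(TimeGenerated),
            LastSeen=max(TimeGenerated)
            by Rule, Mode, InitiatingProcessCommandLine
| sort by ['ASR Hit Count'] desc
```

A rule that shows only Audit rows has not been moved to block mode yet; a large hit count with Devices equal to 1 usually points to a single misbehaving or legitimately noisy process rather than a fleet-wide pattern. To run this in Advanced Hunting, replace TimeGenerated with Timestamp.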

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,TimeGenerated,ActionType,InitiatingProcessCommandLine,ASRHitCount

Operators

where,>,ago,startswith,isnotempty,summarize,count,by,sort,desc
