Query Details

Device Find Devices Most ASR

Query

//Summarize the machines in your environment that are triggering the most total ASR and distinct ASR rule events

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceEvents
| where TimeGenerated > ago (30d)
| where ActionType startswith "Asr"
| summarize
    ['Total ASR hit count']=count(),
    ['Distinct ASR rules count']=dcount(ActionType),
    ['List of ASR rules triggered']=make_set(ActionType),
    ['List of processes triggering ASR']=make_set(InitiatingProcessCommandLine)
    by DeviceName
| sort by ['Total ASR hit count'] desc

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceEvents
| where Timestamp > ago (30d)
| where ActionType startswith "Asr"
| summarize
    ['Total ASR hit count']=count(),
    ['Distinct ASR rules count']=dcount(ActionType),
    ['List of ASR rules triggered']=make_set(ActionType),
    ['List of processes triggering ASR']=make_set(InitiatingProcessCommandLine)
    by DeviceName
| sort by ['Total ASR hit count'] desc

Explanation

This query summarizes which machines in your environment are triggering the most ASR (Attack Surface Reduction) events, both by total event count and by the number of distinct ASR rules involved. It reads the DeviceEvents table, which is available either through the M365 Defender data connector in Microsoft Sentinel or directly in Advanced Hunting; the two versions above are identical except for the timestamp column (TimeGenerated in Sentinel, Timestamp in Advanced Hunting). The query keeps only events from the last 30 days whose ActionType starts with "Asr", then summarizes by DeviceName: the total ASR hit count, the number of distinct ASR rules (dcount of ActionType), the set of ASR rules triggered, and the set of initiating process command lines. The results are sorted in descending order by total ASR hit count, so the noisiest devices appear first.
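To check the aggregation logic offline before running it against a workspace, here is an added Python emulation of the summarize step over a constructed DeviceEvents sample (this is example code, not part of the original query page; the device names, ActionType values and command lines are constructed sample data, and the function accepts either a TimeGenerated or a Timestamp column so the same logic covers both the Sentinel and Advanced Hunting versions):

```python
from datetime import datetime, timedelta, timezone

# Reference "now" for the constructed sample so ago(30d) is deterministic.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)


def ev(days_ago, device, action_type, cmdline, time_field="TimeGenerated"):
    """Build one constructed DeviceEvents-like row."""
    return {time_field: NOW - timedelta(days=days_ago), "DeviceName": device,
            "ActionType": action_type, "InitiatingProcessCommandLine": cmdline}


# Constructed sample rows (not real telemetry): ws01 trips two rules three times,
# ws02 has one in-window hit and one older than 30 days, ws03 has no ASR event.
SAMPLE_EVENTS = [
    ev(1, "ws01", "AsrOfficeChildProcessBlocked", "WINWORD.EXE /n invoice.docm"),
    ev(2, "ws01", "AsrOfficeChildProcessBlocked", "EXCEL.EXE /e"),
    ev(3, "ws01", "AsrLsassCredentialTheftBlocked", "C:\\Tools\\inventory-agent.exe"),
    ev(5, "ws02", "AsrExecutableEmailContentBlocked", "OUTLOOK.EXE"),
    ev(45, "ws02", "AsrOfficeChildProcessBlocked", "WINWORD.EXE"),   # outside ago(30d)
    ev(2, "ws03", "AntivirusDetection", "chrome.exe"),               # not an ASR rule
]


def summarize_asr(events, now=NOW, lookback=timedelta(days=30)):
    """Emulate the KQL: filter to the lookback window and ActionType startswith "Asr",
    then summarize count / dcount / make_set by DeviceName, sorted by hits desc."""
    cutoff = now - lookback
    per_device = {}
    for e in events:
        # Sentinel rows carry TimeGenerated, Advanced Hunting rows carry Timestamp.
        ts = e.get("TimeGenerated") or e.get("Timestamp")
        if ts is None or ts <= cutoff:
            continue
        # KQL startswith is case-insensitive (startswith_cs would be case-sensitive).
        if not e["ActionType"].lower().startswith("asr"):
            continue
        d = per_device.setdefault(e["DeviceName"], {"hits": 0, "rules": set(), "procs": set()})
        d["hits"] += 1                                   # count()
        d["rules"].add(e["ActionType"])                  # dcount(ActionType) / make_set
        d["procs"].add(e["InitiatingProcessCommandLine"])  # make_set(...CommandLine)
    rows = [{"DeviceName": name,
             "Total ASR hit count": d["hits"],
             "Distinct ASR rules count": len(d["rules"]),
             "List of ASR rules triggered": sorted(d["rules"]),
             "List of processes triggering ASR": sorted(d["procs"])}
            for name, d in per_device.items()]
    return sorted(rows, key=lambda r: r["Total ASR hit count"], reverse=True)


if __name__ == "__main__":
    for row in summarize_asr(SAMPLE_EVENTS):
        print(row)
```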

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

Devices, Intune, User, ASR, M365Defender, DeviceEvents, TimeGenerated, ActionType, TotalASRhitcount, DistinctASRrulescount, ListofASRrulestriggered, ListofprocessestriggeringASR, DeviceName, sortby

Operators

where, ago, startswith, summarize, count, dcount, make_set, by, sort, desc