Query Details

Device: Find Devices with no ASR

Query

//Find Windows devices in your environment that have not triggered an Attack Surface Reduction (ASR) rule in the last 30 days. If those devices have had ASR rules running in audit mode for that period with no hits, you can likely switch the rules to block mode without causing issues for the users. Note that a device with no ASR rules configured at all will never emit ASR events and will also appear in the results.

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
//First find devices that have triggered an Attack Surface Reduction rule, either block or in audit mode.
let asrdevices=
    DeviceEvents
    | where TimeGenerated > ago(30d)
    // ASR events have ActionType values beginning with "Asr", for both blocked and audited hits
    | where ActionType startswith "Asr"
    | distinct DeviceName;
//Find all devices and exclude those that have previously triggered a rule
DeviceInfo
| where TimeGenerated > ago(30d)
| where OSPlatform startswith "Windows"
// keep only the most recent DeviceInfo record per device
| summarize arg_max(TimeGenerated, *) by DeviceName
// "!in" is case-sensitive; use "!in~" if device names are not consistently cased in your tenant
| where DeviceName !in (asrdevices)
| project
    ['Time Last Seen']=TimeGenerated,
    DeviceId,
    DeviceName,
    OSPlatform,
    OSVersion,
    LoggedOnUsers

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

//First find devices that have triggered an Attack Surface Reduction rule, either block or in audit mode.
let asrdevices=
    DeviceEvents
    | where Timestamp > ago(30d)
    // ASR events have ActionType values beginning with "Asr", for both blocked and audited hits
    | where ActionType startswith "Asr"
    | distinct DeviceName;
//Find all devices and exclude those that have previously triggered a rule
DeviceInfo
| where Timestamp > ago(30d)
| where OSPlatform startswith "Windows"
// keep only the most recent DeviceInfo record per device
| summarize arg_max(Timestamp, *) by DeviceName
// "!in" is case-sensitive; use "!in~" if device names are not consistently cased in your tenant
| where DeviceName !in (asrdevices)
| project
    ['Time Last Seen']=Timestamp,
    DeviceId,
    DeviceName,
    OSPlatform,
    OSVersion,
    LoggedOnUsers

Explanation

This query finds Windows devices in your environment that have not triggered an Attack Surface Reduction (ASR) rule in the last 30 days. ASR rules block or audit behaviours commonly abused by malware, such as Office applications launching child processes or credential theft from LSASS. The Microsoft Sentinel version relies on the M365 Defender data connector for the Device* tables; the Advanced Hunting version runs directly in the Microsoft 365 Defender portal and differs only in using Timestamp instead of TimeGenerated.

The query first collects the names of all devices with a DeviceEvents record whose ActionType starts with "Asr", which covers rule hits in both block and audit mode. It then takes the most recent DeviceInfo record for each Windows device seen in the same 30-day window and excludes every device in that list. The result shows the last seen time, device ID, device name, operating system platform and version, and logged-on users for the remaining devices.

The reasoning is that if a device has had ASR rules in audit mode for 30 days without a single hit, moving those rules to block mode is unlikely to disrupt its users. Two caveats apply. A device with no ASR rules configured, not even in audit mode, will never generate ASR events and will appear in the list for the wrong reason, so confirm the rule configuration before treating the absence of events as evidence. A device onboarded only recently has less history behind it than the 30-day window implies, so check the last seen time and consider widening the window before acting on the result.
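The Advanced Hunting query below is an added example, not part of the original page or Matt Zorich's query. It extends the same idea to split devices into three groups instead of two: devices with at least one blocked ASR event, devices with audit-mode hits only (candidates to review before turning on block mode), and devices with no ASR events at all (candidates for enabling ASR, or devices that simply have no rules configured). It relies on the ASR ActionType naming convention, in which the value ends in Blocked or Audited according to the mode the rule ran in, and it joins on DeviceId rather than DeviceName so that renamed or reimaged devices are not merged. The columns Mode, AsrState, Blocked, Audited, RulesHit, LastHit and the lookback variable are introduced here; for Sentinel, replace Timestamp with TimeGenerated.

```kusto
// Added example (not from the original page): classify Windows devices by ASR
// activity in the lookback window so audit-only devices can be reviewed before
// their rules are switched to block mode.
let lookback = 30d;
let asrActivity =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType startswith "Asr"
    // ASR ActionTypes end in the mode the rule ran in, e.g.
    // AsrLsassCredentialTheftBlocked vs AsrLsassCredentialTheftAudited.
    | extend Mode = case(ActionType endswith "Blocked", "Blocked",
                         ActionType endswith "Audited", "Audited",
                         "Other")
    | summarize Blocked = countif(Mode == "Blocked"),
                Audited = countif(Mode == "Audited"),
                RulesHit = dcount(ActionType),
                LastHit = max(Timestamp)
        by DeviceId;
DeviceInfo
| where Timestamp > ago(lookback)
| where OSPlatform startswith "Windows"
// most recent inventory record per device
| summarize arg_max(Timestamp, *) by DeviceId
// left outer join keeps devices with no ASR events; their counters come back empty
| join kind=leftouter asrActivity on DeviceId
| extend Blocked = coalesce(Blocked, 0),
         Audited = coalesce(Audited, 0),
         RulesHit = coalesce(RulesHit, 0)
// "NoEvents" means either a clean 30 days in audit mode or no rules configured at all;
// check the device's ASR configuration before reading it as the former.
| extend AsrState = case(Blocked > 0, "Blocking",
                         Audited > 0, "AuditOnly",
                         "NoEvents")
| project ['Time Last Seen']=Timestamp, DeviceId, DeviceName, OSVersion,
          AsrState, Blocked, Audited, RulesHit, LastHit
| order by AsrState asc, DeviceName asc
```

Devices in the AuditOnly group are the ones where the original query's recommendation is best supported: rules are demonstrably active and have recorded hits in audit mode, so RulesHit tells you which rules would start blocking and LastHit how recently they fired. The NoEvents group is the original query's result set and carries the caveat above.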

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents, DeviceInfo

Keywords

Devices, Intune, User, ASR, M365Defender, DeviceEvents, ActionType, DeviceName, TimeGenerated, OSPlatform, Windows, summarize, arg_max, DeviceId, OSVersion, LoggedOnUsers, AdvancedHunting, Timestamp

Operators

where, ago, startswith, distinct, summarize, by, in, project
