Query Details

MDE Triggered ASR Events From Compromised Device

Query

# Find all the ASR events that have triggered from a compromised device

### Defender For Endpoint

```kql
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; // Customizable: h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType startswith "ASR"
| project
     Timestamp,
     ActionType,
     FileName,
     FolderPath,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     AccountDomain,
     AccountName
```

### Sentinel

```kql
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; // Customizable: h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType startswith "ASR"
| project
     TimeGenerated,
     ActionType,
     FileName,
     FolderPath,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     AccountDomain,
     AccountName
```

Explanation

The query returns every Attack Surface Reduction (ASR) event that was triggered on a specific compromised device within the search window (48 hours by default). For each event it shows the timestamp, action type (the ASR rule that fired and whether it blocked or audited), file name, folder path, process command line, initiating process command line, account domain, and account name. The query can be run in either Defender for Endpoint (where the time column is `Timestamp`) or Sentinel (where the same table exposes it as `TimeGenerated`).
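A triage view built on the same table, added here as an example and not part of the original query: instead of listing raw events it splits the ASR hits into block and audit mode and summarizes them per rule and account, so an analyst can see at a glance which rules fired, how often, and which initiating processes were involved. It assumes the same device name as above and the Defender for Endpoint `Timestamp` column (swap in `TimeGenerated` for Sentinel). Because Defender usually stores `DeviceName` as a fully qualified name (for example `laptop1.contoso.com`), the device filter also accepts the short name followed by a dot.

```kql
// Added example: summarize ASR events from one device by rule, mode and account.
// Assumed: same device name and search window as the query above.
let CompromisedDevice = "laptop1";
let SearchWindow = 48h;
DeviceEvents
| where Timestamp > ago(SearchWindow)
// Match the short host name as well as its FQDN form
| where DeviceName == CompromisedDevice
    or DeviceName startswith strcat(CompromisedDevice, ".")
// startswith is case-insensitive, so this matches ActionTypes such as AsrLsassCredentialTheftBlocked
| where ActionType startswith "Asr"
// ASR ActionTypes end in Blocked (enforced) or Audited (logged only)
| extend Mode = case(ActionType endswith "Blocked", "Block",
                     ActionType endswith "Audited", "Audit",
                     "Other")
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Files = make_set(FileName, 10),
            Initiators = make_set(InitiatingProcessFileName, 10)
    by ActionType, Mode, AccountDomain, AccountName
| order by Mode asc, Events desc
```

Rules in audit mode do not stop anything, so an `Audit` row on a compromised device means the activity actually ran; those rows usually deserve the same follow-up as the `Block` rows, and the `Initiators` set is a quick way to spot which parent process drove them.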

Details

Bert-Jan Pals

Released: May 10, 2023

Tables

DeviceEvents

Keywords

ASR, DeviceEvents, Timestamp, ActionType, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, AccountDomain, AccountName, TimeGenerated

Operators

let, where, project