MDE ASR State

# MDE Attack Surface Reduction Rule State

## Query Information

### Description

Use the query below to retrieve the per-device state of the individual Attack Surface Reduction (ASR) rules from the [DeviceTvmInfoGathering](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicetvminfogathering-table?view=o365-worldwide) table, which is populated by Microsoft Defender Vulnerability Management. The rule states are stored as a property bag in the `AdditionalFields.AsrConfigurationStates` column, so the queries first unpack that bag and then join it to the onboarded Windows devices from `DeviceInfo`.

#### References



### Microsoft 365 Defender

ASR Rule state overview

```Kusto
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSPlatform)
// keep only the latest DeviceInfo record per device
| summarize arg_max(Timestamp, *) by DeviceName
| where OSPlatform startswith "Windows"
| project DeviceName, OSPlatform
| join kind=leftouter (
    DeviceTvmInfoGathering
    | extend AF = parse_json(AdditionalFields)
    // AsrConfigurationStates is a property bag of <rule> : <state>
    | extend ASR1 = parse_json(AF.AsrConfigurationStates)
    | project DeviceName, ASR1
    // turn every rule key into its own column
    | evaluate bag_unpack(ASR1)
    )
    on $left.DeviceName == $right.DeviceName
| project-away DeviceName1
```

ASR Rule state overview - another approach that also shows the rule descriptions from the DeviceTvmInfoGatheringKB table

```Kusto
// rule descriptions from the knowledge-base table; the leading "Asr" is stripped from
// the field name so that it matches the keys used in AsrConfigurationStates
let asrkb = materialize (DeviceTvmInfoGatheringKB
| where Categories has "asr"
| extend AsrRuleName = replace_regex(FieldName, "^Asr", "")
| project AsrRuleName, Description
);
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSPlatform)
| summarize arg_max(Timestamp, *) by DeviceName
| where OSPlatform startswith "Windows"
| project DeviceName, OSPlatform
| join kind=leftouter (DeviceTvmInfoGathering
| extend AF = parse_json(AdditionalFields)
| extend ASR1 = parse_json(AF.AsrConfigurationStates)
| project DeviceName, ASR1
// one row per rule; each row holds a single-key bag {"<rule>":"<state>"}
| mv-expand ASR1
| extend ASRRule = tostring(bag_keys(ASR1)[0])
| extend AsrRuleSetting = tostring(ASR1[ASRRule])
)
on $left.DeviceName == $right.DeviceName
| join kind=leftouter (asrkb)
on $left.ASRRule == $right.AsrRuleName
| project DeviceName, OSPlatform, Description, AsrRuleName, AsrRuleSetting
// exactly one setting exists per device and rule, so take_any() is safe here
| summarize AsrRuleSet = take_any(AsrRuleSetting) by DeviceName, Description
// one row per device, one column per rule description
| evaluate pivot(Description, make_set(AsrRuleSet), DeviceName)
```

Explanation

The first query retrieves the state of the individual Attack Surface Reduction (ASR) rules for onboarded Windows devices. It takes the latest DeviceInfo record per device, joins it to the DeviceTvmInfoGathering table from Microsoft Defender Vulnerability Management, and uses bag_unpack to turn every key in the AsrConfigurationStates property bag into its own column. The result has one row per device with DeviceName, OSPlatform and one column per ASR rule holding that rule's state.

The second query produces the same per-device view but labels the rules with their human-readable descriptions. It expands the AsrConfigurationStates bag into one row per rule, joins the rule key to the matching FieldName in the DeviceTvmInfoGatheringKB table (with the leading "Asr" stripped) to pick up the Description, and then pivots the result so that each rule description becomes a column and each device a row. Devices that have no ASR data in DeviceTvmInfoGathering are kept by the leftouter join and show empty cells.
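Both queries above are per-device views. As an added example that is not part of the original page, the following query turns the same data around and counts, per ASR rule, how many onboarded Windows devices report each state, so that a rule left in audit mode or set differently across the fleet shows up at a glance. It reuses the assumptions the page's queries make about the data shape (AsrConfigurationStates is a property bag of rule key to state string, and the keys equal the DeviceTvmInfoGatheringKB field names without their "Asr" prefix). The state value "Block" used in the optional gap filter is an assumed value and should be checked against what your tenant actually returns.

```kusto
// Added example, not part of the original page: per-rule ASR coverage across onboarded Windows devices.
// Assumptions (same as the queries above): AdditionalFields.AsrConfigurationStates is a property bag
// of <rule key> : <state string>, and the rule keys equal the KB FieldName values without the "Asr" prefix.
let onboarded = DeviceInfo
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSPlatform)
    | summarize arg_max(Timestamp, *) by DeviceName
    | where OSPlatform startswith "Windows"
    | project DeviceName, OSPlatform;
let asrStates = DeviceTvmInfoGathering
    | summarize arg_max(Timestamp, *) by DeviceName          // latest snapshot per device
    | extend AF = parse_json(AdditionalFields)
    | extend ASR = parse_json(AF.AsrConfigurationStates)
    | where isnotnull(ASR)                                   // devices without any ASR data drop out here
    | project DeviceName, ASR
    | mv-expand ASR                                          // one row per rule: {"<rule>":"<state>"}
    | extend AsrRule = tostring(bag_keys(ASR)[0])
    | extend AsrState = tostring(ASR[AsrRule]);
let asrkb = DeviceTvmInfoGatheringKB
    | where Categories has "asr"
    | project AsrRule = replace_regex(FieldName, "^Asr", ""), Description;
onboarded
| join kind=inner asrStates on DeviceName
| join kind=leftouter asrkb on AsrRule
// uncomment to list only rules that are not enforcing; "Block" is an assumed state value
// | where AsrState != "Block"
| summarize Devices = dcount(DeviceName), SampleDevices = make_set(DeviceName, 5) by AsrRule, Description, AsrState
| order by AsrRule asc, Devices desc
```

Two caveats when reading the output: the inner join on DeviceName hides onboarded devices that have no DeviceTvmInfoGathering record at all (switch it to `kind=leftouter` to surface them with an empty AsrRule), and a rule that is simply absent from a device's property bag produces no row for that device, so a low device count for a rule can mean "not configured" rather than "configured differently".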

Details

Alex Verboon

Released: June 4, 2023

Tables

DeviceTvmInfoGathering

Keywords

Devices,Intune,User

Operators

where, isnotempty, summarize, arg_max, startswith, project, join, extend, parse_json, evaluate, bag_unpack, project-away, let, materialize, replace_regex, mv-expand, tostring, bag_keys, extract, on, make_set, pivot