Query Details
name : MDE - Visualizing ASR Rule Detections with KQL
source : https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment?view=o365-worldwide
description : This KQL hunting query summarizes, per device, every block-mode ASR rule detection from the last seven days, grouped by rule family and including the blocked file name and the time of each detection.
query: |
  // Block-mode ASR detections from the last 7 days, bucketed by rule family per device
  DeviceEvents
  | where Timestamp > ago(7d)
  | where ActionType startswith "asr"            // every ASR action type (startswith is case-insensitive)
  | extend Parsed = parse_json(AdditionalFields)
  | where Parsed.IsAudit == "false"               // keep block-mode events only; audit-mode events are dropped
  // One human-readable line per event: "<timestamp> : <ActionType> : <FileName>"
  | extend Entry = strcat(format_datetime(Timestamp, 'yyyy-M-dd H:mm:ss'), " : ", ActionType, " : ", FileName)
  | summarize Email = make_list_if(Entry, ActionType in ("AsrExecutableEmailContentBlocked", "AsrOfficeCommAppChildProcessBlocked")),
              Script = make_list_if(Entry, ActionType in ("AsrObfuscatedScriptBlocked", "AsrScriptExecutableDownloadBlocked")),
              WMI = make_list_if(Entry, ActionType in ("AsrPersistenceThroughWmiBlocked", "AsrPsexecWmiChildProcessBlocked")),
              OfficeApp = make_list_if(Entry, ActionType in ("AsrOfficeChildProcessBlocked", "AsrOfficeMacroWin32ApiCallsBlocked", "AsrExecutableOfficeContentBlocked", "AsrOfficeProcessInjectionBlocked")),
              // bracket-quoted so the digit-leading column name parses as an identifier
              ['3rdPartyApp'] = make_list_if(Entry, ActionType == "AsrAdobeReaderChildProcessBlocked"),
              WindowsCredentials = make_list_if(Entry, ActionType == "AsrLsassCredentialTheftBlocked"),
              PolymorphicThreats = make_list_if(Entry, ActionType in ("AsrUntrustedExecutableBlocked", "AsrUntrustedUsbProcessBlocked", "AsrRansomwareBlocked", "AsrVulnerableSignedDriverBlocked"))
    by DeviceId, DeviceName
  // Total number of block events per device across all families
  | extend Case = array_length(Email) + array_length(Script) + array_length(WMI) + array_length(OfficeApp) + array_length(['3rdPartyApp']) + array_length(WindowsCredentials) + array_length(PolymorphicThreats)
  | project DeviceId, DeviceName, Case, Email, Script, WMI, OfficeApp, ['3rdPartyApp'], WindowsCredentials, PolymorphicThreats
  | order by Case desc
The query lists the devices on which ASR rules have blocked an action, with the file name and timestamp of every detection. It restricts results to the last seven days and to block-mode events (the `IsAudit` field in `AdditionalFields` must be `false`, so audit-only detections are excluded), sorts each event into a rule family (email, script, WMI, Office, third-party app, credential theft, polymorphic threats) by its `ActionType`, groups the results by device, and adds up the detections per device. The final result is ordered by that total in descending order, so the most affected devices appear first.
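The query above deliberately drops audit-mode events. When rolling ASR rules out, the audit-versus-block split per rule is what tells you whether a rule can be moved to block mode without breaking legitimate software. The following query is an added companion example, not part of the original page or of Microsoft's documentation; it reuses the `DeviceEvents` columns already referenced above and assumes `FolderPath` and `InitiatingProcessFileName` from the standard `DeviceEvents` schema:

```kql
// Added example: audit-mode vs block-mode ASR events per rule over the same 7-day window,
// with the most common files and parent processes, to judge which rules are ready for Block.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| extend Parsed = parse_json(AdditionalFields)
// IsAudit is a string in AdditionalFields; "true" means the rule only logged, "false" means it blocked
| extend Mode = iff(tostring(Parsed.IsAudit) == "true", "Audit", "Block")
| summarize Events = count(),
            Devices = dcount(DeviceId),
            TopFiles = make_set(FileName, 5),                   // up to 5 distinct file names
            TopFolders = make_set(FolderPath, 5),               // up to 5 distinct folders
            TopParents = make_set(InitiatingProcessFileName, 5) // up to 5 distinct parent processes
  by ActionType, Mode
| order by ActionType asc, Mode asc
```

Run it in Advanced Hunting alongside the per-device query. A rule whose `Audit` row shows many events across many devices but whose `TopFiles` and `TopParents` are clearly line-of-business tools needs exclusions before it is switched to block mode; a rule whose audit volume is near zero can usually be enabled directly. Pair the `Block` rows with the per-device query above to see which machines would be affected.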

Kijo Girardi
Released: August 10, 2023