ASR Rule Configuration
Pivot ASR Config
Query
DeviceTvmInfoGathering
| summarize arg_max(Timestamp, DeviceId, DeviceName, AdditionalFields) by DeviceId
| extend ASRConfig = AdditionalFields.AsrConfigurationStates
| evaluate bag_unpack(ASRConfig)About this query
ASR Rule Configuration
Query Information
Description
This query returns a row for each device and states for every rule the configurationstate. This can help to prioritize rules that are not enabled or misconfigurations in the policy.
References
Defender XDR
Explanation
This query is designed to provide information about the configuration state of Attack Surface Reduction (ASR) rules on devices. Here's a simple breakdown of what it does:
-
Data Source: It uses data from
DeviceTvmInfoGathering, which likely contains information about devices and their security configurations. -
Summarization: The query summarizes the data to get the most recent information (
arg_max) for each device. It selects the latest entry based on theTimestampfor eachDeviceId, along with theDeviceNameandAdditionalFields. -
ASR Configuration Extraction: It extracts the ASR configuration states from the
AdditionalFieldscolumn, which contains details about the ASR rules. -
Unpacking Configuration: The
evaluate bag_unpackfunction is used to unpack the ASR configuration states, making the data more accessible for analysis.
Overall, this query helps identify the current configuration state of ASR rules on each device, which can be useful for identifying rules that are not enabled or any misconfigurations in the security policy.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators