# ASR Rule Configuration

## Query Information

#### Description

This query returns a row for each device and states the configuration state of every rule. This can help to prioritize rules that are not enabled or misconfigurations in the policy.

#### References

- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide

## Defender For Endpoint

```
DeviceTvmInfoGathering
| summarize arg_max(Timestamp, DeviceId, DeviceName, AdditionalFields) by DeviceId
| extend ASRConfig = AdditionalFields.AsrConfigurationStates
| evaluate bag_unpack(ASRConfig)
```
This query is designed to help you understand the configuration state of Attack Surface Reduction (ASR) rules on devices managed by Microsoft Defender for Endpoint. Here's a simple summary:
Purpose: The query retrieves the latest configuration state of ASR rules for each device. This is useful for identifying devices where ASR rules are not enabled or are misconfigured.
Steps:

1. Start from the DeviceTvmInfoGathering table, which holds the vulnerability-management data Defender for Endpoint collects from each device.
2. Use arg_max on Timestamp so that only the most recent record per DeviceId is kept.
3. Extract the AsrConfigurationStates property bag from the AdditionalFields column.
4. Unpack that bag with bag_unpack so that each ASR rule becomes its own column.

Outcome: The result is a table where each row represents a device, and the columns show the configuration state of the various ASR rules for that device. This helps in prioritizing and addressing any ASR rule misconfigurations.
By running this query, you can quickly identify which devices need attention regarding their ASR rule configurations.
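The query above gives one wide row per device, which is convenient for spot-checking a single machine but less so for answering "which rule is misconfigured on the most devices". The following variant is an added example, not part of the original page, and it is my own rather than the author's: instead of bag_unpack it uses bag_keys and mv-expand to produce one row per device and rule, then counts devices per rule and state. It assumes that AsrConfigurationStates is a property bag keyed by rule name whose values are the per-rule state strings, as the original query implies; the column names RuleName, RuleState and DeviceCount are my own.

```kql
// Added example (not from the original page): fleet-wide view of ASR rule states.
DeviceTvmInfoGathering
// Keep only the latest record per device, as the original query does.
| summarize arg_max(Timestamp, AdditionalFields) by DeviceId
| extend ASRConfig = AdditionalFields.AsrConfigurationStates
// Ignore devices that did not report any ASR configuration at all.
| where isnotnull(ASRConfig)
// One row per (device, rule): bag_keys yields the rule names, which are then
// used to index the bag for the matching state value.
| mv-expand RuleName = bag_keys(ASRConfig) to typeof(string)
| extend RuleState = tostring(ASRConfig[RuleName])
// Count how many devices report each state for each rule; a rule whose
// device count is concentrated in a non-blocking state is the one to fix first.
| summarize DeviceCount = dcount(DeviceId) by RuleName, RuleState
| order by RuleName asc, DeviceCount desc
```

To drill back down to the affected machines for one rule, replace the final summarize with `| where RuleName == "<rule name from the output>" | project DeviceId, RuleState`; the rule names to expect are listed in the Microsoft reference linked above.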

Bert-Jan Pals
Released: September 17, 2024