Query Details

Pivot ASR Triggers

Query

# List the triggered ASR events for each device in a pivot table

## Query Information

#### Description
This query returns a row for each device with a count for each Attack Surface Reduction trigger type. This can be used to find devices that trigger a lot of ASR rules. The reference can be used to find more information on each specific ASR rule. 

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide

## Defender For Endpoint
```
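DeviceEvents
// ASR ActionType values begin with 'Asr'; startswith is case-insensitive, so 'ASR' matches them
| where ActionType startswith 'ASR'
| project DeviceName, ActionType
// One row per DeviceName, one column per ActionType, each cell holding the event count
| evaluate pivot(ActionType)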
```

Explanation

The query lists the triggered ASR events for each device in a pivot table. It returns a row for each device with a count for each Attack Surface Reduction trigger type. This can help identify devices that trigger a lot of ASR rules. The reference provided can be used to find more information on each specific ASR rule.
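The pivot gives per-type counts but does not rank devices by overall volume. The following added example (not part of the original query page) runs the same pivot over constructed sample rows and appends a per-device total and an audit/block split so the noisiest devices sort to the top. `SampleDeviceEvents`, the device names and the added column names are assumptions for illustration.

```kql
// Constructed sample rows standing in for DeviceEvents (not real telemetry).
let SampleDeviceEvents = datatable(DeviceName:string, ActionType:string)
[
    "ws-001",  "AsrOfficeChildProcessBlocked",
    "ws-001",  "AsrOfficeChildProcessBlocked",
    "ws-001",  "AsrLsassCredentialTheftAudited",
    "ws-002",  "AsrLsassCredentialTheftAudited",
    "ws-002",  "AntivirusDetection",             // not an ASR event, filtered out below
    "srv-010", "AsrOfficeChildProcessAudited",
    "srv-010", "AsrLsassCredentialTheftBlocked",
    "srv-010", "AsrLsassCredentialTheftBlocked",
    "srv-010", "AsrLsassCredentialTheftBlocked"
];
// Same filter and projection as the original query.
let AsrEvents = SampleDeviceEvents
    | where ActionType startswith 'ASR'
    | project DeviceName, ActionType;
// Per-device summary computed separately, because the pivot's output columns
// depend on the data and cannot be summed by a fixed column list.
let Totals = AsrEvents
    | summarize TotalTriggers = count(),
                DistinctActionTypes = dcount(ActionType),
                Blocked = countif(ActionType endswith 'Blocked'),
                Audited = countif(ActionType endswith 'Audited')
      by DeviceName;
AsrEvents
| evaluate pivot(ActionType)
| join kind=inner (Totals) on DeviceName
| project-away DeviceName1
| sort by TotalTriggers desc
```

Against live data, replace `SampleDeviceEvents` with `DeviceEvents` and add a `Timestamp` filter so the counts cover a defined window.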

Details

Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceEvents

Keywords

DeviceEvents,ActionType,DeviceName

Operators

where, project, evaluate, pivot
