
Defender ASR log hunting

When enabling ASR rules in Defender for Endpoint it is a good idea to start with audit mode: an audited rule logs what it would have blocked without actually blocking anything, so you can find the legitimate software that would break before you switch the rule to block mode. Microsoft's documentation gives a short example of how to use advanced hunting in the Defender portal to search for the events your rules generate. Those events land in the DeviceEvents table with an ActionType that starts with "Asr".

Here are some more examples to get you started.

Show all events for the last 30 days, broken down by ActionType (advanced hunting only retains 30 days of data, so this is the full available history):

```kql
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize EventCount=count() by ActionType
```

And if we want to limit that to only audit events (the ActionType of an ASR event ends in "Audited" for audit mode and "Blocked" for block mode):

```kql
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where ActionType endswith "Audited"
| summarize EventCount=count() by ActionType
```

To view events for a specific rule, match its ActionType exactly. Here that is the "Block Office communication application from creating child processes" rule in audit mode; in block mode the same rule reports as AsrOfficeCommAppChildProcessBlocked:

```kql
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AsrOfficeCommAppChildProcessAudited"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
```

And to get a list of all filenames that triggered the event (for this rule FileName is the child process the Office application tried to start; the Office application itself is in InitiatingProcessFileName):

```kql
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AsrOfficeCommAppChildProcessAudited"
| summarize EventCount=count() by FileName
```

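The queries above answer one question each. When it is time to decide which rules can go to block mode and which need exclusions, a single triage query that covers all ASR rules at once is more useful. The following is an added example and not part of the original post; it assumes only the standard DeviceEvents schema of advanced hunting and that ASR ActionType values carry the rule name followed by an "Audited" or "Blocked" suffix, as in the queries above.

```kql
// Added example: triage ASR hits across all rules for the retention window.
// Rule name and mode are derived from ActionType, e.g.
// "AsrOfficeCommAppChildProcessAudited" -> Rule "AsrOfficeCommAppChildProcess", Mode "Audit".
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
// ASR also has a warn mode; anything that ends in neither suffix is labelled "Other"
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     "Other")
| extend Rule = replace_regex(ActionType, @"(Audited|Blocked)$", "")
// FileName/FolderPath is the file the rule acted on (for child-process rules: the spawned
// process); the InitiatingProcess* columns describe the parent, e.g. OUTLOOK.EXE
| summarize
    EventCount = count(),
    Devices = dcount(DeviceName),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = any(InitiatingProcessCommandLine)
    by Rule, Mode, FileName, FolderPath, InitiatingProcessFileName
// Hits seen on many devices are the usual false-positive candidates; a high count
// on one or two devices deserves a closer look before it is excluded
| order by Rule asc, Devices desc, EventCount desc
```

Run it in Advanced hunting in the Defender portal. The Devices column is the one to look at first: a child process that an Office application starts on most of the fleet is almost certainly a deployed tool that needs an exclusion (or a rule you cannot enforce yet), while the same count concentrated on a couple of hosts is worth investigating as a possible compromise rather than excluding. SampleCommandLine is just one arbitrary row per group; pivot back to the per-rule query above to see all of them before creating an exclusion.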
This post is licensed under CC BY 4.0 by the author.