ASR Configuration State Device Overview
Query
DeviceTvmInfoGathering
// ASR rule states are stored as a JSON bag inside AdditionalFields
| extend ASR = parse_json(AdditionalFields.AsrConfigurationStates)
| join kind=leftouter (
    DeviceInfo
    // Keep only the most recent DeviceInfo record per device
    | summarize arg_max(Timestamp, MachineGroup, JoinType) by DeviceName
    | extend MachineGroup = iff(isempty(MachineGroup), "Unknown", MachineGroup),
             JoinType = iff(isempty(JoinType), "Unknown", JoinType)
    | project DeviceName,
              DI_MachineGroup = MachineGroup,
              DI_JoinType = JoinType
) on DeviceName
| project
    DeviceName,
    LastSeenTime,
    OSPlatform,
    MachineGroup = DI_MachineGroup,
    JoinType = DI_JoinType,
    ASR
// Expand each ASR rule in the bag into its own column
| evaluate bag_unpack(ASR)
About this query
Explanation
This query is designed to give you a clear picture of the Attack Surface Reduction (ASR) settings on various devices. Here's a simple breakdown of what it does:
- Data Collection: It starts by gathering ASR configuration data from a source called DeviceTvmInfoGathering.
- Data Parsing: It takes a specific part of this data, the AsrConfigurationStates field, which is in JSON format, and breaks it down into understandable pieces.
- Data Enrichment: The query then combines this ASR data with additional information from another source called DeviceInfo. This adds context like which machine group a device belongs to (MachineGroup) and how it is joined (JoinType).
- Handling Missing Data: If any of the additional information is missing, it fills in the gaps with the word "Unknown".
- Data Presentation: The query organizes the data into a neat table, showing important details like the device name, when it was last seen, its operating system, and its ASR settings, with each ASR rule unpacked into its own column.
- Usefulness: This is particularly useful for checking if ASR policies are correctly applied across devices, spotting any inconsistencies, and helping with security reporting.
The final output is a detailed list of devices with their ASR configurations clearly laid out, making it easier to manage and report on security settings.
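For the inconsistency check mentioned above, a long-format variant is easier to read than one column per rule. The following is an added example, not part of the original query: it reuses the same tables and fields, counts devices per machine group, rule, and reported state, and makes no assumption about rule names or state values. The names DeviceGroups, Rule, State, and Devices are chosen here for illustration.

```kql
// Added example: count devices per machine group, ASR rule, and reported state.
// Latest machine group per device, with the same "Unknown" fallback as the query above.
let DeviceGroups = DeviceInfo
    | summarize arg_max(Timestamp, MachineGroup) by DeviceName
    | project DeviceName, MachineGroup = iff(isempty(MachineGroup), "Unknown", MachineGroup);
DeviceTvmInfoGathering
// Use only the most recent snapshot per device
| summarize arg_max(Timestamp, AdditionalFields) by DeviceName
| extend ASR = parse_json(AdditionalFields.AsrConfigurationStates)
// Skip devices that report no ASR data
| where isnotempty(ASR)
// One row per rule name found in the bag
| mv-expand Rule = bag_keys(ASR) to typeof(string)
| where isnotempty(Rule)
// State reported for that rule on that device
| extend State = tostring(ASR[Rule])
| join kind=leftouter DeviceGroups on DeviceName
// Devices with no DeviceInfo record also fall into "Unknown"
| extend MachineGroup = iff(isempty(MachineGroup), "Unknown", MachineGroup)
| summarize Devices = dcount(DeviceName) by MachineGroup, Rule, State
| order by MachineGroup asc, Rule asc, Devices desc
```

A rule that appears with more than one State inside the same machine group marks a group where the policy is not applied uniformly.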
Details

Effie Antoniadi
Released: April 17, 2026