ASR Rule Activity - File Path Summary
ASR Rule Hits File Path Summary
Query
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where ActionType !startswith "AsrLsassCredentialTheft"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| extend DeviceName = tostring(DeviceName)
| extend ASRRule = ActionType
| project DeviceName, ASRRule, FullPath
| distinct DeviceName, ASRRule, FullPath
Explanation
This query is designed to analyze and summarize Attack Surface Reduction (ASR) rule activities on devices over the past 30 days. It focuses on identifying unique events where ASR rules have been triggered, excluding any events related to LSASS credential theft. Here's a simple breakdown of what the query does:
- Time Frame: It examines device events from the last 30 days.
- ASR Rule Events: It filters for events where the action type starts with "Asr", indicating they are related to ASR rules.
- Exclusions: It specifically excludes events related to LSASS credential theft to focus on other ASR activities.
- File Path Construction: It combines the folder path and file name into a single full file path for clarity.
- Normalization: It ensures the device name is treated as a string for consistency.
- Output: The query returns a list of unique combinations of device names, ASR rules, and full file paths, helping to identify patterns and recurring issues.
This query is particularly useful for security teams to monitor ASR rule activity, understand which files are frequently involved, and assist in tuning ASR settings to improve security posture. The output provides a clear view of which devices and files are affected by ASR rules, aiding in both investigation and reporting.
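As an added example that is not part of the original query, the same filters can be carried into a summarize step so that recurring paths stand out with counts and device spread, which is what exclusion tuning actually needs. It assumes that audit-mode ASR events carry an ActionType ending in "Audited" and that the threshold of three devices is a starting point to adjust.

```kql
// Added example, not the page's original query: aggregate ASR hits per rule,
// mode and file path so the most frequent paths can be reviewed for tuning.
// Assumption: audit-mode events have an ActionType ending in "Audited".
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where ActionType !startswith "AsrLsassCredentialTheft"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| extend Mode = iff(ActionType endswith "Audited", "Audit", "Block")
| extend ASRRule = ActionType
| summarize HitCount = count(),
            DeviceCount = dcount(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
            by ASRRule, Mode, FullPath
// Assumption: paths seen on 3+ devices are the ones worth a tuning review
| where DeviceCount >= 3
| order by HitCount desc
```

Paths that appear in Block mode on many devices with a high HitCount are the first candidates to examine, either as a legitimate application that needs an exclusion or as a recurring detection worth an investigation.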
Details

Effie Antoniadi
Released: April 17, 2026
Tables
DeviceEvents
Keywords
DeviceEvents, ASR Rule, File Path
Operators
where, startswith, !startswith, extend, strcat, tostring, project, distinct