Query Details

ASR Rule Activity - File Path Summary

ASR Rule Hits File Path Summary

Query

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where ActionType !startswith "AsrLsassCredentialTheft"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| extend DeviceName = tostring(DeviceName)
| extend ASRRule = ActionType
| project DeviceName, ASRRule, FullPath
| distinct DeviceName, ASRRule, FullPath

About this query

Explanation

This query is designed to analyze and summarize Attack Surface Reduction (ASR) rule activities on devices over the past 30 days. It focuses on identifying unique events where ASR rules have been triggered, excluding any events related to LSASS credential theft. Here's a simple breakdown of what the query does:

  1. Time Frame: It examines device events from the last 30 days.
  2. ASR Rule Events: It filters for events where the action type starts with "Asr", indicating they are related to ASR rules.
  3. Exclusions: It specifically excludes events related to LSASS credential theft to focus on other ASR activities.
  4. File Path Construction: It combines the folder path and file name into a single full file path for clarity.
  5. Normalization: It ensures the device name is treated as a string for consistency.
  6. Output: The query returns a list of unique combinations of device names, ASR rules, and full file paths, helping to identify patterns and recurring issues.

This query is particularly useful for security teams to monitor ASR rule activity, understand which files are frequently involved, and assist in tuning ASR settings to improve security posture. The output provides a clear view of which devices and files are affected by ASR rules, aiding in both investigation and reporting.
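The query above lists unique device/rule/path combinations but gives no sense of volume or of whether a rule fired in audit or block mode, which is what tuning decisions usually hinge on. The following KQL is an added example, not part of the original page or the author's query: it keeps the same base filter and path construction, then summarizes hit counts, distinct devices, first/last seen and the enforcement mode per rule and path. The only assumption is that ASR ActionType values end in "Blocked" or "Audited" according to the mode the rule ran in; anything that does not match is labelled "Other".

```kql
// Added example (not from the original page): ASR hits summarized per rule,
// enforcement mode and full file path, for tuning and investigation.
// Assumption: ASR ActionType values end in "Blocked" or "Audited" depending on
// whether the rule ran in block or audit mode; other suffixes map to "Other".
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where ActionType !startswith "AsrLsassCredentialTheft"
| extend FullPath = strcat(FolderPath, "\\", FileName)
| extend Mode = case(ActionType endswith "Blocked", "Block",
                     ActionType endswith "Audited", "Audit",
                     "Other")
| extend ASRRule = ActionType
| summarize Hits = count(),
            Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleHashes = make_set(SHA1, 5)
    by ASRRule, Mode, FullPath
| order by Devices desc, Hits desc
```

Paths that appear on many devices in Audit mode are the usual candidates for an exclusion or a rule adjustment before moving the rule to Block; a path seen on a single device in Block mode is more likely something to investigate than something to exclude. The sample hashes let you confirm that a widely-hit path is the same binary everywhere rather than several different files sharing a name.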

Details


Effie Antoniadi

Released: April 17, 2026

Tables

DeviceEvents

Keywords

DeviceEvents, ASR Rule, File Path

Operators

where, startswith, !startswith, extend, strcat, tostring, project, distinct
