ASR Single Rule Audits
Query
// uncomment one line at a time to look at hits within a specific category
DeviceEvents
//| where ActionType =~ "AsrAdobeReaderChildProcessAudited"
//| where ActionType =~ "AsrExecutableEmailContentAudited"
//| where ActionType =~ "AsrExecutableOfficeContentAudited"
//| where ActionType =~ "AsrLsassCredentialTheftAudited"
//| where ActionType =~ "AsrObfuscatedScriptAudited"
//| where ActionType =~ "AsrOfficeChildProcessAudited"
//| where ActionType =~ "AsrOfficeCommAppChildProcessAudited"
//| where ActionType =~ "AsrOfficeMacroWin32ApiCallsAudited"
//| where ActionType =~ "AsrOfficeProcessInjectionAudited"
//| where ActionType =~ "AsrPersistenceThroughWmiAudited"
//| where ActionType =~ "AsrPsexecWmiChildProcessAudited"
//| where ActionType =~ "AsrRansomwareAudited"
//| where ActionType =~ "AsrScriptExecutableDownloadAudited"
//| where ActionType =~ "AsrUntrustedExecutableAudited"
//| where ActionType =~ "AsrUntrustedUsbProcessAudited"
//| where ActionType =~ "AsrVulnerableSignedDriverAudited"
//| where ActionType =~ "ControlledFolderAccessViolationAudited"
| project DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessCommandLineExplanation
The query is looking at DeviceEvents and filtering the results based on different ActionType values. Each commented line represents a different ActionType value that is being filtered. The final projection includes specific fields such as DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath, and ProcessCommandLine.
Details

C.J. May
Released: October 13, 2022
Tables
DeviceEvents
Keywords
DeviceEventsActionTypeDeviceNameFileNameFolderPathInitiatingProcessFileNameInitiatingProcessFolderPathProcessCommandLine
Operators
where=~|project