Asr Ransomware
Query
DeviceEvents
| where ingestion_time() > ago(30d)
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1), IntiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName
| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, IntiatingProcessesAbout this query
Explanation
This query is designed to detect potential ransomware activity within a network by identifying when specific security rules related to ransomware are triggered. Here's a simplified breakdown:
-
Purpose: The query looks for events where the "ASR Ransomware" rules are either blocked or audited. These rules help identify files that resemble ransomware, such as scripts used to encrypt files.
-
Data Source: It searches through device events collected over the past 30 days.
-
Key Actions:
- It filters events to only include those where the action type is either "AsrRansomwareBlocked" or "AsrRansomwareAudited".
- It summarizes these events by counting the total number of occurrences and collecting details about the files and processes involved.
-
Output: The query provides a list of devices and accounts where these events occurred, along with:
- The timestamp of the most recent event.
- The total number of events detected.
- The names and hashes of the files that triggered the rules.
- The command lines of the processes that initiated these events.
-
Risk: The presence of these events suggests that an actor may have gained access to the network and is attempting to execute ransomware.
-
Tools: The query can be run in both Microsoft Defender XDR and Sentinel environments, which are security platforms used for threat detection and response.
Overall, this query helps security teams identify and investigate potential ransomware threats by providing detailed information about suspicious activities on their network.
