Query Details

Find all the ASR events that have triggered from a compromised device

MDE Triggered ASR Events From Compromised Device

Query

let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType startswith "ASR"
| project
     TimeGenerated,
     ActionType,
     FileName,
     FolderPath,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     AccountDomain,
     AccountName

About this query

Find all the ASR events that have triggered from a compromised device

Defender XDR

let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType startswith "ASR"
| project
     Timestamp,
     ActionType,
     FileName,
     FolderPath,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     AccountDomain,
     AccountName

Sentinel

Explanation

The query is designed to identify all Attack Surface Reduction (ASR) events that have occurred on a specific device, which is suspected to be compromised. Here's a simple breakdown of what the query does:

  1. Target Device: The query focuses on a device named "laptop1," which is considered compromised.

  2. Time Frame: It looks for events that happened within the last 48 hours. This time window can be adjusted by changing the SearchWindow parameter.

  3. Event Type: The query filters for events where the action type begins with "ASR," indicating they are related to Attack Surface Reduction.

  4. Data Source: The query is applied to the DeviceEvents table, which contains logs of various device activities.

  5. Output: For each relevant event, the query retrieves and displays the following details:

    • Timestamp (or TimeGenerated in Sentinel)
    • ActionType (the specific ASR action that was triggered)
    • FileName (the name of the file involved in the event)
    • FolderPath (the location of the file)
    • ProcessCommandLine (the command line of the process that triggered the event)
    • InitiatingProcessCommandLine (the command line of the process that initiated the event)
    • AccountDomain (the domain of the account involved)
    • AccountName (the name of the account involved)

This query is useful for security analysts to quickly identify and investigate ASR events on a device that may have been compromised.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceEvents

Keywords

DeviceEventsTimestampActionTypeFileNameFolderPathProcessCommandLineInitiatingProcessCommandLineAccountDomainAccountName

Operators

letwhereagostartswithproject

Actions

GitHub