Find all the ASR events that have triggered from a compromised device
MDE Triggered ASR Events From Compromised Device
Query
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType startswith "ASR"
| project
TimeGenerated,
ActionType,
FileName,
FolderPath,
ProcessCommandLine,
InitiatingProcessCommandLine,
AccountDomain,
AccountNameAbout this query
Find all the ASR events that have triggered from a compromised device
Defender XDR
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where ActionType startswith "ASR"
| project
Timestamp,
ActionType,
FileName,
FolderPath,
ProcessCommandLine,
InitiatingProcessCommandLine,
AccountDomain,
AccountName
Sentinel
Explanation
The query is designed to identify all Attack Surface Reduction (ASR) events that have occurred on a specific device, which is suspected to be compromised. Here's a simple breakdown of what the query does:
-
Target Device: The query focuses on a device named "laptop1," which is considered compromised.
-
Time Frame: It looks for events that happened within the last 48 hours. This time window can be adjusted by changing the
SearchWindowparameter. -
Event Type: The query filters for events where the action type begins with "ASR," indicating they are related to Attack Surface Reduction.
-
Data Source: The query is applied to the
DeviceEventstable, which contains logs of various device activities. -
Output: For each relevant event, the query retrieves and displays the following details:
- Timestamp (or TimeGenerated in Sentinel)
- ActionType (the specific ASR action that was triggered)
- FileName (the name of the file involved in the event)
- FolderPath (the location of the file)
- ProcessCommandLine (the command line of the process that triggered the event)
- InitiatingProcessCommandLine (the command line of the process that initiated the event)
- AccountDomain (the domain of the account involved)
- AccountName (the name of the account involved)
This query is useful for security analysts to quickly identify and investigate ASR events on a device that may have been compromised.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators