MDE Attack Surface Reduction Rule State
MDE ASR State
Query
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSPlatform)
| summarize arg_max(Timestamp, *) by DeviceName
| where OSPlatform startswith "Windows"
| project DeviceName, OSPlatform
| join kind=leftouter (
DeviceTvmInfoGathering
| extend AF = parse_json(AdditionalFields)
| extend ASR1 = parse_json(AdditionalFields.AsrConfigurationStates)
| project DeviceName, ASR1
| evaluate bag_unpack(ASR1)
)
on $left.DeviceName == $right.DeviceName
| project-away DeviceName1About this query
Explanation
The first query retrieves information about the state of individual Attack Surface Reduction (ASR) rules for Windows devices. It uses the DeviceTvmInfoGathering table from Microsoft Defender Threat and Vulnerability Management. The query joins the DeviceInfo table with the DeviceTvmInfoGathering table to get the ASR rule state for each device. The result includes the DeviceName, OSPlatform, and ASR rule state.
The second query is similar to the first one but also includes the ASR policy names. It joins the DeviceInfo table with the DeviceTvmInfoGathering table and the DeviceTvmInfoGatheringKB table to get the ASR rule state and policy names for each device. The result includes the DeviceName, OSPlatform, ASR rule name, ASR rule setting, and ASR policy name. The ASR rule settings are summarized by DeviceName and ASR policy name.
Details

Alex Verboon
Released: June 4, 2023
Tables
Keywords
Operators