Query Details

MDE Attack Surface Reduction Rule State

MDE ASR State

Query

DeviceInfo
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSPlatform)
| summarize arg_max(Timestamp, *) by DeviceName
| where OSPlatform startswith "Windows"
| project DeviceName, OSPlatform
| join kind=leftouter (
    DeviceTvmInfoGathering
    | extend AF = parse_json(AdditionalFields)
    | extend ASR1 = parse_json(AdditionalFields.AsrConfigurationStates)
    | project DeviceName, ASR1
    | evaluate bag_unpack(ASR1)
    )
    on $left.DeviceName == $right.DeviceName
    | project-away DeviceName1

About this query

Explanation

The first query retrieves information about the state of individual Attack Surface Reduction (ASR) rules for Windows devices. It uses the DeviceTvmInfoGathering table from Microsoft Defender Threat and Vulnerability Management. The query joins the DeviceInfo table with the DeviceTvmInfoGathering table to get the ASR rule state for each device. The result includes the DeviceName, OSPlatform, and ASR rule state.

The second query is similar to the first one but also includes the ASR policy names. It joins the DeviceInfo table with the DeviceTvmInfoGathering table and the DeviceTvmInfoGatheringKB table to get the ASR rule state and policy names for each device. The result includes the DeviceName, OSPlatform, ASR rule name, ASR rule setting, and ASR policy name. The ASR rule settings are summarized by DeviceName and ASR policy name.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

DeviceTvmInfoGathering

Keywords

DevicesIntuneUser

Operators

whereisnotemptysummarizearg_maxstartswithprojectjoinextendparse_jsonevaluatebag_unpackproject-awayletmaterializereplace_regexmv-expandtostringbag_keysextractonmake_setpivot

Actions

GitHub