Query Details

ASR Rule Configuration

Pivot ASR Config

Query

DeviceTvmInfoGathering
| summarize arg_max(Timestamp, DeviceId, DeviceName, AdditionalFields) by DeviceId
| extend ASRConfig = AdditionalFields.AsrConfigurationStates
| evaluate bag_unpack(ASRConfig)

About this query

ASR Rule Configuration

Query Information

Description

This query returns a row for each device and states for every rule the configurationstate. This can help to prioritize rules that are not enabled or misconfigurations in the policy.

References

Defender XDR

Explanation

This query is designed to provide information about the configuration state of Attack Surface Reduction (ASR) rules on devices. Here's a simple breakdown of what it does:

  1. Data Source: It uses data from DeviceTvmInfoGathering, which likely contains information about devices and their security configurations.

  2. Summarization: The query summarizes the data to get the most recent information (arg_max) for each device. It selects the latest entry based on the Timestamp for each DeviceId, along with the DeviceName and AdditionalFields.

  3. ASR Configuration Extraction: It extracts the ASR configuration states from the AdditionalFields column, which contains details about the ASR rules.

  4. Unpacking Configuration: The evaluate bag_unpack function is used to unpack the ASR configuration states, making the data more accessible for analysis.

Overall, this query helps identify the current configuration state of ASR rules on each device, which can be useful for identifying rules that are not enabled or any misconfigurations in the security policy.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceTvmInfoGathering

Keywords

Devices

Operators

summarizearg_maxbyextendevaluatebag_unpack

Actions

GitHub