Forum Discussion
Attack surface reduction - check trigger if possible
Hello, I configured ASR rules and now reviewing exceptions. Is it possible to find out what triggers "sc.exe" or "conhost.exe" without checking event viewer on the specific machine? Or we can just ...
Have you considered device events in Defender using advanced hunting queries?
Thanks, this query provides enough information:
DeviceEvents
| where ActionType startswith 'Asr'
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName,ActionType,FolderPath,ProcessCommandLine,InitiatingProcessFileName,InitiatingProcessFolderPath,InitiatingProcessCommandLine,
InitiatingProcessVersionInfoProductName,RuleID=tostring(ParsedFields.RuleId),InitiatingProcessVersionInfoFileDescription,
InitiatingProcessParentFileName,InitiatingProcessVersionInfoInternalFileName
DeviceEvents
| where ActionType startswith 'Asr'
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceName,ActionType,FolderPath,ProcessCommandLine,InitiatingProcessFileName,InitiatingProcessFolderPath,InitiatingProcessCommandLine,
InitiatingProcessVersionInfoProductName,RuleID=tostring(ParsedFields.RuleId),InitiatingProcessVersionInfoFileDescription,
InitiatingProcessParentFileName,InitiatingProcessVersionInfoInternalFileName
