Princely
Nov 02, 2021Copper Contributor
Defender not correctly reporting ASR rule status.
Hello ,
I am using the following query to get the statistics on ASR rules on a host and their status:
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504", "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509", "scid-2510","scid-2511","scid-2512","scid-2513","scid-2514")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable,Context) by DeviceName, ConfigurationId
//Uncomment next line if you want a report on only devices where Auditing is not enabled
//| where Context contains "Off"
| extend Test = case(
ConfigurationId == "scid-2500", "BlockMailExe",
ConfigurationId == "scid-2501", "BlockOfficeChildProc",
ConfigurationId == "scid-2502", "BlockOfficeExe",
ConfigurationId == "scid-2503", "BlockOfficeInjection",
ConfigurationId == "scid-2504", "BlockJavaScriptVBScriptExe",
ConfigurationId == "scid-2505", "BlockObfuscatedScripts",
ConfigurationId == "scid-2506", "BlockOfficeMacroW32API",
ConfigurationId == "scid-2507", "BlockUntrustedExecutables",
ConfigurationId == "scid-2508", "AdvancedRansomwareProtection",
ConfigurationId == "scid-2509", "BlockCredentialStealing",
ConfigurationId == "scid-2510", "BlockProcPSexecWMI",
ConfigurationId == "scid-2511", "BlockUnsignedEXEonUSB",
ConfigurationId == "scid-2512", "BlockOfficeCommunicationChildProc",
ConfigurationId == "scid-2513", "BlockAdobeReaderChildProc",
ConfigurationId == "scid-2514", "BlockWMIPersist",
"N/A"),
Result = case(IsApplicable == 0, "N/A", Context contains "Audit" , "AUDITED", "OFF")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)
This is however returning results indicating there are no ASR rules in block mode.
But running the following query indicates there are ASR block events being generated:
But running the following query indicates there are ASR block events being generated:
DeviceEvents
| where ActionType startswith 'Asr'
| summarize EventCount=count() by ActionType
What could be the reason for the incorrect reporting?
Regards,
Princely Dmello
Princely Just to confirm that the only AV active\installed is Defender? if not then ASR rules do not work\report correctly. Also worth testing https://demo.wd.microsoft.com/ to check for detections (allow 10-15mins). Some rules just generate nothing until triggered which could take a while before this happens things Folder protection or meets prevalence rules will generate more results quicker.