Defender not correctly reporting ASR rule status.

Hello ,

I am using the following query to get the statistics on ASR rules on a host and their status:

DeviceTvmSecureConfigurationAssessment

| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504", "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509", "scid-2510","scid-2511","scid-2512","scid-2513","scid-2514")

| summarize arg_max(Timestamp, IsCompliant, IsApplicable,Context) by DeviceName, ConfigurationId

//Uncomment next line if you want a report on only devices where Auditing is not enabled

//| where Context contains "Off"

| extend Test = case(

ConfigurationId == "scid-2500", "BlockMailExe",

ConfigurationId == "scid-2501", "BlockOfficeChildProc",

ConfigurationId == "scid-2502", "BlockOfficeExe",

ConfigurationId == "scid-2503", "BlockOfficeInjection",

ConfigurationId == "scid-2504", "BlockJavaScriptVBScriptExe",

ConfigurationId == "scid-2505", "BlockObfuscatedScripts",

ConfigurationId == "scid-2506", "BlockOfficeMacroW32API",

ConfigurationId == "scid-2507", "BlockUntrustedExecutables",

ConfigurationId == "scid-2508", "AdvancedRansomwareProtection",

ConfigurationId == "scid-2509", "BlockCredentialStealing",

ConfigurationId == "scid-2510", "BlockProcPSexecWMI",

ConfigurationId == "scid-2511", "BlockUnsignedEXEonUSB",

ConfigurationId == "scid-2512", "BlockOfficeCommunicationChildProc",

ConfigurationId == "scid-2513", "BlockAdobeReaderChildProc",

ConfigurationId == "scid-2514", "BlockWMIPersist",

"N/A"),

Result = case(IsApplicable == 0, "N/A", Context contains "Audit" , "AUDITED", "OFF")

| extend packed = pack(Test, Result)

| summarize Tests = make_bag(packed) by DeviceName

| evaluate bag_unpack(Tests)

This is however returning results indicating there are no ASR rules in block mode.
But running the following query indicates there are ASR block events being generated:

DeviceEvents

| where ActionType startswith 'Asr'

| summarize EventCount=count() by ActionType

What could be the reason for the incorrect reporting?

Regards,

Princely Dmello

Darren6742
Nov 03, 2021
Princely Just to confirm that the only AV active\installed is Defender? if not then ASR rules do not work\report correctly. Also worth testing https://demo.wd.microsoft.com/ to check for detections (allow 10-15mins). Some rules just generate nothing until triggered which could take a while before this happens things Folder protection or meets prevalence rules will generate more results quicker.

Darren6742
Copper Contributor
Nov 03, 2021
Princely Just to confirm that the only AV active\installed is Defender? if not then ASR rules do not work\report correctly. Also worth testing https://demo.wd.microsoft.com/ to check for detections (allow 10-15mins). Some rules just generate nothing until triggered which could take a while before this happens things Folder protection or meets prevalence rules will generate more results quicker.
- Princely
  Copper Contributor
  Dec 01, 2021
  Thanks for the help.
  Missed this reply, we have CB running along with Defender which seems to be the issue here.
Shviam
Copper Contributor
Nov 03, 2021
Princely check that if you are getting results with below query

let ASRRules = dynamic(["AsrAdobeReaderChildProcessBlocked", "AsrExecutableEmailContentBlocked", "AsrExecutableOfficeContentBlocked", "AsrLsassCredentialTheftBlocked","AsrObfuscatedScriptBlocked",
"AsrOfficeChildProcessBlocked","AsrOfficeMacroWin32ApiCallsBlocked", "AsrOfficeProcessInjectionBlocked", "AsrPersistenceThroughWmiBlocked","AsrPsexecWmiChildProcessBlocked", "AsrRansomwareBlocked", "AsrScriptExecutableDownloadBlocked",
"AsrUntrustedExecutableBlocked","AsrUntrustedUsbProcessBlocked","AsrVulnerableSignedDriverBlocked"]);
DeviceEvents
| where ActionType in (ASRRules)
| project Timestamp,DeviceName,ActionType,FileName,FolderPath,InitiatingProcessAccountUpn,InitiatingProcessFileName,InitiatingProcessFolderPath

Forum Discussion

Defender not correctly reporting ASR rule status.

Share

Resources