Forum Discussion

Princely
Copper Contributor
Nov 02, 2021

Defender not correctly reporting ASR rule status.

Hello,

I am using the following query to get statistics on the ASR rules on a host and their status:

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504", "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509", "scid-2510","scid-2511","scid-2512","scid-2513","scid-2514")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable,Context) by DeviceName, ConfigurationId
//Uncomment next line if you want a report on only devices where Auditing is not enabled
//| where Context contains "Off"
| extend Test = case(
ConfigurationId == "scid-2500", "BlockMailExe",
ConfigurationId == "scid-2501", "BlockOfficeChildProc",
ConfigurationId == "scid-2502", "BlockOfficeExe",
ConfigurationId == "scid-2503", "BlockOfficeInjection",
ConfigurationId == "scid-2504", "BlockJavaScriptVBScriptExe",
ConfigurationId == "scid-2505", "BlockObfuscatedScripts",
ConfigurationId == "scid-2506", "BlockOfficeMacroW32API",
ConfigurationId == "scid-2507", "BlockUntrustedExecutables",
ConfigurationId == "scid-2508", "AdvancedRansomwareProtection",
ConfigurationId == "scid-2509", "BlockCredentialStealing",
ConfigurationId == "scid-2510", "BlockProcPSexecWMI",
ConfigurationId == "scid-2511", "BlockUnsignedEXEonUSB",
ConfigurationId == "scid-2512", "BlockOfficeCommunicationChildProc",
ConfigurationId == "scid-2513", "BlockAdobeReaderChildProc",
ConfigurationId == "scid-2514", "BlockWMIPersist",
"N/A"),
// Block mode needs its own branch; without it block-mode rules fall through to "OFF"
Result = case(IsApplicable == 0, "N/A", Context contains "Block", "BLOCK", Context contains "Audit", "AUDITED", "OFF")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)

This is, however, returning results indicating that there are no ASR rules in block mode, but running the following query shows that ASR block events are being generated:

DeviceEvents
| where ActionType startswith 'Asr'
| summarize EventCount=count() by ActionType

What could be the reason for the incorrect reporting?

Regards,
Princely Dmello

  • Darren6742
    Copper Contributor

    Princely, just to confirm that the only AV active/installed is Defender? If not, then ASR rules do not work/report correctly. Also worth testing https://demo.wd.microsoft.com/ to check for detections (allow 10-15 mins). Some rules just generate nothing until triggered, which could take a while before this happens; things like Folder protection or prevalence-based rules will generate more results quicker.

    • Princely
      Copper Contributor
      Thanks for the help.
      Missed this reply; we have CB running along with Defender, which seems to be the issue here.
  • Shviam
    Copper Contributor
    Princely, check whether you are getting results with the query below:

    let ASRRules = dynamic(["AsrAdobeReaderChildProcessBlocked", "AsrExecutableEmailContentBlocked", "AsrExecutableOfficeContentBlocked", "AsrLsassCredentialTheftBlocked","AsrObfuscatedScriptBlocked",
    "AsrOfficeChildProcessBlocked","AsrOfficeMacroWin32ApiCallsBlocked", "AsrOfficeProcessInjectionBlocked", "AsrPersistenceThroughWmiBlocked","AsrPsexecWmiChildProcessBlocked", "AsrRansomwareBlocked", "AsrScriptExecutableDownloadBlocked",
    "AsrUntrustedExecutableBlocked","AsrUntrustedUsbProcessBlocked","AsrVulnerableSignedDriverBlocked"]);
    DeviceEvents
    | where ActionType in (ASRRules)
    | project Timestamp,DeviceName,ActionType,FileName,FolderPath,InitiatingProcessAccountUpn,InitiatingProcessFileName,InitiatingProcessFolderPath
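An added example, not posted by anyone in this thread, that ties the two questions together: it compares the mode that DeviceTvmSecureConfigurationAssessment reports for each ASR rule on each device with the block events the same device actually produced in DeviceEvents, and flags devices where block events exist but the assessment does not say the rule is in block mode. Assumptions: the Context column of block-mode rules contains the text "Block", and the pairing of scid values to ActionType names is inferred from the rule names used in the thread (scid-2512 is left out because its block ActionType is not listed above).

```kql
// Added example (not from the thread). Assumption: Context contains "Block" for
// block-mode rules; the scid -> ActionType pairing is inferred from the rule names.
let RuleMap = datatable(ConfigurationId:string, Rule:string, BlockActionType:string) [
    "scid-2500", "BlockMailExe",                "AsrExecutableEmailContentBlocked",
    "scid-2501", "BlockOfficeChildProc",        "AsrOfficeChildProcessBlocked",
    "scid-2502", "BlockOfficeExe",              "AsrExecutableOfficeContentBlocked",
    "scid-2503", "BlockOfficeInjection",        "AsrOfficeProcessInjectionBlocked",
    "scid-2504", "BlockJavaScriptVBScriptExe",  "AsrScriptExecutableDownloadBlocked",
    "scid-2505", "BlockObfuscatedScripts",      "AsrObfuscatedScriptBlocked",
    "scid-2506", "BlockOfficeMacroW32API",      "AsrOfficeMacroWin32ApiCallsBlocked",
    "scid-2507", "BlockUntrustedExecutables",   "AsrUntrustedExecutableBlocked",
    "scid-2508", "AdvancedRansomwareProtection","AsrRansomwareBlocked",
    "scid-2509", "BlockCredentialStealing",     "AsrLsassCredentialTheftBlocked",
    "scid-2510", "BlockProcPSexecWMI",          "AsrPsexecWmiChildProcessBlocked",
    "scid-2511", "BlockUnsignedEXEonUSB",       "AsrUntrustedUsbProcessBlocked",
    "scid-2513", "BlockAdobeReaderChildProc",   "AsrAdobeReaderChildProcessBlocked",
    "scid-2514", "BlockWMIPersist",             "AsrPersistenceThroughWmiBlocked"
];
// Latest assessed mode per device and rule. The join against RuleMap also filters
// the table down to the ASR configuration IDs we care about.
let Assessed = DeviceTvmSecureConfigurationAssessment
    | summarize arg_max(Timestamp, IsApplicable, Context) by DeviceName, ConfigurationId
    | join kind=inner RuleMap on ConfigurationId
    | extend AssessedMode = case(IsApplicable == 0, "N/A",
                                 Context contains "Block", "BLOCK",
                                 Context contains "Audit", "AUDIT",
                                 "OFF")
    | project DeviceName, Rule, BlockActionType, AssessedMode;
// Block events actually raised per device and rule in the last 7 days.
let Blocked = DeviceEvents
    | where Timestamp > ago(7d)
    | where ActionType startswith "Asr" and ActionType endswith "Blocked"
    | summarize BlockEvents = count() by DeviceName, BlockActionType = ActionType;
// A device that blocked something under a rule the assessment calls AUDIT/OFF/N/A
// is a reporting discrepancy worth investigating (other AV installed, stale scan, etc.).
Assessed
| join kind=leftouter Blocked on DeviceName, BlockActionType
| extend BlockEvents = coalesce(BlockEvents, 0)
| extend Mismatch = BlockEvents > 0 and AssessedMode != "BLOCK"
| project DeviceName, Rule, AssessedMode, BlockEvents, Mismatch
| order by Mismatch desc, BlockEvents desc
```

Rows with Mismatch set to true are the ones to look at first: a device that is producing AsrXxxBlocked events while its assessment row says AUDIT, OFF or N/A is reporting inconsistently, which is the symptom described in the original question. Devices with Mismatch false and BlockEvents at 0 are simply rules that have not been triggered yet.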
