Princely
Nov 02, 2021, Copper Contributor
Defender not correctly reporting ASR rule status.
Hello, I am using the following query to get the statistics on ASR rules on a host and their status: DeviceTvmSecureConfigurationAssessment | where ConfigurationId in ("scid-2500", "scid...
- Nov 03, 2021
Princely, just to confirm that the only AV active\installed is Defender? If not, then ASR rules do not work\report correctly. Also worth testing https://demo.wd.microsoft.com/ to check for detections (allow 10-15 mins). Some rules just generate nothing until triggered, which could take a while before this happens; things like Folder protection or the "meets prevalence" rules will generate more results quicker.
Shviam
Nov 03, 2021, Copper Contributor
Princely, check if you are getting results with the query below:
// DeviceEvents ActionType values written when an ASR rule fires in Block mode
let ASRRules = dynamic(["AsrAdobeReaderChildProcessBlocked", "AsrExecutableEmailContentBlocked", "AsrExecutableOfficeContentBlocked", "AsrLsassCredentialTheftBlocked", "AsrObfuscatedScriptBlocked",
"AsrOfficeChildProcessBlocked", "AsrOfficeMacroWin32ApiCallsBlocked", "AsrOfficeProcessInjectionBlocked", "AsrPersistenceThroughWmiBlocked", "AsrPsexecWmiChildProcessBlocked", "AsrRansomwareBlocked", "AsrScriptExecutableDownloadBlocked",
"AsrUntrustedExecutableBlocked", "AsrUntrustedUsbProcessBlocked", "AsrVulnerableSignedDriverBlocked"]);
DeviceEvents
| where ActionType in (ASRRules)
// what was blocked, and which process (and user) triggered the rule
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountUpn, InitiatingProcessFileName, InitiatingProcessFolderPath
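The two replies above check the same thing from two sides: whether Defender is actually the active AV on the host (otherwise ASR rules neither enforce nor report), and whether any rule has fired yet. The following PowerShell script is an added example, not code from the thread or from Microsoft; it runs the same check locally on the endpoint using the documented `Get-MpComputerStatus` and `Get-MpPreference` cmdlets, and prints, for each configured rule, its mode (Off/Block/Audit/Warn) and the DeviceEvents `ActionType` you should expect to see in the query above once that rule triggers. The GUID-to-ActionType table is assembled from Microsoft's public ASR rule reference and is an assumption of this example; verify it against the current documentation before relying on it.

```powershell
# Added example (not from the thread): local ASR posture check with the Defender PowerShell module.
# Assumes Windows 10/11 or Windows Server with Microsoft Defender Antivirus and an elevated session.
# Rule GUID -> DeviceEvents ActionType (Block mode) mapping is taken from public Microsoft
# documentation (assumption of this example; verify against the current ASR reference).

$RuleToActionType = @{
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'AsrAdobeReaderChildProcessBlocked'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'AsrExecutableEmailContentBlocked'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'AsrExecutableOfficeContentBlocked'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'AsrLsassCredentialTheftBlocked'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'AsrObfuscatedScriptBlocked'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'AsrOfficeChildProcessBlocked'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'AsrOfficeMacroWin32ApiCallsBlocked'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'AsrOfficeProcessInjectionBlocked'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'AsrPersistenceThroughWmiBlocked'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'AsrPsexecWmiChildProcessBlocked'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'AsrRansomwareBlocked'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'AsrScriptExecutableDownloadBlocked'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'AsrUntrustedExecutableBlocked'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'AsrUntrustedUsbProcessBlocked'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'AsrVulnerableSignedDriverBlocked'
}

# Action codes as stored in AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Is Defender AV actually the active engine? Anything other than 'Normal'
#    (for example 'Passive Mode' when a third-party AV is installed) means ASR
#    rules will not enforce or report, which matches the first reply above.
$status = Get-MpComputerStatus
if ($status.AMRunningMode -ne 'Normal') {
    Write-Warning ("Defender AV running mode is '{0}'. ASR rules only enforce and report " +
                   "when Defender is the active AV on this host.") -f $status.AMRunningMode
}

# 2. Which rules are configured, and in which mode?
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })

if ($ids.Count -eq 0) {
    Write-Warning 'No ASR rules are configured on this host; DeviceEvents will never contain Asr* rows for it.'
}

$report = for ($i = 0; $i -lt $ids.Count; $i++) {
    $id   = $ids[$i].ToLower()
    $code = [int]$actions[$i]
    $mode = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }

    # Block-mode rules write the *Blocked ActionType; Audit-mode rules write the
    # matching *Audited ActionType, which the query in the thread does not select.
    $expected = if ($RuleToActionType.ContainsKey($id)) {
        switch ($mode) {
            'Block' { $RuleToActionType[$id] }
            'Audit' { $RuleToActionType[$id] -replace 'Blocked$', 'Audited' }
            'Off'   { '(rule disabled, no events)' }
            default { "$($RuleToActionType[$id]) (mode $mode, check docs)" }
        }
    } else { '(GUID not in this example map)' }

    [pscustomobject]@{ RuleId = $id; Mode = $mode; ExpectedActionType = $expected }
}

$report | Sort-Object Mode, RuleId | Format-Table -AutoSize

# 3. Rules from the map that are not configured at all: these will never produce
#    DeviceEvents rows, so their absence in the query is expected, not a reporting bug.
$RuleToActionType.Keys | Where-Object { $_ -notin $ids } | ForEach-Object {
    "Not configured: $($RuleToActionType[$_]) ($_)"
}
```

Run it elevated on the host whose DeviceEvents rows look empty. If the running mode is not `Normal`, fix the AV conflict first; if rules are in Audit mode, extend the `ASRRules` list in the thread's query with the corresponding `...Audited` action types, since the Block-only list above will silently miss them.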