Forum Discussion
mongie105
Aug 20, 2020 Copper Contributor
Definitive guide for aligning ASR Rules with ActionTypes?
Hello, We're currently auditing a bunch of ASR rules, and I'm trying to pull out data from advanced hunting so that I can see which rules are safe to enable. I was hoping someone might be abl...
Thijs Lecomte
Aug 21, 2020 Bronze Contributor
I have a few for you:
- AsrExecutableEmailContentAudited / Block executable content from email client and webmail
- AsrExecutableOfficeContentAudited / Block Office applications from creating executable content
- AsrPsexecWmiChildProcessAudited / Block process creations originating from PSExec and WMI commands
- AsrOfficeMacroWin32ApiCallsAudited / Block Office communication application from creating child processes
- AsrObfuscatedScriptAudited / Block execution of potentially obfuscated scripts
- AsrOfficeChildProcessAudited / Block Office communication application from creating child processes
- AsrAdobeReaderChildProcessAudited / Block Adobe Reader from creating child processes
Tali Ash
Aug 23, 2020 Former Employee
mongie105 thanks for raising it up! We added all ASR action types into the schema reference; you will find descriptions for all of them after the next update of the product (in the coming 2 weeks). Thanks! Tali
MR-777
Aug 10, 2021 Copper Contributor
Is this list now available? Where can it be found?
John Matrix
Oct 14, 2021 Brass Contributor
I am looking for the same - any progress here?
Which MEM ASR rule triggers "AsrUntrustedExecutableBlocked"?
ActionType: AsrUntrustedExecutableBlocked
FileName: gpo-client.exe
FolderPath: C:\Master\GPO\bin
Thanks.
John
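
For the audit described in the opening question, a query of this kind groups audit-mode ASR events by action type and by the file that would have been blocked. It is an added example, not posted by anyone in the thread, and it assumes the `DeviceEvents` table in advanced hunting and a 30-day lookback:

```kusto
// Added example: what each audited ASR rule would have blocked.
// Assumption: audit-mode ASR events share the Asr...Audited naming
// pattern seen in the list above.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr" and ActionType endswith "Audited"
| summarize
    Hits = count(),
    Devices = dcount(DeviceId),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by ActionType, FileName, FolderPath, InitiatingProcessFileName
// Highest-volume files first within each action type: these are the
// candidates to review or exclude before switching the rule to block.
| order by ActionType asc, Hits desc
```

Action types that return only a few rows, all for known software, are the easier ones to move from audit to block.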