Forum Discussion

stever3901's avatar
stever3901
Copper Contributor
Dec 22, 2021

How to show devices that would be impacted by ASR setting

I have the ASR rule "Block persistence through WMI event subscription" set to audit and it shows that enabling it will be ok for 400 of 410 computers.  IT also shows which computers are not set as re...
Jonhed's avatar
Jonhed
Iron Contributor
Dec 22, 2021

stever3901 

I would imagine you could check for devices with the query below.

The query will list unique devices, but you can show the specific events by removing the third line.

 

 

DeviceEvents
| where ActionType == "AsrPersistenceThroughWmiAudited"
| distinct DeviceName

 

 

The actiontypes per rule is listed here.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-persistence-through-wmi-event-subscription

  • GD2009985's avatar
    GD2009985
    Copper Contributor
    Jan 12, 2022

    Jonhed when i try the mentioned query nothing happens even though I know the rule is applied ? 

    • Jonhed's avatar
      Jonhed
      Iron Contributor
      Jan 12, 2022

      GD2009985 

      That seems odd.

      Did you try to widen the time frame for the search to the last 30 days? (the maximum)

Resources