SOLVED

Defender not correctly reporting ASR rule status.

Occasional Contributor

Hello ,

 

I am using the following query to get the statistics on ASR rules on a host and their status: 

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504", "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509", "scid-2510","scid-2511","scid-2512","scid-2513","scid-2514")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable,Context) by DeviceName, ConfigurationId
//Uncomment next line if you want a report on only devices where Auditing is not enabled
//| where Context contains "Off"
| extend Test = case(
ConfigurationId == "scid-2500", "BlockMailExe",
ConfigurationId == "scid-2501", "BlockOfficeChildProc",
ConfigurationId == "scid-2502", "BlockOfficeExe",
ConfigurationId == "scid-2503", "BlockOfficeInjection",
ConfigurationId == "scid-2504", "BlockJavaScriptVBScriptExe",
ConfigurationId == "scid-2505", "BlockObfuscatedScripts",
ConfigurationId == "scid-2506", "BlockOfficeMacroW32API",
ConfigurationId == "scid-2507", "BlockUntrustedExecutables",
ConfigurationId == "scid-2508", "AdvancedRansomwareProtection",
ConfigurationId == "scid-2509", "BlockCredentialStealing",
ConfigurationId == "scid-2510", "BlockProcPSexecWMI",
ConfigurationId == "scid-2511", "BlockUnsignedEXEonUSB",
ConfigurationId == "scid-2512", "BlockOfficeCommunicationChildProc",
ConfigurationId == "scid-2513", "BlockAdobeReaderChildProc",
ConfigurationId == "scid-2514", "BlockWMIPersist",
"N/A"),
Result = case(IsApplicable == 0, "N/A", Context contains "Audit" , "AUDITED", "OFF")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)
 
This is however returning results indicating there are no ASR rules in block mode.
But running the following query indicates there are ASR block events being generated: 

DeviceEvents
| where ActionType startswith 'Asr'
| summarize EventCount=count() by ActionType
 
What could be the reason for the incorrect reporting? 
 
Regards,
Princely Dmello
3 Replies
best response confirmed by Princely (Occasional Contributor)
Solution

@Princely Just to confirm that the only AV active\installed is Defender? if not then ASR rules do not work\report correctly. Also worth testing https://demo.wd.microsoft.com/ to check for detections (allow 10-15mins). Some rules just generate nothing until triggered which could take a while before this happens things Folder protection or meets prevalence rules will generate more results quicker.

@Princely check that if you are getting results with below query

let ASRRules = dynamic(["AsrAdobeReaderChildProcessBlocked", "AsrExecutableEmailContentBlocked", "AsrExecutableOfficeContentBlocked", "AsrLsassCredentialTheftBlocked","AsrObfuscatedScriptBlocked",
"AsrOfficeChildProcessBlocked","AsrOfficeMacroWin32ApiCallsBlocked", "AsrOfficeProcessInjectionBlocked", "AsrPersistenceThroughWmiBlocked","AsrPsexecWmiChildProcessBlocked", "AsrRansomwareBlocked", "AsrScriptExecutableDownloadBlocked",
"AsrUntrustedExecutableBlocked","AsrUntrustedUsbProcessBlocked","AsrVulnerableSignedDriverBlocked"]);
DeviceEvents
| where ActionType in (ASRRules)
| project Timestamp,DeviceName,ActionType,FileName,FolderPath,InitiatingProcessAccountUpn,InitiatingProcessFileName,InitiatingProcessFolderPath
Thanks for the help.
Missed this reply, we have CB running along with Defender which seems to be the issue here.