I am using the following query to get the statistics on ASR rules on a host and their status:
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504", "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509", "scid-2510", "scid-2511", "scid-2512", "scid-2513", "scid-2514")
// keep only the latest assessment per device and rule
| summarize arg_max(Timestamp, IsCompliant, IsApplicable, Context) by DeviceName, ConfigurationId
// Uncomment the next line if you want a report on only devices where Auditing is not enabled
//| where Context contains "Off"
// map each configuration ID to a readable rule name
| extend Test = case(
    ConfigurationId == "scid-2500", "BlockMailExe",
    ConfigurationId == "scid-2501", "BlockOfficeChildProc",
    ConfigurationId == "scid-2502", "BlockOfficeExe",
    ConfigurationId == "scid-2503", "BlockOfficeInjection",
    ConfigurationId == "scid-2504", "BlockJavaScriptVBScriptExe",
    ConfigurationId == "scid-2505", "BlockObfuscatedScripts",
    ConfigurationId == "scid-2506", "BlockOfficeMacroW32API",
    ConfigurationId == "scid-2507", "BlockUntrustedExecutables",
    ConfigurationId == "scid-2508", "AdvancedRansomwareProtection",
    ConfigurationId == "scid-2509", "BlockCredentialStealing",
    ConfigurationId == "scid-2510", "BlockProcPSexecWMI",
    ConfigurationId == "scid-2511", "BlockUnsignedEXEonUSB",
    ConfigurationId == "scid-2512", "BlockOfficeCommunicationChildProc",
    ConfigurationId == "scid-2513", "BlockAdobeReaderChildProc",
    ConfigurationId == "scid-2514", "BlockWMIPersist",
    "N/A"),
  // map the rule's Context to a status label
  Result = case(IsApplicable == 0, "N/A", Context contains "Audit", "AUDITED", "OFF")
// one row per device, with a column per rule
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)
This is, however, returning results indicating there are no ASR rules in block mode.
But running the following query indicates there are ASR block events being generated:
DeviceEvents
| where ActionType startswith 'Asr'
| summarize EventCount=count() by ActionType
What could be the reason for the incorrect reporting?
Regards,
Princely Dmello
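Two queries a reader can use to compare the report against the raw assessment data. Both are added examples, not part of the original question. The first lists the distinct Context values the table actually holds for these configuration IDs, so the mapping can be checked before trusting it. The second is the original report query with the Result mapping extended so that modes other than Audit are no longer folded into OFF; it assumes the Context column for these IDs carries the configured rule mode as text such as "Block", "Audit", "Warn" or "Off" (an assumption, which is exactly what the first query verifies), and that any value not matched is worth surfacing as UNKNOWN rather than hidden.

```kusto
// Added example (not from the original post). Query 1: show the raw Context
// values per ASR configuration ID so the status mapping can be verified.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504", "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509", "scid-2510", "scid-2511", "scid-2512", "scid-2513", "scid-2514")
| summarize Devices = dcount(DeviceName) by ConfigurationId, IsApplicable, Context = tostring(Context)
| order by ConfigurationId asc

// Query 2: the report query with a Result mapping that distinguishes every
// mode. Assumes (not confirmed by the original post) that Context contains
// the mode as text: "Block", "Audit", "Warn" or "Off".
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504", "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509", "scid-2510", "scid-2511", "scid-2512", "scid-2513", "scid-2514")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable, Context) by DeviceName, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2500", "BlockMailExe",
    ConfigurationId == "scid-2501", "BlockOfficeChildProc",
    ConfigurationId == "scid-2502", "BlockOfficeExe",
    ConfigurationId == "scid-2503", "BlockOfficeInjection",
    ConfigurationId == "scid-2504", "BlockJavaScriptVBScriptExe",
    ConfigurationId == "scid-2505", "BlockObfuscatedScripts",
    ConfigurationId == "scid-2506", "BlockOfficeMacroW32API",
    ConfigurationId == "scid-2507", "BlockUntrustedExecutables",
    ConfigurationId == "scid-2508", "AdvancedRansomwareProtection",
    ConfigurationId == "scid-2509", "BlockCredentialStealing",
    ConfigurationId == "scid-2510", "BlockProcPSexecWMI",
    ConfigurationId == "scid-2511", "BlockUnsignedEXEonUSB",
    ConfigurationId == "scid-2512", "BlockOfficeCommunicationChildProc",
    ConfigurationId == "scid-2513", "BlockAdobeReaderChildProc",
    ConfigurationId == "scid-2514", "BlockWMIPersist",
    "N/A"),
  // case() takes the first matching branch and the last argument is the
  // fallthrough, so every expected mode gets its own branch and only a value
  // that matches none of them ends up as UNKNOWN. contains is case-insensitive.
  Result = case(
    IsApplicable == 0, "N/A",
    Context contains "Block", "BLOCK",
    Context contains "Warn", "WARN",
    Context contains "Audit", "AUDITED",
    Context contains "Off", "OFF",
    "UNKNOWN")
| extend packed = bag_pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)
```

Run the first query on its own before relying on the second: if Context for these IDs turns out to hold something other than the mode strings assumed here, the branch conditions in the Result mapping need to be adjusted to whatever the column really contains.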