SOLVED

Defender not correctly reporting ASR rule status.


Hello,

I am using the following query to get the statistics on ASR rules on a host and their status:

DeviceTvmSecureConfigurationAssessment
// scid-2500 .. scid-2514 are the secure-configuration IDs for the individual ASR rules
| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504", "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509", "scid-2510", "scid-2511", "scid-2512", "scid-2513", "scid-2514")
// keep only the latest assessment per device and rule
| summarize arg_max(Timestamp, IsCompliant, IsApplicable, Context) by DeviceName, ConfigurationId
// Uncomment the next line if you want a report on only devices where auditing is not enabled
//| where Context contains "Off"
| extend Test = case(
    ConfigurationId == "scid-2500", "BlockMailExe",
    ConfigurationId == "scid-2501", "BlockOfficeChildProc",
    ConfigurationId == "scid-2502", "BlockOfficeExe",
    ConfigurationId == "scid-2503", "BlockOfficeInjection",
    ConfigurationId == "scid-2504", "BlockJavaScriptVBScriptExe",
    ConfigurationId == "scid-2505", "BlockObfuscatedScripts",
    ConfigurationId == "scid-2506", "BlockOfficeMacroW32API",
    ConfigurationId == "scid-2507", "BlockUntrustedExecutables",
    ConfigurationId == "scid-2508", "AdvancedRansomwareProtection",
    ConfigurationId == "scid-2509", "BlockCredentialStealing",
    ConfigurationId == "scid-2510", "BlockProcPSexecWMI",
    ConfigurationId == "scid-2511", "BlockUnsignedEXEonUSB",
    ConfigurationId == "scid-2512", "BlockOfficeCommunicationChildProc",
    ConfigurationId == "scid-2513", "BlockAdobeReaderChildProc",
    ConfigurationId == "scid-2514", "BlockWMIPersist",
    "N/A"),
  // Context carries the configured rule mode; a rule whose context is neither Block nor Audit is reported as OFF
  Result = case(IsApplicable == 0, "N/A",
                Context contains "Block", "BLOCK",
                Context contains "Audit", "AUDITED",
                "OFF")
| extend packed = bag_pack(Test, Result)   // bag_pack() is the current name of pack()
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)
 
This is, however, returning results indicating there are no ASR rules in block mode.
But running the following query indicates there are ASR block events being generated:

DeviceEvents
| where ActionType startswith 'Asr'
| summarize EventCount=count() by ActionType
 
What could be the reason for the incorrect reporting? 
 
Regards,
Princely Dmello
3 Replies
best response confirmed by Princely (Occasional Contributor)
Solution

@Princely Just to confirm: is the only AV active/installed Defender? If not, then ASR rules do not work/report correctly. Also worth testing https://demo.wd.microsoft.com/ to check for detections (allow 10-15 mins). Some rules just generate nothing until triggered, which could take a while before it happens; things like folder protection or the prevalence rule will generate more results more quickly.
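Before concluding from the hunting data alone, a practitioner would check the affected host directly. The script below is an added example, not code from this thread or from Microsoft's documentation. It assumes an elevated PowerShell session on a Windows client with the built-in Defender module; the rule GUIDs are Microsoft's documented ASR rule identifiers, the short names are the ones used in the question's query (the mapping table itself is an assumption for this example), and the root/SecurityCenter2 namespace is only present on client SKUs.

```powershell
# Added example (not from the thread): reconcile the portal's ASR status with the host itself.
# Run in an elevated PowerShell on the device. All cmdlets are from the built-in Defender module.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# 1. Is Defender the primary AV? ASR rules are only enforced when AMRunningMode is "Normal".
#    "Passive Mode" or "EDR Block Mode" means another product owns real-time protection.
$status | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected | Format-List

# 2. Which AV products are registered with Windows Security Center? (client SKUs only)
#    A second product listed next to Windows Defender is the usual reason ASR does not report correctly.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState

# 3. Configured ASR rules and their mode, using the short names from the hunting query.
#    Assumed mapping table: documented ASR rule GUID -> short name used in the question.
$asrNames = @{
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'BlockMailExe'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'BlockOfficeChildProc'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'BlockOfficeExe'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'BlockOfficeInjection'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'BlockJavaScriptVBScriptExe'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'BlockObfuscatedScripts'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'BlockOfficeMacroW32API'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'BlockUntrustedExecutables'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'AdvancedRansomwareProtection'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'BlockCredentialStealing'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'BlockProcPSexecWMI'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'BlockUnsignedEXEonUSB'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'BlockOfficeCommunicationChildProc'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'BlockAdobeReaderChildProc'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'BlockWMIPersist'
}
# Action values as stored in the preference: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
$actionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$report  = for ($i = 0; $i -lt $ids.Count; $i++) {
    $id  = [string]$ids[$i]
    $act = [int]$actions[$i]
    [pscustomobject]@{
        RuleId = $id
        Rule   = if ($asrNames.ContainsKey($id)) { $asrNames[$id] } else { 'Unknown' }
        Action = if ($actionNames.ContainsKey($act)) { $actionNames[$act] } else { "Unknown($act)" }
    }
}
$report | Sort-Object Rule | Format-Table -AutoSize

# 4. Local evidence of rules firing: event 1121 = rule triggered in block mode, 1122 = audit mode.
#    Compare with the DeviceEvents counts from the portal. 1121 events on a host whose
#    assessment shows no block-mode rule point at the reporting path, not at enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

If step 1 shows anything other than "Normal", or step 2 lists a product other than Windows Defender, the ASR rule table in step 3 reflects configured policy only; the rules are not being applied, whatever the portal's SCID rows say.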

@Princely Check whether you are getting results with the query below:

let ASRRules = dynamic([
    "AsrAdobeReaderChildProcessBlocked", "AsrExecutableEmailContentBlocked", "AsrExecutableOfficeContentBlocked",
    "AsrLsassCredentialTheftBlocked", "AsrObfuscatedScriptBlocked", "AsrOfficeChildProcessBlocked",
    "AsrOfficeMacroWin32ApiCallsBlocked", "AsrOfficeProcessInjectionBlocked", "AsrPersistenceThroughWmiBlocked",
    "AsrPsexecWmiChildProcessBlocked", "AsrRansomwareBlocked", "AsrScriptExecutableDownloadBlocked",
    "AsrUntrustedExecutableBlocked", "AsrUntrustedUsbProcessBlocked", "AsrVulnerableSignedDriverBlocked"]);
DeviceEvents
| where ActionType in (ASRRules)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountUpn, InitiatingProcessFileName, InitiatingProcessFolderPath

Thanks for the help.
Missed this reply; we have CB running along with Defender, which seems to be the issue here.