Definitive guide for aligning ASR Rules with ActionTypes?


Hello,

We're currently auditing a bunch of ASR rules, and I'm trying to pull out data from advanced hunting so that I can see which rules are safe to enable.

I was hoping someone might be able to help with aligning the ASR Rule Names with the ActionTypes used for hunting. I have found several, but there are a few I still haven't figured out.

What are the Audited/Blocked "ActionTypes" for the following rules?

Block executable content from email client and webmail
Block execution of potentially obfuscated scripts
Use advanced protection against ransomware
Block process creations originating from PSExec and WMI commands
Block Office communication application from creating child processes
Block Adobe Reader from creating child processes
Block persistence through WMI event subscription

The documentation points me to the Schema listing in the hunting console, but the only action type listed is AsrOfficeChildProcessAudited. It would be good if someone could add the rest into this list...

I have found the following ActionTypes by searching for "ASR*"; they all logically line up with their rules.

AsrExecutableOfficeContentAudited
AsrExecutableOfficeContentBlocked
AsrLsassCredentialTheftAudited
AsrLsassCredentialTheftBlocked
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeMacroWin32ApiCallsAudited
AsrOfficeMacroWin32ApiCallsBlocked
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrScriptExecutableDownloadAudited
AsrScriptExecutableDownloadBlocked
AsrUntrustedExecutableAudited
AsrUntrustedExecutableBlocked
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked

Thanks,

Alex

3 Replies
@Tali Ash I see you've just posted about extensions to the schema - are you able to help with this, or at least point me to someone that can help?

I have a few for you:
- AsrExecutableEmailContentAudited / Block executable content from email client and webmail
- AsrExecutableOfficeContentAudited / Block Office applications from creating executable content
- AsrPsexecWmiChildProcessAudited / Block process creations originating from PSExec and WMI commands
- AsrOfficeMacroWin32ApiCallsAudited / Block Office communication application from creating child processes
- AsrObfuscatedScriptAudited / Block execution of potentially obfuscated scripts
- AsrOfficeChildProcessAudited / Block Office communication application from creating child processes
- AsrAdobeReaderChildProcessAudited / Block Adobe Reader from creating child processes
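One way to put a mapping like this to work in Advanced Hunting, as an added example that is not part of this thread: the query below joins a hand-maintained prefix-to-rule-name table onto every Asr* event in DeviceEvents, counts audit and block hits per rule, and lists the initiating processes and target files, so a rule with no audit hits, or only clearly benign ones, can be moved from audit to block. The RuleName table is my own mapping derived from the rule prefix in each ActionType; verify it against the schema reference in your tenant before relying on it. The 30-day window and the device-count threshold in the Verdict column are assumptions to adjust for your environment. ActionTypes whose prefix is not in the table (for example the WMI-persistence and ransomware rules asked about above) still appear in the output, with an empty RuleName.

```kusto
// Added example (not from the thread): audit-vs-block summary per ASR rule.
// Assumptions: 30-day lookback, the RuleName table below, and the Devices <= 2 threshold.
let lookback = 30d;
let AsrRuleNames = datatable(RulePrefix:string, RuleName:string) [
    "AsrExecutableEmailContent",   "Block executable content from email client and webmail",
    "AsrExecutableOfficeContent",  "Block Office applications from creating executable content",
    "AsrObfuscatedScript",         "Block execution of potentially obfuscated scripts",
    "AsrPsexecWmiChildProcess",    "Block process creations originating from PSExec and WMI commands",
    "AsrOfficeChildProcess",       "Block all Office applications from creating child processes",
    "AsrAdobeReaderChildProcess",  "Block Adobe Reader from creating child processes",
    "AsrLsassCredentialTheft",     "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
    "AsrOfficeMacroWin32ApiCalls", "Block Win32 API calls from Office macros",
    "AsrOfficeProcessInjection",   "Block Office applications from injecting code into other processes",
    "AsrScriptExecutableDownload", "Block JavaScript or VBScript from launching downloaded executable content",
    "AsrUntrustedExecutable",      "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
    "AsrUntrustedUsbProcess",      "Block untrusted and unsigned processes that run from USB"
];
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Asr"
// Only the audit/block pair is of interest here; other Asr* action types are dropped.
| where ActionType endswith "Audited" or ActionType endswith "Blocked"
| extend Mode = iff(ActionType endswith "Audited", "Audited", "Blocked")
// Both suffixes are seven characters long, so the rule prefix is everything before them.
| extend RulePrefix = substring(ActionType, 0, strlen(ActionType) - 7)
// leftouter keeps prefixes that are not in the table, with an empty RuleName.
| lookup kind=leftouter AsrRuleNames on RulePrefix
| summarize Audited = countif(Mode == "Audited"),
            Blocked = countif(Mode == "Blocked"),
            Devices = dcount(DeviceId),
            InitiatingProcesses = make_set(InitiatingProcessFileName, 10),
            TargetFiles = make_set(FileName, 10)
    by RulePrefix, RuleName
| extend Verdict = case(
    Audited == 0, "no audit hits in window: candidate for block mode",
    Devices <= 2, "few devices affected: review the hits, then move to block",
    "review InitiatingProcesses and TargetFiles before moving to block")
| order by Audited desc
```

A rule that produced no events at all in the window will not appear in this output, which can mean either that nothing triggered it or that it is not deployed in audit mode on the fleet; cross-check the configured rule IDs and actions on a sample host with `Get-MpPreference` (the AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions properties) before reading an absent rule as "safe".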
@mongie105 thanks for raising it!

We added all ASR action types into the schema reference; you will find descriptions for all of them after the next update of the product (in the coming 2 weeks).

Thanks!

Tali