cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to check the events for Attack surface reduction in Audit mode using Advanced hunting

Naresh2174
Copper Contributor

‎Sep 09 2021 09:27 PM

‎Sep 09 2021 09:27 PM

How to check the events for Attack surface reduction in Audit mode using Advanced hunting

Hello Team,

 

We have deployed ASR rules using Microsoft System Center Configuration Manager in audit mode. I found that the  ASR events in audit mode can only be checked in Event logs by configuring event forwarder. 

  I want to know whether there is any Kusto query to run in Advanced Hunting and get the list of files in audit mode. This help us in whitelisting the ASR rules

4,622 Views
0 Likes
1 Reply
Reply
1 Reply
Phil Cook

‎Sep 13 2021 06:38 AM

‎Sep 13 2021 06:38 AM

Re: How to check the events for Attack surface reduction in Audit mode using Advanced hunting

I used this very simple advanced hunting search to find all events and then use the filters to drill into specific rules and amend the search timefrme.
DeviceEvents
| where ActionType startswith "Asr"

Each action type will include the rule and a status of Audited or Blocked. If you wanted to search for all audited events on Untrusted Executables for example you could amend search to:
DeviceEvents
| where ActionType == "AsrUntrustedExecutableAudited"

I found that there isn't always a need to exclude files listed in the audit before turning on block mode. I was able to turn on the LSASS Credential Theft rule for example without any exclusions being identified and I've had no complaints. Something to bear in mind if you find hundreds of audited events.
2 Likes
Reply