How to check the events for Attack surface reduction in Audit mode using Advanced hunting


Hello Team,

 

We have deployed ASR rules using Microsoft System Center Configuration Manager in audit mode. I found that the ASR events in audit mode can only be checked in Event logs by configuring an event forwarder.

I want to know whether there is any Kusto query to run in Advanced Hunting and get the list of files in audit mode. This helps us in whitelisting the ASR rules.

1 Reply
I used this very simple advanced hunting search to find all events and then used the filters to drill into specific rules and amend the search timeframe.
DeviceEvents
| where ActionType startswith "Asr"

Each action type will include the rule and a status of Audited or Blocked. If you wanted to search for all audited events on Untrusted Executables, for example, you could amend the search to:
DeviceEvents
| where ActionType == "AsrUntrustedExecutableAudited"

I found that there isn't always a need to exclude files listed in the audit before turning on block mode. I was able to turn on the LSASS Credential Theft rule for example without any exclusions being identified and I've had no complaints. Something to bear in mind if you find hundreds of audited events.
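The reply above lists raw ASR audit events one row at a time. When you are building an exclusion list from hundreds of audited hits, the more useful shape is one row per rule and per file, with per-user profile paths collapsed so the same installer under ten different C:\Users\<name>\... folders becomes one candidate. The query below is an added example and is not from the original post or the reply. It assumes the devices are onboarded to Microsoft Defender for Endpoint (advanced hunting only sees onboarded devices) and uses only standard DeviceEvents columns; the ActionType filter relies on the naming the reply describes, where audited ASR events end in "Audited".

```kusto
// Added example, not part of the original thread.
// Assumes: devices are onboarded to Defender for Endpoint, so ASR events
// land in DeviceEvents; ActionType values follow the "Asr...Audited" /
// "Asr...Blocked" naming the reply above describes.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
// Audit-mode hits only; swap "Audited" for "Blocked" once rules are enforced
| where ActionType startswith "Asr" and ActionType endswith "Audited"
// Collapse per-user profile directories into a wildcard so the same file
// seen under many users' profiles is counted as one exclusion candidate
| extend NormalizedFolder = replace_regex(FolderPath, @"(?i)^c:\\users\\[^\\]+", @"C:\\Users\\*")
| summarize
    Hits = count(),
    Devices = dcount(DeviceId),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by ActionType, NormalizedFolder, FileName, SHA256,
       InitiatingProcessFolderPath, InitiatingProcessFileName
// Ignore one-off hits on a single machine; tune the thresholds to your estate
| where Devices >= 2 or Hits >= 5
| order by ActionType asc, Devices desc, Hits desc
```

Read the output per ActionType: the rows for a rule are the files (and the parent processes that launched them) you would have to exclude before switching that rule from audit to block. A single SHA256 turning up under many folders usually means a per-user installer and is a good exclusion candidate; many different hashes under one folder usually means that folder, not the files, is what you want to look at. As the reply notes, a rule with an empty or short list after this filtering can often be switched to block mode without any exclusions.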