
ASR rules categorized detection graph

Language: KQL · Severity: MEDIUM · Source: Azure-Sentinel · Table: DeviceEvents
Tags: backdoor, hunting, microsoft, official, wmi
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-04-24T09:00:00Z · Confidence: medium

Hunt Hypothesis

Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint block, or in audit mode only record, a fixed set of risky behaviours: Office applications spawning child processes or injecting into other processes, obfuscated or downloaded scripts, persistence through WMI event subscriptions, credential access against LSASS, untrusted executables from e-mail or USB, and so on. Every block or audit hit lands in DeviceEvents with an ActionType that starts with "Asr" and carries the audit flag in AdditionalFields. This query does not match a specific adversary technique; it groups those hits into categories and charts daily counts of block-mode events so analysts can see which categories fire at all, spot a day where one category spikes (a burst of WMI or LSASS blocks is worth pulling the underlying DeviceEvents rows for, since it can indicate hands-on-keyboard activity), and confirm that rules deployed in block mode are actually producing events. A category that stays at zero across a fleet where the rule is supposedly enforced is a finding too: the rule may still be in audit mode or not applied.

KQL Query

DeviceEvents
| where Timestamp > ago(7d)
// startswith is case-insensitive, so this matches the "Asr..." ActionTypes
| where ActionType startswith "asr"
| extend Parsed = parse_json(AdditionalFields)
// IsAudit is a JSON boolean; tobool() also accepts the strings "true"/"false"
// | where tobool(Parsed.IsAudit) == true   // swap in to chart audit-mode hits instead
| where tobool(Parsed.IsAudit) == false
| summarize Email = countif(ActionType in ("AsrExecutableEmailContentBlocked", "AsrOfficeCommAppChildProcessBlocked")),
            Script = countif(ActionType in ("AsrObfuscatedScriptBlocked", "AsrScriptExecutableDownloadBlocked")),
            WMI = countif(ActionType in ("AsrPersistenceThroughWmiBlocked", "AsrPsexecWmiChildProcessBlocked")),
            OfficeApp = countif(ActionType in ("AsrOfficeChildProcessBlocked", "AsrOfficeMacroWin32ApiCallsBlocked", "AsrExecutableOfficeContentBlocked", "AsrOfficeProcessInjectionBlocked")),
            // bracket-quoted so the digit-leading column name is always accepted
            ['3rdPartyApp'] = countif(ActionType == "AsrAdobeReaderChildProcessBlocked"),
            WindowsCredentials = countif(ActionType == "AsrLsassCredentialTheftBlocked"),
            PolymorphicThreats = countif(ActionType in ("AsrUntrustedExecutableBlocked", "AsrUntrustedUsbProcessBlocked", "AsrRansomwareBlocked", "AsrVulnerableSignedDriverBlocked")) by bin(Timestamp, 1d)
| render columnchart
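The same categorization logic as the query, re-implemented in Python so it can be checked offline against exported DeviceEvents rows (for example a JSON export from advanced hunting). This is an added example, not code from the Azure-Sentinel repository. The sample rows and the fixed "now" are constructed, the ActionType "AsrHypotheticalNewRuleBlocked" is a placeholder standing in for any ASR rule the query's buckets do not cover, and the IsAudit handling assumes the flag may arrive either as a JSON boolean or as the string "true"/"false". Beyond the query itself, the function also reports which ASR action types it would silently drop, which is the first thing to check when a category looks suspiciously quiet.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Buckets copied from the countif() calls in the KQL query.
ASR_CATEGORIES = {
    "Email": {"AsrExecutableEmailContentBlocked", "AsrOfficeCommAppChildProcessBlocked"},
    "Script": {"AsrObfuscatedScriptBlocked", "AsrScriptExecutableDownloadBlocked"},
    "WMI": {"AsrPersistenceThroughWmiBlocked", "AsrPsexecWmiChildProcessBlocked"},
    "OfficeApp": {"AsrOfficeChildProcessBlocked", "AsrOfficeMacroWin32ApiCallsBlocked",
                  "AsrExecutableOfficeContentBlocked", "AsrOfficeProcessInjectionBlocked"},
    "3rdPartyApp": {"AsrAdobeReaderChildProcessBlocked"},
    "WindowsCredentials": {"AsrLsassCredentialTheftBlocked"},
    "PolymorphicThreats": {"AsrUntrustedExecutableBlocked", "AsrUntrustedUsbProcessBlocked",
                           "AsrRansomwareBlocked", "AsrVulnerableSignedDriverBlocked"},
}
ACTION_TO_CATEGORY = {a: c for c, actions in ASR_CATEGORIES.items() for a in actions}

# Constructed sample rows (not real telemetry), in the shape of an advanced-hunting export.
# "AsrHypotheticalNewRuleBlocked" is a placeholder for an ASR ActionType the query does not bucket.
SAMPLE_ROWS = [
    {"Timestamp": "2026-04-20T08:00:00Z", "ActionType": "AsrOfficeChildProcessBlocked",
     "AdditionalFields": '{"IsAudit":false}'},
    {"Timestamp": "2026-04-20T09:10:00Z", "ActionType": "AsrLsassCredentialTheftBlocked",
     "AdditionalFields": '{"IsAudit":"false"}'},          # string form of the flag
    {"Timestamp": "2026-04-20T11:00:00Z", "ActionType": "AsrPsexecWmiChildProcessBlocked",
     "AdditionalFields": '{"IsAudit":true}'},              # audit-mode hit, not a block
    {"Timestamp": "2026-04-21T02:00:00Z", "ActionType": "AsrRansomwareBlocked",
     "AdditionalFields": '{"IsAudit":false}'},
    {"Timestamp": "2026-04-21T03:00:00Z", "ActionType": "AsrObfuscatedScriptBlocked",
     "AdditionalFields": '{"IsAudit":false}'},
    {"Timestamp": "2026-04-21T04:00:00Z", "ActionType": "AntivirusDetection",
     "AdditionalFields": '{}'},                             # not an ASR event
    {"Timestamp": "2026-04-10T04:00:00Z", "ActionType": "AsrOfficeChildProcessBlocked",
     "AdditionalFields": '{"IsAudit":false}'},             # older than the 7-day window
    {"Timestamp": "2026-04-22T05:00:00Z", "ActionType": "AsrHypotheticalNewRuleBlocked",
     "AdditionalFields": '{"IsAudit":false}'},
]
NOW = datetime(2026, 4, 24, 9, 0, tzinfo=timezone.utc)   # fixed "now" for a reproducible run


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_audit(additional_fields: str) -> bool:
    """IsAudit is a JSON boolean in the table but may be the string "true"/"false"
    in an export; accept both, like tobool() in KQL. Missing flag counts as block."""
    value = json.loads(additional_fields or "{}").get("IsAudit", False)
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def summarize_by_day(rows, now=NOW, lookback=timedelta(days=7), audit=False):
    """Return ({day: {category: count}}, {ASR action types not in any bucket}).
    Mirrors the query: Timestamp > ago(7d), ActionType startswith "asr",
    the IsAudit filter, one countif() per category, bin(Timestamp, 1d)."""
    counts = defaultdict(lambda: dict.fromkeys(ASR_CATEGORIES, 0))
    uncategorized = set()
    for row in rows:
        ts = parse_ts(row["Timestamp"])
        if ts <= now - lookback:
            continue
        action = row["ActionType"]
        if not action.lower().startswith("asr"):   # KQL startswith is case-insensitive
            continue
        if is_audit(row["AdditionalFields"]) != audit:
            continue
        category = ACTION_TO_CATEGORY.get(action)
        if category is None:
            uncategorized.add(action)               # the KQL query drops these silently
            continue
        counts[ts.date().isoformat()][category] += 1
    return dict(sorted(counts.items())), uncategorized


if __name__ == "__main__":
    daily, unknown = summarize_by_day(SAMPLE_ROWS)
    for day, per_category in daily.items():
        print(day, {c: n for c, n in per_category.items() if n})
    if unknown:
        print("ASR action types not covered by the query's buckets:", sorted(unknown))
```

Run it as-is to see the two daily rows the chart would contain and the one action type that never reaches the chart; pass `audit=True` to get the audit-mode view that the commented-out filter in the query selects.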

Analytic Rule Definition

id: 4a7bf574-fe5f-4168-97e7-5a8aa19a5eed
name: ASR rules categorized detection graph
description: |
  This query charts daily counts of block-mode ASR events grouped into categories (e-mail, script, WMI, Office applications,
  third-party applications, Windows credentials, polymorphic threats), helping SOC analysts monitor which categories fire,
  track detection rates over time, and spot organizational trends.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
tactics: []
query: |
   DeviceEvents
   | where Timestamp > ago(7d)
   // startswith is case-insensitive, so this matches the "Asr..." ActionTypes
   | where ActionType startswith "asr"
   | extend Parsed = parse_json(AdditionalFields)
   // IsAudit is a JSON boolean; tobool() also accepts the strings "true"/"false"
   // | where tobool(Parsed.IsAudit) == true   // swap in to chart audit-mode hits instead
   | where tobool(Parsed.IsAudit) == false
   | summarize Email = countif(ActionType in ("AsrExecutableEmailContentBlocked", "AsrOfficeCommAppChildProcessBlocked")),
               Script = countif(ActionType in ("AsrObfuscatedScriptBlocked", "AsrScriptExecutableDownloadBlocked")),
               WMI = countif(ActionType in ("AsrPersistenceThroughWmiBlocked", "AsrPsexecWmiChildProcessBlocked")),
               OfficeApp = countif(ActionType in ("AsrOfficeChildProcessBlocked", "AsrOfficeMacroWin32ApiCallsBlocked", "AsrExecutableOfficeContentBlocked", "AsrOfficeProcessInjectionBlocked")),
               // bracket-quoted so the digit-leading column name is always accepted
               ['3rdPartyApp'] = countif(ActionType == "AsrAdobeReaderChildProcessBlocked"),
               WindowsCredentials = countif(ActionType == "AsrLsassCredentialTheftBlocked"),
               PolymorphicThreats = countif(ActionType in ("AsrUntrustedExecutableBlocked", "AsrUntrustedUsbProcessBlocked", "AsrRansomwareBlocked", "AsrVulnerableSignedDriverBlocked")) by bin(Timestamp, 1d)
   | render columnchart
   

Required Data Sources

Sentinel table: DeviceEvents
Notes: Ensure the MicrosoftThreatProtection data connector is enabled and populating this table

False Positive Guidance

This query charts counts rather than raising alerts, so a "false positive" here is a benign ASR block inflating a category. Typical sources are line-of-business applications or Office add-ins that make Office spawn child processes, software installers that trip the obfuscated-script rule, and administrative tooling that relies on PsExec or WMI. Handle those with per-rule ASR exclusions (or by keeping the affected rule in audit mode while it is tuned) rather than by removing the ActionType from the query, so the chart keeps reflecting what the rules actually do. Because audit-mode hits are filtered out, a sudden drop in a category can also mean a rule was switched back to audit mode rather than that the behaviour stopped; check the rule configuration before concluding anything from the curve.
Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/ASR rules/ASR-rules-categorized-detection-graph.yaml