Adversaries may leverage ASR audit events to exfiltrate data or assess system vulnerabilities by analyzing event and machine statistics. SOC teams should proactively hunt for this behavior to identify potential data leakage or reconnaissance activities in their Azure Sentinel environment.
KQL Query
```kusto
// Get stats on ASR blocks - count events and machines per rule
DeviceEvents
| where ActionType startswith "Asr" and ActionType endswith "Blocked"
// Count total stats - count events and machines per rule
| summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType
```
```yaml
id: f809e596-87ff-4849-8eeb-cc636f0c92a0
name: ExploitGuardASRStats (1)
description: |
  Get stats on ASR audit events - count events and machines per rule.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  // Get stats on ASR blocks - count events and machines per rule
  DeviceEvents
  | where ActionType startswith "Asr" and ActionType endswith "Blocked"
  // Count total stats - count events and machines per rule
  | summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: System Update Audit Logs
Description: A scheduled system update or patching job generates a high volume of ASR audit events as part of the update process.
Filter/Exclusion: Exclude events where the EventID corresponds to system update tasks (e.g., EventID=10000 for Windows Update) or filter by SourceName like Windows Update.
Scenario: Security Software Compliance Scan
Description: A third-party security tool (e.g., Microsoft Defender, CrowdStrike, or Palo Alto Prisma Access) performs a compliance scan that triggers ASR audit events.
Filter/Exclusion: Exclude events where the SourceName matches the security tool’s service name (e.g., Microsoft Defender Antivirus or CrowdStrike).
Scenario: Administrative Task Execution
Description: An administrator runs a script or command-line tool (e.g., auditpol, wevtutil, or PowerShell) to configure or audit event logging, which results in ASR audit events.
Filter/Exclusion: Exclude events where the User field matches a known admin account (e.g., Administrator, Domain Admins) or filter by EventID related to audit policy changes.
Scenario: Log Collection and Forwarding
Description: A log management tool (e.g., Splunk, Logstash, or Microsoft Log Analytics) collects and forwards ASR audit events from multiple systems, increasing the count.
Filter/Exclusion: Exclude events where the SourceComputerName matches the log collection server or filter by EventSource to exclude log forwarding agents.
Scenario: Group Policy Object (GPO) Deployment
Description: A GPO deployment triggers audit events across multiple machines as part of policy application or enforcement.
Filter/Exclusion:
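The following is an added example, not part of the original hunting query, that extends the query above with the tuning approach described in the scenarios: it keeps both audited and blocked ASR events, splits the rule name from the enforcement mode, excludes a constructed list of service accounts (the account names and the 7-day lookback are assumptions to adjust per environment), and lists the top initiating processes per rule so that noisy audit-only rules can be tuned before they are switched to block mode.

```kusto
// Added example: per-rule ASR statistics by enforcement mode, with an
// account-based exclusion for known patching/EDR service accounts.
let lookback = 7d;
// Constructed exclusion list (assumption): accounts whose ASR events are
// expected, e.g. a patching service account or the EDR scanner account.
let ExcludedAccounts = dynamic(["svc-patching", "svc-edr-scan"]);
DeviceEvents
| where Timestamp > ago(lookback)
// Audited and Blocked variants of each rule share the same "Asr" prefix.
| where ActionType startswith "Asr"
| where InitiatingProcessAccountName !in~ (ExcludedAccounts)
// Split "AsrOfficeChildProcessBlocked" into Rule="OfficeChildProcess", Mode="Blocked".
| extend Mode = case(ActionType endswith "Blocked", "Blocked",
                     ActionType endswith "Audited", "Audited",
                     "Other")
| extend Rule = extract(@"^Asr(.+?)(Blocked|Audited)$", 1, ActionType)
| summarize EventCount = count(),
            MachinesCount = dcount(DeviceId),
            // Up to five distinct processes that triggered the rule, for tuning.
            TopProcesses = make_set(InitiatingProcessFileName, 5)
          by Rule, Mode
| order by EventCount desc
```

A rule with a high Audited count spread across many machines and a single benign TopProcesses entry is a candidate for an exclusion; one confined to a few machines warrants investigation before the rule is moved to block mode.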