The ExploitGuardASRStats rule detects potential adversary activity by identifying unusual patterns in ASR audit events, which may indicate unauthorized access or tampering with endpoint protection settings. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of endpoint security controls.
KQL Query
DeviceEvents
| where ActionType startswith "Asr" and ActionType endswith "Audited"
// Count total stats - count events and machines per rule
| summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType
id: 4302c0fa-dda5-4a6a-b29a-a96736bce088
name: ExploitGuardASRStats
description: |
  Get stats on ASR audit events - count events and machines per rule.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  DeviceEvents
  | where ActionType startswith "Asr" and ActionType endswith "Audited"
  // Count total stats - count events and machines per rule
  | summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: Scheduled ASR Audit Log Collection Job
Description: A legitimate scheduled job runs to collect and audit ASR (Advanced Security Reporting) logs for compliance or reporting purposes.
Filter/Exclusion: process.name != "ASRLogCollector.exe" or process.parent.name != "TaskScheduler"
Scenario: Administrative User Performing ASR Configuration Audit
Description: An admin is manually reviewing ASR configuration settings or audit logs as part of routine security checks.
Filter/Exclusion: user.name != "DomainAdmins" or user.rights != "Administrators"
Scenario: Automated Compliance Tool Generating ASR Audit Events
Description: A third-party compliance tool (e.g., Microsoft Intune, Azure Security Center) generates ASR audit events as part of its normal operation.
Filter/Exclusion: process.name != "IntuneAgent.exe" and process.name != "AzureSecurityCenter.exe"
Scenario: System Maintenance Task Generating ASR Audit Events
Description: A system maintenance task (e.g., Windows Update, Group Policy refresh) triggers ASR audit events as part of its normal operation.
Filter/Exclusion: process.name != "wuauserv.exe" and process.name != "gpolusr.exe"
Scenario: User-Initiated ASR Report Generation
Description: A user generates an ASR report using a tool like Microsoft Endpoint Manager or the Microsoft 365 Defender portal.
Filter/Exclusion: process.name != "MicrosoftEndpointManager.exe" and process.name != "Microsoft365Defender.exe"
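The aggregation the KQL performs, and the way the scenario exclusions above should be applied to it, can be checked offline. The following is an added Python example, not code from the Sentinel content or from this rule's author: it runs the same filter-and-summarize logic over a handful of constructed DeviceEvents-shaped rows (ActionType values and process names are sample values, not real telemetry) and contrasts the two ways of combining several exclusions on one field. The column names `InitiatingProcessFileName` and `DeviceId` are the DeviceEvents columns that the scenarios' `process.name` and machine identity map to; the `or`/`and` helpers exist only to show that chaining `!=` tests with `or` excludes nothing.

```python
from collections import defaultdict

# Constructed sample rows shaped like Sentinel's DeviceEvents table.
# ActionType values follow the Asr*Audited / Asr*Blocked naming the query relies on.
SAMPLE_DEVICE_EVENTS = [
    {"DeviceId": "dev-01", "ActionType": "AsrOfficeChildProcessAudited",
     "InitiatingProcessFileName": "winword.exe"},
    {"DeviceId": "dev-01", "ActionType": "AsrOfficeChildProcessAudited",
     "InitiatingProcessFileName": "excel.exe"},
    {"DeviceId": "dev-02", "ActionType": "AsrOfficeChildProcessAudited",
     "InitiatingProcessFileName": "winword.exe"},
    {"DeviceId": "dev-02", "ActionType": "AsrPsexecWmiChildProcessAudited",
     "InitiatingProcessFileName": "wmiprvse.exe"},
    # A compliance agent from the scenarios above triggering an audit event (constructed).
    {"DeviceId": "dev-03", "ActionType": "AsrLsassCredentialTheftAudited",
     "InitiatingProcessFileName": "IntuneAgent.exe"},
    # Not an audit event: the query's endswith "Audited" test must drop it.
    {"DeviceId": "dev-01", "ActionType": "AsrLsassCredentialTheftBlocked",
     "InitiatingProcessFileName": "rundll32.exe"},
    # Not an ASR event at all: the startswith "Asr" test must drop it.
    {"DeviceId": "dev-03", "ActionType": "ProcessCreated",
     "InitiatingProcessFileName": "cmd.exe"},
]


def keeps_with_or(process_name, excluded):
    """Mirror of `process.name != "A" or process.name != "B"`.

    With two or more distinct names this is a tautology: a process can only
    equal one of them, so the other inequality is always true and no row
    is ever excluded.
    """
    return any(process_name != name for name in excluded)


def keeps_with_and(process_name, excluded):
    """Mirror of `process.name != "A" and process.name != "B"` (KQL: `!in`).

    True only when the process matches none of the excluded names, which is
    the intended exclusion semantics for the scenarios above.
    """
    return all(process_name != name for name in excluded)


def asr_audit_stats(rows, excluded_processes=()):
    """Emulate the ExploitGuardASRStats query over a list of DeviceEvents rows.

    Keeps rows whose ActionType starts with "Asr" and ends with "Audited",
    drops rows initiated by an excluded process (case-insensitive, combined
    with `and` semantics), and returns per-ActionType
    EventCount (count()) and MachinesCount (dcount(DeviceId)).
    """
    excluded = {name.lower() for name in excluded_processes}
    event_count = defaultdict(int)
    machines = defaultdict(set)
    for row in rows:
        action = row["ActionType"]
        if not (action.startswith("Asr") and action.endswith("Audited")):
            continue
        if row.get("InitiatingProcessFileName", "").lower() in excluded:
            continue
        event_count[action] += 1
        machines[action].add(row["DeviceId"])
    return {
        action: {"EventCount": event_count[action],
                 "MachinesCount": len(machines[action])}
        for action in sorted(event_count)
    }


if __name__ == "__main__":
    for action, stats in asr_audit_stats(SAMPLE_DEVICE_EVENTS).items():
        print(f"{action}: {stats}")
    print("after excluding IntuneAgent.exe:",
          asr_audit_stats(SAMPLE_DEVICE_EVENTS, ["IntuneAgent.exe"]))
```

Running the stats without exclusions reports three AsrOfficeChildProcessAudited events across two machines; adding `IntuneAgent.exe` to the exclusion list removes the single AsrLsassCredentialTheftAudited row, which is the effect the compliance-tool scenario intends. The `keeps_with_or` helper shows why the exclusion must be expressed with `and` (or `!in` in KQL): with `or`, every row is kept.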