The hypothesis is that an adversary may be leveraging ASR audit events to exfiltrate data or assess system configurations by monitoring and manipulating audit statistics. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or reconnaissance activities that could indicate a broader compromise.
KQL Query
```kusto
// View ASR audit events - but remove repeating events (e.g. multiple events with same machine, rule, file and process)
DeviceEvents
| where ActionType startswith "ASR" and ActionType endswith "Audited"
| summarize Timestamp = max(Timestamp) by DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, SHA1
```
```yaml
id: d8892c99-08d2-4385-a767-0754c41d7fb9
name: ExploitGuardASRStats (2)
description: |
  Get stats on ASR audit events - count events and machines per rule.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  // View ASR audit events - but remove repeating events (e.g. multiple events with same machine, rule, file and process)
  DeviceEvents
  | where ActionType startswith "ASR" and ActionType endswith "Audited"
  | summarize Timestamp = max(Timestamp) by DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, SHA1
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
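To make visible what the query's `where` filter and `summarize ... by` clause actually keep, here is an added Python replay of the same logic over constructed DeviceEvents rows, plus the per-rule event and machine counts the YAML description refers to. This is example code written for this page, not part of the hunting query or the Sentinel repository; the ActionType values, device names and all row contents are constructed samples.

```python
from collections import defaultdict

# Column list from the query's "summarize ... by" clause; one row survives per distinct tuple.
GROUP_KEY = ("DeviceName", "ActionType", "FileName", "FolderPath",
             "InitiatingProcessCommandLine", "InitiatingProcessFileName",
             "InitiatingProcessFolderPath", "InitiatingProcessId", "SHA1")

def is_asr_audit(action_type):
    """KQL startswith/endswith are case-insensitive, so "AsrXxxAudited" matches "ASR"/"Audited"."""
    a = action_type.lower()
    return a.startswith("asr") and a.endswith("audited")

def dedupe_asr_audits(events):
    """Mirror `summarize Timestamp=max(Timestamp) by <GROUP_KEY>`: latest event per group."""
    latest = {}
    for ev in events:
        if not is_asr_audit(ev["ActionType"]):
            continue
        key = tuple(ev[c] for c in GROUP_KEY)
        if key not in latest or ev["Timestamp"] > latest[key]:  # ISO-8601 strings sort lexically
            latest[key] = ev["Timestamp"]
    return [dict(zip(GROUP_KEY, key), Timestamp=ts) for key, ts in latest.items()]

def asr_rule_stats(events):
    """Per-rule (event count, distinct device count), the stats the YAML description promises."""
    per_rule = defaultdict(lambda: [0, set()])
    for ev in events:
        if is_asr_audit(ev["ActionType"]):
            per_rule[ev["ActionType"]][0] += 1
            per_rule[ev["ActionType"]][1].add(ev["DeviceName"])
    return {rule: (n, len(devices)) for rule, (n, devices) in per_rule.items()}

def _row(ts, device, action, pid=4120, **overrides):  # constructed DeviceEvents row builder
    row = {"Timestamp": ts, "DeviceName": device, "ActionType": action, "FileName": "cmd.exe",
           "FolderPath": r"C:\Windows\System32", "InitiatingProcessCommandLine": "WINWORD.EXE /n",
           "InitiatingProcessFileName": "WINWORD.EXE", "InitiatingProcessId": pid, "SHA1": "0" * 40,
           "InitiatingProcessFolderPath": r"C:\Program Files\Microsoft Office\root\Office16"}
    row.update(overrides)
    return row

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    _row("2024-01-10T08:00:00Z", "ws01", "AsrOfficeChildProcessAudited"),
    _row("2024-01-10T08:05:00Z", "ws01", "AsrOfficeChildProcessAudited"),            # repeat: same key
    _row("2024-01-10T08:07:00Z", "ws01", "AsrOfficeChildProcessAudited", pid=4121),  # new PID: new group
    _row("2024-01-10T09:00:00Z", "ws02", "AsrOfficeChildProcessAudited"),
    _row("2024-01-10T09:30:00Z", "ws02", "AsrLsassCredentialTheftAudited", FileName="lsass.exe"),
    _row("2024-01-10T09:45:00Z", "ws03", "AsrOfficeChildProcessBlocked"),  # Blocked, not Audited: dropped
    _row("2024-01-10T10:00:00Z", "ws03", "AntivirusDetection"),            # not an ASR event: dropped
]
```

Note that a changed InitiatingProcessId or SHA1 starts a new group, so the deduplicated view still grows with every distinct process instance; the per-rule counts are the quicker way to spot a rule that is suddenly noisy across many devices.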
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs to update or maintain the ASR (Audit and Security Reporting) service, which generates audit events.
Filter/Exclusion: Exclude events where the source is a known system maintenance task (e.g., Task Scheduler or Windows Update).
Scenario: Administrative Audit Log Review
Description: An admin manually reviews ASR audit logs using tools like Windows Event Viewer or PowerShell to check for compliance or security issues.
Filter/Exclusion: Exclude events where the event ID corresponds to a known audit log review activity (e.g., Event ID 4624 or Event ID 4648).
Scenario: Automated Compliance Reporting Job
Description: A third-party or internal compliance tool (e.g., Microsoft Intune, Azure Security Center, or Log Analytics) runs a scheduled job to generate compliance reports, which may trigger ASR audit events.
Filter/Exclusion: Exclude events where the source is a known compliance tool or job (e.g., Intune Compliance Job or Log Analytics Agent).
Scenario: User-Initiated Security Scan
Description: A user or admin initiates a security scan using tools like Microsoft Defender for Endpoint or CrowdStrike Falcon, which may generate audit events related to ASR.
Filter/Exclusion: Exclude events where the source is a known security scanning tool (e.g., Microsoft Defender or CrowdStrike).
Scenario: System Configuration Change via Group Policy
Description: A system administrator modifies ASR-related settings via Group Policy Management Console (GPMC), which can result in audit events being logged.
Filter/Exclusion: Exclude