MDE - TriggeredASREventsFromCompromisedDevice.md

List every Attack Surface Reduction (ASR) event that fired on a known-compromised device within the search window, with enough process, file and account context to pivot from each hit. Both queries read the `DeviceEvents` table; the only difference is the timestamp column name (`Timestamp` in the Defender for Endpoint advanced-hunting portal, `TimeGenerated` in Sentinel).

Defender For Endpoint

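// Defender for Endpoint (advanced hunting) – ASR events from one device.
//
// Inputs:
//   CompromisedDevice – hostname of the device under investigation.
//   SearchWindow      – look-back period (h = hours, d = days).
// Output: one row per ASR event, newest first.
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
// `==` is case-sensitive and DeviceName is frequently stored as an FQDN
// ("laptop1.contoso.com"), so an exact match on a bare hostname can silently
// return nothing. `=~` ignores case, and the second clause also accepts the
// FQDN form when only the short name is supplied. Both operators are
// case-insensitive, so the original exact matches are still returned.
| where DeviceName =~ CompromisedDevice
    or DeviceName startswith strcat(CompromisedDevice, ".")
// ASR ActionType values share the "Asr" prefix; startswith is case-insensitive.
| where ActionType startswith "ASR"
| project
     Timestamp,
     DeviceId,                      // stable device key; pairs with ReportId to reference this exact event
     ActionType,                    // which ASR rule fired (the name usually also shows block vs. audit – verify per rule)
     FileName,
     FolderPath,
     SHA256,                        // hash of the file the rule acted on, for IOC pivoting
     ProcessCommandLine,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     AccountDomain,
     AccountName,
     AdditionalFields,              // raw event detail not surfaced in named columns
     ReportId
| sort by Timestamp desc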

Sentinel

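// Microsoft Sentinel – ASR events from one device.
//
// Inputs:
//   CompromisedDevice – hostname of the device under investigation.
//   SearchWindow      – look-back period (h = hours, d = days).
// Output: one row per ASR event, newest first.
let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
// `==` is case-sensitive and DeviceName is frequently stored as an FQDN
// ("laptop1.contoso.com"), so an exact match on a bare hostname can silently
// return nothing. `=~` ignores case, and the second clause also accepts the
// FQDN form when only the short name is supplied. Both operators are
// case-insensitive, so the original exact matches are still returned.
| where DeviceName =~ CompromisedDevice
    or DeviceName startswith strcat(CompromisedDevice, ".")
// ASR ActionType values share the "Asr" prefix; startswith is case-insensitive.
| where ActionType startswith "ASR"
| project
     TimeGenerated,
     DeviceId,                      // stable device key; pairs with ReportId to reference this exact event
     ActionType,                    // which ASR rule fired (the name usually also shows block vs. audit – verify per rule)
     FileName,
     FolderPath,
     SHA256,                        // hash of the file the rule acted on, for IOC pivoting
     ProcessCommandLine,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     AccountDomain,
     AccountName,
     AdditionalFields,              // raw event detail not surfaced in named columns
     ReportId
| sort by TimeGenerated desc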