After you’ve fully deployed ASR rules, it’s vital that you have processes in place to monitor and respond to ASR-related activities.

Manage false positives

False positives/negatives can occur with any threat protection solution. False positives are cases in which an entity (such as a file or process) is detected and identified as malicious, although the entity isn’t actually a threat. In contrast, a false negative is an entity that wasn’t detected as a threat but is malicious. For more information about false positives and false negatives, see: Address false positives/negatives in Microsoft Defender for Endpoint

Keeping up with reports

Consistent, regular review of reports is an essential aspect of maintaining your ASR rules deployment and keeping abreast of newly emerging threats. Your organization should schedule reviews of ASR rules events on a cadence that keeps pace with the volume of reported events. Depending on the size of your organization, that might mean daily or hourly reviews, or continuous monitoring.

Hunting

One of the most powerful features of Microsoft 365 Defender is advanced hunting. If you’re not familiar with advanced hunting, see: Proactively hunt for threats with advanced hunting.

Microsoft 365 Defender Advanced hunting

Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that lets you explore up to 30 days of the raw data that the Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) endpoint detection and response (EDR) sensor collects from all your devices. Through advanced hunting, you can proactively inspect events in order to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.

Through advanced hunting, it is possible to extract ASR rules information, create reports, and get in-depth information on the context of a given ASR rule audit or block event.

You can query ASR rules events from the DeviceEvents table in the advanced hunting section of the Microsoft 365 Defender portal. For example, a simple query such as the one below reports all events for the last 30 days whose data source is ASR rules, and summarizes them by the count of each ActionType; for ASR events, the ActionType value is the codename of the rule, suffixed with the mode in which it fired (Audited or Blocked).
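The query described in the preceding paragraph, reconstructed here as an added example (the original page shows it only as a screenshot, so this is not Microsoft's query verbatim). It follows the description above and additionally splits each ActionType into the rule name and its mode, using the Blocked/Audited suffixes shown on this page; the "Other" bucket and the per-rule device count are additions of this example.

```kusto
// Added example: count ASR rule events over the last 30 days by rule and mode.
// Assumes the standard DeviceEvents schema (Timestamp, ActionType, DeviceId).
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
// ActionType values such as AsrLsassCredentialTheftBlocked and
// AsrLsassCredentialTheftAudited encode both the rule and whether it was
// enforced or only audited, so split them apart before summarizing.
| extend Mode = case(ActionType endswith "Blocked", "Blocked",
                     ActionType endswith "Audited", "Audited",
                     "Other")
| extend RuleName = trim_end(@"(Blocked|Audited)$", ActionType)
// DeviceCount tells you whether a rule fires broadly (likely benign noise or a
// false positive against a widely deployed app) or on a handful of devices.
| summarize EventCount = count(), DeviceCount = dcount(DeviceId) by RuleName, Mode
| order by EventCount desc
```

Run it from Hunting > Advanced hunting in the portal. A rule that shows a high Audited count across many devices is a candidate to review for false positives before you switch it to block mode; a rule with blocks on only one or two devices is worth pivoting into as an investigation.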

[Screenshot: Microsoft 365 Defender advanced hunting query]

[Screenshot: Microsoft 365 Defender advanced hunting query results]

The results in the screenshot show the following events registered over the period:

  • AsrLsassCredentialTheft: 187 events (102 Blocked, 85 Audited)
  • AsrOfficeChildProcess: 2 events (1 Audited, 1 Blocked)
  • AsrPsexecWmiChildProcessAudited: 8 events

If you want to focus on the AsrOfficeChildProcess rule and get details on the actual files and processes involved, narrow the ActionType filter to that rule and replace the summarize line with a projection of the fields you want (in this case DeviceName, FileName, FolderPath, and so on).
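The focused query described above, reconstructed as an added example rather than copied from the original page (which shows it only as a screenshot). The column names are the standard DeviceEvents columns; the choice of which ones to project, and the parent-process columns in particular, is this example's.

```kusto
// Added example: detail view for a single rule (AsrOfficeChildProcess), showing
// which child process was evaluated and which Office parent launched it.
DeviceEvents
| where Timestamp > ago(30d)
// startswith matches both the Audited and Blocked variants of the ActionType.
| where ActionType startswith "AsrOfficeChildProcess"
| project Timestamp, DeviceName, ActionType,
          FileName, FolderPath,             // the child process the rule evaluated
          ProcessCommandLine,
          InitiatingProcessFileName,        // the Office parent that spawned it
          InitiatingProcessCommandLine,
          InitiatingProcessAccountName      // the user context it ran under
| order by Timestamp desc
```

The InitiatingProcess columns are what make this useful for triage: a WINWORD.EXE parent launching cmd.exe with an encoded PowerShell command line is a very different story from a known line-of-business add-in spawning its own updater, even though both produce the same ActionType.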

[Screenshot: Microsoft 365 Defender advanced hunting query, focused on AsrOfficeChildProcess]

[Screenshot: Microsoft 365 Defender advanced hunting focused query results]

The true benefit of advanced hunting is that you can shape the queries to your liking. By shaping your query you can see the exact story of what was happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.

For more information about hunting options, see: Demystifying attack surface reduction rules – Part 3.


Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team
