After you’ve fully deployed ASR rules, it’s vital that you have processes in place to monitor and respond to ASR-related activities.
Manage false positives
False positives/negatives can occur with any threat protection solution. False positives are cases in which an entity (such as a file or process) is detected and identified as malicious, although the entity isn’t actually a threat. In contrast, a false negative is an entity that wasn’t detected as a threat but is malicious. For more information about false positives and false negatives, see: Address false positives/negatives in Microsoft Defender for Endpoint.
Keeping up with reports
Consistent, regular review of reports is an essential aspect of maintaining your ASR rules deployment and keeping abreast of newly emerging threats. Your organization should schedule reviews of ASR rules events on a cadence that keeps pace with the events the rules report. Depending on the size of your organization, reviews might be daily, hourly, or take the form of continuous monitoring.
Hunting
One of the most powerful features of Microsoft 365 Defender is advanced hunting. If you’re not familiar with advanced hunting, see: Proactively hunt for threats with advanced hunting.
Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that lets you explore up to 30 days of the captured (raw) data that Microsoft Defender ATP Endpoint Detection and Response (EDR) collects from all your machines. Through advanced hunting, you can proactively inspect events in order to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
Through advanced hunting, it is possible to extract ASR rules information, create reports, and get in-depth information on the context of a given ASR rule audit or block event.
You can query ASR rules events from the DeviceEvents table in the advanced hunting section of the Microsoft 365 Defender portal. For example, a simple query such as the one below can report all the events that have ASR rules as their data source for the last 30 days and summarize them by ActionType count; in this case, the ActionType value is the actual codename of the ASR rule.
The above shows that 187 events were registered for AsrLsassCredentialTheft:
- 102 for Blocked
- 85 for Audited

It also shows:
- 2 events for AsrOfficeChildProcess (1 for Audited and 1 for Blocked)
- 8 events for AsrPsexecWmiChildProcessAudited
If you want to focus on the AsrOfficeChildProcess rule and get details on the actual files and processes involved, change the filter for ActionType and replace the summarize line with a projection of the wanted fields (in this case they are DeviceName, FileName, FolderPath, etc.).
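The two queries described above, written out as an added example that is not part of the original page: the first counts ASR events per ActionType over the last 30 days, and the second replaces the summarize line with a projection for the AsrOfficeChildProcess rule. The third query goes beyond the text and groups the same events by file and initiating process to support the false-positive review; apart from DeviceName, FileName and FolderPath, the projected DeviceEvents columns are chosen here for illustration.

```kusto
// Query 1: all ASR rule events in the last 30 days, counted per ActionType.
// ActionType carries the rule codename plus its mode (Audited or Blocked).
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize EventCount = count() by ActionType
| order by EventCount desc

// Query 2: focus on one rule and project the files and processes involved.
// The prefix match returns both the Audited and the Blocked variant.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "AsrOfficeChildProcess"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

// Query 3 (added, beyond the text): group the same events so that recurring
// file / initiating-process pairs stand out. A pair seen on many devices
// with a known business purpose is a candidate for false-positive review.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "AsrOfficeChildProcess"
| summarize Events = count(),
            Devices = dcount(DeviceName),
            LastSeen = max(Timestamp)
    by ActionType, FileName, FolderPath, InitiatingProcessFileName
| order by Devices desc, Events desc
```

Run each query separately in the advanced hunting editor; the blank lines between them mark the query boundaries.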
The true benefit of advanced hunting is that you can shape the queries to your liking. By shaping your query you can see the exact story of what was happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.
For more information about hunting options, see: Demystifying attack surface reduction rules – Part 3.