Language: SPL | License: Apache-2.0 | Source: splunk/security_content
Windows Defender ASR Audit Events
This detection searches for Windows Defender Attack Surface Reduction (ASR) audit events. ASR is a feature of Windows Defender Exploit Guard that blocks actions and applications commonly used by malware to infect machines. ASR rules are applied to processes and applications: when a process or application attempts an action that an ASR rule blocks, an event is generated. This detection searches for the audit events produced when an ASR rule runs in audit mode, that is, when a process or application attempts an action the rule would block, but the action is allowed to proceed and is only logged.
Quality: 67 | FP risk: —
Rule source: detections/endpoint/windows_defender_asr_audit_events.yml
`ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134)
| stats count min(_time) as firstTime max(_time) as lastTime
BY host, Process_Name, Target_Commandline,
Path, ID, EventCode
| lookup asr_rules ID OUTPUT ASR_Rule
| fillnull value=NULL
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename host as dest
| `windows_defender_asr_audit_events_filter`
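As an added illustration that is not part of the Splunk rule or the security_content project, the Python below re-implements what the SPL above does over a handful of constructed events: the EventCode filter, `stats` by the same fields, the `asr_rules` lookup, `fillnull`, the timestamp conversion and the `host`-to-`dest` rename. The rule GUIDs, hostnames, commands and the ctime output format are assumptions; note that, as in Splunk, an event missing any of the BY fields never reaches the results.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Event codes the Splunk rule searches for (taken from the rule's SPL).
ASR_AUDIT_EVENT_CODES = {1122, 1125, 1126, 1132, 1134}

# Stand-in for the `asr_rules` lookup. The GUIDs are constructed placeholders,
# not real ASR rule identifiers.
ASR_RULES = {
    "00000000-0000-0000-0000-0000000000aa": "EXAMPLE_RULE_A",
    "00000000-0000-0000-0000-0000000000bb": "EXAMPLE_RULE_B",
}

GROUP_BY = ("host", "Process_Name", "Target_Commandline", "Path", "ID", "EventCode")

def _ev(t, code, host, proc, cmd, path, rule_id):
    return {"_time": t, "EventCode": code, "host": host, "Process_Name": proc,
            "Target_Commandline": cmd, "Path": path, "ID": rule_id}

# Constructed sample events (epoch seconds) in the field layout the SPL groups by.
SAMPLE_EVENTS = [
    _ev(1700000000, 1122, "ws01", "winword.exe", "cmd.exe /c dir", r"C:\Users\alice\report.docx", "00000000-0000-0000-0000-0000000000aa"),
    _ev(1700000060, 1122, "ws01", "winword.exe", "cmd.exe /c dir", r"C:\Users\alice\report.docx", "00000000-0000-0000-0000-0000000000aa"),
    _ev(1700000120, 1121, "ws02", "excel.exe", "cmd.exe /c dir", r"C:\Users\bob\sheet.xlsx", "00000000-0000-0000-0000-0000000000bb"),  # block event: not in the code list
    _ev(1700000180, 1132, "ws03", "notepad.exe", "notepad.exe", r"C:\Users\carol\Documents", "not-in-lookup"),  # lookup miss -> fillnull
]
# Audit event lacking two BY fields: dropped by `stats ... BY`, never fillnull'ed.
SAMPLE_EVENTS.append({"_time": 1700000240, "EventCode": 1125, "host": "ws04",
                      "Process_Name": "msedge.exe", "ID": "00000000-0000-0000-0000-0000000000bb"})

def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds -> readable UTC string (assumed format)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")

def detect(events, asr_rules=ASR_RULES):
    """Filter by EventCode, stats count/min/max BY the group fields, lookup, fillnull, rename."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") not in ASR_AUDIT_EVENT_CODES:
            continue
        if any(ev.get(f) is None for f in GROUP_BY):   # stats BY drops events missing a BY field
            continue
        groups[tuple(ev[f] for f in GROUP_BY)].append(ev["_time"])
    results = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"], row["firstTime"], row["lastTime"] = len(times), ctime(min(times)), ctime(max(times))
        row["ASR_Rule"] = asr_rules.get(row["ID"], "NULL")   # lookup, then fillnull value=NULL
        row["dest"] = row.pop("host")                         # rename host as dest
        results.append(row)
    return results
```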