SPL · Apache-2.0 · from splunk/security_content

Windows Defender ASR Block Events

This detection searches for Windows Defender ASR block events. Attack Surface Reduction (ASR) is a feature of Windows Defender Exploit Guard that blocks actions and applications typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications; when a process or application attempts an action that an ASR rule blocks, an event is generated, and this detection searches for those block events. Typically, these rules will be enabled in block mode after auditing and tuning the ASR rules themselves. Set to TTP once tuned.

Quality: 67
FP risk
Forks: 0
Views: 0
Rule source: detections/endpoint/windows_defender_asr_block_events.yml
`ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133)
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY host, Path, Parent_Commandline,
       Process_Name, ID, EventCode
  | lookup asr_rules ID OUTPUT ASR_Rule
  | fillnull value=NULL
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | rename host as dest
  | `windows_defender_asr_block_events_filter`
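As an added example (not part of the splunk/security_content rule), the search pipeline above re-implemented in Python over constructed sample events, so the filter, `stats ... BY`, lookup, `fillnull` and `rename` steps can be checked offline; it also mirrors the Splunk behaviour that an event lacking any BY field is silently dropped from `stats`, which is worth knowing when a source omits `Parent_Commandline`. The `ASR_RULES` dict is a constructed stand-in for the `asr_rules` lookup; its two GUID-to-name pairs follow Microsoft's published ASR rule reference.

```python
from collections import defaultdict

# Event codes the SPL filters on (block-mode Defender Exploit Guard events), as on the page.
ASR_BLOCK_EVENT_CODES = {1121, 1126, 1129, 1131, 1133}
GROUP_FIELDS = ("host", "Path", "Parent_Commandline", "Process_Name", "ID", "EventCode")

# Constructed stand-in for the `asr_rules` lookup (ID -> ASR_Rule); the two
# GUIDs are from Microsoft's published ASR rule reference.
ASR_RULES = {
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
    "3b576869-a4ec-4529-8536-b80a7769e899": "Block Office applications from creating executable content",
}

# Constructed sample events in the field shape the `ms_defender` macro yields.
OFFICE_CHILD = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
SAMPLE_EVENTS = [
    {"_time": 100, "EventCode": 1121, "host": "ws01", "Path": r"C:\Users\a\Downloads\inv.exe",
     "Parent_Commandline": "WINWORD.EXE /n", "Process_Name": "inv.exe", "ID": OFFICE_CHILD},
    {"_time": 160, "EventCode": 1121, "host": "ws01", "Path": r"C:\Users\a\Downloads\inv.exe",
     "Parent_Commandline": "WINWORD.EXE /n", "Process_Name": "inv.exe", "ID": OFFICE_CHILD},
    # Audit-mode event (1122): not in the block set, so it must not surface.
    {"_time": 200, "EventCode": 1122, "host": "ws01", "Path": r"C:\tmp\x.exe",
     "Parent_Commandline": "EXCEL.EXE", "Process_Name": "x.exe", "ID": OFFICE_CHILD},
    # Block event whose rule ID is not in the lookup: ASR_Rule is filled with NULL.
    {"_time": 300, "EventCode": 1121, "host": "ws02", "Path": r"C:\tmp\y.exe",
     "Parent_Commandline": "cmd.exe /c y.exe", "Process_Name": "y.exe", "ID": "unknown-rule-id"},
    # Block event missing a BY field: Splunk `stats ... BY` silently drops it.
    {"_time": 400, "EventCode": 1121, "host": "ws03", "Path": r"C:\tmp\z.exe",
     "Process_Name": "z.exe", "ID": OFFICE_CHILD},
]


def asr_block_stats(events, asr_rules=ASR_RULES):
    """Re-implement the search: filter to block codes, stats count/min/max BY the
    group fields, lookup ASR_Rule, fillnull value=NULL, rename host as dest."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") not in ASR_BLOCK_EVENT_CODES:
            continue
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        if None in key:  # mirror stats BY dropping events that lack a split field
            continue
        groups[key].append(ev["_time"])
    rows = []
    for key, times in sorted(groups.items(), key=lambda kv: min(kv[1])):
        row = dict(zip(GROUP_FIELDS, key))
        row.update(count=len(times), firstTime=min(times), lastTime=max(times))
        row["ASR_Rule"] = asr_rules.get(row["ID"], "NULL")  # lookup + fillnull
        row["dest"] = row.pop("host")
        rows.append(row)
    return rows
```

Feed it the output of a real `ms_defender` search export to confirm which of your events carry every BY field before trusting the counts the rule reports.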
Windows Defender ASR Block Events · SPL rule | DetectionLint