Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/EnrichmentPlugins/DeviceEnrichment.yaml (1,099 lines of code)

Descriptor:
  Name: Device Enrichment Skills
  DisplayName: Device Enrichment Skills
  Description: A set of KQL-based skills designed to enrich device-related data in Microsoft Defender and Sentinel. These skills provide insights into device vulnerabilities, logon events, exposure levels, and event timelines, empowering security analysts to monitor, investigate, and prioritize device-level security risks.
  DescriptionForModel: |-
    A collection of KQL-based skills that interact with Microsoft Defender and Sentinel to enhance device-related data analysis. These skills include:
    - Summarizing device exposure levels to identify high-risk and internet-facing devices.
    - Retrieving detailed logon events for specified accounts and devices.
    - Constructing event timelines around specific timestamps to analyze suspicious device activities.
    - Identifying vulnerabilities (CVEs) affecting devices and assessing their impact.
    - Listing devices affected by specific CVEs to prioritize remediation efforts.
    This skillset enables comprehensive device-level security investigations, helping analysts understand vulnerabilities, logon behavior, and event patterns to mitigate risks effectively. Use these skills for detailed insights into device security posture and incident response.
  SupportedAuthTypes:
    - None
  Settings:
    - Name: TenantId
      Label: TenantId
      Description: Azure TenantId.
      HintText: TenantId
      SettingType: String
      Required: true
    - Name: SubscriptionName
      Label: SubscriptionName
      Description: The subscription name that Security Copilot will use for Sentinel.
      HintText: yoursubscriptionname
      SettingType: String
      Required: true
    - Name: WorkspaceName
      Label: WorkspaceName
      Description: The workspace name that Security Copilot will use for Sentinel.
      HintText: yourworkspace
      SettingType: String
      Required: true
    - Name: ResourceGroupName
      Label: ResourceGroupName
      Description: The resource group name that Security Copilot will use for Sentinel.
      HintText: yourresourcegroup
      SettingType: String
      Required: true

SkillGroups:
  - Format: KQL
    Skills:
      - Name: DeviceExposureLevel
        DisplayName: Summarize Device Exposure Levels
        DescriptionForModel: |-
          Performs a KQL query on the `DeviceInfo` table to evaluate the exposure posture of devices by calculating two key metrics:
          - **Total Number of High-Risk Devices**: The count of devices classified with a "High" exposure level.
          - **High Exposure Internet-Facing Devices**: The count of high-risk devices that are accessible from the internet.
          Designed to provide insights into the security posture of devices, this skill helps prioritize remediation actions by highlighting critical and exposed devices, enabling GPT to suggest further steps to reduce risk.
        Description: Summarize device exposure levels in the environment by identifying the total number of high-risk devices and high-risk internet-facing devices. Helps prioritize remediation efforts for critical assets.
        Settings:
          Target: Defender
          Template: |-
            // DeviceInfo holds one row per device report, so take the latest report per device
            // before counting; counting raw rows would overcount devices.
            DeviceInfo
            | summarize arg_max(Timestamp, ExposureLevel, IsInternetFacing) by DeviceId
            // Count devices with a High exposure level, and the subset of those that are internet-facing,
            // in a single output row
            | summarize HighRiskDeviceCount = countif(ExposureLevel == "High"),
                        HighExposureInternetFacingCount = countif(ExposureLevel == "High" and IsInternetFacing == true)
      - Name: DeviceLogonSearch
        DisplayName: Device Logon & Owner
        DescriptionForModel: |-
          Performs a KQL query on the `DeviceLogonEvents` table to retrieve interactive and remote logon activities for a specified account and date. Key details include:
          - `Timestamp`: Logon event time.
          - `DeviceId`: Unique identifier of the device.
          - `DeviceName`: Name of the device.
          - `AccountName`: Account name used for the logon.
          - `LogonType`: Type of logon (e.g., Interactive, RemoteInteractive).
          This skill enables security analysts to track and investigate logon events for specific accounts, identify devices associated with the account, and review activity timelines for further analysis.
        Description: Retrieve a detailed log of interactive and remote device logon events for a specified account on a specific date. Includes device ID, device name, logon timestamps, and account name to aid in tracking user activity and identifying associated devices.
        Inputs:
          - Name: AccountName
            Description: The account name (not the UPN), e.g. jsmith
            Required: true
          - Name: event_date
            Description: The date to retrieve logon events for, formatted as YYYY-MM-DD, e.g. 2024-09-13
            Required: true
        Settings:
          Target: Defender
          Template: |-
            // Retrieve device logon events for the specified account on the given date.
            // Only interactive and remote-interactive logons are returned, with device IDs and names.
            let userDate = "{{event_date}}";
            let startDatetime = todatetime(strcat(userDate, "T00:00:00"));
            let stopDatetime = startDatetime + 1d; // exclusive upper bound covers the whole day, including the last second
            DeviceLogonEvents
            | where AccountName =~ "{{AccountName}}"
            | where Timestamp >= startDatetime and Timestamp < stopDatetime
            // Interactive = Windows logon type 2, RemoteInteractive = logon type 10 (RDP)
            | where LogonType in ("Interactive", "RemoteInteractive")
            | project Timestamp, DeviceId, DeviceName, AccountName, LogonType
            | order by Timestamp desc
      - Name: DeviceTimeline
        DisplayName: Device Timeline
        DescriptionForModel: |-
          Performs a KQL query to construct a timeline of device events and security alerts for a specified device, centered around a user-provided timestamp. Captures events within a defined time window (e.g., 15 seconds before and after) to identify suspicious behavior, anomalies, and patterns. Key features include:
          - Events: File actions, network connections, process activity, and logon events.
          - Alerts: Related security alerts and evidence for additional context.
          - Time categorization: Events are classified as occurring "Before," "Pivot," or "After" the specified timestamp.
          This skill enables security analysts to investigate device behavior comprehensively, focusing on potential malicious actions or correlated events, and provides actionable insights for remediation or further inquiry.
        Description: Retrieve and analyze a detailed timeline of device events and security alerts surrounding a specific timestamp for a given device. Includes file actions, network connections, process activity, and related alerts to investigate suspicious behavior and anomalies.
        Inputs:
          - Name: device_name
            Description: The name of the device for which the timeline is being constructed, e.g. vnevado-win10v
            Required: true
          - Name: event_timestamp
            Description: The timestamp to build the timeline around, formatted in ISO 8601, e.g. 2024-08-30T01:10:39.501000
            Required: true
          - Name: time_window
            Description: The time window to search on each side of the timestamp, e.g. 30s for 30 seconds. Defaults to 15s.
            Required: false
        Settings:
          Target: Sentinel
          TenantId: "{{TenantId}}"
          SubscriptionName: "{{SubscriptionName}}"
          ResourceGroupName: "{{ResourceGroupName}}"
          WorkspaceName: "{{WorkspaceName}}"
          Template: |-
            // Build a timeline of device events for a specific device, centered around a user-provided timestamp.
            // Events within the user-specified window (X seconds before and after the timestamp) are returned so that
            // what happened before, during, and after the key moment can be reviewed.
            // Results include file actions, network connections, and process activity.
            // The GPT model should analyze the data to identify suspicious patterns or anomalies,
            // focusing on potential malicious behaviors or correlating events.
            let deviceName = "{{device_name}}";                    // Device to build the timeline for
            let timelineWindow = {{time_window}};                  // Window on each side of the pivot, e.g. 15s
            let pivotTimestamp = datetime('{{event_timestamp}}'); // Timestamp provided by the user
            // Start and end of the time window
            let startTime = pivotTimestamp - timelineWindow;
            let endTime = pivotTimestamp + timelineWindow;
            // Combine file, network, logon and process events, filtered by device name and time window.
            // Network signature inspection events are excluded as they add noise without investigative value here.
            let deviceEvents = DeviceEvents
            | union DeviceFileEvents, DeviceNetworkEvents, DeviceLogonEvents, DeviceProcessEvents
            | where DeviceName contains deviceName
            | where Timestamp between (startTime .. endTime)
            | where ActionType != "NetworkSignatureInspected"
            // Classify each event as "Before", "Pivot", or "After" relative to the pivot timestamp
            | extend TimeRelation = case(
                Timestamp < pivotTimestamp, "Before",
                Timestamp == pivotTimestamp, "Pivot",
                Timestamp > pivotTimestamp, "After",
                "Unknown") // Default for any unexpected value
            | project Timestamp, ActionType, FileName, FolderPath, ProcessCommandLine, RemoteIP, RemotePort,
                      AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, TimeRelation;
            // Deduplicate and return the timeline in chronological order
            deviceEvents
            | distinct Timestamp, ActionType, FileName, FolderPath, ProcessCommandLine, RemoteIP, RemotePort,
                       AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, TimeRelation
            | order by Timestamp asc
      - Name: DeviceCVESearch
        DisplayName: Device CVE Search
        DescriptionForModel: |-
          Identify specific CVEs affecting a specified device based on the selected severity level. For each vulnerability, it:
          1. **Analyzes Software Vendors**: Evaluates the type of software the vendor produces and the potential risks associated with the vulnerability, considering the software's role in the system and possible exploitation impacts.
          2. **Summarizes Device Security State**: Assesses the device's security posture by reviewing the number and severity of CVEs and identifying critical areas requiring immediate attention.
          This skill provides actionable security insights, enabling security analysts to prioritize remediation and address vulnerabilities effectively.
        Description: Retrieve a list of software vulnerabilities (CVEs) affecting a specified device, filtered by severity level (Critical, High, Medium, or Low). Provides insights into software vendors, vulnerability impacts, and the device's overall security posture to help prioritize remediation efforts.
        Inputs:
          - Name: device_name
            Description: Device to search on
            Required: true
          - Name: severity_level
            Description: Critical, High, Medium, or Low
            Required: true
        Settings:
          Target: Defender
          Template: |-
            // Retrieve vulnerabilities affecting the specified device at the requested severity level,
            // enriched with CVSS/EPSS scoring and exploit availability from the vulnerability KB
            DeviceTvmSoftwareVulnerabilities
            | where DeviceName =~ "{{device_name}}"
            | where VulnerabilitySeverityLevel contains "{{severity_level}}"
            | project DeviceName, SoftwareVendor, SoftwareName, CveId
            | lookup DeviceTvmSoftwareVulnerabilitiesKB on CveId
            | project DeviceName, SoftwareVendor, SoftwareName, CveId, CvssScore, EpssScore, CvssVector, IsExploitAvailable
            | order by EpssScore desc, CvssScore desc
      - Name: CVEHostSearch
        DisplayName: CVE Host Search
        DescriptionForModel: |-
          Performs a KQL query to identify devices impacted by a specific CVE identifier. For each affected device, it:
          1. **Analyzes Impact**: Examines how the vulnerability affects the device, considering the type of software involved, its role in the system, and potential impacts if the vulnerability is exploited.
          2. **Summarizes Security Posture**: Evaluates the overall security risk by analyzing the number of affected devices, their importance within the network, and the severity of the vulnerability.
          This skill provides actionable insights to prioritize remediation, mitigate security risks, and strengthen the overall security posture of the environment.
        Description: Retrieve a list of devices affected by a specified CVE identifier. Provides insights into the impact of the vulnerability on each device, highlights critical risks, and assesses the overall security posture to support remediation efforts across the network.
        Inputs:
          - Name: cve_id
            Description: CVE identifier to search for (e.g., CVE-2023-12345)
            Required: true
        Settings:
          Target: Defender
          Template: |-
            // Retrieve devices affected by the specified CVE
            DeviceTvmSoftwareVulnerabilities
            | where CveId =~ "{{cve_id}}"
            | project DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
            // For each device:
            // 1. Analyze the impact of the vulnerability on the device, considering the type of software and why the vulnerability could be problematic.
            // 2. Summarize the security posture based on the number of devices impacted and their importance.
            // Use this information to provide security insights and prioritize remediation efforts.
      - Name: DeviceDefenderSensorHealthReport
        DisplayName: Microsoft Defender Sensor Health Report
        DescriptionForModel: |-
          Executes a KQL query against DeviceTvmSecureConfigurationAssessment to evaluate Microsoft Defender sensor health status and configurations across Windows, macOS, and Linux devices. This skill:
          1. **Evaluates Defender Components**: Assesses critical security features including real-time protection, tamper protection, cloud protection, PUA protection, and behavior monitoring.
          2. **Tracks Protection Status**: Monitors Defender operational states (Active/Passive/EDR Blocked) and compliance status (GOOD/BAD).
          3. **Monitors Version Currency**: Tracks antivirus signature versions, product versions, and engine versions to ensure up-to-date protection.
          This skill enables security teams to identify misconfigurations, outdated signatures, and disabled protections that could impact endpoint security.
        Description: |-
          Analyzes Microsoft Defender health and configuration status using DeviceTvmSecureConfigurationAssessment data.
          Evaluates multiple security components:
          - Protection Features: Real-time protection, cloud protection, email scanning, PUA protection, and behavior monitoring
          - Operational Status:
            • GOOD: Configuration meets security requirements
            • BAD: Configuration fails compliance checks, requires attention
            • Active: Defender is the primary antivirus with full protection
            • Passive: Defender is in passive mode (another antivirus is primary)
            • EDR Blocked: Defender is blocked by endpoint detection and response policy
            • Unknown: Status cannot be determined
          Tracks version information for signatures, product, and engine to ensure current protection levels.
          Results help prioritize security gaps and maintain strong endpoint protection across Windows, macOS, and Linux systems.
        Inputs:
          - Name: device_name
            Description: Name of the device to evaluate (e.g., "Device01")
            Required: true
        Settings:
          Target: Defender
          Template: |-
            DeviceTvmSecureConfigurationAssessment
            // Filter to the requested device when device_name is supplied; otherwise return all devices
            | where (isnotempty('{{device_name}}') and DeviceName =~ '{{device_name}}') or isempty('{{device_name}}')
            | where ConfigurationId in ('scid-90', 'scid-91', 'scid-2003', 'scid-2010', 'scid-2011', 'scid-2012', 'scid-2013', 'scid-2016',
                                        'scid-5095', 'scid-6095', 'scid-5090', 'scid-6090', 'scid-5091', 'scid-6091', 'scid-5094', 'scid-6094')
            // Map each secure configuration ID to the Defender component it checks, per OS platform
            | extend Test = case(
                ConfigurationId == 'scid-2003' and OSPlatform startswith 'Windows', 'TamperProtection',
                ConfigurationId == 'scid-2010' and OSPlatform startswith 'Windows', 'DefenderMode',
                ConfigurationId == 'scid-90' and OSPlatform startswith 'Windows', 'EmailScanning',
                ConfigurationId == 'scid-2011' and OSPlatform startswith 'Windows', 'AntivirusSignatureVersion',
                ConfigurationId == 'scid-5095' and OSPlatform == 'macOS', 'AntivirusSignatureVersion',
                ConfigurationId == 'scid-6095' and OSPlatform == 'Linux', 'AntivirusSignatureVersion',
                ConfigurationId == 'scid-2012' and OSPlatform startswith 'Windows', 'RealtimeProtection',
                ConfigurationId == 'scid-5090' and OSPlatform == 'macOS', 'RealtimeProtection',
                ConfigurationId == 'scid-6090' and OSPlatform == 'Linux', 'RealtimeProtection',
                ConfigurationId == 'scid-2013' and OSPlatform startswith 'Windows', 'PUAProtection',
                ConfigurationId == 'scid-5091' and OSPlatform == 'macOS', 'PUAProtection',
                ConfigurationId == 'scid-6091' and OSPlatform == 'Linux', 'PUAProtection',
                ConfigurationId == 'scid-2016' and OSPlatform startswith 'Windows', 'CloudProtection',
                ConfigurationId == 'scid-5094' and OSPlatform == 'macOS', 'CloudProtection',
                ConfigurationId == 'scid-6094' and OSPlatform == 'Linux', 'CloudProtection',
                ConfigurationId == 'scid-91' and OSPlatform startswith 'Windows', 'BehaviourMonitoring',
                'NA')
            // scid-2010 reports the Defender running mode in Context; every other check is GOOD/BAD by compliance
            | extend Result = case(
                ConfigurationId == 'scid-2010', case(
                    parse_json(Context)[0][0] == '0', 'Active',
                    parse_json(Context)[0][0] == '1', 'Passive',
                    parse_json(Context)[0][0] == '4', 'EDR Blocked',
                    'Unknown'),
                IsCompliant == 1, 'GOOD',
                'BAD')
            // The signature checks carry version details in Context
            | extend SignVer = case(
                ConfigurationId == 'scid-2011' and OSPlatform startswith 'Windows', parse_json(Context)[0],
                ConfigurationId == 'scid-5095' and OSPlatform == 'macOS', parse_json(Context)[0],
                ConfigurationId == 'scid-6095' and OSPlatform == 'Linux', parse_json(Context)[0],
                '')
            | extend DeviceName = toupper(tostring(split(DeviceName, '.')[0]))
            | extend packed = pack(Test, Result)
            | summarize Tests = make_bag(packed), SignatureData = max(SignVer), DeviceName = any(DeviceName), OSPlatform = any(OSPlatform) by DeviceId
            // Add a default record so that every expected column exists even when no data is returned
            | union (print DeviceId = "", Tests = pack(
                "TamperProtection", "N/A", "DefenderMode", "N/A", "EmailScanning", "N/A", "AntivirusSignatureVersion", "N/A",
                "RealtimeProtection", "N/A", "PUAProtection", "N/A", "CloudProtection", "N/A", "BehaviourMonitoring", "N/A"),
                SignatureData = "", DeviceName = "", OSPlatform = "")
            | evaluate bag_unpack(Tests)
            | extend AVSignatureVersion = tostring(parse_json(SignatureData)[0]),
                     Date = todatetime(parse_json(SignatureData)[2]),
                     ProductVersion = tostring(parse_json(SignatureData)[3]),
                     EngineVersion = tostring(parse_json(SignatureData)[1])
            | join kind=leftouter (DeviceInfo | distinct DeviceId, MachineGroup, OnboardingStatus) on DeviceId
            | where OnboardingStatus == "Onboarded" or isempty(DeviceId)
            | project DeviceName, OSPlatform, MachineGroup, TamperProtection, DefenderMode, EmailScanning, AntivirusSignatureVersion,
                      RealtimeProtection, PUAProtection, CloudProtection, BehaviourMonitoring, AVSignatureVersion, Date, ProductVersion, EngineVersion
      - Name: DefenderAvSignatureHealthReport
        DisplayName: Microsoft Defender AV Signature Health Report
        DescriptionForModel: |-
          Executes a KQL query against DeviceTvmSecureConfigurationAssessment to evaluate Microsoft Defender antivirus signature status and real-time protection health across Windows, macOS, and Linux devices. This skill:
          1. **Tracks Signature Currency**: Compares current device signatures against the latest available signatures per platform
          2. **Monitors Protection Status**: Identifies devices with inactive real-time protection
          3. **Cross-Platform Coverage**: Evaluates protection across Windows, macOS, and Linux endpoints
          This skill enables security teams to quickly identify devices with outdated signatures or disabled real-time protection that require immediate attention.
        Description: |-
          Analyzes Microsoft Defender antivirus signature status and real-time protection health using DeviceTvmSecureConfigurationAssessment data.
          Evaluates critical security components:
          - Signature Status:
            • Current device signature version
            • Latest available signature version for the platform
            • Last update timestamp
          - Protection Status:
            • GOOD: Real-time protection is active and functioning
            • BAD: Real-time protection is inactive or malfunctioning
          Results are filtered to show only devices requiring attention (outdated signatures or inactive protection), helping teams prioritize updates and fixes across Windows, macOS, and Linux systems.
        Settings:
          Target: Defender
          Template: |-
            // Latest signature version observed per OS platform, taken from compliant devices
            let LatestSignatures = DeviceTvmSecureConfigurationAssessment
            | where ConfigurationId in ('scid-2011', 'scid-5095', 'scid-6095') // AV signature checks for Windows, macOS, Linux
            | where IsCompliant == 1 // Only devices whose signatures are current
            | extend OSPlatform = case(
                OSPlatform startswith 'Windows', 'Windows',
                OSPlatform == 'macOS', 'macOS',
                OSPlatform == 'Linux', 'Linux',
                'Other')
            | extend SignatureVersion = tostring(parse_json(Context)[0]),
                     SignatureDate = todatetime(parse_json(Context)[2])
            | summarize arg_max(SignatureDate, SignatureVersion) by OSPlatform;
            // Per-device signature and real-time protection status
            DeviceTvmSecureConfigurationAssessment
            | where ConfigurationId in ('scid-2011', 'scid-5095', 'scid-6095', 'scid-2012', 'scid-5090', 'scid-6090')
            | extend Test = case(
                ConfigurationId == 'scid-2011' and OSPlatform startswith 'Windows', 'AntivirusSignatureVersion',
                ConfigurationId == 'scid-5095' and OSPlatform == 'macOS', 'AntivirusSignatureVersion',
                ConfigurationId == 'scid-6095' and OSPlatform == 'Linux', 'AntivirusSignatureVersion',
                ConfigurationId == 'scid-2012' and OSPlatform startswith 'Windows', 'RealtimeProtection',
                ConfigurationId == 'scid-5090' and OSPlatform == 'macOS', 'RealtimeProtection',
                ConfigurationId == 'scid-6090' and OSPlatform == 'Linux', 'RealtimeProtection',
                'NA')
            | where Test in ('AntivirusSignatureVersion', 'RealtimeProtection')
            | extend Result = case(IsCompliant == 1, 'GOOD', 'BAD')
            | extend SignVer = case(ConfigurationId in ('scid-2011', 'scid-5095', 'scid-6095'), parse_json(Context)[0], '')
            | extend DeviceName = toupper(tostring(split(DeviceName, '.')[0]))
            | extend OSType = case(
                OSPlatform startswith 'Windows', 'Windows',
                OSPlatform == 'macOS', 'macOS',
                OSPlatform == 'Linux', 'Linux',
                'Other')
            | extend packed = pack(Test, Result)
            | summarize Tests = make_bag(packed), SignatureData = max(SignVer), DeviceName = any(DeviceName),
                        OSPlatform = any(OSPlatform), OSType = any(OSType) by DeviceId
            | evaluate bag_unpack(Tests)
            | extend AVSignatureVersion = tostring(parse_json(SignatureData)[0]),
                     Date = todatetime(parse_json(SignatureData)[2])
            | join kind=leftouter (DeviceInfo | distinct DeviceId, MachineGroup, OnboardingStatus) on DeviceId
            | join kind=leftouter LatestSignatures on $left.OSType == $right.OSPlatform
            | where OnboardingStatus == "Onboarded"
            // Keep only devices with outdated signatures or inactive real-time protection
            | where AntivirusSignatureVersion == "BAD" or RealtimeProtection == "BAD"
            | project DeviceName, OSPlatform, MachineGroup, ['AV Status'] = RealtimeProtection, ['Current Signature'] = AVSignatureVersion,
                      ['Latest Available Signature'] = SignatureVersion, ['Last Update'] = Date
            | sort by DeviceName asc
            | take 15
      - Name: WindowsCriticalVulnerabilitiesReport
        DisplayName: Windows Critical Vulnerabilities Health Report
        DescriptionForModel: |-
          Executes a KQL query against DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB to evaluate critical vulnerabilities across Windows 10 and 11 devices. This skill:
          1. **Identifies High-Risk Devices**: Finds the top 10 devices with the most critical vulnerabilities
          2. **Tracks Exploit Status**: Monitors exploitable vulnerabilities and CVSS scores
          3. **Evaluates Zero-Day Impact**: Identifies devices affected by zero-day vulnerabilities
          This skill enables security teams to quickly identify and prioritize the most vulnerable Windows devices requiring immediate attention.
        Description: |-
          Analyzes critical vulnerabilities on Windows 10 and 11 devices using DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB data.
          Evaluates critical security metrics:
          - Vulnerability Status:
            • Total critical vulnerabilities per device
            • Zero-day vulnerability count
            • Number of exploitable vulnerabilities
          - Risk Assessment:
            • Maximum CVSS score
            • Maximum EPSS score
            • CVSS vector patterns
          - System Details:
            • OS Platform and Version
            • Architecture
            • CVE count
          Results are ordered by critical vulnerability count and CVSS scores, helping teams prioritize remediation efforts across Windows devices.
        Settings:
          Target: Defender
          Template: |-
            // The ten Windows 10/11 devices with the most critical vulnerabilities
            let TopDevices = DeviceTvmSoftwareVulnerabilities
            | where OSPlatform in ("Windows10", "Windows11")
            | where VulnerabilitySeverityLevel == "Critical"
            | summarize VulnCount = count() by DeviceId, DeviceName
            | top 10 by VulnCount desc;
            let DeviceVulns = DeviceTvmSoftwareVulnerabilities
            | where OSPlatform in ("Windows10", "Windows11")
            | where VulnerabilitySeverityLevel == "Critical"
            | where DeviceId in ((TopDevices | project DeviceId)); // `in` with a table requires a single-column expression
            DeviceVulns
            // One row per device and CVE; the same CVE can affect several software products on one device
            | summarize ['Critical Vulnerabilities'] = count(), ['Zero Days'] = countif(CveTags has "ZeroDay")
                by DeviceId, DeviceName, OSPlatform, OSVersion, OSArchitecture, CveId
            | lookup DeviceTvmSoftwareVulnerabilitiesKB on CveId
            // Roll up to one row per device: totals across CVEs, plus worst-case scores
            | summarize ['Critical Vulnerabilities'] = sum(['Critical Vulnerabilities']),
                        ['Zero Days'] = sum(['Zero Days']),
                        ['Max CVSS Score'] = max(CvssScore),
                        ['Exploitable CVEs'] = countif(IsExploitAvailable == true),
                        ['Max EPSS Score'] = max(EpssScore),
                        ['CVSS Vectors'] = make_set(CvssVector),
                        ['CVE Count'] = dcount(CveId)
                by DeviceId, DeviceName, OSPlatform, OSVersion, OSArchitecture
            | project DeviceName, OSPlatform, OSVersion, OSArchitecture, ['Critical Vulnerabilities'], ['Zero Days'], ['Exploitable CVEs'],
                      ['Max CVSS Score'], ['Max EPSS Score'], ['CVE Count'], ['CVSS Vectors']
            | order by ['Critical Vulnerabilities'] desc, ['Max CVSS Score'] desc
      - Name: ASRRuleTriggerCount
        DisplayName: ASR Rule Trigger Frequency
        DescriptionForModel: |-
          Executes a KQL query against DeviceEvents to determine how often each Attack Surface Reduction (ASR) rule has been triggered. This skill:
          1. **Identifies High-Frequency Rules**: Counts occurrences of each ASR rule
          2. **Prioritizes Impact**: Ranks rules based on trigger frequency
          3. **Prepares for Enforcement**: Helps security teams assess the potential disruption before enabling ASR rules
          This skill is useful for determining which ASR rules are triggering frequently and require careful evaluation before enforcement.
        Description: |-
          Analyzes the frequency of ASR rule triggers across devices using DeviceEvents data.
          Evaluates key security insights:
          - **ASR Rule Analysis**:
            • Count of ASR rule triggers
            • ASR rule names
            • Ordered by most frequently triggered rules
          - **Risk & Enforcement Considerations**:
            • Identifies high-frequency ASR rules that may impact business processes
            • Helps prioritize which ASR rules should be tested first
          Results provide security teams with data to understand potential operational impact before enforcing ASR rules in block mode.
        Settings:
          Target: Defender
          Template: |-
            DeviceEvents
            | where tolower(ActionType) startswith "asr"
            | where Timestamp > ago(30d) // Defender advanced hunting uses Timestamp; TimeGenerated exists only in Sentinel
            // Friendly rule names; unmapped action types fall through to the raw ActionType value
            | extend RuleName = case(
                ActionType == "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes",
                ActionType == "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content",
                ActionType == "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes",
                ActionType == "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription",
                ActionType == "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes",
                ActionType == "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes",
                ActionType == "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros",
                ActionType == "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
                ActionType == "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB",
                ActionType == "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail",
                ActionType == "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
                ActionType == "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript or VBScript from launching downloaded executable content",
                ActionType == "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware",
                ActionType == "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands",
                ActionType == "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)",
                ActionType == "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers",
                ActionType == "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)",
                ActionType == "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers",
                ActionType)
            | summarize TriggerCount = count() by RuleName, ActionType, FileName, FolderPath
            | where TriggerCount > 10
            // Candidate exclusion path for rules that fire repeatedly on the same file
            | extend ExclusionPath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, "\\", FileName), "")
            | order by TriggerCount desc
            | project RuleName, ActionType, FileName, FolderPath, ExclusionPath, TriggerCount
      - Name: ASRBusinessHoursImpact
        DisplayName: ASR Rule Business Hours Impact Analysis
        DescriptionForModel: |-
          Executes a KQL query against DeviceEvents to analyze ASR rule impact during business hours vs. non-business hours. This skill:
          1. **Compares Working vs. Non-Working Hours**: Analyzes when ASR rules are triggered
          2. **Identifies Business-Critical Rules**: Highlights rules with high business hours impact
          3. **Supports Risk Assessment**: Helps evaluate potential productivity impact
          This skill helps security teams understand the potential impact on business operations when enforcing ASR rules.
        Description: |-
          Analyzes when ASR rules are triggered to assess business operational impact.
          Key insights include:
          - **Temporal Impact Analysis**:
            • Business hours vs. non-business hours trigger comparison
            • Business impact ratio calculation
          - **Operational Risk Assessment**:
            • Identifies rules with the highest impact during working hours
            • Helps prioritize rules based on potential productivity disruption
          Results help security teams understand when ASR rules are most likely to impact business operations.
        Settings:
          Target: Defender
          Template: |-
            DeviceEvents
            | where tolower(ActionType) startswith "asr"
            | where Timestamp > ago(30d) // Defender advanced hunting uses Timestamp; TimeGenerated exists only in Sentinel
            // Friendly rule names; unmapped action types fall through to the raw ActionType value
            | extend RuleName = case(
                ActionType == "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes",
                ActionType == "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content",
                ActionType == "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes",
                ActionType == "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription",
                ActionType == "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes",
                ActionType == "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes",
                ActionType == "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros",
                ActionType == "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
                ActionType == "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB",
                ActionType == "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail",
                ActionType == "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
                ActionType == "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript or VBScript from launching downloaded executable content",
                ActionType == "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware",
                ActionType == "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands",
                ActionType == "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)",
                ActionType == "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers",
                ActionType == "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)",
                ActionType == "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers",
                ActionType)
            // Timestamp is UTC; shift it first if business hours must be evaluated in local time
            | extend HourOfDay = toint(datetime_part("hour", Timestamp))
            | extend DayOfWeek = toint(dayofweek(Timestamp) / 1d) // dayofweek() returns a timespan: 0 = Sunday ... 6 = Saturday
            | extend IsBusinessHours = HourOfDay >= 9 and HourOfDay <= 17 and DayOfWeek >= 1 and DayOfWeek <= 5 // Mon-Fri, 09:00-17:59
            | summarize BusinessHoursTriggers = countif(IsBusinessHours == true),
                        NonBusinessHoursTriggers = countif(IsBusinessHours == false) by RuleName, ActionType
            | extend TotalTriggers = BusinessHoursTriggers + NonBusinessHoursTriggers
            | where TotalTriggers > 0
            | extend BusinessImpactRatio = round((1.0 * BusinessHoursTriggers) / TotalTriggers, 2)
            | order by BusinessImpactRatio desc, BusinessHoursTriggers desc
      - Name: ASRImplementationPlan
        DisplayName: ASR Implementation Phasing Plan
        DescriptionForModel: |-
          Executes a KQL query against DeviceEvents to create a phased implementation plan for ASR rules. This skill:
          1. **Calculates Impact Scores**: Combines trigger count, device count, and user count
          2. **Creates Phased Approach**: Groups rules into low, medium, and high impact phases
          3. **Supports Gradual Rollout**: Helps security teams implement ASR rules in a controlled manner
          This skill is essential for planning a staged approach to ASR rule enforcement.
        Description: |-
          Creates a phased implementation plan for ASR rules based on impact assessment.
          Key insights include:
          - **Impact Assessment**:
            • Combined impact score calculation
            • Rule categorization by impact level
          - **Implementation Strategy**:
            • Three-phase implementation approach
            • Start with low-impact rules and gradually enforce higher-impact rules
          Results provide security teams with a structured approach to implementing ASR rules in enforcement mode.
        Settings:
          Target: Defender
          Template: |-
            // Get rule trigger counts
            let ruleTriggers = DeviceEvents
            | where tolower(ActionType) startswith "asr"
            | where Timestamp > ago(30d) // Defender advanced hunting uses Timestamp; TimeGenerated exists only in Sentinel
            // Friendly rule names; unmapped action types fall through to the raw ActionType value
            | extend RuleName = case(
                ActionType == "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes",
                ActionType == "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content",
                ActionType == "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes",
                ActionType == "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription",
                ActionType == "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes",
                ActionType == "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes",
                ActionType == "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros",
                ActionType == "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority
subsystem (lsass.exe)", ActionType == "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB", ActionType == "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail", ActionType == "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", ActionType == "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript or VBScript from launching downloaded executable content", ActionType == "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts", ActionType == "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware", ActionType == "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands", ActionType == "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)", ActionType == "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers", ActionType == "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)", ActionType == "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers", ActionType ) | summarize TriggerCount = count() by RuleName, ActionType; // Get device counts per rule let deviceCounts = DeviceEvents | where tolower(ActionType) startswith "asr" | where TimeGenerated > ago(30d) | summarize DeviceCount = dcount(DeviceName) by ActionType; // Get user counts per rule let userCounts = DeviceEvents | where tolower(ActionType) startswith "asr" | where TimeGenerated > ago(30d) | summarize UserCount = dcount(AccountName) by ActionType; // Get max values for normalization let maxTriggerCount = toscalar(ruleTriggers | 
summarize max(TriggerCount)); let maxDeviceCount = toscalar(deviceCounts | summarize max(DeviceCount)); let maxUserCount = toscalar(userCounts | summarize max(UserCount)); let ruleCount = toscalar(ruleTriggers | summarize count()); // Join the data and calculate normalized impact scores ruleTriggers | join kind=leftouter deviceCounts on ActionType | join kind=leftouter userCounts on ActionType // Normalize each metric to a 0-1 scale | extend NormalizedTriggers = 1.0 * TriggerCount / maxTriggerCount | extend NormalizedDevices = 1.0 * DeviceCount / maxDeviceCount | extend NormalizedUsers = 1.0 * UserCount / maxUserCount // Apply weights to each factor (can be adjusted based on organizational priorities) | extend NormalizedImpactScore = (0.4 * NormalizedTriggers) + (0.3 * NormalizedDevices) + (0.3 * NormalizedUsers) | sort by NormalizedImpactScore asc | extend RowNum = row_number() | extend ImplementationPhase = case( RowNum <= (ruleCount / 3), "Phase 1 (Low Impact)", RowNum <= (ruleCount * 2 / 3), "Phase 2 (Medium Impact)", "Phase 3 (High Impact)" ) | project RuleName, ActionType, TriggerCount, DeviceCount, UserCount, NormalizedImpactScore, ImplementationPhase | sort by NormalizedImpactScore asc - Name: ASRPlatformCompatibility DisplayName: ASR Rule Platform Compatibility Analysis DescriptionForModel: |- Executes a KQL query against DeviceEvents to analyze ASR rule compatibility with different Windows platforms. This skill: 1. **Maps Platform Compatibility**: Shows which ASR rules are supported on which platforms 2. **Identifies Platform-Specific Issues**: Highlights rules that may not be compatible with certain platforms 3. **Enables Targeted Deployment**: Helps plan ASR rule enforcement based on platform distribution This skill is valuable for organizations with mixed Windows environments to understand compatibility constraints. Description: |- Analyzes ASR rule compatibility with different Windows platforms. 
Key insights include: - **Platform Compatibility Matrix**: • Shows which ASR rules are supported on which platforms • Identifies platform-specific compatibility issues - **Deployment Planning**: • Helps create platform-specific ASR policies • Prevents attempted enforcement of unsupported rules Results enable security teams to plan appropriate ASR policies for their specific Windows environment mix. Settings: Target: Defender Template: |- let actionTypeToRuleName = datatable(ActionTypePattern:string, RuleName:string) [ // Standard rule names "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes", "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content", "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes", "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription", "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes", "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts", "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes", "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros", "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB", "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail", "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript 
or VBScript from launching downloaded executable content", "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts", "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware", "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands", "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)", "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers", "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)", "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers", // Additional patterns for actual event log formats "AsrPsexecWmiChildProcessBlocked", "Block process creations originating from PSExec and WMI commands", "AsrPsexecWmiChildProcessAudited", "Block process creations originating from PSExec and WMI commands", "AsrLsassCredentialTheftBlocked", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", "AsrLsassCredentialTheftAudited", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", "AsrOfficeChildProcessBlocked", "Block all Office applications from creating child processes", "AsrOfficeChildProcessAudited", "Block all Office applications from creating child processes", "AsrOfficeProcessInjectionBlocked", "Block Office applications from injecting code into other processes", "AsrOfficeProcessInjectionAudited", "Block Office applications from injecting code into other processes", "AsrOfficeMacroWin32ApiCallsBlocked", "Block Win32 API calls from Office macros", "AsrOfficeMacroWin32ApiCallsAudited", "Block Win32 API calls from Office macros", "AsrScriptObfuscatedMshtmlContentBlocked", "Block execution of potentially obfuscated scripts", "AsrScriptObfuscatedMshtmlContentAudited", 
"Block execution of potentially obfuscated scripts", "AsrOfficeExecutableContentCreationBlocked", "Block Office applications from creating executable content", "AsrOfficeExecutableContentCreationAudited", "Block Office applications from creating executable content", "AsrPersistenceThroughWmiEventSubscriptionAudited", "Block persistence through WMI event subscription", "AsrPersistenceThroughWmiEventSubscriptionBlocked", "Block persistence through WMI event subscription", "AsrOfficeCommunicationChildProcessBlocked", "Block Office communication application from creating child processes", "AsrOfficeCommunicationChildProcessAudited", "Block Office communication application from creating child processes", "AsrAdobeReaderChildProcessBlocked", "Block Adobe Reader from creating child processes", "AsrAdobeReaderChildProcessAudited", "Block Adobe Reader from creating child processes", "AsrRansomwareBlocked", "Use advanced protection against ransomware", "AsrRansomwareAudited", "Use advanced protection against ransomware", "AsrUntrustedExecutableBlocked", "Block untrusted and unsigned processes that run from USB", "AsrUntrustedExecutableAudited", "Block untrusted and unsigned processes that run from USB", "AsrJsVbsLaunchExecutableContentBlocked", "Block JavaScript or VBScript from launching downloaded executable content", "AsrJsVbsLaunchExecutableContentAudited", "Block JavaScript or VBScript from launching downloaded executable content", "AsrEmailContentExecutionBlocked", "Block executable content from email client and webmail", "AsrEmailContentExecutionAudited", "Block executable content from email client and webmail", "AsrExecutableFilesDroppedFromEmailBlocked", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", "AsrExecutableFilesDroppedFromEmailAudited", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", "AsrVulnerableSignedDriverBlocked", "Block abuse of exploited 
vulnerable signed drivers", "AsrVulnerableSignedDriverAudited", "Block abuse of exploited vulnerable signed drivers", "AsrImitationSystemToolsBlocked", "Block use of copied or impersonated system tools (preview)", "AsrImitationSystemToolsAudited", "Block use of copied or impersonated system tools (preview)", "AsrWebShellCreationBlocked", "Block Webshell creation for Servers", "AsrWebShellCreationAudited", "Block Webshell creation for Servers", "AsrSafeModeRebootBlocked", "Block rebooting machine in Safe Mode (preview)", "AsrSafeModeRebootAudited", "Block rebooting machine in Safe Mode (preview)" ]; // Create the platform compatibility reference table let rulePlatformCompatibility = datatable(RuleName:string, Win10_11:bool, ServerPost1803:bool, Server2016:bool) [ "Block abuse of exploited vulnerable signed drivers", true, true, true, "Block Adobe Reader from creating child processes", true, true, true, "Block all Office applications from creating child processes", true, true, true, "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", true, true, true, "Block executable content from email client and webmail", true, true, true, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", true, true, true, "Block execution of potentially obfuscated scripts", true, true, true, "Block JavaScript or VBScript from launching downloaded executable content", true, true, false, "Block Office applications from creating executable content", true, true, true, "Block Office applications from injecting code into other processes", true, true, true, "Block Office communication application from creating child processes", true, true, true, "Block persistence through WMI event subscription", true, true, false, "Block process creations originating from PSExec and WMI commands", true, true, true, "Block rebooting machine in Safe Mode (preview)", true, true, true, "Block untrusted and unsigned processes that 
run from USB", true, true, true, "Block use of copied or impersonated system tools (preview)", true, true, true, "Block Webshell creation for Servers", false, true, true, "Block Win32 API calls from Office macros", true, false, false, "Use advanced protection against ransomware", true, true, true ]; // Get rule trigger counts with improved pattern matching let deviceTriggers = DeviceEvents | where tolower(ActionType) startswith "asr" | where TimeGenerated > ago(30d) | extend MatchedPattern = ActionType | join kind=leftouter actionTypeToRuleName on $left.ActionType == $right.ActionTypePattern | extend RuleName = iif(isnotempty(RuleName), RuleName, strcat("Unknown Rule: ", ActionType)) | summarize TriggerCount = count() by RuleName, MatchedPattern; // Join rule triggers with platform compatibility information deviceTriggers | join kind=leftouter rulePlatformCompatibility on RuleName | project RuleName, MatchedPattern, TriggerCount, Windows10_11_Compatible = iff(isnotempty(Win10_11) and Win10_11, "Supported", "Not Supported"), ServerPost1803_Compatible = iff(isnotempty(ServerPost1803) and ServerPost1803, "Supported", "Not Supported"), Server2016_Compatible = iff(isnotempty(Server2016) and Server2016, "Supported", "Not Supported") | order by RuleName asc - Name: ASRImpactByDevice DisplayName: ASR Rule Impact Analysis by Device DescriptionForModel: |- Executes a KQL query against DeviceEvents to analyze ASR rule impact by device. This skill: 1. **Identifies Affected Devices**: Counts ASR rule triggers per device 2. **Highlights High-Impact Endpoints**: Finds devices triggering ASR rules frequently 3. **Enables Targeted Testing**: Helps security teams isolate test groups before full ASR enforcement This skill is useful for prioritizing devices that need evaluation before ASR rules are enforced. Description: |- Analyzes ASR rule triggers per device to determine operational impact. 
Key insights include: - **Device-Level ASR Analysis**: • Number of ASR rule triggers per device • Most frequently triggered ASR rules - **Risk & Readiness Considerations**: • Identifies endpoints at risk of breaking functionality • Helps security teams plan phased ASR rule enforcement Results allow teams to pinpoint which devices should be monitored closely when enabling ASR rules. Settings: Target: Defender Template: |- DeviceEvents | where tolower(ActionType) startswith "asr" | where TimeGenerated > ago(30d) | extend RuleName = case( ActionType == "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes", ActionType == "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content", ActionType == "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes", ActionType == "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription", ActionType == "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes", ActionType == "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts", ActionType == "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes", ActionType == "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros", ActionType == "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", ActionType == "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB", ActionType == "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail", ActionType == "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable files from 
running unless they meet a prevalence, age, or trusted list criterion", ActionType == "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript or VBScript from launching downloaded executable content", ActionType == "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts", ActionType == "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware", ActionType == "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands", ActionType == "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)", ActionType == "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers", ActionType == "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)", ActionType == "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers", ActionType ) | summarize TriggerCount = count() by DeviceName, RuleName, ActionType | order by TriggerCount desc - Name: ASRRuleTrends DisplayName: ASR Rule Trends Over Time DescriptionForModel: |- Executes a KQL query against DeviceEvents to track ASR rule triggers over time. This skill: 1. **Monitors ASR Rule Trends**: Aggregates ASR rule triggers per day 2. **Identifies Changes in Attack Patterns**: Helps detect increasing or decreasing ASR activity 3. **Supports Security Policy Decisions**: Provides data to guide ASR rule enforcement strategies This skill helps security teams analyze ASR rule activity over time to fine-tune security policies. Description: |- Tracks how ASR rules are triggered over time. 
Evaluates: - **Trend Analysis**: • Daily ASR rule trigger counts • Breakdown by ASR rule type - **Security Policy Insights**: • Helps assess whether ASR rules are becoming more or less impactful • Supports data-driven enforcement decisions Results enable security teams to monitor and adjust ASR rule implementations based on observed trends. Settings: Target: Defender Template: |- DeviceEvents | where tolower(ActionType) startswith "asr" | extend RuleName = case( ActionType == "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes", ActionType == "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content", ActionType == "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes", ActionType == "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription", ActionType == "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes", ActionType == "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts", ActionType == "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes", ActionType == "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros", ActionType == "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", ActionType == "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB", ActionType == "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail", ActionType == "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", 
ActionType == "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript or VBScript from launching downloaded executable content", ActionType == "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts", ActionType == "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware", ActionType == "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands", ActionType == "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)", ActionType == "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers", ActionType == "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)", ActionType == "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers", ActionType ) | summarize TriggerCount = count() by bin(TimeGenerated, 1d), RuleName | order by TimeGenerated desc - Name: ASRRuleApplicationMapping DisplayName: ASR Rule to Application Mapping DescriptionForModel: |- Executes a KQL query against DeviceEvents to map ASR rules to specific applications. This skill: 1. **Maps Rules to Applications**: Identifies which applications trigger specific ASR rules 2. **Assesses Business Impact**: Helps identify critical business applications affected by ASR rules 3. **Supports Exclusion Planning**: Provides data for creating targeted exclusions This skill is essential for understanding which business applications might be affected when enforcing ASR rules. Description: |- Maps ASR rules to specific applications to understand business impact. 
Key insights include: - **Application Impact Analysis**: • Which applications trigger specific ASR rules • Frequency of triggers per application - **Business Continuity Planning**: • Identifies critical applications that may require exclusions • Helps prioritize testing before enforcement Results allow security teams to develop targeted exclusion strategies for business-critical applications. Settings: Target: Defender Template: |- DeviceEvents | where tolower(ActionType) startswith "asr" | where TimeGenerated > ago(30d) | extend RuleName = case( ActionType == "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes", ActionType == "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content", ActionType == "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes", ActionType == "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription", ActionType == "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes", ActionType == "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts", ActionType == "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes", ActionType == "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros", ActionType == "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", ActionType == "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB", ActionType == "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail", ActionType == "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable 
files from running unless they meet a prevalence, age, or trusted list criterion", ActionType == "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript or VBScript from launching downloaded executable content", ActionType == "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts", ActionType == "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware", ActionType == "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands", ActionType == "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)", ActionType == "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers", ActionType == "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)", ActionType == "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers", ActionType ) | summarize TriggerCount = count() by RuleName, InitiatingProcessFileName, InitiatingProcessFolderPath | order by RuleName, TriggerCount desc - Name: ASRUserImpactAnalysis DisplayName: ASR Rule Impact Analysis by User DescriptionForModel: |- Executes a KQL query against DeviceEvents to analyze ASR rule impact by user. This skill: 1. **Identifies Affected Users**: Counts ASR rule triggers per user account 2. **Highlights High-Impact Users/Departments**: Finds users triggering ASR rules frequently 3. **Enables User-Centric Planning**: Helps security teams plan user communication and training This skill is useful for identifying which users or departments will be most affected by ASR enforcement. Description: |- Analyzes ASR rule triggers by user to determine operational impact. 
          Key insights include:
          - **User-Level ASR Analysis**:
            • Number of ASR rule triggers per user
            • User distribution across rules
          - **Organizational Impact Considerations**:
            • Identifies the accounts (and, through AccountDomain, the teams) whose workflows would be disrupted by enforcement
            • Helps plan targeted user communication before enforcement
          Results allow teams to identify key stakeholders who should be involved in ASR testing and rollout.
        Settings:
          Target: Defender
          Template: |-
            DeviceEvents
            | where tolower(ActionType) startswith "asr"
            | where TimeGenerated > ago(30d)
            | extend RuleName = case(
                ActionType == "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes",
                ActionType == "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content",
                ActionType == "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes",
                ActionType == "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription",
                ActionType == "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes",
                ActionType == "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes",
                ActionType == "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros",
                ActionType == "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
                ActionType == "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB",
                ActionType == "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail",
                ActionType == "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
                ActionType == "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript or VBScript from launching downloaded executable content",
                ActionType == "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware",
                ActionType == "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands",
                ActionType == "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)",
                ActionType == "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers",
                ActionType == "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)",
                ActionType == "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers",
                ActionType)
            | summarize TriggerCount = count() by AccountName, AccountDomain, RuleName
            | order by TriggerCount desc
      - Name: ASRExclusionCandidates
        DisplayName: ASR Rule Exclusion Candidates
        DescriptionForModel: |-
          Executes a KQL query against DeviceEvents to identify potential candidates for ASR rule exclusions. This skill:
          1. **Identifies Common Triggers**: Finds files and paths frequently triggering ASR rules
          2. **Formulates Exclusion Paths**: Creates ready-to-use exclusion path formats (FolderPath\FileName)
          3. **Prioritizes Exclusions**: Ranks exclusion candidates by frequency
          This skill helps security teams create targeted exclusions to minimize business disruption when enforcing ASR rules.
        Description: |-
          Identifies potential candidates for ASR rule exclusions based on trigger frequency.
          Only file/path combinations that triggered a rule more than 10 times in the last 30 days are returned; ExclusionPath is populated only when both FolderPath and FileName are present.
          Insights include:
          - **Exclusion Planning**:
            • Files and paths frequently triggering ASR rules
            • Ready-to-use exclusion path formats
          - **Business Continuity Support**:
            • Helps create targeted exclusions for legitimate business applications
            • Minimizes disruption when moving to enforcement mode
          Results allow security teams to proactively plan exclusions before enforcing ASR rules. Frequency alone does not establish that a trigger is benign; confirm the initiating process and its device/user scope (see the ASR Rule Process Trigger Analysis skill) before adding an exclusion.
        Settings:
          Target: Defender
          Template: |-
            DeviceEvents
            | where tolower(ActionType) startswith "asr"
            | where TimeGenerated > ago(30d)
            | extend RuleName = case(
                ActionType == "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes",
                ActionType == "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content",
                ActionType == "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes",
                ActionType == "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription",
                ActionType == "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes",
                ActionType == "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes",
                ActionType == "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros",
                ActionType == "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
                ActionType == "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB",
                ActionType == "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail",
                ActionType == "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
                ActionType == "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript or VBScript from launching downloaded executable content",
                ActionType == "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware",
                ActionType == "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands",
                ActionType == "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)",
                ActionType == "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers",
                ActionType == "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)",
                ActionType == "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers",
                ActionType)
            | summarize TriggerCount = count() by RuleName, ActionType, FileName, FolderPath
            | where TriggerCount > 10
            | extend ExclusionPath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, "\\", FileName), "")
            | order by TriggerCount desc
      - Name: ASRProcessAnalysis
        DisplayName: ASR Rule Process Trigger Analysis
        DescriptionForModel: |-
          Executes a KQL query against DeviceEvents to analyze which processes are triggering ASR rules. This skill:
          1. **Identifies Specific Processes**: Examines initiating process details (file name, folder path, command line) for each ASR rule
          2. **Quantifies Process Impact**: Shows how many devices and users are affected by each process
          3. **Tracks Timing Patterns**: Records when each process first and last triggered a rule
          This skill helps security teams determine whether ASR triggers come from legitimate or suspicious processes.
        Description: |-
          Analyzes which specific processes are triggering ASR rules to determine if exclusions are needed.
          Key insights include:
          - **Process-Level Analysis**:
            • Detailed information on process paths, file names, and command lines
            • Frequency analysis of process triggers per ASR rule
          - **Context for Decision-Making**:
            • Timeline data showing first and last occurrences
            • Device and user scope for each process trigger pattern (distinct counts plus a sample of up to 5 names each)
          Results help security teams distinguish between legitimate software needing exclusions (many devices and users, recurring over time) and potentially malicious activity (high trigger counts confined to a few devices or a short burst).
        Settings:
          Target: Defender
          Template: |-
            DeviceEvents
            | where tolower(ActionType) startswith "asr"
            | where TimeGenerated > ago(30d)
            | extend RuleName = case(
                ActionType == "AsrRuleBlockOfficeChildProcessCreation", "Block all Office applications from creating child processes",
                ActionType == "AsrRuleBlockOfficeExeContentExecution", "Block Office applications from creating executable content",
                ActionType == "AsrRuleBlockOfficeMacroChildProcesses", "Block Office applications from injecting code into other processes",
                ActionType == "AsrRuleBlockPersistenceThroughWmiEventSubscription", "Block persistence through WMI event subscription",
                ActionType == "AsrRuleBlockAdobeReaderChildProcess", "Block Adobe Reader from creating child processes",
                ActionType == "AsrRuleBlockObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleBlockOfficeCommsChildProcess", "Block Office communication application from creating child processes",
                ActionType == "AsrRuleBlockWin32ApiCallsFromOfficeMacros", "Block Win32 API calls from Office macros",
                ActionType == "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
                ActionType == "AsrRuleBlockUntrustedUnsignedProcessThatRunFromUsb", "Block untrusted and unsigned processes that run from USB",
                ActionType == "AsrRuleBlockExecutableContentFromEmailClientAndWebmail", "Block executable content from email client and webmail",
                ActionType == "AsrRuleBlockExecutableFilesRunningUnlessMeetCriteria", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
                ActionType == "AsrRuleBlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Block JavaScript or VBScript from launching downloaded executable content",
                ActionType == "AsrRuleBlockExecutionOfPotentiallyObfuscatedScripts", "Block execution of potentially obfuscated scripts",
                ActionType == "AsrRuleUseAdvancedProtectionAgainstRansomware", "Use advanced protection against ransomware",
                ActionType == "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "Block process creations originating from PSExec and WMI commands",
                ActionType == "AsrRuleBlockRebootingMachineInSafeMode", "Block rebooting machine in Safe Mode (preview)",
                ActionType == "AsrRuleBlockAbuseOfExploitedVulnerableSignedDrivers", "Block abuse of exploited vulnerable signed drivers",
                ActionType == "AsrRuleBlockUseOfCopiedOrImpersonatedSystemTools", "Block use of copied or impersonated system tools (preview)",
                ActionType == "AsrRuleBlockWebshellCreationForServers", "Block Webshell creation for Servers",
                ActionType)
            | summarize TriggerCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                        DeviceCount = dcount(DeviceName), UserCount = dcount(AccountName),
                        DeviceList = make_set(DeviceName, 5), UserList = make_set(AccountName, 5)
              by RuleName, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
            | order by RuleName asc, TriggerCount desc
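The two skills above (ASRExclusionCandidates and ASRProcessAnalysis) only run inside a Defender or Sentinel tenant, so the grouping, threshold and exclusion-path logic cannot be checked offline. The following is an added example, not part of the DeviceEnrichment.yaml plugin: a Python model of both queries run over constructed DeviceEvents-style rows. The rule-name mapping is a subset of the plugin's own case() table; the sample telemetry, the fixed reference time `NOW`, the `ContosoERP.exe` / `svchost32.exe` paths, and the `narrow_scope` triage heuristic are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Subset of the plugin's case() mapping; unknown types fall through to the raw
# ActionType, as the KQL default branch does.
ASR_RULE_NAMES = {
    "AsrRuleBlockOfficeChildProcessCreation":
        "Block all Office applications from creating child processes",
    "AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem":
        "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
    "AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands":
        "Block process creations originating from PSExec and WMI commands",
}
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)  # assumed reference point for ago(30d)

def rule_name(action_type):
    return ASR_RULE_NAMES.get(action_type, action_type)

def exclusion_path(folder_path, file_name):
    """Mirror iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(...), ""),
    but do not double the separator when FolderPath already ends in a backslash."""
    if not folder_path or not file_name:
        return ""
    return folder_path.rstrip("\\") + "\\" + file_name

def in_window(events, now=NOW, window=timedelta(days=30)):
    """where tolower(ActionType) startswith "asr" | where TimeGenerated > ago(30d)"""
    return [e for e in events
            if e["ActionType"].lower().startswith("asr") and e["TimeGenerated"] > now - window]

def exclusion_candidates(events, min_triggers=10, now=NOW):
    """ASRExclusionCandidates: count by (RuleName, ActionType, FileName, FolderPath),
    keep TriggerCount > min_triggers, attach ExclusionPath, order by count desc."""
    counts = defaultdict(int)
    for e in in_window(events, now):
        counts[(rule_name(e["ActionType"]), e["ActionType"], e["FileName"], e["FolderPath"])] += 1
    rows = [{"RuleName": r, "ActionType": a, "FileName": f, "FolderPath": p,
             "TriggerCount": n, "ExclusionPath": exclusion_path(p, f)}
            for (r, a, f, p), n in counts.items() if n > min_triggers]
    return sorted(rows, key=lambda r: r["TriggerCount"], reverse=True)

def process_analysis(events, now=NOW, list_size=5):
    """ASRProcessAnalysis: per initiating process, trigger count, first/last seen,
    distinct device/user counts and a capped sample list (make_set(x, 5))."""
    groups = defaultdict(list)
    for e in in_window(events, now):
        groups[(rule_name(e["ActionType"]), e["ActionType"], e["InitiatingProcessFileName"],
                e["InitiatingProcessFolderPath"], e["InitiatingProcessCommandLine"])].append(e)
    rows = []
    for (r, a, f, p, c), es in groups.items():
        devices = sorted({e["DeviceName"] for e in es})  # make_set() order is not
        users = sorted({e["AccountName"] for e in es})   # guaranteed in KQL; sorted here
        rows.append({"RuleName": r, "ActionType": a, "InitiatingProcessFileName": f,
                     "InitiatingProcessFolderPath": p, "InitiatingProcessCommandLine": c,
                     "TriggerCount": len(es),
                     "FirstSeen": min(e["TimeGenerated"] for e in es),
                     "LastSeen": max(e["TimeGenerated"] for e in es),
                     "DeviceCount": len(devices), "UserCount": len(users),
                     "DeviceList": devices[:list_size], "UserList": users[:list_size]})
    return sorted(rows, key=lambda r: (r["RuleName"], -r["TriggerCount"]))

def narrow_scope(row, min_devices=3):
    """Added triage heuristic (not in the plugin): a high trigger count confined to
    very few devices is a pattern to investigate, not to exclude."""
    return row["TriggerCount"] > 10 and row["DeviceCount"] < min_devices

def _event(action, file, folder, iproc, ifolder, cmd, device, user, when):
    return {"ActionType": action, "FileName": file, "FolderPath": folder,
            "InitiatingProcessFileName": iproc, "InitiatingProcessFolderPath": ifolder,
            "InitiatingProcessCommandLine": cmd, "DeviceName": device,
            "AccountName": user, "TimeGenerated": when}

# Constructed sample telemetry (not real data), three patterns:
SAMPLE = []
# 1) Word launching a line-of-business tool on 12 devices/users over 12 days:
#    broad and recurring -> plausible exclusion candidate.
for i in range(24):
    SAMPLE.append(_event("AsrRuleBlockOfficeChildProcessCreation", "ContosoERP.exe",
                         "C:\\Program Files\\Contoso ERP\\", "WINWORD.EXE",
                         "C:\\Program Files\\Microsoft Office\\root\\Office16", "WINWORD.EXE /n",
                         f"WS-{i % 12:02d}", f"user{i % 12:02d}",
                         NOW - timedelta(days=i % 12, hours=i)))
# 2) Fifteen LSASS credential-theft blocks from one binary in C:\Users\Public on one
#    device within a quarter hour: above threshold but narrow -> investigate, do not exclude.
for i in range(15):
    SAMPLE.append(_event("AsrRuleBlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem",
                         "lsass.exe", "C:\\Windows\\System32", "svchost32.exe",
                         "C:\\Users\\Public", "svchost32.exe -d", "WS-07", "user07",
                         NOW - timedelta(minutes=i)))
# 3) PsExec events: five older than 30 days (dropped) and three recent (below threshold).
for i in range(8):
    SAMPLE.append(_event("AsrRuleBlockProcessCreationsFromPsexecAndWmiCommands", "cmd.exe",
                         "C:\\Windows\\System32", "PSEXESVC.exe", "C:\\Windows", "PSEXESVC.exe",
                         "SRV-01", "admin", NOW - timedelta(days=45 if i < 5 else 1)))

if __name__ == "__main__":
    for row in exclusion_candidates(SAMPLE):
        print(row["TriggerCount"], row["RuleName"], "->", row["ExclusionPath"])
    for row in process_analysis(SAMPLE):
        print(row["InitiatingProcessFileName"], row["TriggerCount"], row["DeviceCount"],
              "NARROW" if narrow_scope(row) else "broad")
```

Running it shows why the two skills belong together: both the Office add-in and the LSASS pattern clear the `TriggerCount > 10` bar and get a ready-made ExclusionPath, but only the process view reveals that the second one is fifteen blocks from a single device in fourteen minutes, which is the opposite of an exclusion candidate. The `rstrip` in `exclusion_path` is the one deliberate divergence from the KQL, which would emit a doubled backslash when FolderPath already ends in one.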