Update ExploitGuardBlockOfficeChildProcess.txt
This commit is contained in:
Parent
583361f083
Commit
8ff24d70e9
|
@ -5,7 +5,6 @@
|
|||
// You can use query #2 to measure the rule impact on your network in audit mode before turning it to block mode.
|
||||
// Query #1 is used after setting it to block mode - to analyze the block stats.
|
||||
// Tags: #ASR
|
||||
|
||||
//Query #1: block stats
|
||||
DeviceEvents
|
||||
| where ActionType == "AsrOfficeChildProcessBlocked" and Timestamp > ago(7d)
|
||||
|
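Review bot: `//Query #1: block stats` is the only comment in this block without a space after `//`; make it `// Query #1: block stats` to match every other comment line. The reporting window is also hard-coded inline as `Timestamp > ago(7d)` here, while query #2 below binds `let minTime = ago(7d);`; declaring `minTime` once at the top and using it in both queries would keep the two periods in step when someone changes one of them. Note too that this filter only counts `AsrOfficeChildProcessBlocked`, so devices still in audit mode contribute nothing to these stats, which is consistent with the comment that query #2 is the one to use before block mode is on, but worth saying next to the query itself.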
@ -13,6 +12,13 @@ DeviceEvents
|
|||
| summarize MachineCount=dcount(DeviceName), RuleHits=count() by BlockedProcess, ParentProcess
|
||||
| sort by MachineCount desc
|
||||
|
||||
// These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes
|
||||
// (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a)
|
||||
// Read more about it here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
|
||||
// Oftentimes organizations enable this rule in audit mode and check the results before setting block mode.
|
||||
// You can use query #2 to measure the rule impact on your network in audit mode before turning it to block mode.
|
||||
// Query #1 is used after setting it to block mode - to analyze the block stats.
|
||||
// Tags: #ASR
|
||||
// Query #2: investigate audit events - before turning the rule on in block mode
|
||||
let minTime = ago(7d);
|
||||
// Enrich the ExploitGuard events with column saying if there was a nearby Microsoft Defender for Endpoint alert or not.
|
||||
|
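Review bot: the header copied in before query #2 here and the same header in the second query set below now disagree on product naming: the enrichment comment in this hunk reads "nearby Microsoft Defender for Endpoint alert" while the corresponding line in the second copy reads "nearby Windows Defender ATP alert"; since both copies are being edited in this commit, settle on one name (Microsoft Defender for Endpoint is the current one). On the same line, "with column saying" should be "with a column saying". Two smaller points on the copied header: "from the Exploit Guard rule: Rule: Block Office applications..." repeats "rule: Rule:" and can lose one, and the "Read more" link uses the legacy docs.microsoft.com host, which still redirects but is worth refreshing while the header is being duplicated into two places.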
@ -43,7 +49,6 @@ DeviceEvents
|
|||
// You can use query #2 to measure the rule impact on your network in audit mode before turning it to block mode.
|
||||
// Query #1 is used after setting it to block mode - to analyze the block stats.
|
||||
// Tags: #ASR
|
||||
|
||||
//Query #1: block stats
|
||||
DeviceEvents
|
||||
| where ActionType == "AsrOfficeChildProcessBlocked" and Timestamp > ago(7d)
|
||||
|
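Review bot: the same two points as in the first query set apply here: `//Query #1: block stats` is missing the space after `//`, and the `ago(7d)` window is inline rather than shared with query #2's `let minTime = ago(7d);`. The visible lines of this query (`DeviceEvents`, the `where` on `AsrOfficeChildProcessBlocked`, the `summarize` by `BlockedProcess, ParentProcess`, the `sort`) are byte-for-byte identical to the first copy, so whichever fix is chosen should be applied to both copies so they do not drift further apart.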
@ -51,6 +56,13 @@ DeviceEvents
|
|||
| summarize MachineCount=dcount(DeviceName), RuleHits=count() by BlockedProcess, ParentProcess
|
||||
| sort by MachineCount desc
|
||||
|
||||
// These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes - MTP Schema
|
||||
// (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a)
|
||||
// Read more about it here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
|
||||
// Oftentimes organizations enable this rule in audit mode and check the results before setting block mode.
|
||||
// You can use query #2 to measure the rule impact on your network in audit mode before turning it to block mode.
|
||||
// Query #1 is used after setting it to block mode - to analyze the block stats.
|
||||
// Tags: #ASR
|
||||
// Query #2: investigate audit events - before turning the rule on in block mode
|
||||
let minTime = ago(7d);
|
||||
// Enrich the ExploitGuard events with column saying if there was a nearby Windows Defender ATP alert or not.
|
||||
|
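Review bot: the header copied in here labels this block "MTP Schema", but the query lines visible in both copies use the same `DeviceEvents` table and the same `DeviceName` and `Timestamp` columns, so the schema distinction the label implies is not reflected in the queries; either drop the suffix or check whether the first copy was meant to keep the older column names, in which case the two copies should actually differ. This copy's enrichment comment also reads "nearby Windows Defender ATP alert" where the first copy reads "nearby Microsoft Defender for Endpoint alert" (and both need "with a column saying"). Finally, after this commit `// Tags: #ASR` appears four times in one file, twice per copy; if anything indexes on the Tags line, keep it to one occurrence per query set.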