CONTROLLED FOLDER ACCESS RULES
ControlledFolderAccess – All excluding Temp
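// Controlled Folder Access violations (both audit and block mode), reduced to the distinct
// full paths of the initiating processes, excluding any path containing "temp".
// Only the path is kept; add DeviceName / Timestamp before `distinct` when a hit needs attribution.
DeviceEvents
| where ActionType in ("ControlledFolderAccessViolationAudited","ControlledFolderAccessViolationBlocked")
// Trailing backslash so the later concatenation yields a well-formed path.
| extend FolderCustomized = strcat(InitiatingProcessFolderPath, "\\")
// `contains` is a case-insensitive substring match: besides \Temp\ this also drops
// folders such as "Template..." or "Temporary ..." — review what is excluded before
// treating the remaining list as the set of candidate exclusions.
| where FolderCustomized !contains "temp"
| extend FullName = strcat(FolderCustomized, InitiatingProcessFileName)
// `distinct` already projects only the listed column; the separate `project FullName` was redundant.
| distinct FullName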
ControlledFolderAccess – Only Temp
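// Controlled Folder Access violations (audit and block mode) whose initiating process
// ran from a path containing "temp" — the complement of the "All excluding Temp" list.
DeviceEvents
| where ActionType in ("ControlledFolderAccessViolationAudited","ControlledFolderAccessViolationBlocked")
// Trailing backslash so the later concatenation yields a well-formed path.
| extend FolderCustomized = strcat(InitiatingProcessFolderPath, "\\")
// Case-insensitive substring match: matches \Temp\ but also "Template..." / "Temporary ..." folders.
| where FolderCustomized contains "temp"
| extend FullName = strcat(FolderCustomized, InitiatingProcessFileName)
// `distinct` keeps only the listed columns, so no preceding `project` is needed.
| distinct FolderCustomized, FullName, InitiatingProcessFileName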
ATTACK SURFACE REDUCTION RULES
ASR – All Events
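// All Attack Surface Reduction events (audited and blocked), reduced to the distinct
// paths of the files the events were recorded for.
// FolderPath / FileName describe the file the event concerns; the process that triggered it
// is in InitiatingProcessFolderPath / InitiatingProcessFileName if that view is needed.
DeviceEvents
// `startswith` is case-insensitive, so this matches every ActionType in the Asr* family.
| where ActionType startswith "asr"
// Trailing backslash so the concatenation below yields a well-formed path.
| extend FolderCustomized = strcat(FolderPath, "\\")
| extend FullName = strcat(FolderCustomized, FileName)
// `distinct` keeps only the listed columns, so no preceding `project` is needed.
| distinct FolderCustomized, FullName, FileName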
ASR – All excluding InetCache
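// Attack Surface Reduction events (audited and blocked) as distinct file paths,
// excluding files under a browser cache folder ("INetCache").
DeviceEvents
// `startswith` is case-insensitive, so this matches every ActionType in the Asr* family.
| where ActionType startswith "asr"
// Trailing backslash so the concatenation below yields a well-formed path.
| extend FolderCustomized = strcat(FolderPath, "\\")
// Case-insensitive substring match on the folder path.
| where FolderCustomized !contains "INetCache"
| extend FullName = strcat(FolderCustomized, FileName)
// `distinct` already projects only FullName; the separate `project` step was redundant.
| distinct FullName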
ASR – Only INetCache
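// Attack Surface Reduction events (audited and blocked) for files under a browser cache
// folder ("INetCache") only — the complement of the "All excluding INetCache" list.
DeviceEvents
// `startswith` is case-insensitive, so this matches every ActionType in the Asr* family.
| where ActionType startswith "asr"
// Trailing backslash so the concatenation below yields a well-formed path.
| extend FolderCustomized = strcat(FolderPath, "\\")
// Case-insensitive substring match on the folder path.
| where FolderCustomized contains "INetCache"
| extend FullName = strcat(FolderCustomized, FileName)
// `distinct` keeps only the listed columns, so no preceding `project` is needed.
| distinct FolderCustomized, FullName, FileName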