Analytics Story: Windows Attack Surface Reduction

This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.

This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Windows Event Log Defender 1121 Windows icon Windows xmlwineventlog WinEventLog:Microsoft-Windows-Windows Defender/Operational
Windows Event Log Defender 1122 Windows icon Windows xmlwineventlog WinEventLog:Microsoft-Windows-Windows Defender/Operational
Windows Event Log Defender 1125 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Defender 1126 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Defender 1129 Windows icon Windows xmlwineventlog WinEventLog:Microsoft-Windows-Windows Defender/Operational
Windows Event Log Defender 1131 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Defender 1132 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Defender 1133 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Defender 1134 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Defender 5007 Windows icon Windows xmlwineventlog WinEventLog:Microsoft-Windows-Windows Defender/Operational

Source: GitHub | Version: 1