Clicking on the name of the query will bring you to the file for it in this git repo.
Or try them out right away in your M365 Security tenant:
Click on the '🔎' hotlink to plug the query straight into your Advanced Hunting query page.
- Lists each ASR rule with its GUID
- Counts the number of endpoints with audit hits for each rule
- Counts the number of endpoints with blocks for each rule
- Counts the total number of events for each rule
- Attack Surface Reduction (ASR) rules in Audit mode generate events that would be blocks in Block mode
- View ASR audit hits to build your exceptions before putting rules in block mode
- Shows individual process information for all audit hits of a single rule
- Top files triggering ASR rules, sorted by number of audit hits
- Each file is displayed with the rule it triggers
- Top ASR rules being triggered, sorted by number of audit hits
- Top users triggering ASR rules, sorted by number of audit hits
- Each user is displayed with the rule(s) they trigger, their job title, and device name