Detection rules › Splunk
Windows Defender ASR Audit Events
This detection searches for Windows Defender Attack Surface Reduction (ASR) audit events. ASR is a feature of Windows Defender Exploit Guard that blocks actions and applications commonly used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications; when a process or application attempts an action that an ASR rule blocks, an event is generated. In audit mode the action is allowed to proceed, but an audit event still records that the rule would have blocked it. This detection searches for those audit events.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566.001 Phishing: Spearphishing Attachment, T1566.002 Phishing: Spearphishing Link |
| Execution | T1059 Command and Scripting Interpreter |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Windows-Defender | 1122 | |
| Windows-Defender | 1125 | |
| Windows-Defender | 1126 | |
| Windows-Defender | 1132 | |
| Windows-Defender | 1134 | |
Stages and Predicates
Stage 1: search
search EventCode IN (1122, 1125, 1126, 1132, 1134)
Stage 2: stats
stats BY host, Process_Name, Target_Commandline, Path, ID, EventCode
Stage 3: lookup
lookup <lookup> ASR_Rule, ID
Stage 4: fillnull
fillnull
Stage 5: search
search
Stage 6: search
search
Stage 7: rename
rename
Stage 8: search
search `macro`
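The pipeline above, modelled in Python as an added example (not the catalog's SPL and not Microsoft's code). Only stages 1 to 4 are modelled, since stages 5 to 8 are empty on this page; the events and the stand-in for the unnamed `<lookup>` file are constructed samples, and the rule GUIDs in it are placeholders, not real ASR rule IDs.

```python
from collections import Counter

# Event IDs the rule's stage 1 keys on (Windows Defender operational log).
ASR_EVENT_CODES = {1122, 1125, 1126, 1132, 1134}
# Fields the rule's stage 2 groups on.
GROUP_FIELDS = ("host", "Process_Name", "Target_Commandline", "Path", "ID", "EventCode")

# Constructed stand-in for the <lookup> file: rule GUID -> ASR_Rule name.
# Placeholder GUIDs, not Microsoft's published ASR rule IDs.
ASR_RULE_LOOKUP = {
    "aaaaaaaa-0000-0000-0000-000000000001": "Office child process (placeholder rule)",
    "aaaaaaaa-0000-0000-0000-000000000002": "Email executable content (placeholder rule)",
}

# Constructed sample events. The 5007 record is a settings change and must be dropped.
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 1122, "Process_Name": "WINWORD.EXE",
     "Target_Commandline": "cmd.exe /c dir", "Path": "C:\\Office\\WINWORD.EXE",
     "ID": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"host": "ws01", "EventCode": 1122, "Process_Name": "WINWORD.EXE",
     "Target_Commandline": "cmd.exe /c dir", "Path": "C:\\Office\\WINWORD.EXE",
     "ID": "aaaaaaaa-0000-0000-0000-000000000001"},   # duplicate -> count 2
    {"host": "ws02", "EventCode": 1132, "Process_Name": "notes.exe",
     "Path": "C:\\Tools\\notes.exe"},                  # CFA audit: no Target_Commandline or ID
    {"host": "ws02", "EventCode": 5007, "Process_Name": "MpCmdRun.exe"},
]

def search(events):
    """Stage 1: keep only the audit-class event IDs the rule covers."""
    return [e for e in events if e.get("EventCode") in ASR_EVENT_CODES]

def stats(events):
    """Stage 2: count BY the group fields; one row per distinct field tuple."""
    counts = Counter(tuple(e.get(f) for f in GROUP_FIELDS) for e in events)
    return [dict(zip(GROUP_FIELDS, key), count=n) for key, n in counts.items()]

def lookup(rows):
    """Stage 3: enrich each row with ASR_Rule by joining ID against the lookup."""
    return [dict(r, ASR_Rule=ASR_RULE_LOOKUP.get(r["ID"])) for r in rows]

def fillnull(rows, value="null"):
    """Stage 4: replace missing values so later search stages can match on them."""
    return [{k: (value if v is None else v) for k, v in r.items()} for r in rows]

def run_pipeline(events):
    """Stages 1-4 in order, returning the enriched, null-filled rows."""
    return fillnull(lookup(stats(search(events))))
```

Rows whose ID has no lookup match keep `ASR_Rule = "null"`, which is why the catalog's later search stages can filter on that value.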
Indicators
Each row is a field, operator, and value that the rule matches on. The corpus column counts how many other rules in the catalog look for the same combination: a high number points to a widely used, community-vetted indicator, while blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | in | 1122, 1125, 1126, 1132, 1134 |
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.