Detection rules › Splunk
Windows Defender ASR Block Events
This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566.001 Phishing: Spearphishing Attachment, T1566.002 Phishing: Spearphishing Link |
| Execution | T1059 Command and Scripting Interpreter |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Windows-Defender | 1121 | |
| Windows-Defender | 1126 | |
| Windows-Defender | 1129 | |
| Windows-Defender | 1131 | |
| Windows-Defender | 1133 |
Stages and Predicates
Stage 1: search
search EventCode IN (1121, 1126, 1129, 1131, 1133)
Stage 2: stats
stats BY host, Path, Parent_Commandline, Process_Name, ID, EventCode
Stage 3: lookup
lookup <lookup> ASR_Rule, ID
Stage 4: fillnull
fillnull
Stage 5: search
search
Stage 6: search
search
Stage 7: rename
rename
Stage 8: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | in |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.