Attack Surface Reduction Dashboard for Microsoft Sentinel

Before we start, my Microsoft Sentinel contributions have a new home on GitHub! I will gather all my Sentinel resources in one central repo called DCSecurityOperations. This is a sister project to my DCToolbox repo.

Today I’m happy to announce my new Attack Surface Reduction Dashboard. This dashboard helps you implement the ASR rules of Windows/Defender, and to monitor them over time. The dashboard can filter on rules in Audit mode and Block mode.

What You Can See In The Dashboard

Before showing you the data in your tenant, the dashboard will give you an overview of all available ASR rules in Windows, with descriptions and docs links. There are currently (as of 15/6-22) 16 different ASR rules in Windows. You can find their documentation here. The rules reference is followed by some instructions on how to use the dashboard.

Now it gets interesting. There are some filters you can apply in the dashboard. First you need to decide if you are interested in rules running in audit mode or block mode. Select the time range. After that you can, if you want to, filter on specific rules, devices or users. This is optional. The filters you set will affect all graphs in the dashboard.

The first graph is a timeline of all ASR events in the current time frame. This is great for understanding when problems arise, key indications in a security incident investigation, etc.

You will then see pie charts of the number of ASR events by Rule, Device or User. Finally, at the bottom, you will get a detailed event log where you can dive into specifics about ASR events, like which application triggered it, and what it tried to do. This is incredibly powerful when investigating ASR incidents, or when building exclusion policies during ASR deployment.

Install the Attack Surface Reduction Dashboard in Microsoft Sentinel

First, download (or copy) the latest version (it’s a JSON file) of Attack Surface Reduction Dashboard from my GitHub.

Go to your Microsoft Sentinel workspace and click on Workbooks. Add a new workbook.

A new workbook will appear based on the default template. Click on Edit and the Advanced Editor button. This will allow you to replace the entire JSON content with the one from my GitHub repo.

Replace the JSON content and click on Apply. The new workbook will now appear and you can start to use it. Easy!

Finally, to permanently save the workbook in Sentinel, click on the save icon at the top and select the same Azure resource group as your Sentinel workspace (or else it won’t show up in Sentinel). Also set the Title to Attack Surface Reduction Dashboard. You’re all set!

Note that you can do this without Microsoft Sentinel as long as you are exporting your Azure AD audit logs to an Azure Log Analytics workspace. Just do the same procedure in Azure AD workbooks instead: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Workbooks

Summary

I hope that the Attack Surface Reduction Dashboard can help you understand the ASR rules and their events in your tenant, and prevent bad configuration, security incidents, and ease deployment.

Please follow me here, on LinkedIn, and on Twitter!

@DanielChronlund