Forum Discussion
ADR: Audited detections not showing in Microsoft Defender
Hi all,
I am trying to figure out why the Attack surface reduction rules report does not show me any audited detections. Specifically, I am testing out the rule Block process creations originating from PSExec and WMI commands in Audit mode. A test was run on the endpoint by starting a WMI process and an event was logged to Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational.
Any ideas?
1 Reply
- Ankit365 (Brass Contributor)
In Microsoft Defender, Attack Surface Reduction (ASR) audit events don’t always appear in the “ASR rules report” the way you’d expect. The key thing is that the Defender portal report only shows data that has been sent up to Microsoft 365 and aggregated. When you run a test locally, you’ll see the audit event in the Windows Event Viewer under the Defender Operational log, which confirms the rule is firing, but that doesn’t guarantee it will be reflected in the Purview/Defender reports.
There are a few common reasons for this. First, endpoint telemetry has to be onboarded into Microsoft 365 Defender for ASR audit data to flow into the central report. If the device is not fully onboarded, or if the telemetry pipeline is disrupted, the local events won't sync. Second, audit-only mode sometimes doesn't populate the report immediately because those detections are considered low priority; you may need to wait up to 24 hours for data to appear. Third, the report only shows rules that are actually enabled and recognized in Microsoft 365 security settings. If the ASR policy is applied via local settings or Intune but not tied to the same tenant, the central report may not reflect it.
If you see the audit event locally but not in the Defender report, it usually means the endpoint isn't sending that telemetry up or the data hasn't been aggregated yet. Please ensure the device is properly onboarded into Microsoft 365 Defender, confirm the ASR policy is deployed via a supported management channel (Intune, or GPO with Defender for Endpoint onboarded), and allow sufficient time for the audit events to be ingested. If after all of that the data still doesn't show, it's worth raising a ticket with Microsoft, as sometimes specific ASR rules lag or have known reporting gaps.
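The three checks the reply suggests (is the rule really configured on the device and in which mode, did it fire locally, is the device onboarded and sending telemetry) can be run from an elevated PowerShell prompt on the test endpoint. The script below is an added example written for this thread, not code posted by either participant or shipped by Microsoft. It assumes the rule GUID d1e49aac-8f56-4280-b9ba-993a6d77406c is the published ID for "Block process creations originating from PSExec and WMI commands", that audit and block events for ASR are IDs 1122 and 1121 in the Microsoft-Windows-Windows Defender/Operational log, and that the OnboardingState value under the Windows Advanced Threat Protection\Status registry key reflects Defender for Endpoint onboarding.

```powershell
# Added example (not from the original thread). Run as Administrator on the endpoint.
# Assumption: this GUID is the published ID of the rule
# "Block process creations originating from PSExec and WMI commands".
$RuleId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

# 1. Is the rule present in the effective ASR configuration, and in which mode?
#    Get-MpPreference returns parallel arrays of rule IDs and actions.
#    Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$idx  = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) { $idx = $i; break }
}
if ($idx -lt 0) {
    Write-Warning "Rule $RuleId is not in the effective ASR configuration on this device."
} else {
    $modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $mode = $modeNames[[int]$acts[$idx]]
    if (-not $mode) { $mode = "Unknown ($($acts[$idx]))" }
    "Rule $RuleId effective mode: $mode"
}

# 2. Did the rule fire locally? 1122 = audit event, 1121 = block event.
#    The event message includes the rule ID, so filter on the GUID.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

# 3. Is the device onboarded to Defender for Endpoint, and is the Sense service up?
#    Assumption: OnboardingState = 1 means the device has been onboarded.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
if ($null -eq $status) {
    Write-Warning "No onboarding status key found; device does not appear to be onboarded."
} else {
    "OnboardingState: $($status.OnboardingState)   (1 = onboarded)"
}
Get-Service -Name Sense -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

If step 1 reports the rule in Audit mode and step 2 lists a 1122 event for the GUID but step 3 shows no onboarding key or a stopped Sense service, the gap is in the telemetry path rather than in the rule itself, which matches the reply's first explanation. If all three look healthy, the remaining causes in the reply (ingestion delay, or a policy tied to a different tenant) are what to check next.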