Forum Discussion
ASR Logging for the Block settings
I'm trying to troubleshoot some Office plugins which aren't functioning, and I'm trying to determine whether it's the various Office block settings, which I've enumerated below. When Attack Surface Reduction blocks these events, are they logged, and if so, where are those events located?
3 Replies
- GI472 Brass Contributor
Hi dperusich,
Not sure if this helps, but if you go to the Hunting > Advanced hunting tab in the Defender portal and run this query:
DeviceEvents
| where ActionType contains "asr"
It will show all ASR events and whether they were blocked or audited, plus filename, folderpath etc. The default timescale is 7 days, but you can change this to 30 days.
It helped us identify issues and files/paths to add to our ASR exclusions list in Endpoint Manager/Intune.
You can also export the data, as it's easier to analyse in Excel, in my opinion.
I also found this, which may or may not be helpful:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-worldwide
- dperusich Copper Contributor
I'm aware events are logged locally at Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational and I'm leveraging the Troubleshooting ASR rules documentation, but they are not helping me dig into the issue which is why I'm asking.
Thanks!
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-worldwide
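Building on the Advanced hunting query in GI472's reply, this added example (not part of the original thread) narrows the results to the Office-related ASR rules and groups them by the process and file involved. It assumes the Office rules are the ones whose ActionType contains "Office" and that every ActionType ends in "Blocked" or "Audited"; anything else is labelled "Other".

```kusto
// Added example: Office-related ASR events from the last 30 days,
// grouped so that repeated hits on the same plugin file stand out.
DeviceEvents
| where Timestamp > ago(30d)
// ASR ActionTypes start with "Asr"; the Office rules carry "Office" in the name (assumption)
| where ActionType startswith "Asr" and ActionType contains "Office"
// Separate enforced blocks from audit-only hits
| extend Outcome = case(
    ActionType endswith "Blocked", "Blocked",
    ActionType endswith "Audited", "Audited",
    "Other")
// One row per rule / initiating process / target file combination
| summarize Events = count(),
            Devices = dcount(DeviceName),
            LastSeen = max(Timestamp)
    by ActionType, Outcome, InitiatingProcessFileName, FileName, FolderPath
| order by Events desc
```

Rows with Outcome "Blocked" whose FileName or FolderPath matches the plugin are the candidates to compare against the ASR exclusions list.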