Forum Discussion
dperusich
Apr 28, 2023 (Copper Contributor)
ASR Logging for the Block settings
I'm trying to troubleshoot some Office plugins which aren't functioning, and I'm trying to determine whether it's the various Office block settings, which I've enumerated below. When Attack Surface Reduction blocks these events, are they logged, and if so, where are those events located?
Block Win32 API calls from Office macros
Block JavaScript or VBScript from launching downloaded executable content
Block Office communication application from creating child processes
Block all Office applications from creating child processes
Block Office applications from creating executable content
Block Office applications from injecting code into other processes
GI472 (Brass Contributor)
Hi dperusich,
Not sure if this helps, but if you go to the Hunting > Advanced hunting tab in the Defender portal and run this query:
DeviceEvents
| where ActionType contains "asr"
It will show all ASR events and whether they were blocked or audited, plus filename, folder path, etc. The default timescale is 7 days, but you can change this to 30 days.
It helped us identify issues and files/paths to add to our ASR exclusions list in Endpoint Manager/Intune.
You can also export the data, as it's easier to analyse in Excel, in my opinion.
I also found this, which may or may not be helpful:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-worldwide
dperusich (Copper Contributor)
I'm aware events are logged locally at Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational, and I'm leveraging the Troubleshooting ASR rules documentation, but they are not helping me dig into the issue, which is why I'm asking.
Thanks!
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-worldwide
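As an added example (not posted by either participant), the following PowerShell pulls the local ASR events from the Windows Defender Operational log mentioned in the thread and maps them to the six Office rules from the question, so you can see per event whether a rule blocked or merely audited the plugin's action. It assumes event ID 1121 is a block and 1122 an audit, that the event message carries the rule GUID after "ID:" followed by "Path:" and "Process Name:" fields, and that the rule GUIDs match Microsoft's ASR rules reference.

```powershell
# Added example: summarise local ASR block/audit events for the Office rules in the question.
# Rule GUIDs are taken from Microsoft's ASR rules reference (only the names are from the thread);
# confirm them against the current reference before relying on the mapping.
$OfficeRules = @{
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}

function Get-AsrOfficeEvents {
    param([int]$Days = 7)   # same default window as the Advanced hunting portal
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122                       # assumed: 1121 = blocked, 1122 = audited
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        # Assumed message layout: "ID: <rule guid>", "Path: <file>", "Process Name: <exe>" on separate lines.
        $ruleId  = if ($msg -match 'ID:\s*\{?([0-9A-Fa-f-]{36})\}?') { $Matches[1].ToUpper() } else { $null }
        $path    = if ($msg -match 'Path:\s*(.+)')                     { $Matches[1].Trim() }    else { $null }
        $process = if ($msg -match 'Process Name:\s*(.+)')             { $Matches[1].Trim() }    else { $null }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $ruleId
            Rule    = if ($ruleId -and $OfficeRules.ContainsKey($ruleId)) { $OfficeRules[$ruleId] } else { 'Other/unknown rule' }
            Process = $process
            Path    = $path
        }
    }
}

# Office rules only, newest first: a 'Block' row for the plugin's path or host process
# is the rule to look at; 'Audit' rows mean the rule did not actually stop anything.
Get-AsrOfficeEvents -Days 30 |
    Where-Object { $_.Rule -ne 'Other/unknown rule' } |
    Sort-Object Time -Descending |
    Format-Table Time, Mode, Rule, Process, Path -AutoSize
```

Run it in an elevated PowerShell session on the affected machine; if the Path or Process columns come back empty, the message layout differs from the assumption and you can inspect one event's Message property to adjust the regexes.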