Forum Discussion
sintra3000
Oct 15, 2020
Copper Contributor
ASR rule - Block persistence through WMI event subscription
Hi, I have a question on ASR rules. In the Security and Compliance - Reports section there is a nice overview of the rules with status of audit / blocked / not present etc. For 14 out of the 15 ASR...
Vytas_Boyev
Microsoft
Oct 27, 2020
Audit mode works for that specific rule - it's not clear if that is the answer to your question though...
0 = Disable
1 = Enabled/Block
2 = Audit mode
- sintra3000, Oct 28, 2020, Copper Contributor
Hi and thank you.
My question is more on after audit mode is enabled, where can I see the number of events generated?
"security.microsoft.com/reports" provides a nice overview of many of the ASR rules, but not for "Block persistence through WMI event subscription". So how can I use the audit mode to evaluate the impact is my question :).
- Vytas_Boyev, Oct 28, 2020, Microsoft
sintra3000 That rule should audit in that portal as well - just yesterday saw this rule firing audits there. If it isn't - I would think that may be cause for a support ticket.
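
Added example, not part of the thread or written by either poster: a local cross-check on a single endpoint that reads the rule's configured mode (using the 0/1/2 values listed above) and counts its audit and block events in the Defender operational log. The rule GUID and event IDs 1121/1122 are the ones in Microsoft's ASR documentation; the 7-day window is an assumption.

```powershell
# Added example: count local events for "Block persistence through WMI event subscription".
# Assumption: run in an elevated session on a device with Microsoft Defender Antivirus active.
$RuleId = 'e6db77e5-3df2-4cf5-b95a-636979351e5b'   # documented GUID for this ASR rule
$Days   = 7                                        # assumed look-back window
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Enabled/Block'; 2 = 'Audit mode' }

# 1. Read the configured mode for this rule from the local Defender preferences.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$mode    = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $RuleId) {                    # -eq on strings is case-insensitive
        $value = [int]$actions[$i]
        $mode  = if ($ModeNames.ContainsKey($value)) { $ModeNames[$value] } else { "Other ($value)" }
    }
}
"Rule $RuleId is set to: $mode"

# 2. Pull ASR events: 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ToXml() -match $RuleId }     # keep only events that carry this rule's GUID

# 3. Summarise, so the impact of audit mode can be judged before switching to block.
if (-not $events) {
    "No events for this rule in the last $Days days."
} else {
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Name
            Meaning = if ($_.Name -eq '1122') { 'Audited' } else { 'Blocked' }
            Count   = $_.Count
        }
    }
}
```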