Forum Discussion

Dr_Snooze
Brass Contributor
Jul 05, 2022

Attack Surface Reduction Audits are Not Appearing in My Reports

I'm relatively new to Defender for Endpoint (P2), and am still trying to set up my environment. Following the instructions, I created a number of Attack Surface Reduction rules and set them to Audit mode. These have been in place for a couple of weeks now, and when I go to my Reports -> Security Report, I can see that my rules are generating Audit activity.

That's great, except that when I drill into my Reports -> Attack Surface Reduction report, I only find details for one of my ASR rules.

It doesn't seem to matter how I Group By or Filter this report; I only ever get details for one ASR rule.

What am I doing wrong?

Thanks,

  • Dr_Snooze
    Brass Contributor
    To update this briefly, MSFT Support has identified this is a problem on their end. They implemented a fix, but I'm still looking at results for only 2 policies instead of the 16 I have set up. MSFT is still working on it, and I'll continue to update as I learn more.
  • Dr_Snooze
    Brass Contributor
    Okay. I finally got this resolved. I had to reach out to Microsoft Support. They did some back-end tinkering and I started getting results for more audits. Note that if you aren't generating any audits, then you won't see anything on your run. Hope that helps someone else.

    Thanks again to everyone!
  • aexlz
    Brass Contributor
    Hi
    This table of content always lacks the complete rule set. Don't ask me why. I guess it only consolidates the most recent.
    I suggest you use Advanced Hunting. You can build queries there which explicitly query for a certain audit event.
    You can review the results there and also export them.
    Cheers, Axel
    • Dr_Snooze
      Brass Contributor
      Thanks Axel. I'll look into that. I also opened a trouble ticket with MSFT yesterday and sent them some logs. I'll update if that turns up anything helpful.
      • aexlz
        Brass Contributor

        Dr_Snooze, just to give you an idea:

        // ASR events land in DeviceEvents; audit-mode hits have an ActionType
        // such as Asr...Audited, so filter on the "Asr" prefix and "Audit".
        DeviceEvents
         | where ActionType startswith "Asr"
         | where ActionType contains "Audit"
         | where Timestamp > ago(30d)
         // The rule GUID sits inside the AdditionalFields JSON as RuleId;
         // lower-case it so it can be compared with the documented rule IDs.
         | extend RuleGuid = tolower(tostring(parse_json(AdditionalFields).RuleId))
         // Count audit events per rule (the GUID is included so that rules
         // sharing an ActionType are still listed separately).
         | summarize EventCount=count() by ActionType, RuleGuid
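
        As an added example (not Axel's query and not Microsoft's own code), the same Advanced Hunting approach can be turned into a coverage check for the situation Dr_Snooze hit: it joins the audit events against a list of the rules you have configured, so rules that produced zero audit events in the window are listed explicitly instead of silently missing from the report. The AsrRules datatable below is a constructed subset of Microsoft's published ASR rule IDs and is assumed to be correct here; extend it with the GUIDs of the rules in your own policy. The RuleId field of AdditionalFields is the one the query above already relies on.

```kql
// Constructed lookup of configured ASR rules (GUID -> display name).
// These are Microsoft's published rule IDs as assumed here; add your own rules.
let AsrRules = datatable(RuleGuid:string, RuleName:string)
[
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a", "Block all Office applications from creating child processes",
    "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", "Block credential stealing from LSASS",
    "d1e49aac-8f56-4280-b9ba-993a6d77406c", "Block process creations originating from PSExec and WMI commands",
    "56a863a9-875e-4185-98a7-b882c64b5ce5", "Block abuse of exploited vulnerable signed drivers"
];
// Audit-mode ASR events from the last 30 days, aggregated per rule.
let AuditEvents =
    DeviceEvents
    | where Timestamp > ago(30d)
    | where ActionType startswith "Asr" and ActionType contains "Audit"
    | extend RuleGuid = tolower(tostring(parse_json(AdditionalFields).RuleId))
    | summarize EventCount = count(),
                DeviceCount = dcount(DeviceId),
                LastSeen = max(Timestamp)
      by RuleGuid, ActionType;
// Left outer join keeps every configured rule; rules with no audit events
// come back with null counts, which are shown as 0 rather than dropped.
AsrRules
| join kind=leftouter AuditEvents on RuleGuid
| project RuleName, RuleGuid, ActionType,
          EventCount = coalesce(EventCount, 0),
          DeviceCount = coalesce(DeviceCount, 0),
          LastSeen
| order by EventCount desc
```

        Rows with EventCount 0 are rules that are configured but have not fired in audit mode on any device in the window, which is the "if you aren't generating any audits, you won't see anything" case from above; rows with a non-zero count but a small DeviceCount help spot rules that are only being exercised on a few machines.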
