Forum Discussion
Dr_Snooze
Jul 05, 2022
Brass Contributor
Attack Surface Reduction Audits are Not Appearing in My Reports
I'm relatively new to Defender for Endpoint (P2), and am still trying to set up my environment. Following the instructions, I created a number of Attack Surface Reduction rules and set them to Audit mode. These have been in place for a couple weeks now and when I go to my Reports -> Security Report, I can see that my rules are generating Audit activity.
That's great, except that when I drill into my Reports -> Attack Surface Reduction report, I only find details for one of my ASR rules.
It doesn't seem to matter how I Group By or Filter this report, I only ever get details for one ASR rule.
What am I doing wrong?
Thanks,
- Dr_Snooze (Brass Contributor)
To update this briefly, MSFT Support has identified this is a problem on their end. They implemented a fix, but I'm still looking at results for only 2 policies instead of the 16 I have set up. MSFT is still working on it, and I'll continue to update as I learn more.
- Dr_Snooze (Brass Contributor)
Okay. I finally got this resolved. I had to reach out to Microsoft Support. They did some back end tinkering and I started getting results for more audits. Note that if you aren't generating any audits, then you won't see anything on your run. Hope that helps someone else.
Thanks again to everyone!
- aexlz (Brass Contributor)
Hi
This table of content always lacks the complete rule-set. Don't ask me why. I guess it only consolidates the most recent.
I suggest you use Advanced Hunting. You can build queries there, which explicitly query for the specific audit event.
You can review the results there and also export them.
Cheers Axel
- Dr_Snooze (Brass Contributor)
Thanks Axel. I'll look into that. I also opened a trouble ticket with MSFT yesterday and sent them some logs. I'll update if that turns up anything helpful.
- Dr_Snooze (Brass Contributor)
Still working on it...
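
The Advanced Hunting approach suggested in the thread, shown as an added example that is not part of any participant's post: a query that lists every ASR rule that produced audit events, so the result can be compared against the rules configured in Audit mode. It relies on ASR audit events being recorded in the `DeviceEvents` table with an `ActionType` of the form `Asr...Audited`; the 30-day window and the output column names are choices made for this example.

```kusto
// Added example: one row per ASR rule that generated audit events.
// A rule missing from the output produced no audit events in the window,
// which is different from the report simply not displaying it.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr" and ActionType endswith "Audited"
| summarize
    AuditEvents  = count(),                              // total audit hits for the rule
    Devices      = dcount(DeviceId),                     // distinct devices that triggered it
    FirstSeen    = min(Timestamp),
    LastSeen     = max(Timestamp),
    TopProcesses = make_set(InitiatingProcessFileName, 5) // sample of processes that triggered it
    by ActionType
| order by AuditEvents desc
```

Replacing `"Audited"` with `"Blocked"` gives the same view for rules that have been moved to Block mode.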