Forum Discussion
Attack Surface Reduction Audits are Not Appearing in My Reports
I'm relatively new to Defender for Endpoint (P2), and am still trying to set up my environment. Following the instructions, I created a number of Attack Surface Reduction rules and set them to Audit ...
Thanks Axel. I'll look into that. I also opened a trouble ticket with MSFT yesterday and sent them some logs. I'll update if that turns up anything helpful.
Dr_Snooze, just to give you an idea:
DeviceEvents
| where ActionType startswith "Asr"
| where ActionType contains "Audit"
| where Timestamp > ago(30d)
| extend RuleGuid = tolower(tostring(parsejson(AdditionalFields).RuleId))
| summarize EventCount=count() by ActionType- If you can believe it, that only gets me results for 2 policies. But both policies are now showing in my ASR report. ?!
