Forum Discussion

Marnik
Brass Contributor
Jul 12, 2024

Missing Advanced Hunting action types for ASR rules in preview mode

Are there no AH action types for ASR rules in preview mode available yet?

Or is this currently undocumented?

 

Not finding any AH action types for:

- Block use of copied or impersonated system tools (preview)

- Block rebooting machine in Safe Mode (preview)

 

Ref: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#per-rule-descriptions 

1 Reply

  • Marnik
    Brass Contributor

    It seems that Microsoft has updated the documentation regarding ActionTypes for both rules, which are still in preview: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-use-of-copied-or-impersonated-system-tools-preview 

    Oddly enough, across several customers we notice the ActionType 'asrCustomRule', which seems to relate to 'Block use of copied or impersonated system tools (preview)', although the documentation states otherwise.

    Anyone else noticed this?
