%3CLINGO-SUB%20id%3D%22lingo-sub-1361498%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20attack%20surface%20reduction%20rules%20-%20Part%203%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361498%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20work%20Antonio!%20Technical%20but%20easy%20to%20understand!%3C%2FP%3E%3CP%3EKeep%20up%20the%20great%20work%20mate!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1361513%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20attack%20surface%20reduction%20rules%20-%20Part%203%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361513%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F656875%22%20target%3D%22_blank%22%3E%40Ggaspar%3C%2FA%3E%26nbsp%3BThanks!%20Yeah%2C%20it's%20always%20a%20challenge%20to%20balance%20deep%20technical%20info%2C%20while%20being%20of%20value%20for%20every%20person%2C%20their%20level%20of%20knowledge%20and%20experience%20with%20the%20actual%20topic.%3C%2FP%3E%0A%3CP%3ELet%20me%20know%20what%20else%20you%20would%20like%20to%20see%20in%20this%2C%20or%20future%2C%20blog%20posts!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1362522%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20attack%20surface%20reduction%20rules%20-%20Part%203%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1362522%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Antonio%2C%3C%2FP%3E%3CP%3EIf%20I%20go%20to%20the%20M365%20Security%20Center%20I%20get%200%20Devices%20on%20the%20configuration%20tab%20(compared%20to%20your%201st%20screenshot).%20I%20do%20however%20see%20exclusions%20and%20detections.%20I%20can%20also%20hunt%20in%20Defender%20ATP%20so%20there%20seems%20to%20be%20underlying%20data.%20Am%20I%20missing%20a%20configuration%20to%20see%20data%20on%20the%20Configuration%20tab%3F%20(My%20devices%20are%20MDATP%20and%20Intune%20enrolled).%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3CP%3EPieter%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1378216%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20attack%20surface%20reduction%20rules%20-%20Part%203%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1378216%22%20slang%3D%22en-US%22%3E%3CP%3Ewhy%20is%20there%20securitycenter.microsoft.com%20and%20security.microsoft.com%3F%20are%20there%20any%20plans%20to%20consolidate%20these%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1379310%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20attack%20surface%20reduction%20rules%20-%20Part%203%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1379310%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1096%22%20target%3D%22_blank%22%3E%40Dean%20Gross%3C%2FA%3E%26nbsp%3Bsecuritycenter.microsoft.com%20is%20the%20portal%20for%20Microsoft%20Defender%20ATP%2C%20while%20security.microsoft%20is%20the%20portal%20for%20Microsoft%20Threat%20Protection.%3C%2FP%3E%0A%3CP%3EMTP%20will%20be%20the%20defacto%20product%20that%20will%20encompass%20all%20of%20the%20existing%20M365%20Security%20Workloads%20(MDATP%2C%20AATP%2C%20OATP%20and%20MCAS).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20yes%2C%20MDATP%20portal%20will%20be%20migrated%20to%20MTP%20soon.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMore%20info%20here%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CFONT%20size%3D%222%22%3E%3CFONT%20size%3D%223%22%3EDive%20deep%20into%20Microsoft%20Threat%20Protection%3A%20See%20how%20we%20defend%20against%20threats%20like%20%7C%20SE%3C%2FFONT%3ECO20%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DNogNroy0FSM%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DNogNroy0FSM%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAnnouncing%20Microsoft%20Threat%20Protection%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fsecurity-privacy-and-compliance%2Fannouncing-microsoft-threat-protection%2Fba-p%2F262783%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fsecurity-privacy-and-compliance%2Fannouncing-microsoft-threat-protection%2Fba-p%2F262783%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EMicrosoft%20Threat%20Protection%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fmicrosoft-threat-protection%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fmicrosoft-threat-protection%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ETurn%20on%20Microsoft%20Threat%20Protection%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fmtp-enable%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fmtp-enable%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1379318%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20attack%20surface%20reduction%20rules%20-%20Part%203%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1379318%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F323159%22%20target%3D%22_blank%22%3E%40PHancke%3C%2FA%3E%26nbsp%3BKnown%20bug.%20It%20should%20be%20fixed%20soon.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1360968%22%20slang%3D%22en-US%22%3EDemystifying%20attack%20surface%20reduction%20rules%20-%20Part%203%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1360968%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EUpdate%2023%2F05%2F2020%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EAdded%20new%20info%20regarding%20ASR%20GUI!%20A%20community%20tool%20that%20will%20help%20you%20reporting%20and%20setting%20ASR%20rules%20locally!%20Ideal%20for%20lab%20scenarios!%3C%2FP%3E%0A%3CP%3EKudos%20to%20Hermann%20Maurer!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHello%20again%20and%20welcome%20to%20the%203%3CSUP%3Erd%3C%2FSUP%3E%20part%20of%20our%20blog%20series%20on%20demystifying%20attack%20surface%20reduction%20(ASR)%20rules.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%203%3CSUP%3Erd%20%3C%2FSUP%3Epart%20is%20focused%20on%20how%20to%20report%20and%20troubleshoot%20Microsoft%20Defender%20ATP%20ASR%20Rules%2C%20both%20their%20configuration%20and%20the%20audit%20and%20block%20events.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERemember%20that%20you%20can%20follow%20the%20blog%20series%20-ERR%3AREF-NOT-FOUND-here%20to%20read%20all%20the%20posts%20on%20this%20topic.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1353637035%22%20id%3D%22toc-hId--1353637035%22%20id%3D%22toc-hId--1353637035%22%3E%3CSTRONG%3EContinuing%20with%20the%20%E2%80%9CHow%E2%80%9D%20-%20now%20on%20how%20to%20report%20and%20troubleshoot%20ASR%20rules%3C%2FSTRONG%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EKeeping%20a%20bit%20of%20the%20tradition%20on%20the%20former%20blog%20post%20parts%2C%20if%20you%20asked%20us%20what%20is%20the%20best%20possible%20way%20to%20report%20and%20troubleshoot%20ASR%20rules%20events%2C%20our%20answer%20would%20logically%20be%3A%20It%20depends!%20%3A)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20that%20is%20very%20much%20the%20truth.%20Because%20it%20will%20depend%20eventually%20on%20the%20actual%20solution%20of%20choice%20that%20you%20are%20using%20to%20enable%20and%20configure%20ASR%20rules%2C%20your%20licensing%2C%20your%20role%20within%20your%20organization%2C%20etc.%20The%20point%20is%2C%20we%20have%20multiple%20ways%20of%20accomplishing%20very%20similar%20outcomes%2C%20some%20with%20more%20functionalities%20and%2For%20granularity%20than%20others.%20Part%203%20is%20all%20about%20going%20through%20each%20one%20of%20those%20and%20making%20sure%20you%20are%20aware%20of%20the%20options.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3E%3CSTRONG%3E%231%20How%20can%20I%20get%20a%20report%20on%20ASR%20rules%3F%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CFONT%20color%3D%22%23800080%22%3EMicrosoft%20365%20security%20center%3C%2FFONT%3E%20%3C%2FSTRONG%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20-ERR%3AREF-NOT-FOUND-Microsoft%20365%20security%20center%20is%20the%20new%20home%20for%20monitoring%20and%20managing%20security%20across%20your%20Microsoft%20identities%2C%20data%2C%20devices%2C%20apps%2C%20and%20infrastructure.%20Here%20you%20can%20easily%20view%20the%20security%20health%20of%20your%20organization%2C%20act%20to%20configure%20devices%2C%20users%2C%20and%20apps%2C%20and%20get%20alerts%20for%20suspicious%20activity.%20The%20Microsoft%20365%20security%20center%20is%20specifically%20intended%20for%20security%20admins%20and%20security%20operations%20teams%20to%20better%20manage%20and%20protect%20their%20organization.%20Visit%20the%20Microsoft%20365%20security%20center%20at%20-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecurity.microsoft.com%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20Microsoft%20365%20security%20center%2C%20we%20offer%20you%20a%20complete%20look%20at%20the%20current%20ASR%20rules%20configuration%20and%20events%20in%20your%20estate.%20Please%20note%20that%20your%20devices%20must%20be%20onboarded%20into%20the%20Microsoft%20Defender%20ATP%20service%20for%20these%20reports%20to%20be%20populated.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20a%20screenshot%2C%20directly%20taken%20from%20the%20Microsoft%20365%20security%20center%20(under%20%3CSTRONG%3EReports%20%26gt%3B%20Devices%20%26gt%3B%20Attack%20surface%20reduction%20%3C%2FSTRONG%3E).%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorAntonio%20Vasconcelos_2%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20want%20to%20drill%20down%20to%20the%20device%20level%2C%20select%20%3CSTRONG%3EConfiguration%3C%2FSTRONG%3E%20from%20the%20%3CSTRONG%3EAttack%20surface%20reduction%20rules%3C%2FSTRONG%3E%20pane.%20This%20will%20take%20you%20the%20following%20screen%2C%20where%20you%20can%20select%20a%20specific%20device%20and%20check%20its%20individual%20ASR%20rule%20configuration.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22ASR_Report_2.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189068i0F860636676CF615%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22ASR_Report_2.png%22%20alt%3D%22ASR_Report_2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23800080%22%3E%3CSTRONG%3EMicrosoft%20Defender%20ATP%20%E2%80%93%20Advanced%20hunting%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EOne%20of%20the%20most%20powerful%20and%20coolest%20features%20of%20-ERR%3AREF-NOT-FOUND-Microsoft%20Defender%20ATP%20is%20advanced%20hunting.%20If%20you%20are%20unfamiliar%20with%20advanced%20hunting%2C%20please%20refer%20to%20our%20documentation%20-%20-ERR%3AREF-NOT-FOUND-Proactively%20hunt%20for%20threats%20with%20advanced%20hunting.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAdvanced%20hunting%20is%20a%20query-based%20(Kusto%20Query%20Language)%20threat-hunting%20tool%20that%20lets%20you%20explore%20up%20to%2030%20days%20of%20the%20captured%20(raw)%20data%2C%20that%20Microsoft%20Defender%20ATP%20Endpoint%20Detection%20and%20Response%20(EDR)%20collects%20from%20all%20your%20machines.%20Through%20advanced%20hunting%20you%20can%20proactively%20inspect%20events%20in%20order%20to%20locate%20interesting%20indicators%20and%20entities.%20The%20flexible%20access%20to%20data%20facilitates%20unconstrained%20hunting%20for%20both%20known%20and%20potential%20threats.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThrough%20advanced%20hunting%2C%20it%20is%20possible%20to%20extract%20ASR%20rules%20information%2C%20create%20reports%2C%20and%20get%20in-depth%20information%20on%20the%20context%20of%20a%20given%20ASR%20rule%20audit%20or%20block%20event.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EASR%20rules%20events%20are%20available%20to%20be%20queried%20from%20the%20DeviceEvents%20table%20in%20the%20advanced%20hunting%20section%20of%20the%20Microsoft%20Defender%20Security%20Center.%20For%20example%2C%20a%20simple%20query%20such%20as%20the%20one%20below%20can%20report%20all%20the%20events%20that%20have%20ASR%20rules%20as%20data%20source%2C%20for%20the%20last%2030%20days%2C%20and%20will%20summarize%20them%20by%20the%20ActionType%20count%2C%20that%20in%20this%20case%20it%20will%20be%20the%20actual%20codename%20of%20the%20ASR%20rule.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3EDeviceEvents%20%0A%7C%20where%20Timestamp%20%26gt%3B%20ago(30d)%20%20%20%0A%7C%20where%20ActionType%20startswith%20%E2%80%9CAsr%E2%80%9D%0A%7C%20summarize%20EventCount%3Dcount()%20by%20ActionType%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22AH_Query_full.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189110i64A8DF61DC221F1D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22AH_Query_full.png%22%20alt%3D%22AH_Query_full.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20above%20shows%20that%20187%20events%20were%20registered%20for%20AsrLsassCredentialTheft%20(102%20for%20Blocked%20and%2085%20for%20Audited)%2C%202%20events%20for%20AsrOfficeChildProcess%20(1%20for%20Audited%20and%201%20for%20Block)%20and%208%20events%20for%20AsrPsexecWmiChildProcessAudited.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%2C%20let%20us%20say%20that%20you%20want%20to%20focus%20on%20the%20AsrOfficeChildProcess%20rule%2C%20and%20get%20details%20on%20the%20actual%20files%20and%20processes%20involved.%20We%20just%20need%20to%20change%20the%20filter%20for%20ActionType%20and%20replace%20the%20summarize%20line%20with%20a%20projection%20of%20the%20wanted%20fields%20(in%20this%20case%20they%20are%20DeviceName%2C%20FileName%2C%20FolderPath%2C%20etc.).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markdown%22%3E%3CCODE%3EDeviceEvents%20%0A%7C%20where%20(ActionType%20startswith%20%E2%80%9CAsrOfficeChild%E2%80%9D)%20%20%20%0A%7C%20extend%20RuleId%3Dextractjson(%E2%80%9C%24Ruleid%E2%80%9D%2C%20AdditionalFields%2C%20typeof(string))%0A%7C%20project%20DeviceName%2C%20FileName%2C%20FolderPath%2C%20ProcessCommandLine%2C%20InitiatingProcessFileName%2C%20InitiatingProcessCommandLine%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22ASR_Query_2.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189116iD43277468F164526%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22ASR_Query_2.png%22%20alt%3D%22ASR_Query_2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20cool%20thing%20about%20advanced%20hunting%20is%20that%20you%20can%20shape%20the%20queries%20to%20your%20liking%2C%20so%20that%20you%20can%20see%20the%20exact%20story%20of%20what%20was%20happening%2C%20regardless%20of%20whether%20you%20want%20to%20pinpoint%20something%20on%20an%20individual%20machine%2C%20or%20you%20want%20to%20extract%20insights%20from%20your%20entire%20environment.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23800080%22%3E%3CSTRONG%3EMicrosoft%20Defender%20ATP%20machine%20timeline%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EAn%20alternative%20to%20advanced%20hunting%2C%20but%20with%20a%20narrower%20scope%2C%20is%20the%20Microsoft%20Defender%20ATP%20machine%20timeline.%20You%20can%20view%20all%20the%20collected%20events%20of%20a%20device%2C%20for%20the%20past%206%20months%2C%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fsecuritycenter.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Defender%20Security%20Center%3C%2FA%3E%2C%20by%20going%20to%20the%20Machines%20list%2C%20select%20a%20given%20machine%2C%20and%20then%20click%20on%20the%20Timeline%20tab.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPictured%20below%20is%20a%20screenshot%20of%20the%20Timeline%20view%20of%20these%20events%20on%20a%20given%20endpoint.%26nbsp%3B%20From%20this%20view%2C%20you%20can%20filter%20the%20events%20list%20based%20on%20any%20of%20the%20Event%20Groups%20along%20the%20right-side%20pane.%20You%20can%20also%20enable%20or%20disable%20Flagged%20and%20Verbose%20events%20while%20viewing%20alerts%20and%20scrolling%20through%20the%20historical%20timeline.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MachineTimeline.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189117iE31A9DF91558C732%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22MachineTimeline.png%22%20alt%3D%22MachineTimeline.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3E%3CSTRONG%3E%232%20How%20to%20troubleshoot%20ASR%20rules%3F%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20first%20and%20most%20immediate%20way%20is%20to%20check%20locally%2C%20on%20a%20Windows%20device%2C%20which%20ASR%20rules%20are%20enabled%20(and%20their%20configuration)%20is%20by%20using%20the%20PowerShell%20cmdlets.%3C%2FP%3E%0A%3CP%3ENevertheless%2C%20we%20will%20show%20you%20other%20sources%20of%20information%20that%20Windows%20offers%2C%20to%20troubleshoot%20ASR%20rules%E2%80%99%20impact%20and%20operation.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--663075561%22%20id%3D%22toc-hId--663075561%22%20id%3D%22toc-hId--663075561%22%3E%3CFONT%20size%3D%224%22%3E%3CSTRONG%3E%232.1%20Querying%20which%20rules%20are%20active%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3EOne%20of%20the%20easiest%20ways%20to%20determine%20if%20ASR%20rules%20are%20already%20enabled%E2%80%94and%2C%20if%20so%2C%20which%20ones%E2%80%94is%20through%20a%20PowerShell%20cmdlet%2C%20%3CSTRONG%3EGet-MpPreference.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20an%20example%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22posh_1.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189120iA2010F0E4FD8EA4B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22posh_1.png%22%20alt%3D%22posh_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAs%20you%20can%20see%2C%20there%20are%20multiple%20ASR%20rules%20active%2C%20with%20different%20configured%20actions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20expand%20the%20above%20information%20on%20ASR%20rules%2C%20you%20can%20use%20the%20properties%20%3CSTRONG%3EAttackSurfaceReductionRules_Ids%3C%2FSTRONG%3E%20and%2For%20%3CSTRONG%3EAttackSurfaceReductionRules%3C%2FSTRONG%3E_%3CSTRONG%3EActions%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EExample%3A%3C%2FP%3E%0A%3CP%3E%3CEM%3EGet-MPPreference%20%7C%20Select-Object%20-ExpandProperty%20AttackSurfaceReductionRules_Ids%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22posh_2.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189123iFEE8269E91579FD7%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22posh_2.png%22%20alt%3D%22posh_2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EThe%20above%20shows%20all%20the%20IDs%20for%20ASR%20rules%20that%20have%20a%20setting%20different%20from%200%20(Not%20Configured).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20next%20step%20is%20then%20to%20list%20the%20actual%20actions%20(Block%20or%20Audit)%20that%20each%20rule%20is%20configured%20with.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EGet-MPPreference%20%7C%20Select-Object%20-ExpandProperty%20AttackSurfaceReductionRules_Actions%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22posh_3.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189124i7D7515437DF27CAB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22posh_3.png%22%20alt%3D%22posh_3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EAs%20you%20can%20see%20from%20the%20above%20output%2C%20mapping%20rules%20to%20actions%20via%20PowerShell%20can%20be%20a%20bit%20of%20a%20pain.%20You%20can%20do%20it%20manually%2C%20by%20copying%20and%20pasting%20both%20above%20results%20into%20an%20Excel%20file%2C%20but%20that%E2%80%99s%20not%20the%20easiest%20way%20of%20achieving%20our%20end%20goal%20(knowing%20which%20rules%20are%20enabled%20and%20their%20specific%20actions).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDon%E2%80%99t%20forget%20to%20always%20map%20the%20above%20results%20with%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fattack-surface-reduction%23attack-surface-reduction-rules)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eavailable%20list%20of%20rules%3C%2FA%3E!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20simplify%20your%20ASR%20rules%20troubleshooting%20in%20PowerShell%2C%20we%20have%20made%20a%20quick%20and%20dirty%20sample%20script%20that%20helps%20you%20map%20rules%20and%20actions%20in%20an%20easy%20way.%20Just%20pull%20the%20script%20from%20this%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fanthonws%2FMDATP_PoSh_Scripts%2Fblob%2Fmaster%2FASR%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EGitHub%20repo%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20a%20small%20example%20of%20what%20the%20above%20script%20might%20output.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22posh_4.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189127i2FF2742D99D9C5E8%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22posh_4.png%22%20alt%3D%22posh_4.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EUpdate%2023%2F05%2F2020%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EBased%20on%20the%20above%20code%2C%20a%20MS%20colleague%20(Hermann%20Maurer)%2C%20created%20a%20nice%20GUI%20both%20for%20reporting%20and%20setting%20ASR%20rules!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere's%20how%20it%20looks%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22ASR_Rules_Posh_GUI.jpg%22%20style%3D%22width%3A%20620px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F194077i15191C8F91BDDCCA%2Fimage-dimensions%2F620x452%3Fv%3D1.0%22%20width%3D%22620%22%20height%3D%22452%22%20title%3D%22ASR_Rules_Posh_GUI.jpg%22%20alt%3D%22ASR_Rules_Posh_GUI.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20data-unlink%3D%22true%22%3EVery%20slick!%20Files%20are%20available%20in%20his%20Github%20-ERR%3AREF-NOT-FOUND-repo.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAll-in-all%2C%20although%20PowerShell%20is%20an%20important%20auditing%2Freporting%20mechanism%20to%20have%2C%20there%20are%20alternative%20ways%2C%20more%20streamlined%20ones%2C%20of%20checking%20your%20machine%E2%80%99s%20and%20estate%E2%80%99s%20current%20ASR%20rule%20configurations%2C%20such%20as%20the%20ones%20showed%20at%20the%20beginning%20of%20the%20blog%20in%20-ERR%3AREF-NOT-FOUND-part%202%20of%20this%20blog%20series%2C%20in%20the%20%E2%80%9CHow%20can%20I%20get%20a%20report%20on%20ASR%20rules%3F%E2%80%9D%20section.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1824437272%22%20id%3D%22toc-hId-1824437272%22%20id%3D%22toc-hId-1824437272%22%3E%3CFONT%20size%3D%224%22%3E%3CSTRONG%3E%232.2%20Querying%20blocking%20and%20auditing%20events%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId-16982809%22%20id%3D%22toc-hId-16982809%22%20id%3D%22toc-hId-16982809%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId--1790471654%22%20id%3D%22toc-hId--1790471654%22%20id%3D%22toc-hId--1790471654%22%3E%3CFONT%20size%3D%223%22%20color%3D%22%23800080%22%3E%3CSTRONG%3EWindows%20Event%20Viewer%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3EASR%20rule%20events%20can%20be%20viewed%20within%20the%20Windows%20Defender%20log.%3C%2FP%3E%0A%3CP%3ETo%20access%20it%2C%20open%20Windows%20Event%20Viewer%2C%20and%20browse%20to%20%3CSTRONG%3EApplications%20and%20Services%20Logs%20%26gt%3B%20Microsoft%20%26gt%3B%20Windows%20%26gt%3B%20Windows%20Defender%20%26gt%3B%20Operational.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22eventviewer1.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189130i05CBB778C75D7348%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22eventviewer1.png%22%20alt%3D%22eventviewer1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-697041179%22%20id%3D%22toc-hId-697041179%22%20id%3D%22toc-hId-697041179%22%3E%3CFONT%20size%3D%223%22%20color%3D%22%23800080%22%3E%3CSTRONG%3EMicrosoft%20Defender%20Malware%20Protection%20Logs%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3EYou%20can%20also%20view%20rule%20events%20through%20the%20Microsoft%20Defender%20Antivirus%20dedicated%20command-line%20tool%2C%20called%20%3CEM%3Empcmdrun.exe%2C%20%3C%2FEM%3Ethat%20can%20be%20used%20to%20manage%20and%20configure%2C%20as%20well%20as%20automate%20tasks%20if%20needed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20find%20this%20utility%20in%20%3CEM%3E%25ProgramFiles%25%5CWindows%20Defender%5CMpCmdRun.exe%3C%2FEM%3E.%20You%20must%20run%20it%20from%20an%20elevated%20command%20prompt%20(i.e.%20run%20as%20Admin).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20generate%20the%20support%20information%2C%20type%20%3CEM%3EMpCmdRun.exe%20-getfiles%3C%2FEM%3E.%20After%20a%20while%2C%20several%20logs%20will%20be%20packaged%20into%20an%20archive%20(%3CEM%3EMpSupportFiles.cab%3C%2FEM%3E)%20and%20made%20available%20in%20%3CEM%3EC%3A%5CProgramData%5CMicrosoft%5CWindows%20Defender%5CSupport.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mpcmdrun.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189133i6075026A1A24E8AF%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22mpcmdrun.png%22%20alt%3D%22mpcmdrun.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EExtract%20that%20archive%20and%20you%20will%20have%20many%20files%20available%20for%20troubleshooting%20purposes.%3C%2FP%3E%0A%3CP%3EThe%20most%20relevant%20files%20are%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EMPOperationalEvents.txt%3C%2FSTRONG%3E%20-%20This%20file%20contains%20same%20level%20of%20information%20found%20in%20Event%20Viewer%20for%20Windows%20Defender%E2%80%99s%20Operational%20log.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EMPRegistry.txt%20%E2%80%93%20%3C%2FSTRONG%3EIn%20this%20file%20you%20will%20be%20able%20to%20analyze%20all%20the%20current%20Windows%20Defender%20configurations%2C%20from%20the%20moment%20the%20support%20logs%20were%20captured.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EMPLog-***.txt%20%3C%2FSTRONG%3E%E2%80%93%20This%20log%20contains%20more%20verbose%20information%20about%20all%20the%20actions%2Foperations%20of%20the%20Windows%20Defender.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ELooking%20into%20%3CEM%3EMPOperationalEvents.txt%3C%2FEM%3E%2C%20we%20find%20the%20same%20sort%20of%20information%20we%20found%20before%20when%20we%20blocked%20Word%20from%20launching%20a%20child%20process.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mpregistry.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189137i2DC953702B96C3F4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22mpregistry.png%22%20alt%3D%22mpregistry.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithin%20another%20file%2C%20called%26nbsp%3B%3CEM%3EMPRegistry.txt%3C%2FEM%3E%2C%20you%20will%20find%20a%20section%20called%20%E2%80%9CWindows%20Defender%20Exploit%20Guard%5CASR%E2%80%9D%2C%20where%20you%20can%20doublecheck%20what%20rules%20are%20active%20and%20see%20their%20configurations.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mpregistry2.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189140i56F4D2A0C0EF0281%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22mpregistry2.png%22%20alt%3D%22mpregistry2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20above%20screenshot%20we%20can%20see%20rule%20%E2%80%9CBlock%20all%20Office%20applications%20from%20creating%20child%20processes%E2%80%9D%20(D4F940AB-401B-4EFC-AADC-AD5F3C50688A)%20is%20enabled%20with%20a%20value%20of%202%2C%20which%20means%20Audit.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20hope%20you%20have%20found%20part%203%20of%20our%20blog%20series%20about%20demystifying%20ASR%20rules%20helpful!%20Please%20let%20us%20know%20if%20you%20have%20any%20questions%20in%20the%20comments%20section.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20always%2C%20you%20can%20find%20all%20the%20blogs%20in%20the%20series%20-ERR%3AREF-NOT-FOUND-here.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOur%204%3CSUP%3Eth%3C%2FSUP%3E%20and%20final%20post%20will%20be%20coming%20out%20shortly%2C%20stay%20tuned!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnt%C3%B3nio%20and%20Rob%3C%2FP%3E%0A%3CP%3EProgram%20Managers%26nbsp%3B-ERR%3AREF-NOT-FOUND-%40microsoft%20Defender%20ATP%20Product%20Group%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1360968%22%20slang%3D%22en-US%22%3E%3CDIV%20id%3D%22lia-teaserTinyMceEditorAntonio%20Vasconcelos_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20id%3D%22lia-teaserTinyMceEditorAntonio%20Vasconcelos_1%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3EAn%20A%20to%20Z%20guide%2C%20to%20help%20you%20understand%20what%20are%20Attack%20Surface%20Reduction%20(ASR)%20rules%20and%20how%20to%20successfully%20adopt%20it.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1360968%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDemystifying%20ASR%20rules%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1459134%22%20slang%3D%22en-US%22%3ERe%3A%20Demystifying%20attack%20surface%20reduction%20rules%20-%20Part%203%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1459134%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20great%2C%20but%20I%20just%20dont%20understand%20why%20ASR%20detects%20files%20that%20ATP%20itself%20is%20loading.%20I%20have%20the%20following%20messages%20in%20my%20timeline%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EMicrosoft.AppV.AppvClientComConsumer.ni.dll%20was%20blocked%20by%20ASR%20using%20rule%20%22loading%20non-Microsoft%20signed%20binary%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EMicrosoft.PowerShell.Commands.Management.ni.dll%20was%20blocked%20by%20ASR%20using%20rule%20%22loading%20non-Microsoft%20signed%20binary%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3ESystem.Management.Automation.ni.dll%20was%20blocked%20by%20ASR%20using%20rule%20%22loading%20non-Microsoft%20signed%20binary%22%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhich%20all%20are%20loaded%20by%3CSTRONG%3E%20..%5C%3C%2FSTRONG%3E%3CSPAN%3E%3CSTRONG%3EWindows%20Defender%20Advanced%20Threat%20Protection%5CSenseIR.exe%3C%2FSTRONG%3E%3C%2FSPAN%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20sure%20if%20this%20is%20Insider%20Build%20Related%20but%20I%20am%20perplexed%20either%20way%20why%20a%20security%20product%20is%20using%20unsigned%20DLLs%20.%20I%20guess%20i%20need%20to%20exclude%20SenseIR.exe%20from%20the%20ASR%20rules%3F%20Or%20am%20I%20missing%20something%3F%20Thanks%20in%20advance%20to%20anyone%20with%20some%20insight.%3C%2FP%3E%3C%2FLINGO-BODY%3E

Update 23/05/2020

Added new info regarding ASR GUI! A community tool that will help you reporting and setting ASR rules locally! Ideal for lab scenarios!

Kudos to Hermann Maurer!

 

Hello again and welcome to the 3rd part of our blog series on demystifying attack surface reduction (ASR) rules.

 

The 3rd part is focused on how to report and troubleshoot Microsoft Defender ATP ASR Rules, both their configuration and the audit and block events.

 

Remember that you can follow the blog series here to read all the posts on this topic.

 

Continuing with the “How” - now on how to report and troubleshoot ASR rules

 

Keeping a bit of the tradition on the former blog post parts, if you asked us what is the best possible way to report and troubleshoot ASR rules events, our answer would logically be: It depends! :)

 

And that is very much the truth. Because it will depend eventually on the actual solution of choice that you are using to enable and configure ASR rules, your licensing, your role within your organization, etc. The point is, we have multiple ways of accomplishing very similar outcomes, some with more functionalities and/or granularity than others. Part 3 is all about going through each one of those and making sure you are aware of the options.

 

#1 How can I get a report on ASR rules?

 

Microsoft 365 security center  

The Microsoft 365 security center is the new home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. Here you can easily view the security health of your organization, act to configure devices, users, and apps, and get alerts for suspicious activity. The Microsoft 365 security center is specifically intended for security admins and security operations teams to better manage and protect their organization. Visit the Microsoft 365 security center at https://security.microsoft.com.

 

In Microsoft 365 security center, we offer you a complete look at the current ASR rules configuration and events in your estate. Please note that your devices must be onboarded into the Microsoft Defender ATP service for these reports to be populated.

 

Here is a screenshot, directly taken from the Microsoft 365 security center (under Reports > Devices > Attack surface reduction ).

 

 

If you want to drill down to the device level, select Configuration from the Attack surface reduction rules pane. This will take you the following screen, where you can select a specific device and check its individual ASR rule configuration.

ASR_Report_2.png

 

Microsoft Defender ATP – Advanced hunting

One of the most powerful and coolest features of Microsoft Defender ATP is advanced hunting. If you are unfamiliar with advanced hunting, please refer to our documentation - Proactively hunt for threats with advanced hunting.

 

Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that lets you explore up to 30 days of the captured (raw) data, that Microsoft Defender ATP Endpoint Detection and Response (EDR) collects from all your machines. Through advanced hunting you can proactively inspect events in order to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.

 

Through advanced hunting, it is possible to extract ASR rules information, create reports, and get in-depth information on the context of a given ASR rule audit or block event.

 

ASR rules events are available to be queried from the DeviceEvents table in the advanced hunting section of the Microsoft Defender Security Center. For example, a simple query such as the one below can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it will be the actual codename of the ASR rule.

 

 

 

DeviceEvents 
| where Timestamp > ago(30d)   
| where ActionType startswith “Asr”
| summarize EventCount=count() by ActionType

 

 

 

AH_Query_full.png

 

The above shows that 187 events were registered for AsrLsassCredentialTheft (102 for Blocked and 85 for Audited), 2 events for AsrOfficeChildProcess (1 for Audited and 1 for Block) and 8 events for AsrPsexecWmiChildProcessAudited.

 

Now, let us say that you want to focus on the AsrOfficeChildProcess rule, and get details on the actual files and processes involved. We just need to change the filter for ActionType and replace the summarize line with a projection of the wanted fields (in this case they are DeviceName, FileName, FolderPath, etc.).

 

 

 

DeviceEvents 
| where (ActionType startswith “AsrOfficeChild”)   
| extend RuleId=extractjson(“$Ruleid”, AdditionalFields, typeof(string))
| project DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

 

 

 

ASR_Query_2.png

 

The cool thing about advanced hunting is that you can shape the queries to your liking, so that you can see the exact story of what was happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.

 

Microsoft Defender ATP machine timeline

An alternative to advanced hunting, but with a narrower scope, is the Microsoft Defender ATP machine timeline. You can view all the collected events of a device, for the past 6 months, in the Microsoft Defender Security Center, by going to the Machines list, select a given machine, and then click on the Timeline tab.

 

Pictured below is a screenshot of the Timeline view of these events on a given endpoint.  From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline.

 

MachineTimeline.png

 

 

#2 How to troubleshoot ASR rules?

 

The first and most immediate way is to check locally, on a Windows device, which ASR rules are enabled (and their configuration) is by using the PowerShell cmdlets.

Nevertheless, we will show you other sources of information that Windows offers, to troubleshoot ASR rules’ impact and operation.

 

#2.1 Querying which rules are active

One of the easiest ways to determine if ASR rules are already enabled—and, if so, which ones—is through a PowerShell cmdlet, Get-MpPreference.

 

Here is an example:

posh_1.png

As you can see, there are multiple ASR rules active, with different configured actions.

 

To expand the above information on ASR rules, you can use the properties AttackSurfaceReductionRules_Ids and/or AttackSurfaceReductionRules_Actions.

 

Example:

Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids

posh_2.png

The above shows all the IDs for ASR rules that have a setting different from 0 (Not Configured).

 

The next step is then to list the actual actions (Block or Audit) that each rule is configured with.

 

Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

posh_3.png

As you can see from the above output, mapping rules to actions via PowerShell can be a bit of a pain. You can do it manually, by copying and pasting both above results into an Excel file, but that’s not the easiest way of achieving our end goal (knowing which rules are enabled and their specific actions).

 

Don’t forget to always map the above results with the available list of rules!

 

To simplify your ASR rules troubleshooting in PowerShell, we have made a quick and dirty sample script that helps you map rules and actions in an easy way. Just pull the script from this GitHub repo.

 

Here is a small example of what the above script might output.

posh_4.png

 

Update 23/05/2020

Based on the above code, a MS colleague (Hermann Maurer), created a nice GUI both for reporting and setting ASR rules!

 

Here's how it looks:

ASR_Rules_Posh_GUI.jpg

Very slick! Files are available in his Github repo.  

 

All-in-all, although PowerShell is an important auditing/reporting mechanism to have, there are alternative ways, more streamlined ones, of checking your machine’s and estate’s current ASR rule configurations, such as the ones showed at the beginning of the blog in part 2 of this blog series, in the “How can I get a report on ASR rules?” section.

 

#2.2 Querying blocking and auditing events

 

Windows Event Viewer

ASR rule events can be viewed within the Windows Defender log.

To access it, open Windows Event Viewer, and browse to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.

eventviewer1.png

 

Microsoft Defender Malware Protection Logs

You can also view rule events through the Microsoft Defender Antivirus dedicated command-line tool, called mpcmdrun.exe, that can be used to manage and configure, as well as automate tasks if needed.

 

You can find this utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from an elevated command prompt (i.e. run as Admin).

 

To generate the support information, type MpCmdRun.exe -getfiles. After a while, several logs will be packaged into an archive (MpSupportFiles.cab) and made available in C:\ProgramData\Microsoft\Windows Defender\Support.

mpcmdrun.png

 

Extract that archive and you will have many files available for troubleshooting purposes.

The most relevant files are:

  • MPOperationalEvents.txt - This file contains same level of information found in Event Viewer for Windows Defender’s Operational log.
  • MPRegistry.txt – In this file you will be able to analyze all the current Windows Defender configurations, from the moment the support logs were captured.
  • MPLog-***.txt – This log contains more verbose information about all the actions/operations of the Windows Defender.

Looking into MPOperationalEvents.txt, we find the same sort of information we found before when we blocked Word from launching a child process.

 

mpregistry.png

 

Within another file, called MPRegistry.txt, you will find a section called “Windows Defender Exploit Guard\ASR”, where you can doublecheck what rules are active and see their configurations.

mpregistry2.png

 

In the above screenshot we can see rule “Block all Office applications from creating child processes” (D4F940AB-401B-4EFC-AADC-AD5F3C50688A) is enabled with a value of 2, which means Audit.

 

We hope you have found part 3 of our blog series about demystifying ASR rules helpful! Please let us know if you have any questions in the comments section.

 

As always, you can find all the blogs in the series here.

 

Our 4th and final post will be coming out shortly, stay tuned!

 

António and Rob

Program Managers @microsoft Defender ATP Product Group

7 Comments
Occasional Visitor

Great work Antonio! Technical but easy to understand!

Keep up the great work mate!

 

@Ggaspar Thanks! Yeah, it's always a challenge to balance deep technical info, while being of value for every person, their level of knowledge and experience with the actual topic.

Let me know what else you would like to see in this, or future, blog posts!

Occasional Contributor

Hi Antonio,

If I go to the M365 Security Center I get 0 Devices on the configuration tab (compared to your 1st screenshot). I do however see exclusions and detections. I can also hunt in Defender ATP so there seems to be underlying data. Am I missing a configuration to see data on the Configuration tab? (My devices are MDATP and Intune enrolled).

Regards

Pieter

Respected Contributor

why is there securitycenter.microsoft.com and security.microsoft.com? are there any plans to consolidate these?

@Dean Gross securitycenter.microsoft.com is the portal for Microsoft Defender ATP, while security.microsoft is the portal for Microsoft Threat Protection.

MTP will be the defacto product that will encompass all of the existing M365 Security Workloads (MDATP, AATP, OATP and MCAS).

 

So yes, MDATP portal will be migrated to MTP soon.

 

More info here:

 

Dive deep into Microsoft Threat Protection: See how we defend against threats like | SECO20

https://www.youtube.com/watch?v=NogNroy0FSM

 

Announcing Microsoft Threat Protection

https://techcommunity.microsoft.com/t5/security-privacy-and-compliance/announcing-microsoft-threat-p...

 

Microsoft Threat Protection

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection?view=o365-wo...

 

Turn on Microsoft Threat Protection

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-enable?view=o365-worldwide

@PHancke Known bug. It should be fixed soon.

Occasional Contributor

This is great, but I just dont understand why ASR detects files that ATP itself is loading. I have the following messages in my timeline:

 

Microsoft.AppV.AppvClientComConsumer.ni.dll was blocked by ASR using rule "loading non-Microsoft signed binary"
Microsoft.PowerShell.Commands.Management.ni.dll was blocked by ASR using rule "loading non-Microsoft signed binary"
System.Management.Automation.ni.dll was blocked by ASR using rule "loading non-Microsoft signed binary"

 

Which all are loaded by ..\Windows Defender Advanced Threat Protection\SenseIR.exe 

 

I'm not sure if this is Insider Build Related but I am perplexed either way why a security product is using unsigned DLLs . I guess i need to exclude SenseIR.exe from the ASR rules? Or am I missing something? Thanks in advance to anyone with some insight.