Apr 13 2020 01:50 AM
Hi All, I posted this under a comparison between MDATP & Symantec, but thinking more about this it needs its own thread.
We are setting ASR rules to Audit only to start with and making sure that we understand what needs to be added so that we don't inadvertently break things as we enforce the rules.
Some tips for others that might help?
Reviewing the Audit log details from the Event Viewer looks like a big time suck; it's easier to do this from the Advanced Hunting console in either the Defender or the Threat Protection console using something like this:
The neat part of this is that you can now download this in a much easier to read spreadsheet/csv format
The other aspect I am investigating is how to run an assurance test to validate/check on the actual device that you are getting the correct settings that are required (this is tedious) so there are some tools that can help:
Next step is to see if it's possible to upload/import the resulting security into Intune as a new baseline perhaps; we'll see as we dig into this area.
Regards,
Socially distancing Dave ;)
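As an added example (not part of the original post, and not a Microsoft tool), here is a PowerShell script that covers the local-device side of what the post describes: an assurance check that the ASR rules on the device are in the mode you intended, plus a quick roll-up of the audit-mode events that are tedious to read one at a time in Event Viewer. It assumes Windows 10 with Microsoft Defender Antivirus, an elevated PowerShell session, and an English-locale event log; the rule GUIDs are transcribed from Microsoft's published ASR rule list (a subset only), and the regex parsing of the rendered event message is an assumption you should confirm against one of your own 1122 events.

```powershell
# Added example, not part of the original post: a local-device assurance check for
# Microsoft Defender ASR rules, plus a summary of ASR audit events (Event ID 1122).
# Assumes Windows 10 with Defender AV, an elevated PowerShell session, and an
# English-locale event log (the message regexes below are an assumption).

# Rule GUIDs transcribed from Microsoft's published ASR rule list, mapped to short
# names so the output is readable. Subset only; extend from the official list.
$ruleNames = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# AttackSurfaceReductionRules_Actions values as exposed by Get-MpPreference.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# What is actually configured on this device (Intune, GPO and Set-MpPreference all land here).
function Get-AsrRuleState {
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = ([string]$ids[$i]).Trim('{}').ToUpperInvariant()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = $(if ($ruleNames.ContainsKey($id)) { $ruleNames[$id] } else { '(name not in local table)' })
            Mode   = $(if ($modeNames.ContainsKey($code)) { $modeNames[$code] } else { "Unknown($code)" })
        }
    }
}

# Assurance test: compare the device against the mode you intended for each rule.
# $Expected is a hashtable of RuleId -> 'Audit' | 'Block' | 'Warn' | 'Disabled'.
function Test-AsrBaseline {
    param([Parameter(Mandatory)][hashtable]$Expected)
    $actual = @{}
    Get-AsrRuleState | ForEach-Object { $actual[$_.RuleId] = $_.Mode }
    foreach ($id in $Expected.Keys) {
        $key  = $id.ToUpperInvariant()
        $have = if ($actual.ContainsKey($key)) { $actual[$key] } else { 'Not configured' }
        [pscustomobject]@{
            RuleId   = $key
            Name     = $ruleNames[$key]
            Expected = $Expected[$id]
            Actual   = $have
            OK       = ($have -eq $Expected[$id])
        }
    }
}

# Summarise what the rules WOULD have blocked: Event ID 1122 is "ASR rule fired in
# audit mode" (1121 is the block-mode equivalent) in the Defender operational log.
function Get-AsrAuditSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the rendered message carries "ID:", "Path:" and "Process Name:" lines.
            $m = $_.Message
            $ruleId = if ($m -match 'ID:\s*\{?([0-9A-Fa-f-]{36})\}?') { $Matches[1].ToUpperInvariant() } else { 'unknown' }
            $path   = if ($m -match '(?m)^\s*Path:\s*(.+?)\s*$')         { $Matches[1] } else { 'unknown' }
            $proc   = if ($m -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Time = $_.TimeCreated; RuleId = $ruleId; Rule = $ruleNames[$ruleId]; Path = $path; Process = $proc }
        } |
        Group-Object RuleId, Process, Path |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{ Count = $_.Count; Rule = $first.Rule; RuleId = $first.RuleId; Process = $first.Process; Path = $first.Path }
        } |
        Sort-Object Count -Descending
}

# Usage: the pilot baseline (every rule in Audit), the device check, then a CSV of
# what would have been blocked over the last 30 days for the review spreadsheet.
$expected = @{}
foreach ($id in $ruleNames.Keys) { $expected[$id] = 'Audit' }
Test-AsrBaseline -Expected $expected | Format-Table -AutoSize
Get-AsrAuditSummary -Days 30 | Export-Csv -NoTypeInformation -Path .\asr-audit-summary.csv
```

The useful part of the CSV is the Process/Path pairs that fire repeatedly under a given rule: those are the line-of-business apps and scripts that need an exclusion (or a conversation with the owner) before that rule goes to Block, and any rule whose Actual column reads "Not configured" or "Unknown" is a sign the Intune or GPO policy never reached the device.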
May 18 2020 11:33 PM
Thanks a lot for sharing this @David Caddick
I have my ASR rules set to audit mode now and am slowly tweaking it to get it right before I start in block mode.