MDATP - ASR Audit mode & Validating settings at client level

Frequent Contributor

Hi All, I posted this under a comparison between MDATP & Symantec, but thinking more about this it needs it's own thread.

We are setting ASR rules to Audit only to start with and making sure that we understand what needs to be added so that we don't inadvertanly break things as we enforce the rules.


Some tips for others that might help?

Reviewing the Audit log details from the Event Viewer looks like a big time suck, it's easier to do this from the Advanced Hunting console in either the Defender or the Threat Protection console using something like this:  

  1. DeviceEvents
  2. //Define which machine you are targetting - |where DeviceName startswith "name_of_device"
  3. |where ActionType startswith "Asr" or ActionType startswith "Exp"

The neat part of this is that you can now download this in a much easier to read spreadsheet/csv format

The other aspect I am investigating is how to run an assurance test to validate/check on the actual device that you are getting the correct settings that are required (this is tedious) so there are some tools that can help:

  1. HardeningAuditor tool - looks brilliant, although has focused on the Australian ASD guides for 1709, so needs some updating -
  2. Microsofts Security Compliance Tool -

 Next step is to see if it's possible to upload/import the resulting security into Intune as a new baseline perhaps, we'll see as we dig into this area



Socially distancing Dave ;)

1 Reply

Thanks a lot for sharing this @David Caddick 


I have my ASR rules set to audit mode now and slowly tweaking it to get it right before I start in block mode.