cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ASR Logging for the Block settings

dperusich
Copper Contributor

‎Apr 28 2023 12:04 PM

‎Apr 28 2023 12:04 PM

ASR Logging for the Block settings

I'm trying to troubleshoot some office plugin which aren't functioning and I'm trying to determine whether it's the various Office block settings, which I've enumerated below. When Attack Surface Reduction blocks these events are they logged and if so where are those events located?

 

Block Win32 API calls from Office macros
Block JavaScript or VBScript from launching downloaded executable content
Block Office communication application from creating child processes
Block all Office applications from creating child processes
Block Office applications from creating executable content
Block Office applications from injecting code into other processes
686 Views
0 Likes
3 Replies
Reply
3 Replies
dperusich

‎Apr 28 2023 12:20 PM

‎Apr 28 2023 12:20 PM

Re: ASR Logging for the Block settings

I'm aware events are logged locally at Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational and I'm leveraging the Troubleshooting ASR rules documentation, but they are not helping me dig into the issue which is why I'm asking.

Thanks!

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?vi...
0 Likes
Reply
rockyte

‎May 07 2023 04:44 AM - edited ‎May 07 2023 04:45 AM

‎May 07 2023 04:44 AM - edited ‎May 07 2023 04:45 AM

Re: ASR Logging for the Block settings

@dperusich 

 

Have you checked in the dashboard Reports -> Attack Surface Reduction Rules?  This is typically where you audit within the console for audits/blocks and adding exclusions.

1 Like
Reply
GI472

‎May 18 2023 08:06 PM - edited ‎May 18 2023 08:07 PM

‎May 18 2023 08:06 PM - edited ‎May 18 2023 08:07 PM

Re: ASR Logging for the Block settings

Hi dperusich,

Not sure if this helps, but if you go to the Hunting > Advanced hunting tab in the Defender portal and run this query:

DeviceEvents
| where ActionType contains "asr"

It will show all ASR events and whether they were blocked or audited, plus filename, folderpath etc. The default timescale is 7 days, but you can change this to 30 days.

It helped us identify issues and files/paths to add to our ASR exclusions list in Endpoint Manager/Intune.

You can also export the data, as it's easier to analyse in Excel, in my opinion.

I also found this, which may or may not be helpful:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?vi...

0 Likes
Reply