Microsoft Tech Community

ASR Logging for the Block settings


I'm trying to troubleshoot some Office plugins which aren't functioning, and I'm trying to determine whether it's the various Office block settings, which I've enumerated below. When Attack Surface Reduction blocks these events, are they logged, and if so, where are those events located?


Block Win32 API calls from Office macros
Block JavaScript or VBScript from launching downloaded executable content
Block Office communication application from creating child processes
Block all Office applications from creating child processes
Block Office applications from creating executable content
Block Office applications from injecting code into other processes
I'm aware events are logged locally at Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational and I'm leveraging the Troubleshooting ASR rules documentation, but they are not helping me dig into the issue which is why I'm asking.

Thanks!

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?vi...

@dperusich 


Have you checked in the dashboard Reports -> Attack Surface Reduction Rules? This is typically where you audit within the console for audits/blocks and adding exclusions.

Hi dperusich,

Not sure if this helps, but if you go to the Hunting > Advanced hunting tab in the Defender portal and run this query:

DeviceEvents
| where ActionType contains "asr"

It will show all ASR events and whether they were blocked or audited, plus filename, folderpath etc. The default timescale is 7 days, but you can change this to 30 days.

It helped us identify issues and files/paths to add to our ASR exclusions list in Endpoint Manager/Intune.

You can also export the data, as it's easier to analyse in Excel, in my opinion.

I also found this, which may or may not be helpful:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?vi...
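An extension of the advanced hunting query from the reply above, added here as an example and not part of the original thread. It narrows the `ActionType contains "asr"` query to the Office and script rules listed in the question, splits blocks from audits, and groups by the file and parent process so the plugin path responsible can be found; the "Office"/"Script" substrings and the Blocked/Audited suffixes in the ActionType names are assumptions about the DeviceEvents naming scheme.

```kql
// Added example, not from the original thread.
// Assumptions: ASR ActionType values start with "Asr", end with
// "Blocked" or "Audited", and the Office/script rules from the question
// carry "Office" or "Script" in the name.
DeviceEvents
| where Timestamp > ago(30d)                       // the reply notes 7d default, 30d max
| where ActionType startswith "Asr"
| extend Outcome = case(ActionType endswith "Blocked", "Blocked",
                        ActionType endswith "Audited", "Audited",
                        "Other")
// keep only the rules being troubleshot (assumed naming, see above)
| where ActionType contains "Office" or ActionType contains "Script"
| summarize Hits        = count(),
            Devices     = dcount(DeviceName),
            SamplePaths = make_set(FolderPath, 5)
          by ActionType, Outcome, FileName, InitiatingProcessFileName
| order by Hits desc
```

Rows with Outcome "Blocked" whose FileName/FolderPath match the plugin are the candidates for an ASR exclusion; "Audited" rows show what would be blocked if the rule were switched from audit to block.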