Oct 15 2020 12:49 AM
Hi,
I have a question on ASR rules. In the Security and Compliance - Reports section there is a nice overview of the rules with status of audit / blocked / not present etc., for 14 out of the 15 ASR rules.
"Block persistence through WMI event subscription" is not present in the list. I was wondering what the reason for this is. Microsoft provides some telemetry data for how many devices could have this rule implemented without impacting user productivity, but I'm not seeing it when enabled in audit mode anywhere. Does anyone have any information on this? I have a Windows version that should be compatible with the rule according to the docs.
Thanks,
Oct 27 2020 01:31 PM
Audit mode works for that specific rule - it's not clear if that is the answer to your question though...
0 = Disable
1 = Enabled/Block
2 = Audit mode
Oct 28 2020 12:20 AM
Hi and thank you.
My question is more on where I can see the number of events generated after audit mode is enabled.
"security.microsoft.com/reports" provides a nice overview of many of the ASR rules, but not for "Block persistence through WMI event subscription". So how can I use the audit mode to evaluate the impact is my question :).
Oct 28 2020 06:13 AM - edited Oct 28 2020 06:15 AM
@sintra3000 That rule should audit in that portal as well - just yesterday I saw this rule firing audits there. If it isn't, I would think that may be cause for a support ticket.
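As an added example (not posted by anyone in this thread), the following PowerShell shows the local-machine counterpart of the portal report: it puts the rule into audit mode using the 0/1/2 action values quoted above, confirms the setting, and then counts the ASR audit and block events Microsoft Defender Antivirus writes to its Operational event log. It assumes Windows 10/11 with Defender AV, an elevated PowerShell session, the documented rule GUID for "Block persistence through WMI event subscription", and that Event ID 1122 (audit) / 1121 (block) carry the rule GUID in their event data; the "Process Name" event-data field name used for the breakdown is an assumption about the event layout.

```powershell
# Added example, not from the thread. Assumes Microsoft Defender AV on
# Windows 10/11 and an elevated PowerShell session.
# Documented GUID for "Block persistence through WMI event subscription".
$RuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

# Action values as quoted in the thread: 0 = Disable, 1 = Block, 2 = Audit.
Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions 2

# Confirm the rule is now in audit mode by reading the effective preference.
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {
        "Rule $RuleId action = $($prefs.AttackSurfaceReductionRules_Actions[$i])"
    }
}

# Defender logs ASR hits locally: Event ID 1122 = rule fired in audit mode,
# Event ID 1121 = rule blocked. Pull the last 7 days.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Keep only events whose event data references this rule's GUID
# (matching on the raw XML avoids depending on field ordering).
$ruleEvents = @($events | Where-Object { $_.ToXml() -match $RuleId })

"Audit events (1122) for this rule, last 7 days: $(@($ruleEvents | Where-Object Id -eq 1122).Count)"
"Block events (1121) for this rule, last 7 days: $(@($ruleEvents | Where-Object Id -eq 1121).Count)"

# Per-process breakdown, so you can judge which software would be affected
# before switching the rule from audit (2) to block (1).
# Assumption: the event data field holding the initiating process is named 'Process Name'.
$ruleEvents | ForEach-Object {
    [xml]$x = $_.ToXml()
    $proc = ($x.Event.EventData.Data | Where-Object Name -eq 'Process Name').'#text'
    [pscustomobject]@{ Time = $_.TimeCreated; Mode = $_.Id; Process = $proc }
} | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run this on a handful of representative endpoints after a week or two in audit mode; a zero count for 1122 with the rule confirmed at action 2 means no legitimate software on that machine registers WMI event subscriptions, while a non-zero count lists the processes to review before enabling block mode. The portal report aggregates these same local events, so this also serves as a cross-check if the rule is missing from the report view.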