ASR rule - Block persistence through WMI event subscription


Hi, 

I have a question on ASR rules. In the Security and Compliance - Reports section there is a nice overview of the rules with status of audit / blocked / not present etc. for 14 out of the 15 ASR rules.


"Block persistence through WMI event subscription" is not present in the list. I was wondering what the reason for this is. Microsoft provides some telemetry data for how many devices could have this rule implemented without impacting user productivity - but I'm not seeing it anywhere when enabled in audit mode? Does anyone have any information on this? I have Windows versions that should be compatible with the rule according to the docs.

Thanks, 


3 Replies

Audit mode works for that specific rule - it's not clear if that is the answer to your question though.

0 = Disable

1 = Enabled/Block

2 = Audit mode

@Vytas_Boyev 


Hi and thank you. 

My question is more on after audit mode is enabled, where can I see the number of events generated ?

"security.microsoft.com/reports" provides a nice overview of many of the ASR rules, but not for "Block persistence through WMI event subscription". So how can I use the audit mode to evaluate the impact is my question :).

@sintra3000 That rule should audit in that portal as well - just yesterday saw this rule firing audits there. If it isn't - I would think that may be cause for a support ticket.
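As an added example that is not part of this thread, the snippet below ties the two points together: it sets the rule to audit mode using the 0/1/2 action values listed in the first reply, then reads the rule's audit events straight from the local Defender event log, which gives a per-device impact count even when the portal report is not showing the rule. It assumes an elevated PowerShell session on a Windows 10/11 host with Microsoft Defender Antivirus, and uses Microsoft's published GUID for the "Block persistence through WMI event subscription" rule and the documented ASR event IDs (1122 = audited, 1121 = blocked); the hashtable and variable names are my own.

```powershell
# Added example (not from the thread). Put the WMI-persistence ASR rule in audit
# mode and count the audit events it raises locally before switching it to block.
# Assumptions: run elevated; Defender AV is active; the GUID is Microsoft's published
# rule id for "Block persistence through WMI event subscription".

$WmiPersistenceRule = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

# Action values as given in the reply above: 0 = Disable, 1 = Block, 2 = Audit
$AsrAction = @{ Disable = 0; Block = 1; Audit = 2 }

# 1. Enable only this rule in audit mode; Add-MpPreference leaves other rules untouched.
Add-MpPreference -AttackSurfaceReductionRules_Ids $WmiPersistenceRule `
                 -AttackSurfaceReductionRules_Actions $AsrAction.Audit

# 2. Read back the effective action so the change can be confirmed.
$prefs = Get-MpPreference
for ($i = 0; $i -lt @($prefs.AttackSurfaceReductionRules_Ids).Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $WmiPersistenceRule) {
        "Rule $WmiPersistenceRule configured with action $($prefs.AttackSurfaceReductionRules_Actions[$i]) (2 = Audit)"
    }
}

# 3. Pull ASR audit (1122) and block (1121) events from the Defender operational log
#    for the last 7 days and keep only those raised by this rule. The event message
#    carries the rule GUID, so matching on it isolates WMI-persistence hits.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $WmiPersistenceRule }

# 4. Summarise: how many audit hits, and which processes would have been blocked.
"Audit events (1122): $(@($events | Where-Object Id -eq 1122).Count)"
"Block events (1121): $(@($events | Where-Object Id -eq 1121).Count)"

$events |
    Select-Object TimeCreated, Id,
                  @{ n = 'Mode'; e = { if ($_.Id -eq 1122) { 'Audit' } else { 'Block' } } },
                  Message |
    Format-List
```

A zero count over a week of normal use is the signal the original poster is after: it means the rule can move from audit (2) to block (1) on that device without impacting user productivity. If the local log shows 1122 events but the portal report stays empty, the portal ingestion is the part to raise with support, as the last reply suggests.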