Attack Surface Reduction Audits are Not Appearing in My Reports


I'm relatively new to Defender for Endpoint (P2), and am still trying to set up my environment. Following the instructions, I created a number of Attack Surface Reduction rules and set them to Audit mode. These have been in place for a couple weeks now and when I go to my Reports -> Security Report, I can see that my rules are generating Audit activity. 


That's great, except that when I drill into my Reports -> Attack Surface Reduction report, I only find details for one of my ASR rules. 


It doesn't seem to matter how I Group By or Filter this report, I only ever get details for one ASR rule.

What am I doing wrong?

Thanks,

7 Replies
Hi
This table of contents always lacks the complete rule set. Don't ask me why. I guess it only consolidates the most recent.
I suggest you use Advanced Hunting. You can build queries there which explicitly query for a certain audit event.
You can review the results there and also export them.
Cheers Axel
Thanks Axel. I'll look into that. I also opened a trouble ticket with MSFT yesterday and sent them some logs. I'll update if that turns up anything helpful.

@Dr_Snooze, just to give you an idea:

```kusto
// ASR audit events from the last 30 days, counted per ActionType.
// RuleId lives inside the AdditionalFields JSON, so it is extracted and lower-cased here.
DeviceEvents
| where ActionType startswith "Asr"
| where ActionType contains "Audit"
| where Timestamp > ago(30d)
| extend RuleGuid = tolower(tostring(parse_json(AdditionalFields).RuleId))
| summarize EventCount = count() by ActionType
```
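As an added example (not from this thread or from Microsoft's own documentation), the same idea extended to count per rule GUID as well as per ActionType, with device counts and first/last-seen times, so that every configured rule that actually produced audit events is listed on its own row. It assumes, as the query above does, that ASR audit events in DeviceEvents carry the rule's GUID in the `RuleId` property of `AdditionalFields`.

```kusto
// Added example: one row per (rule GUID, ActionType) over the last 30 days.
// A rule that is configured but never triggered will not appear here at all,
// which is the expected behaviour when there is no matching activity to audit.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr" and ActionType contains "Audit"
// RuleId is stored inside the AdditionalFields JSON string (assumed, as in the query above)
| extend RuleGuid = tolower(tostring(parse_json(AdditionalFields).RuleId))
| summarize EventCount  = count(),
            DeviceCount = dcount(DeviceId),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp)
    by RuleGuid, ActionType
| order by EventCount desc
```

Comparing the GUIDs returned here against the rule GUIDs in your ASR policy shows directly which rules are firing in audit mode and which have simply seen no matching activity.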
If you can believe it, that only gets me results for 2 policies. But both policies are now showing in my ASR report. ?!
To update this briefly, MSFT Support has identified this is a problem on their end. They implemented a fix, but I'm still looking at results for only 2 policies instead of the 16 I have set up. MSFT is still working on it, and I'll continue to update as I learn more.
Still working on it...
Okay. I finally got this resolved. I had to reach out to Microsoft Support. They did some back end tinkering and I started getting results for more audits. Note that if you aren't generating any audits, then you won't see anything on your run. Hope that helps someone else.

Thanks again to everyone!