Jul 05 2022 11:46 AM
I'm relatively new to Defender for Endpoint (P2), and am still trying to set up my environment. Following the instructions, I created a number of Attack Surface Reduction rules and set them to Audit mode. These have been in place for a couple weeks now and when I go to my Reports -> Security Report, I can see that my rules are generating Audit activity.
That's great, except that when I drill into my Reports -> Attack Surface Reduction report, I only find details for one of my ASR rules.
It doesn't seem to matter how I Group By or Filter this report, I only ever get details for one ASR rule.
What am I doing wrong?
Thanks,
Jul 07 2022 04:57 AM
Jul 07 2022 08:10 AM
Jul 07 2022 10:16 AM
@Dr_Snooze, just to give you an idea:
DeviceEvents
| where ActionType startswith "Asr"
| where ActionType contains "Audit"
| where Timestamp > ago(30d)
| extend RuleGuid = tolower(tostring(parsejson(AdditionalFields).RuleId))
| summarize EventCount=count() by ActionType
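A per-rule breakdown built on the query above, as an added example that is not part of the original reply. It groups on the extracted RuleGuid as well as ActionType, so every ASR rule that logged audit events gets its own row to compare against the report; the DeviceId and InitiatingProcessFileName columns of DeviceEvents and the 30-day window are assumptions of this example.

```kusto
// Added example: one row per ASR rule that produced audit events in the last 30 days.
DeviceEvents
| where Timestamp > ago(30d)                          // filter on time first to narrow the scan
| where ActionType startswith "Asr"
| where ActionType contains "Audit"
// RuleId inside AdditionalFields identifies the ASR rule that fired
| extend RuleGuid = tolower(tostring(parse_json(AdditionalFields).RuleId))
| summarize
    EventCount = count(),                             // total audit hits for the rule
    Devices = dcount(DeviceId),                       // approximate number of devices that triggered it
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleProcesses = make_set(InitiatingProcessFileName, 5)   // up to 5 distinct initiating processes
    by ActionType, RuleGuid
| order by EventCount desc
```

A rule that is configured in Audit mode but missing from the output logged no audit events in the window; a rule that appears here but not in the report points at the report rather than the rule configuration.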
Jul 07 2022 11:44 AM
Jul 11 2022 10:32 AM
Sep 08 2022 11:21 AM
Sep 13 2022 10:34 AM