Attack Surface Reduction Audits are Not Appearing in My Reports

Contributor

I'm relatively new to Defender for Endpoint (P2), and am still trying to set up my environment. Following the instructions, I created a number of Attack Surface Reduction rules and set them to Audit mode. These have been in place for a couple weeks now and when I go to my Reports -> Security Report, I can see that my rules are generating Audit activity. 

 

Dr_Snooze_0-1657046483149.png

 

That's great, except that when I drill into my Reports -> Attack Surface Reduction report, I only find details for one of my ASR rules. 

 

Dr_Snooze_1-1657046586170.png

 

It doesn't seem to matter how I Group By or Filter this report, I only ever get details for one ASR rule.

 

What am I doing wrong?

 

Thanks,

5 Replies
Hi
This table of content always lacks the complete rule-set. Don’t ask my why. I guess it only consolidates the most recent.
I suggest you to use AdvancedThunting. You can build querys there, which explicitly queries for the certain audit-event.
You can review the results there also export them.
Cheers Axel
Thanks Axel. I'll look into that. I also opened a trouble ticket with MSFT yesterday and sent them some logs. I'll update if that turns up anything helpful.

@Dr_Snooze, just to give you an idea:

DeviceEvents 
 | where ActionType startswith "Asr"
 | where ActionType contains "Audit"
 | where Timestamp > ago(30d)
 | extend RuleGuid = tolower(tostring(parsejson(AdditionalFields).RuleId))
 | summarize EventCount=count() by ActionType
If you can believe it, that only gets me results for 2 policies. But both policies are now showing in my ASR report. ?!
To update this briefly, MSFT Support has identified this is a problem on their end. They implemented a fix, but I'm still looking at results for only 2 policies instead of the 16 I have set up. MSFT is still working on it, and I'll continue to update as I learn more.