Attack Surface Reduction Audits are Not Appearing in My Reports


I'm relatively new to Defender for Endpoint (P2), and am still trying to set up my environment. Following the instructions, I created a number of Attack Surface Reduction rules and set them to Audit mode. These have been in place for a couple weeks now and when I go to my Reports -> Security Report, I can see that my rules are generating Audit activity. 




That's great, except that when I drill into my Reports -> Attack Surface Reduction report, I only find details for one of my ASR rules. 




It doesn't seem to matter how I Group By or Filter this report, I only ever get details for one ASR rule.


What am I doing wrong?



5 Replies
This table of content always lacks the complete rule-set. Don’t ask my why. I guess it only consolidates the most recent.
I suggest you to use AdvancedThunting. You can build querys there, which explicitly queries for the certain audit-event.
You can review the results there also export them.
Cheers Axel
Thanks Axel. I'll look into that. I also opened a trouble ticket with MSFT yesterday and sent them some logs. I'll update if that turns up anything helpful.

@Dr_Snooze, just to give you an idea:

 | where ActionType startswith "Asr"
 | where ActionType contains "Audit"
 | where Timestamp > ago(30d)
 | extend RuleGuid = tolower(tostring(parsejson(AdditionalFields).RuleId))
 | summarize EventCount=count() by ActionType
If you can believe it, that only gets me results for 2 policies. But both policies are now showing in my ASR report. ?!
To update this briefly, MSFT Support has identified this is a problem on their end. They implemented a fix, but I'm still looking at results for only 2 policies instead of the 16 I have set up. MSFT is still working on it, and I'll continue to update as I learn more.