A rule doesn't work as described, or doesn't block a file or process that it should (false negative). There are four steps to troubleshooting these problems:
Use audit mode to test the rule.
Checking audited ASR rules: Hey all, I wrote a KQL query to check for ASR rules being hit that are set to audited mode.
Now if I do this KQL query in advanced hunting I get no results. However, I find it weird that with 610 devices there are no hits.

In this article, I want to break down the Defender attack surface reduction rules (ASR rules) and show you what components each rule takes care of and, overall, how they can minimize the attack surface. Microsoft Defender's attack surface reduction (ASR) rules are critical for blocking malicious activities, but misconfigurations can leave gaps.
Roy Klooster's ASR Rule Inspector PowerShell script validates your ASR rules' enforcement status and provides a clear overview.

Unfortunately, we can only query the Azure AD device ID and not the object ID that we need to add the devices to groups, so we will need to use PowerShell modules or the Graph API to look up the object ID for a given device ID.

You can query attack surface reduction rule events from the DeviceEvents table in the advanced hunting section of the Microsoft Defender portal. For example, the following query shows how to report all the events that have attack surface reduction rules as data source, for the last 30 days.
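As an added example that is neither the query referred to above (which is not reproduced on this page) nor code from any of the sources quoted here, the following KQL query lists ASR events from DeviceEvents for the last 30 days and splits each rule's events into audit, block and warn outcomes, which is one way to check whether rules deployed in audit mode are producing any hits at all. It assumes the DeviceEvents ActionType naming convention of an `Asr` prefix with an `Audited`, `Blocked` or `Warned` suffix.

```kql
// Added example, not from the original page.
// ASR events in DeviceEvents use ActionType values such as
// AsrLsassCredentialTheftAudited / AsrLsassCredentialTheftBlocked (assumed naming convention).
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
// Derive the enforcement outcome from the ActionType suffix.
| extend Outcome = case(
    ActionType endswith "Audited", "Audit",
    ActionType endswith "Blocked", "Block",
    ActionType endswith "Warned",  "Warn",
    "Other")
// Strip the suffix so audit and block rows for the same rule group together.
| extend Rule = replace_regex(ActionType, @"(Audited|Blocked|Warned)$", "")
| summarize Events = count(),
            Devices = dcount(DeviceId),
            LastSeen = max(Timestamp)
            by Rule, Outcome
| order by Rule asc, Outcome asc
```

If every rule shows block rows but no audit rows while the policy says audit, check the deployed configuration on a sample device before concluding the rules are silent, since the query only reports what devices actually sent.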
You can enable ASR rules by configuring them in the Endpoint security settings or by creating a dedicated ASR policy.
Explore each rule's specific capabilities.