[24/09, 1:52 pm] Meta AI: To view audits for the Attack Surface Reduction (ASR) rule configuring removable devices, follow these steps:
Method 1: Windows Event Viewer
- Open Event Viewer (Windows key + R, type eventvwr).
- Navigate to Windows Logs > Microsoft-Windows-Defender/Operational.
- Filter events by ID 1123 (ASR rule triggered) or ID 1124 (ASR rule blocked).
- Look for events related to the removable device audit.
Method 2: Windows Defender Advanced Threat Protection (ATP)
- Access the Windows Defender ATP portal.
- Go to Reports > Advanced threat protection > Device incidents.
- Filter incidents by Rule = Removable device.
- Review incident details.
Method 3: PowerShell
- Run PowerShell as an administrator.
- Use the Get-WinEvent cmdlet to query Defender events:
  # The Defender operational channel is actually named "Microsoft-Windows-Windows Defender/Operational";
  # the name contains a space, so it must be quoted or Get-WinEvent reports that no such log exists.
  Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' |
      Where-Object { $_.Id -eq 1123 -or $_.Id -eq 1124 } |
      Select-Object -ExpandProperty Message
- Pipe output to a file for easier analysis.
Surface Attack Reduction Reports
Ensure you're checking the correct report:
- Go to Reports > Surface attack reduction.
- Select the desired time range.
- Look for Removable device audits.
Verify:
- ASR rule is enabled and configured correctly.
- Removable device audit is enabled in the ASR rule.
- Windows Defender is up-to-date.
If you still can't find audits:
- Check event log retention policies.
- Verify Defender logging is enabled.
- Consult Microsoft documentation for further assistance or clarification.
Additional resources:
- Microsoft Docs: Configure Attack Surface Reduction
- Microsoft Docs: Review Windows Defender Advanced Threat Protection reports
- Windows Security Blog: Attack Surface Reduction rules