Audit and monitor removable devices from Intune

A.Elrayes 186 Reputation points
2024-09-24T08:07:27.9733333+00:00

Hello Team,

I'm configuring an ASR rule to audit removable devices as follows:

USB ASR

USB reusable settings

I need to know how to get these audits; I didn't find anything related to this policy in the surface attack reduction reports.

Thanks,

Alaa ELrayes


2 answers

  1. Hardikbhai Velani 75 Reputation points
    2024-09-24T08:23:49.1533333+00:00

    To view audits for the Attack Surface Reduction (ASR) rule configuring removable devices, follow these steps:

    Method 1: Windows Event Viewer

    1. Open Event Viewer (Windows key + R, type eventvwr).
    2. Navigate to Windows Logs > Microsoft-Windows-Defender/Operational.
    3. Filter events by ID 1123 (ASR rule triggered) or ID 1124 (ASR rule blocked).
    4. Look for events related to the removable device audit.

    Method 2: Windows Defender Advanced Threat Protection (ATP)

    1. Access the Windows Defender ATP portal.
    2. Go to Reports > Advanced threat protection > Device incidents.
    3. Filter incidents by Rule = Removable device.
    4. Review incident details.

    Method 3: PowerShell

    1. Run PowerShell as an administrator.
    2. Use the Get-WinEvent cmdlet to query Defender events (the log name contains a space, so quote it):

    Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' | Where-Object { $_.Id -eq 1123 -or $_.Id -eq 1124 } | Select-Object -ExpandProperty Message

    3. Pipe output to a file for easier analysis.

    Surface Attack Reduction Reports

    Ensure you're checking the correct report:

    1. Go to Reports > Surface attack reduction.
    2. Select the desired time range.
    3. Look for Removable device audits.

    Verify:

    • ASR rule is enabled and configured correctly.
    • Removable device audit is enabled in the ASR rule.
    • Windows Defender is up-to-date.

    If you still can't find audits:

    • Check event log retention policies.
    • Verify Defender logging is enabled.
    • Consult Microsoft documentation.

    For further assistance or clarification.

    Additional resources:

    • Microsoft Docs: Configure Attack Surface Reduction
    • Microsoft Docs: Review Windows Defender Advanced Threat Protection reports
    • Windows Security Blog: Attack Surface Reduction rules


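As an added example (not part of the answer above and not Microsoft's code), the PowerShell below does what Method 3 describes in a reusable form: it reads the Defender operational log, keeps the events Defender writes when an ASR rule fires (1121 in block mode, 1122 in audit mode), pulls the rule GUID, process, path and user out of each event's XML payload, and reports only the hits for the USB-related rule, optionally writing them to a CSV. Assumptions: the log name 'Microsoft-Windows-Windows Defender/Operational' is the one present on current Windows builds; the default RuleId is the documented GUID for "Block untrusted and unsigned processes that run from USB"; and the EventData field names (ID, Process Name, Path, User) come from inspecting these events, so check them with `(Get-WinEvent ...).ToXml()` if a column comes back empty.

```powershell
# Added example: summarise ASR audit/block events for one rule from the local Defender log.
# Run from an elevated PowerShell session (reading this log needs admin rights).
param(
    # Assumption: documented GUID of "Block untrusted and unsigned processes that run from USB".
    [string]$RuleId = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
    [int]$Days = 7,
    [string]$Csv = ''          # optional output file, e.g. -Csv .\asr-usb.csv
)

# Assumption: this is the Defender operational log name on current Windows builds.
$logName = 'Microsoft-Windows-Windows Defender/Operational'
$asrIds  = @(1121, 1122)      # 1121 = rule fired in block mode, 1122 = rule fired in audit mode

$filter = @{
    LogName   = $logName
    Id        = $asrIds
    StartTime = (Get-Date).AddDays(-$Days)
}

# -FilterHashtable is evaluated by the event log service, so this is far faster
# than piping every event through Where-Object.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No ASR events (IDs $($asrIds -join ', ')) in '$logName' in the last $Days day(s)."
    return
}

$rows = foreach ($e in $events) {
    # Read named EventData fields from the XML payload instead of relying on
    # positional Properties[] indexes. Field names are an assumption (see lead-in).
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $mode = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = $mode
        RuleId  = $data['ID']            # GUID of the ASR rule that fired
        Process = $data['Process Name']  # process the rule evaluated
        Target  = $data['Path']          # file or path involved
        User    = $data['User']
    }
}

# GUID comparison is case-insensitive in PowerShell, so either casing of $RuleId works.
$matching = $rows | Where-Object { $_.RuleId -eq $RuleId } | Sort-Object Time -Descending

$matching | Format-Table Time, Mode, Process, Target, User -AutoSize
$matching | Group-Object Mode | Select-Object Name, Count

if ($Csv) {
    # Equivalent of "pipe output to a file", but structured so it can be filtered later.
    $matching | Export-Csv -Path $Csv -NoTypeInformation
    Write-Output "Wrote $($matching.Count) event(s) to $Csv"
}
```

Leave `-RuleId` at its default to look at the USB rule, or pass another ASR rule GUID to reuse the same script for a different rule; `-Days` widens the window and `-Csv` keeps a copy for later comparison against the Intune report.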
  2. ZhoumingDuan-MSFT 13,080 Reputation points Microsoft Vendor
    2024-09-25T06:00:36.4066667+00:00

    @A.Elrayes, thanks for posting in Q&A.

    From your description, I know you want to get audits about ASR policy in Intune.

    Based on my research, if you have an E5 reporting subscription and can access the Microsoft 365 Defender portal, audit events for covered access will appear in advanced hunting reports.

    https://techcommunity.microsoft.com/t5/intune-customer-success/new-device-control-capabilities-to-manage-removable-storage/ba-p/3664726

    If this report still does not meet your requirement, and since I didn't find any other information about it, due to the limitations of Q&A it is suggested that you open an online case to get more help.

    https://learn.microsoft.com/en-us/mem/get-support

    Thanks for your understanding, and I hope everything goes well with you.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
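As an added example that builds on the advanced-hunting pointer above (it is not the answer's or the linked article's code), the PowerShell below runs the hunting query for device-control (removable storage) events through Microsoft Graph and tallies the verdicts, so the audit evidence can be pulled without clicking through the portal. Assumptions: the Microsoft.Graph.Authentication module is installed; the signed-in account holds the ThreatHunting.Read.All permission; the Graph endpoint security/runHuntingQuery accepts a body with a Query property and returns a results array; and the AdditionalFields property names (RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaName, SerialNumberId) are as documented for the RemovableStoragePolicyTriggered action type. Verify those names against the schema reference in the portal before relying on the projected columns.

```powershell
# Added example: query device-control audit events via advanced hunting over Microsoft Graph.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome   # assumption: this scope covers runHuntingQuery

# KQL for the device-control events Defender raises when a removable-storage policy applies.
# Field names inside AdditionalFields are an assumption taken from the schema reference.
$kql = @'
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed = parse_json(AdditionalFields)
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          RemovableStorageAccess        = tostring(parsed.RemovableStorageAccess),
          RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict),
          MediaName                     = tostring(parsed.MediaName),
          SerialNumberId                = tostring(parsed.SerialNumberId)
| order by Timestamp desc
'@

# Assumption: POST security/runHuntingQuery with { Query } is the Graph v1.0 hunting endpoint.
$resp = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body @{ Query = $kql }

if (-not $resp.results) {
    Write-Output 'No device-control events returned for the last 7 days.'
    return
}

# Results come back as hashtables; turn them into objects so Format-Table and Group-Object work.
$rows = $resp.results | ForEach-Object { New-Object psobject -Property $_ }

$rows | Format-Table Timestamp, DeviceName, InitiatingProcessAccountName,
                     RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaName -AutoSize

# Audit-only policies show their verdict here; a count per verdict is a quick sanity check
# that the Intune policy is actually being evaluated on the devices.
$rows | Group-Object RemovableStoragePolicyVerdict | Select-Object Name, Count
```

Adjust the `ago(7d)` window as needed; the projected `SerialNumberId` is what lets you tie an event back to a specific device listed in the Intune reusable settings.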

