ASR rules in audit mode - where is the auditing recorded?

Matt Pollock 256 Reputation points
2023-08-01T10:11:33.9933333+00:00

Hello,

I am testing an Attack Surface Reduction rule in Intune that controls removable storage device access, in line with the article below:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs-1

Having configured the policy rules and configured auditing as per the instructions, I am struggling to find where the results of the policy invocations/audit results are stored.

I assumed that the audit logs would be present in the M365 Defender portal under:

Reports > Attack surface reduction rules > detections

However I filter the list of detections, or the rules in the filters, I cannot see the rule I have created, nor any evidence of the policies being triggered when viewing the audit results for the affected devices.


At this point I'm thinking there are steps not covered in the article that would allow visibility of the new ASR rule and/or audit results that I have not undertaken?

Can anyone please advise?

Many Thanks


3 answers

  1. Pavel yannara Mirochnitchenko 12,916 Reputation points MVP
    2023-08-01T10:25:55.04+00:00

    You should see the rule in the ASR reports, which show which particular rule triggers an audit or a block. It might also be that you are doing an activity which does not create anything.


  2. Matt Pollock 256 Reputation points
    2023-08-01T13:19:29.7+00:00

    OK, the best I've been able to find so far is in a different area of "Reports" within Defender:

    Device Control > Device Control > Filter

    There's still no listing for any of the device control policies I have created in ASR, however I can see audit entries for the events when the policies were triggered on the test machines, by choosing one of the generic policy filter options:


  3. Andrew Blumhardt 9,956 Reputation points Microsoft Employee
    2023-08-03T03:49:02.5+00:00

    I think there is some confusion, bad/repeated use of the ASR term. The report is for the traditional ASR rules (no device control here). MDE also refers to ASR in reference to Device Control and other device hardening features. I believe Device Control will be found in the device activity log and the AH logs.

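Added here as a worked example, not part of any answer in the thread: an Advanced Hunting (KQL) query that lists the Device Control events Andrew's answer points to, which is where removable storage policy hits land rather than in the ASR rules report. It assumes the DeviceEvents table, the ActionType value RemovableStoragePolicyTriggered and the AdditionalFields keys named in the comments (as documented for removable storage access control); verify those names against your tenant's schema reference if a column comes back empty.

```kql
// Added example (not from the thread). Assumes the DeviceEvents table and the
// ActionType "RemovableStoragePolicyTriggered" emitted by Device Control;
// the AdditionalFields keys below are also assumptions to confirm in your tenant.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed = parse_json(AdditionalFields)
| extend RemovableStoragePolicy        = tostring(parsed.RemovableStoragePolicy),        // policy name from the Intune profile
         RemovableStorageAccess        = tostring(parsed.RemovableStorageAccess),        // access type attempted (read / write / execute)
         RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict), // audit vs. enforced outcome
         MediaBusType                  = tostring(parsed.BusType),
         MediaClassGuid                = tostring(parsed.ClassGuid),
         MediaInstanceId               = tostring(parsed.DeviceInstanceId)
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          RemovableStoragePolicy, RemovableStorageAccess,
          RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaInstanceId
// Roll up per device and policy so audit-mode hits are easy to count
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, RemovableStoragePolicy, RemovableStorageAccess, RemovableStoragePolicyVerdict
| order by LastSeen desc
```

Run it from the Advanced Hunting page in the Defender portal. If it returns nothing for a device where the audit policy is known to be applied, look at the raw rows (drop the summarize) and at PnP events for the same device to confirm the test action actually matched the policy's device filter.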
