Attack surface reduction (ASR) rules report

Applies to:

Platforms:

  • Windows

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The attack surface reduction (ASR) rules report provides information about the attack surface reduction rules that are applied to devices in your organization. This report also provides information about:

  • detected threats
  • blocked threats
  • devices that aren't configured to use the standard protection rules to block threats

Additionally, this report provides an easy-to-use interface that enables you to:

  • View threat detections
  • View the configuration of the ASR rules
  • Configure (add) exclusions
  • Easily activate basic protection by enabling the three most recommended ASR rules with a single toggle
  • Drill down to gather detailed information

For more information about individual attack surface reduction rules, see Attack surface reduction rules reference.

Prerequisites

Important

For Windows Server 2012 R2 and Windows Server 2016 to appear in the Attack surface reduction rules report, these devices must be onboarded using the modern unified solution package. For more information, see New functionality in the modern unified solution for Windows Server 2012 R2 and 2016.

Report access permissions

To access the Attack surface reduction rules report in the Microsoft 365 Security dashboard, the following permissions are required:

Permission type Permission Permission display name
Application Machine.Read.All 'Read all machine profiles'
Delegated (work or school account) Machine.Read 'Read machine information'

To assign these permissions:

  1. Sign in to Microsoft 365 Defender using account with Security administrator or Global administrator role assigned.
  2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).
  3. Select the role you'd like to edit.
  4. Select Edit.
  5. In Edit role, on the General tab, in Role name, type a name for the role.
  6. In Description type a brief summary of the role.
  7. In Permissions, select View Data, and under View Data select Attack surface reduction.

For more information about user role management, see Create and manage roles for role-based access control.

To navigate to the summary cards for the attack surface reduction rules report

  1. Open Microsoft 365 Defender portal.
  2. In the left panel, clickReports, and in the main section, under Reports select Security report.
  3. Scroll down to Devices to find the Attack surface reduction rules summary cards.

The summary report cards for ASR rules are shown in the following figure.

Shows the ASR rules report summary cards

ASR rules report summary cards

The ASR rules report summary is divided into two cards:

ASR rules detections summary card

Shows a summary of the number of detected threats blocked by ASR rules.

Provides two 'action' buttons:

  • View detections - opens the Attack surface reduction rules > main Detections tab
  • Add exclusions - Opens the Attack surface reduction rules > main Exclusions tab

Shows the ASR rules report summary detections card.

Clicking on the ASR rules detections link at the top of the card also opens the main Attack surface reduction rules Detections tab.

ASR rules configuration summary card

The top section focuses on three recommended rules, which protect against common attack techniques. This card shows current-state information about the computers in your organization that have the following Three (ASR) standard protection rules set in Block mode, Audit mode, or off (not configured).The Protect devices button will show full configuration details for only the three rules; customers can quickly take action to enable these rules.

The bottom section surfaces six rules based on the number of unprotected devices per rule. The "View configuration" button surfaces all configuration details for all ASR rules. The "Add exclusion" button shows the add exclusion page with all detected file/process names listed for Security Operation Center (SOC) to evaluate. The Add exclusion page is linked to Microsoft Endpoint Manager (MEM).

Provides two 'action' buttons:

  • View configuration - opens the Attack surface reduction rules > main Detections tab
  • Add exclusions - Opens the Attack surface reduction rules > main Exclusions tab

Shows the ASR rules report summary configuration card.

Clicking on the ASR rules configuration link at the top of the card also opens the main Attack surface reduction rules Configuration tab.

Simplified standard protection option

The configuration summary card provides a button to Protect devices with the three standard protection rules. At minimum, Microsoft recommends that you enable these three attack surface reduction standard protection rules:

To enable the three standard protection rules:

  1. Select Protect devices. The main Configuration tab opens.
  2. On the Configuration tab, Basic rules automatically toggles from All rules to Standard protection rules enabled.
  3. In the Devices list, select the devices for which you want the standard protection rules to apply, and then select Save.

This card has two other navigation buttons:

  • View configuration - Opens the Attack surface reduction rules > main Configuration tab.
  • Add exclusions - Opens the Attack surface reduction rules > main Exclusions tab.

Clicking on the ASR rules configuration link at the top of the card also opens the main Attack surface reduction rules Configuration tab.

Attack surface reduction rules main tabs

While the ASR rules report summary cards are useful for getting quick summary of your ASR rules status, the main tabs provide more in-depth, information with filtering and configuration capabilities:

Search capabilities

Search capability is added to Detection, Configuration, and Add exclusion main tabs. With this capability, you can search by using device ID, file name, or process name.

Shows the ASR rules report search feature.

Shows the ASR rules report search feature on the configuration tab.

Filtering

Filtering provides a way for you to specify what results are returned:

  • Date enables you to specify a date range for data results.
  • Filters

Shows the ASR rules report filtering feature

Attack surface reduction rules main detections tab

  • Audit Detections Shows how many threat detections were captured by rules set in Audit mode.
  • Blocked Detections Shows how many threat detections were blocked by rules set in Block mode.
  • Large, consolidated graph Shows blocked and audited detections.

Shows the ASR rules report main detections tab, with _Audit detections_ and _Blocked detections_ outlined.

The graphs provide detection data over the displayed date range, with the capability to hover over a specific location to gather date-specific information.

The bottom section of the report lists detected threats - on a per-device basis - with the following fields:

Field name Definition
Detected file The file determined to contain a possible or known threat
Detected on The date the threat was detected
Blocked/Audited? Whether the detecting rule for the specific event was in Block or Audit mode
Rule Which rule detected the threat
Source app The application that made the call to the offending "detected file"
Device The name of the device on which the Audit or Block event occurred
Device group The Active Directory group to which the device belongs
User The machine account responsible for the call
Publisher The company that released the particular .exe or application

For more information about ASR rule audit and block modes, see Attack surface reduction rule modes.

Actionable flyout

The "Detection" main page has a list of all detections (files/processes) in the last 30 days. Select on any of the detections to open with drill-down capabilities.

Shows the ASR rules report main detections tab flyout

The Possible exclusion and impact section provides impact of the selected file or process. You can:

  • Select Go hunt which opens the Advanced Hunting query page
  • Open file page opens Microsoft Defender for Endpoint (MDE) detection
  • The Add exclusion button is linked with the add exclusion main page.

The following image illustrates how the Advanced Hunting query page opens from the link on the actionable flyout:

Shows the (ASR) rules report main detections tab flyout link opening Advanced Hunting

For more information about Advanced hunting, see Proactively hunt for threats with advanced hunting in Microsoft 365 Defender

Attack surface reduction rules main Configuration tab

The ASR rules main Configuration tab provides summary and per-device ASR rules configuration details. There are three main aspects to the Configuration tab:

Basic rules Provides a method to toggle results between Basic rules and All Rules. By default, Basic rules is selected.

Device configuration overview Provides a current snapshot of devices in one of the following states:

  • All exposed Devices (devices with missing prerequisites, rules in Audit mode, misconfigured rules, or rules not configured)
  • Devices with rules not configured
  • Devices with rules in audit mode
  • Devices with rules in block mode

The lower, unnamed section of the Configuration tab provides a listing of the current state of your devices (on a per-device basis):

  • Device (name)
  • Overall configuration (Whether any rules are on or all are off)
  • Rules in block mode (the number of rules per-device set to block)
  • Rules in audit mode (the number of rules in audit mode)
  • Rules turned off (rules that are turned off or aren't enabled)
  • Device ID (device GUID)

These elements are shown in the following figure.

Shows the ASR rules report main configuration tab

To enable ASR rules:

  1. Under Device, select the device or devices for which you want to apply ASR rules.
  2. In the flyout window, verify your selections and then select Add to policy.

The Configuration tab and add rule flyout are shown in the following image.

[NOTE!] If you have devices that require that different ASR rules be applied, you should configure those devices individually.

Shows the ASR rules fly-out to add ASR rules to devices

Attack surface reduction rules Add exclusions tab

The Add exclusions tab presents a ranked list of detections by file name and provides a method to configure exclusions. By default, Add exclusions information is listed for three fields:

  • File name The name of the file that triggered the ASR rules event.
  • Detections The total number of detected events for named file. Individual devices can trigger multiple ASR rules events.
  • Devices The number of devices on which the detection occurred.

Shows the ASR rules report add exclusions tab

Important

Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files are allowed to run, and no report or event will be recorded. If ASR rules are detecting files that you believe shouldn't be detected, you should use audit mode first to test the rule.

When you select a file, a Summary & expected impact fly out opens, presenting the following types of information:

  • Files selected The number of files you've selected for exclusion
  • (number of) detections States the expected reduction in detections after adding the selected exclusion(s). The reduction in detections is represented graphically for Actual detections and Detections after exclusions
  • (number of) affected devices States the expected reduction in devices that report detections for the selected exclusions.

The Add exclusion page has two buttons for actions that can be used on any detected files (after selection). You can:

  • Add exclusion which will open Microsoft Endpoint Manager (MEM) ASR policy page. For more information, see: MEM in "Enable ASR rules alternate configuration methods."
  • Get exclusion paths which will download file paths in a csv format

Shows the ASR rules report add exclusions tab flyout impact summary

See also