Enable your attack surface reduction (ASR) rules deployment

This article is part of the Attack surface reduction (ASR) rules deployment guide.

After testing ASR rules in Audit mode, transition them to Block or Warn mode, starting with your first deployment ring.

Diagram of the steps to implement ASR rules: transition from Audit to Block mode, then expand to additional rings.

Step 1: Transition ASR from Audit to Block

  1. After you determine all required exclusions for rules in Audit mode, start setting some rules to Block or Warn mode. Start with the rule with the fewest triggered events. For instructions, see Configure attack surface reduction (ASR) rules and exclusions.

  2. Review ASR rule activity. Also review feedback from your champions.

  3. Refine exclusions or create new exclusions as necessary.

Tip

Rule exclusions are better than turning off rules or switching them back to Audit mode.

Take advantage of the Warn mode in available rules to limit disruptions. Warn mode enables you to capture triggered events and view potential disruptions without actually blocking user access (they can click through the warning notification). For more information, see ASR rule modes.

Step 2: Expand deployment to ring n + 1

When you're confident you correctly configured ASR rules for ring 1, you can widen the scope of your deployment to the next ring (ring n + 1).

The deployment process for each subsequent ring is:

  1. Enable ASR rules in Audit mode.

  2. Review ASR rule activity.

  3. Create exclusions as necessary.

  4. Review ASR rule activity and refine exclusions.

  5. Set rules to Block mode.

  6. Review ASR rule activity.

  7. Create exclusions as necessary.

  8. Disable problematic rules or switch them back to Audit mode.
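The per-device mechanics behind Step 1 and the per-ring loop in Step 2 (review rule activity, promote the quietest Audit-mode rule, add an exclusion, roll back if needed), as an added PowerShell example that is not part of this article or Microsoft's own tooling. It assumes Microsoft Defender Antivirus is the active engine, the shell is elevated, and that the Defender operational log carries event ID 1122 for Audit-mode matches and 1121 for Block-mode matches; the exclusion path is a placeholder. In a ring deployment the same state changes are normally pushed through Intune or Group Policy rather than run on each device, but the review logic is the same.

```powershell
# Added example (not the article's or Microsoft's code). Assumptions: elevated
# shell, Defender Antivirus active, operational log present on the device.
$Log = 'Microsoft-Windows-Windows Defender/Operational'

# 1122 = rule matched in Audit mode, 1121 = rule matched in Block mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName = $Log; Id = 1121, 1122; StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

# Each event's property list carries the rule GUID; pick it out by shape rather
# than by field position so the script does not depend on schema ordering.
$guidPattern = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
$hits = foreach ($e in $events) {
    $ruleId = $e.Properties.Value |
        Where-Object { "$_" -match $guidPattern } |
        Select-Object -First 1
    if ($ruleId) {
        [pscustomobject]@{
            RuleId = "$ruleId".ToUpper()
            Mode   = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
        }
    }
}

# Current rule state on this device. Ids and Actions are parallel arrays;
# action codes: 0 = Disabled, 1 = Block (Enabled), 2 = AuditMode, 6 = Warn.
$pref  = Get-MpPreference
$state = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $state[$id] = $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Review step: one row per configured rule, sorted by Audit-mode hit count.
$summary = $state.Keys | ForEach-Object {
    $id = $_
    [pscustomobject]@{
        RuleId    = $id
        Action    = $state[$id]
        AuditHits = @($hits | Where-Object { $_.RuleId -eq $id -and $_.Mode -eq 'Audit' }).Count
        BlockHits = @($hits | Where-Object { $_.RuleId -eq $id -and $_.Mode -eq 'Block' }).Count
    }
} | Sort-Object AuditHits
$summary | Format-Table -AutoSize

# Step 1 of the guide: promote the Audit-mode rule with the fewest hits first.
# Add-MpPreference updates one rule's action; Set-MpPreference would replace
# the whole list, so it is avoided here. Warn limits disruption on rules that
# support it; use Enabled for full Block.
$candidate = $summary | Where-Object Action -eq 2 | Select-Object -First 1
if ($candidate) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $candidate.RuleId `
                     -AttackSurfaceReductionRules_Actions Warn
}

# Exclusion rather than disabling the rule (the article's Tip). PLACEHOLDER path:
# replace with the application your review identified as a false positive.
$exclusion = 'C:\Program Files\PLACEHOLDER\app.exe'
if (Test-Path $exclusion) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $exclusion
}

# Rollback for step 8 of the ring loop: return a problematic rule to Audit mode
# instead of disabling it, so its activity keeps being recorded.
# Add-MpPreference -AttackSurfaceReductionRules_Ids $candidate.RuleId `
#                  -AttackSurfaceReductionRules_Actions AuditMode
```

Run the review section alone first and compare the table with what your champions report; a rule with zero Audit-mode hits over the window is the safest one to move to Warn or Block, while a rule whose Block-mode count climbs after promotion is the signal to add an exclusion or revert it to Audit mode.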