Public Preview: Attack Surface Reduction (ASR) Rules Report 2.0 in Microsoft 365 Defender


Guest OludeleOgunrinde
Posted

Attack Surface Reduction (ASR) rules reporting was one of the first end-to-end Endpoint Protection Platform (EPP) reports we completed, several years ago. Based on your feedback, we are improving the ASR Rules report so that ASR rules are easier to understand, enable, and configure in block mode. We invest in modern ASR rules because they provide strong prevention benefits for organizations.

Important note: This report is currently available to Public Preview customers.

To access the report, go to the M365D portal (security.microsoft.com) -> Reports and open one of the following (detection card, configuration card, and main report respectively):

  1. Security report -> Devices -> ASR rule detections
  2. Security report -> Devices -> ASR rule configuration
  3. Reports -> attack surface reduction rules

Requirements:

  • Protected devices have or later, or Windows Server 2012 R2 (some rules are not applicable) or later.
  • Your organization uses Microsoft Defender Antivirus with cloud-delivered protection enabled. See Use cloud-delivered protection.
  • Microsoft Defender for Endpoint is in active mode.
  • Engine version is 1.1.17300.4 or later.

Link: Enable attack surface reduction rules | Microsoft Docs

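A quick way to confirm the requirements above on an individual device, added here as an example and not taken from the Microsoft post: it reads Defender Antivirus status with the built-in Defender PowerShell module and checks the engine version, cloud-delivered protection, active mode, and the Defender for Endpoint sensor. The function name and the use of the Sense service as the onboarding signal are my choices, not something the post states.

```powershell
# Added example (not from the Microsoft post): checks, on one Windows device,
# the prerequisites the post lists for the ASR rules report.
# Requires the Defender PowerShell module (Get-MpComputerStatus / Get-MpPreference),
# which ships with Windows 10/11 and Windows Server.

function Test-AsrReportPrerequisites {
    [CmdletBinding()]
    param(
        # Minimum engine version from the post's requirements list.
        [version]$MinimumEngineVersion = [version]'1.1.17300.4'
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMRunningMode is "Normal" when Defender Antivirus is the active AV;
    # "Passive Mode" / "EDR Block Mode" mean a third-party AV is primary.
    $activeMode = $status.AMRunningMode -eq 'Normal'

    # MAPSReporting 0 = cloud-delivered protection off, 1 = basic, 2 = advanced.
    $cloudProtection = $pref.MAPSReporting -ne 0

    # The Sense service is the Defender for Endpoint sensor; a running sensor is
    # used here (my assumption) as the sign that the device is onboarded and can
    # report ASR events to the portal.
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $onboarded = ($null -ne $sense) -and ($sense.Status -eq 'Running')

    $engineOk = [version]$status.AMEngineVersion -ge $MinimumEngineVersion

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OSVersion            = [Environment]::OSVersion.Version.ToString()
        EngineVersion        = $status.AMEngineVersion
        EngineVersionOk      = $engineOk
        CloudProtectionOn    = $cloudProtection
        RunningMode          = $status.AMRunningMode
        DefenderAvActiveMode = $activeMode
        MdeSensorRunning     = $onboarded
        AllPrerequisitesMet  = $engineOk -and $cloudProtection -and $activeMode -and $onboarded
    }
}

Test-AsrReportPrerequisites | Format-List
```

Run it in an elevated PowerShell session on a device you expect to appear in the report; a device that fails any of these checks will show up with incomplete or no data, so this is the first thing to verify when the report and the device's actual state disagree.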
What is new with the ASR rules report 2.0?

  1. Insightful summary cards: The new card experience provides summary information about the ASR detection and configuration state in your digital estate. The detection card (Figure 1) is divided into two sections, as shown below:

Figure 1: Detection card

The configuration card (Figure 2) also has top and bottom sections.

  • The top section focuses on the Standard protection rules, which protect against common attack techniques. The “Protect devices” button shows the full configuration details for those three rules only, so customers can quickly take action to enable them.
  • The bottom section surfaces six rules based on the number of unprotected devices per rule. The “View configuration” button surfaces the configuration details for all ASR rules. The “Add exclusion” button opens the add exclusion page, which lists all detected file/process names for the Security Operations Center (SOC) to evaluate.

Figure 2: Configuration card

  2. Filters: A new filter capability (Figure 3 and Figure 4) lets you filter by date and device group, and includes a toggle to show “Standard protection” rules or all rules. This allows users to streamline what they want to view in the report.

Figure 3: Detection filter

Figure 4: Detection filter flyout

  3. New detection trend: The ASR rules report 2.0 includes small but insightful charts (Figure 5) to help the SOC team visualize how ASR detections are trending in their environments.

Figure 5: Detection trends

  4. Search bar: A new search capability is added to the detection (Figure 6), configuration (Figure 7), and “Add exclusion” (Figure 8) landing pages. With this capability, you can search by file name, process name, or device ID.

Figure 6: Detection search bar

Figure 7: Configuration page search bar

Figure 8: Add exclusion page search bar

  5. Actionable flyout: The “Detection” main page lists all detections (files/processes) from the last four weeks. Clicking any detection (Figure 9) surfaces an intuitive flyout with drill-down capability on the right side of the page. The “Possible exclusion and impact” section (Figure 9) shows the impact of the file/process in your digital estate. “Go hunt” (Figure 9) opens the Advanced Hunting query page (Figure 10), “Open file page” (Figure 9) opens the Microsoft Defender for Endpoint (MDE) detection (Figure 11), and the “Add exclusion” button (Figure 9) links to the add exclusion main page.

Figure 9: Detection flyout

Figure 10: Advanced hunting page

Figure 11: MDE page

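The “Go hunt” button opens Advanced Hunting for a single detection. The following is an added example, not part of the post or of the report itself: it runs an equivalent query for all ASR events of the last four weeks through the Microsoft Graph advanced hunting API, so the same data can be aggregated or scheduled outside the portal. It assumes you already hold a Graph access token with the ThreatHunting.Read.All permission (the token value shown is a placeholder); the `Asr` ActionType prefix and the `DeviceEvents` columns come from the documented Advanced Hunting schema, not from the post, and the function name is mine.

```powershell
# Added example (not from the Microsoft post): aggregates ASR events from the
# last four weeks (the window the report's detection page covers) through the
# Microsoft Graph advanced hunting API instead of the portal's "Go hunt" button.
# Assumption: $AccessToken is a valid Graph token with ThreatHunting.Read.All.

function Get-AsrDetectionSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$AccessToken,
        [int]$Days = 28,   # the report's detection page covers the last four weeks
        [int]$Top  = 50
    )

    # ASR events land in DeviceEvents with ActionType values prefixed "Asr"
    # (e.g. *Blocked, *Audited, *Warned). Grouping by rule action, file and
    # folder mirrors the rows the report's detection list shows.
    $kql = @"
DeviceEvents
| where Timestamp > ago(${Days}d)
| where ActionType startswith "Asr"
| summarize Detections = count(), Devices = dcount(DeviceId), LastSeen = max(Timestamp)
    by ActionType, FileName, FolderPath
| order by Detections desc
| take $Top
"@

    $response = Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType 'application/json' `
        -Body (@{ Query = $kql } | ConvertTo-Json)

    # Each result row is an object keyed by the query's output column names.
    foreach ($row in $response.results) {
        [pscustomobject]@{
            ActionType = $row.ActionType
            FileName   = $row.FileName
            FolderPath = $row.FolderPath
            Detections = $row.Detections
            Devices    = $row.Devices
            LastSeen   = $row.LastSeen
        }
    }
}

# Usage. The token is a placeholder: obtain one through your tenant's app
# registration or an existing Connect-MgGraph session.
# Get-AsrDetectionSummary -AccessToken '<GRAPH_ACCESS_TOKEN>' | Format-Table -AutoSize
```

The Devices column is the piece the portal's flyout summarizes as “Possible exclusion and impact”: a file blocked on many devices is usually a line-of-business tool that needs an exclusion review, while a file seen once on one device is more likely a genuine prevention and belongs in the SOC triage queue rather than on the exclusion page.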
  6. Device configuration state: The “Configuration” main page has a detailed summary of all ASR rules for all onboarded MDE devices. It also has radio buttons (Rules, Figure 12) to select either “Standard protection” or “All”. The image below (Figure 12) shows the “Device configuration overview” section of the page.

Figure 12: Device configuration overview section

  7. Device configuration flyout: The flyout (Figure 13) displays the state of each MDE-onboarded device in your environment. The flyout also surfaces a new category called warn mode. Furthermore, you can add the device to your policy in MEM through the “Add policy” button (Figure 13).

Figure 13: Device configuration overview section

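To compare the configuration states the flyout shows against what a device actually enforces, here is an added example (not from the post): it reads the locally applied ASR rule list with the Defender PowerShell module and groups the rules by mode using the module's action codes (0 disabled, 1 block, 2 audit, 6 warn). The function name is mine; a rule GUID that does not appear in the output is simply not configured on that device.

```powershell
# Added example (not from the Microsoft post): summarizes, for the local device,
# which ASR rules are configured and in which mode, mirroring the states the
# report's device configuration flyout shows (disabled, block, audit, warn).
# Requires the Defender PowerShell module (Get-MpPreference).

function Get-AsrRuleState {
    [CmdletBinding()]
    param()

    # Get-MpPreference returns two parallel arrays: the rule GUIDs and the action
    # code applied to the rule at the same index.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # Action codes used by the Defender PowerShell module.
    $modeName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        if ($modeName.ContainsKey($code)) { $mode = $modeName[$code] }
        else                              { $mode = "Unknown($code)" }

        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $code
            Mode   = $mode
        }
    }
}

$rules = Get-AsrRuleState

# Breakdown by mode: the same split a rollout toward block mode is tracked against.
$rules | Group-Object Mode | Select-Object Name, Count | Format-Table -AutoSize

# Rules still in audit or warn mode are the candidates for the next block-mode
# wave; review the detections listed on the report's "Add exclusion" page first.
$rules | Where-Object Mode -in 'Audit', 'Warn' | Format-Table RuleId, Mode -AutoSize
```

Rules pushed from MEM land in the same Get-MpPreference arrays, so the output should match the flyout for that device; a mismatch usually means policy has not yet applied or a local setting is overriding the tenant policy.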
  8. Updated “Add exclusion” page: The page (Figure 14) has two buttons for actions that can be performed on any detected files (after selection). “Add exclusion” opens the ASR policy page in MEM, and “Get exclusion paths” downloads the file paths in CSV format.

Figure 14: Add exclusions page

  9. Export of detections: The export button (Figure 15) downloads 10,000 rows of the detections in your environment (CSV format). Note: the ASR team is working on increasing the number of downloadable rows.

Figure 15: Add exclusions page

Let us know what you think!

We are excited to bring a new ASR Rules report 2.0 to you. Try out the report and let us know what you think. Email: ASR_Report_Support@microsoft.com