Audit Mode for Attack surface reduction rules in Intune \ Defender

Recently I enabled Audit mode on some Attack surface reduction rules for Essential 8.

After a week's worth of auditing, I needed to track down what, if anything, had been audited. Per the Microsoft blog post Recommendations for deploying the latest Attack surface reduction rules for maximum impact – Microsoft Security Blog:

Audit mode will identify exploitable behavior use but will not block the behavior. With audit, if you have a line of business application utilizing a behavior that is exploitable, the invoking application can be identified, and an exclusion added.

You can review the audited events with Advanced hunting and Alert investigation in Windows Defender Security Center.

Hunting requires building queries; however, there is a ready-made report in https://security.microsoft.com/ that already does this (Blocked and/or Audited).
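If you do want to build the hunting query yourself, here is an added example (not from the original post or from Microsoft's blog) that lists ASR events from the DeviceEvents table, separates audit from block mode by ActionType, and groups them by the invoking process so an exclusion can be scoped to the actual line-of-business application. The 7-day window and the grouping columns are choices made here.

```kusto
// Added example: Advanced hunting over DeviceEvents for ASR rule activity.
// ASR events carry an ActionType starting with "Asr" and ending in
// "Audited" (audit mode) or "Blocked" (block mode).
DeviceEvents
| where Timestamp > ago(7d)                       // assumed review window
| where ActionType startswith "Asr"
| extend Mode = iff(ActionType endswith "Audited", "Audit", "Block")
| summarize Events = count(),
            Devices = dcount(DeviceId),
            LastSeen = max(Timestamp)
    by Mode, ActionType,
       InitiatingProcessFolderPath, InitiatingProcessFileName,  // the app that triggered the rule
       FolderPath, FileName                                      // the target the rule acted on
| order by Mode asc, Events desc
```

Rows with Mode = Audit and a known business application as InitiatingProcessFileName are the candidates for an exclusion before the rule is switched to block.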
