Manage and monitor your attack surface reduction (ASR) rules deployment

This article is part of the Attack surface reduction rules deployment guide.

After you fully deploy attack surface reduction (ASR) rules, you need processes to monitor and respond to ASR rules-related activity. This article describes how to review ASR rule reports and troubleshoot issues as the final step of your ASR rules deployment.

Keep up with ASR rule reports and data

Any threat protection solution produces some false positives (legitimate files identified as threats) and false negatives (threats that aren't detected). For more information, see Address false positives/negatives in Microsoft Defender for Endpoint.

Consistent, regular review of ASR rule reports and data is important to maintain your deployment and keep up with emerging threats. Schedule reviews of ASR rule events at a frequency that keeps pace with reported events. Depending on the size of your organization, reviews might be hourly, daily, or continuously.

For more information, see Monitor attack surface reduction (ASR) rule activity.

Troubleshoot ASR rules

To troubleshoot ASR rules, see Troubleshoot attack surface reduction rules.