This article is part of the Attack surface reduction rules deployment guide.
Testing attack surface reduction (ASR) rules is a critical step in your deployment. You need to determine if any ASR rules will block your line-of-business apps. By starting with a small, controlled group, you can limit potential work disruptions as you expand the deployment across your organization.
Note
Before you begin the testing phase of your ASR rules deployment, disable any related ASR rules that are currently enabled in Block or Warn mode (if applicable). For information about using the report to find enabled ASR rules, see Attack surface reduction rules reports.
As illustrated in the following diagram, begin your ASR rules deployment with ring 1.
Assess and evaluate rules before deployment
In Defender for Endpoint Plan 2, Microsoft Defender Vulnerability Management surfaces ASR rule–related security recommendations that can provide high-level impact indicators (for example, whether audit activity was observed across devices).
In the Microsoft Defender portal at https://security.microsoft.com, go to Exposure management > Recommendations (or directly to the Security recommendations page at https://security.microsoft.com/exposure-recommendations). On the Security recommendations page, select an ASR rule to open the details flyout, and then select the Devices tab. The User impact value shows the percentage of devices that can accept a new policy enabling the rule in block mode without adversely affecting productivity.
Note
To accurately assess the potential effect of an ASR rule before enabling it in Block or Warn mode, you must review Audit mode data and detailed reporting, such as the Attack surface reduction rule report or Advanced hunting data.
Step 1: Test all ASR rules in Audit mode
Note
As previously described, you can typically enable the standard protection rules in Block or Warn mode without testing.
Typically, enable all ASR rules in Audit mode at the same time so you can determine which rules are triggered by everyday business activities. Start with your ASR rule champions or devices in ring 1.
ASR rules in Audit mode don't affect users. But the rules generate logged events that you can evaluate.
If your organization has Microsoft Intune (included in subscriptions like Microsoft 365 E5 or available as an add-on), use the Attack surface reduction endpoint security policy in Intune to configure and distribute ASR rules in Audit mode. For instructions, see Configure ASR rules and exclusions in Intune using endpoint security policies.
If you don't have Intune, other ASR rule deployment methods are available:
Tip
The deployment method you use for ASR rules doesn't affect reporting data, as long as the devices are enrolled in Defender for Endpoint.
Step 2: Review ASR rule data and assess impact
After ASR rules are deployed in Audit mode, review the triggered events to assess their effects and identify potential exclusions using some or all of the following methods:
In Defender for Endpoint Plan 2 or Microsoft Defender for Business, use the Attack surface reduction rules report in the Microsoft Defender portal. For complete information, see Attack surface reduction (ASR) rules report.
In Defender for Endpoint Plan 2, use Advanced hunting to find ASR rule events. For more information, see ASR rule events in Advanced Hunting.
In Defender for Endpoint Plan 2 or Defender for Business, use the Defender for Endpoint device timeline. For more information, see Microsoft Defender for Endpoint device timeline.
Otherwise, ASR rule events are available only in Windows Event Viewer on the local device. But you can use Windows Event Forwarding to centralize the ASR rule data collection.
Specifically, look for Event ID 1122 in the Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational log (events for rules in Audit mode). For a complete list of ASR rule event IDs and detailed steps, see View attack surface reduction events in Windows Event Viewer.
Step 3: Configure ASR rule exclusions
After you review ASR rule data from Audit mode, you might find that some ASR rules block legitimate business apps or activity (known as false positives). You can add exclusions to prevent ASR rules from evaluating the affected files or folders.
For an overview of supported exclusion types for ASR rules, see File and folder exclusions for ASR rules.
If you used an Attack surface reduction endpoint security policy in Microsoft Intune to deploy the ASR rules, use the same policy to configure ASR rule exclusions. For instructions, see Configure ASR rules and exclusions in Intune using endpoint security policies.
If you used a different method to deploy the ASR rules, use the same method to configure ASR rule exclusions:
Tip
Rule exclusions are better than turning off rules or switching them back to Audit mode. Take advantage of Warn mode in available rules to limit disruptions without disabling the rule entirely. For more information, see Modes for ASR rules.
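The following PowerShell script is an added example and is not taken from this article or from Microsoft's own tooling. It walks Steps 1 to 3 on a single device, for the case where Intune is not used: it puts a set of rules into Audit mode with Add-MpPreference, pulls the Audit-mode events (Event ID 1122) out of the Windows Defender Operational log with Get-WinEvent, summarizes which rule and path pairs fire most often, and finally adds an ASR-only exclusion for a reviewed path. Assumptions are marked in the code: the rule GUID is a placeholder (take real GUIDs from the ASR rules reference), the EventData field names ('ID', 'Path', 'Process Name', 'User') and the numeric action codes returned by Get-MpPreference (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn) are assumed from the Defender event and cmdlet behaviour rather than stated on this page, and the exclusion path is constructed. Run it in an elevated PowerShell session on a device that is enrolled in Defender for Endpoint.

```powershell
# Added example, not from the article. Step 1 to Step 3 of the testing phase
# on one device, using the built-in Defender cmdlets and Get-WinEvent.

# PLACEHOLDER GUID: replace with the ASR rule IDs you are testing (see the
# "Attack surface reduction (ASR) rules reference" linked below).
$RuleIds = @('00000000-0000-0000-0000-000000000000')

# Step 1: enable the rules in Audit mode. Audit logs events but never blocks.
# AttackSurfaceReductionRules_Actions takes one entry per rule ID, same order.
function Enable-AsrAuditMode {
    param([string[]]$Ids)
    $actions = [string[]](@('AuditMode') * $Ids.Count)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions $actions
}

# Confirm the resulting state. Assumption: Get-MpPreference reports actions as
# numeric codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
function Get-AsrRuleState {
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = [int]$p.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $p.AttackSurfaceReductionRules_Ids[$i]
            Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { $code }
        }
    }
}

# Step 2: read Audit-mode events (Event ID 1122) from the local Defender log.
# Assumption: the EventData fields are named 'ID' (rule GUID), 'Path',
# 'Process Name' and 'User', as Defender emits them.
function Get-AsrAuditEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent raises a non-terminating error when no
    # events match, which is the normal case on a quiet device.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            RuleId  = $data['ID']
            Path    = $data['Path']
            Process = $data['Process Name']
            User    = $data['User']
        }
    }
}

# Rank rule/path pairs by how often they were audited. The top entries are the
# candidates to investigate: either a real threat pattern or a line-of-business
# app that needs an exclusion (Step 3).
function Get-AsrAuditSummary {
    param([int]$Days = 7)
    Get-AsrAuditEvents -Days $Days |
        Group-Object RuleId, Path |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'RuleId'; e = { $_.Group[0].RuleId } },
            @{ n = 'Path';   e = { $_.Group[0].Path } },
            @{ n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

# Step 3: exclude a reviewed file or folder from ASR evaluation only.
# AttackSurfaceReductionOnlyExclusions does not change antivirus scanning.
function Add-AsrExclusion {
    param([string[]]$Paths)
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Paths
}

# Usage on a ring-1 device:
Enable-AsrAuditMode -Ids $RuleIds
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrAuditSummary -Days 7 | Format-Table -AutoSize
# After reviewing the summary, exclude a confirmed false positive
# (constructed path, for illustration only):
# Add-AsrExclusion -Paths 'C:\LOB\LegacyApp\legacy.exe'
```

Because the events stay on the local device unless Windows Event Forwarding or Defender for Endpoint reporting is in place, run the summary on each ring-1 device (or against a forwarded-events collector) before deciding on exclusions, and keep the exclusion list as narrow as the summary supports: a single file path rather than a whole folder wherever the audit data allows.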
Related content
- Attack surface reduction (ASR) rules deployment guide
- Plan your attack surface reduction (ASR) rules deployment
- Enable attack surface reduction (ASR) rules
- Manage and monitor your attack surface reduction (ASR) rules deployment
- Attack surface reduction (ASR) rules report
- Troubleshoot attack surface reduction rules
- Attack surface reduction (ASR) rules reference