Block attacks with attack surface reduction
The Attack surface reduction rules card provides an overview of the deployment of rules across your devices.
The top bar on the card shows the total number of devices that are in the following deployment modes:
- Block mode – devices with at least one rule configured to block detected activity
- Audit mode – devices with no rules set to block detected activity, but with at least one rule set to audit detected activity
- Off – devices with all ASR rules turned off
The lower part of this card shows settings by rule across your devices. Each bar indicates the number of devices on which that rule is set to block detections, set to audit detections, or turned off completely.
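The card aggregates these modes from the per-rule action each device reports. The following PowerShell script is an added example, not part of the Microsoft documentation, that classifies the local device the same way the card does (Block if any rule blocks, Audit if none block but at least one audits, otherwise Off); it assumes Windows with Microsoft Defender Antivirus and its Defender PowerShell module, and reads the rule IDs and actions from Get-MpPreference.

```powershell
# Added example (not from the documentation): classify this device into the
# deployment mode the Attack surface reduction rules card would show for it.
# Assumes the Defender module is available (Get-MpPreference).
$prefs   = Get-MpPreference
$ids     = @($prefs.AttackSurfaceReductionRules_Ids)
$actions = @($prefs.AttackSurfaceReductionRules_Actions)

# Action codes recorded by Defender per rule: 0 = Off (Disabled), 1 = Block, 2 = Audit.
# Any other value (for example Warn) is counted separately, since the card text
# above only describes block, audit and off.
$labels  = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }
$summary = @{ Block = 0; Audit = 0; Off = 0; Other = 0 }

for ($i = 0; $i -lt $ids.Count; $i++) {
    $code  = [int]$actions[$i]
    $label = if ($labels.ContainsKey($code)) { $labels[$code] } else { 'Other' }
    $summary[$label]++
    # One line per configured rule: rule ID and its effective action
    '{0,-40} {1}' -f $ids[$i], $label
}

# Deployment mode as the card defines it. A device with no rules configured
# has nothing blocking or auditing, so it lands in Off here.
$mode = if ($summary.Block -gt 0) { 'Block mode' } elseif ($summary.Audit -gt 0) { 'Audit mode' } else { 'Off' }

"Rules configured: $($ids.Count)  Block: $($summary.Block)  Audit: $($summary.Audit)  Off: $($summary.Off)  Other: $($summary.Other)"
"Device deployment mode: $mode"
```

Run it in an elevated PowerShell session on a managed device to confirm that what the portal reports for that device matches the locally applied policy.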
The chart at the top of this screenshot shows a timeline of detections that were blocked or audited. The table at the bottom lists the most recent detections. Use the following information on the table to understand the nature of the detections:
- Detected file – the file, typically a script or a document, whose contents triggered the suspected attack activity
- Rule – name describing the attack activities the rule is designed to catch
- Source app – the application that loaded or executed the content that triggered the suspected attack activity. This could be a legitimate application, such as a web browser, an Office application, or a system tool like PowerShell.
- Publisher – the vendor that released the source app
When you're done with a link, use the Back arrow in your browser to come back to this page.