mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-28 13:17:23 +00:00
Update best-practices-attack-surface-reduction-rules.md
This commit is contained in:
parent
0d4c2d4fe9
commit
b384eba9eb
@ -42,21 +42,61 @@ Before you roll out attack surface reduction rules in your organization, select

As a best practice, use code signing for all the applications and scripts that your organization is using. This includes internally developed applications. Using code signing helps avoid false positives with attack surface reduction rules. It can also help avoid issues with attack surface reduction rules for developers and other users within your organization.

## View reports in the Microsoft 365 security center
## View reports from various sources in Microsoft

### From the Microsoft 365 security center**

In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. (MORE TO COME!)

To retrieve and view the reports generated in ([https://security.microsoft.com](https://security.microsoft.com)), ensure that the device for which you seek a report is onboarded on to Microsoft Defender ATP.

### By Microsoft Defender ATP advanced hunting**

Advanced hunting is a query-based threat-hunting tool of Microsoft Defender ATP. This tool generates reports based on the findings of the threat-hunting process.

The **advanced hunting** tool enables the users to audit the **Of-the-last-30-days** data collected from various devices by Microsoft Defender ATP Endpoint Detection and Response (EDR). It facilitates proactive logging of any suspicious indicators and entities in the events that you explore. This tool provides flexibility in accessing data (without any restriction in category of data to be accessed). This flexibility enables the user to detect known threats and spot new threats.

The reports for the ASR rules' events are generated by querying the **DeviceEvents** table.

**Template of DeviceEvents table**

DeviceEvents
| where Timestamp > ago (30d)
| where ActionType startswith "Asr"
| summarize EventCount=count () by ActionType

### By Microsoft Defender ATP machine timeline

Machine timeline is another report-generating source in Microsoft Defender ATP, but with a narrower scope.

Reports relating to ASR rule events can be generated for the preceding-6-months period on a specific endpoint or device.

**Summarized procedure to generate report**

1. Log in to **Microsoft Defender Security Center** and navigate to the **Machines** tab.
2. Choose a machine for which you want to view the reports of its ASR rule-related events.
3. Click **Timeline** and choose the time range for which the report is to display data.


## Get the Power BI report template

<!--The Power BI report templates are here: https://github.com/microsoft/MDATP-PowerBI-Templates-->

## Avoid policy conflicts

If a conflicting policy is applied via Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM will take precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules).
If a conflicting policy has emerged as a result of a policy being applied from Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM takes precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules).

Attack surface reduction rules for MEM managed devices now support new behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows:
Attack surface reduction (ASR) rules for MEM-managed devices now support a new behavior for merger of settings from different policies, to create a superset of policies for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either of the profiles would be deployed. ASR rule merge behavior is as follows:

- Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-managed devices support a new behavior in terms of merger of the settings of policies. This behavior is described below:

- If two or more policies have multiple settings configured in each of them, the settings without a conflict are merged into the superset of the policies they are mapped to.
- If two or more policies encounter a conflict over a single setting from the various settings they are configured with, only that single setting with a conflict is held back from being merged into the superset of the policies.
- The bundle of settings as a whole are not held back from being merged into the superset because of the single conflict-affected setting.
- The policy as a whole is not flagged as **being in conflict** because of one of its settings being conflict affected.


- ASR rules from the following profiles are evaluated for each device the rules apply to:
- Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction).
- Endpoint security > Attack surface reduction policy > Attack surface reduction rules.
- Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules.
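Review bot: the two new subheadings "### From the Microsoft 365 security center**" and "### By Microsoft Defender ATP advanced hunting**" carry a stray trailing `**` that will render literally; drop it. The placeholder "(MORE TO COME!)" in the security center paragraph and the "Get the Power BI report template" section, whose only body is an HTML comment, should not ship on a published page; fill them in or leave them out of this change. The hunk shows two versions of the policy-conflict paragraph ("If a conflicting policy is applied via ..." and "If a conflicting policy has emerged as a result of ..."), two versions of the merge-behavior intro, a third intro ("Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-managed devices support a new behavior in terms of merger ..."), and the "rules from the following profiles are evaluated" bullet both before and after the new merge-behavior bullets; make sure only one revised version of each remains, and that the profiles bullet and its three sub-items are nested as a single list rather than split around the merge-behavior bullets. The "Template of DeviceEvents table" query should sit in a fenced kusto code block so the leading `|` pipes are shown as query syntax rather than loose text, and the heading above it describes a query, not a table template. Minor wording: "onboarded on to Microsoft Defender ATP" should be "onboarded to Microsoft Defender ATP"; the heading "View reports from various sources in Microsoft" reads as cut off; "It facilitates proactive logging of any suspicious indicators" describes advanced hunting as a logging tool, whereas the preceding sentence correctly calls it a query-based tool, so "logging" should probably be "querying"; and "The bundle of settings as a whole are not held back" should be "is not held back".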