Removal of the "Number of Rules" column from the Events grid
Learn why the Number of Rules column was removed from the Events grid.
The "Number of Rules" column was removed from the Events data grid
You may have been using the “Number of Rules” column on the Events page of the Admin Portal to identify UAC events that weren’t “covered” by a Rule (i.e., the metric was “0”, meaning no rules were defined for that event). This column was removed with the addition of the new “Advanced” (Publisher & File Attribute) Rules features, for reasons of accuracy and performance. Removing this metric also makes way for new features that are more useful, more accurate and easier to use, and that improve the grid's overall performance.
The first problem was that, with the addition of the "Advanced" (Publisher & File Attribute) Rules features, the "Number of Rules" column was no longer accurate. This is because the "Number of Rules" metric was based on the MD5 hash of the event and how it matched up to MD5 hash Rules: a simple lookup of the hash values made the metric possible. With Publisher & File Attribute rules, calculating this number is much more complex and would negatively impact the performance of the Admin Portal.
Why didn't it tell the whole story?
Another problem with the “Number of Rules” column was that the number could be misleading in certain circumstances. The metric was calculated by looking at all of the rules in your system at the moment you loaded the grid. For example, an event might show a 1 (or more) even though the matching Rule only existed on a single machine, location, or company. This could then be misinterpreted to mean that a rule existed for everyone, when it only affected a few computers. As a result, looking only for Events with 0 rules would not guarantee that you would find all the events that weren’t “covered” by a rule.
Will it be replaced?
Yes, it will be replaced in 2 phases with better features that will be far more useful in helping you find events that don't have corresponding rules.
Phase 1 - A new column on the Events grid will indicate whether the Event was covered by a Rule at the time the Event happened (instead of the moment that you open the data grid), which is much more accurate because it will take into account the parent Computer's hierarchy chain.
Phase 2 - A "detail view" for each Event that will give a "real-time" look at how many Rules across your tenant would apply to this event and at what level in the hierarchy each one sits (taking into account the Publisher and File Attribute options).
These new features should allow you to find Events that are not covered by Rules and to create Rules as needed.
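To make the difference between the old "Number of Rules" count and a hierarchy-aware coverage check concrete, here is an added example; it is not part of the original article or the product's own code. It assumes a simple tenant → company → location → computer chain, rules scoped at exactly one of those levels, and hash-only matching (the "Advanced" Publisher and File Attribute matching the article mentions is not modelled). The hash values, machine names and rule scopes are constructed for the example.

```python
from dataclasses import dataclass

TENANT = "tenant"  # the single top-level scope every computer belongs to


@dataclass(frozen=True)
class Computer:
    name: str
    location: str
    company: str


@dataclass(frozen=True)
class Rule:
    md5: str
    scope_type: str  # one of: "computer", "location", "company", "tenant"
    scope_name: str  # the computer/location/company name, or TENANT


@dataclass(frozen=True)
class Event:
    computer: Computer
    md5: str


def scope_chain(computer: Computer) -> list[tuple[str, str]]:
    """Scopes that apply to a computer, from the machine itself up to the tenant."""
    return [
        ("computer", computer.name),
        ("location", computer.location),
        ("company", computer.company),
        ("tenant", TENANT),
    ]


def naive_rule_count(event: Event, rules: list[Rule]) -> int:
    """The old 'Number of Rules' metric: count every rule with a matching hash,
    regardless of where in the hierarchy that rule was created."""
    return sum(1 for r in rules if r.md5 == event.md5)


def covering_rules(event: Event, rules: list[Rule]) -> list[Rule]:
    """Hierarchy-aware check (the Phase 1/Phase 2 idea): a rule covers the event
    only if its hash matches AND its scope lies on the event computer's chain."""
    chain = set(scope_chain(event.computer))
    return [r for r in rules if r.md5 == event.md5 and (r.scope_type, r.scope_name) in chain]


def is_covered(event: Event, rules: list[Rule]) -> bool:
    return bool(covering_rules(event, rules))


def uncovered_events(events: list[Event], rules: list[Rule]) -> list[Event]:
    """Events that no rule in the computer's hierarchy applies to."""
    return [e for e in events if not is_covered(e, rules)]


def coverage_detail(event: Event, rules: list[Rule]) -> list[tuple[str, str]]:
    """Phase 2 style detail: the (scope_type, scope_name) of each covering rule."""
    return [(r.scope_type, r.scope_name) for r in covering_rules(event, rules)]


# --- constructed sample data (not real hashes or hosts) ---
PC_A = Computer("PC-A", "Boston", "Acme")
PC_B = Computer("PC-B", "Denver", "Acme")
PC_C = Computer("PC-C", "Paris", "Globex")

HASH_INSTALLER = "d41d8cd98f00b204e9800998ecf8427e"  # constructed
HASH_UPDATER = "9e107d9d372bb6826bd81d3542a419d6"    # constructed

RULES = [
    Rule(HASH_INSTALLER, "computer", "PC-A"),   # only PC-A is covered by this rule
    Rule(HASH_UPDATER, "company", "Acme"),      # every Acme machine is covered
]

EVENTS = [
    Event(PC_A, HASH_INSTALLER),
    Event(PC_B, HASH_INSTALLER),  # old metric shows 1, but PC-B is not covered
    Event(PC_B, HASH_UPDATER),
    Event(PC_C, HASH_UPDATER),    # Globex machine: the Acme rule does not reach it
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e.computer.name} {e.md5[:8]}  old count={naive_rule_count(e, RULES)}"
              f"  covered={is_covered(e, RULES)}  detail={coverage_detail(e, RULES)}")
```

Filtering the grid for "old count == 0" would miss the second and fourth events, which both show a count of 1 yet have no rule on their computer's chain; `uncovered_events` finds them because it walks the hierarchy instead of counting global hash matches.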
Note: Some features discussed here may change in functionality and scope as they are developed and finalized.