Why was the "Number of Rules" column removed from the Events data grid?
You may have been using the "Number of Rules" column on the Events page of the Admin Portal to identify UAC events that weren't "covered" by a Rule (i.e. a value of "0" meant no Rule existed for that event). This column was removed with the addition of the new "Advanced" (Publisher & File Attribute) Rules features, for reasons of accuracy and performance. Removing the metric also makes way for new features that will be more useful, more accurate and easier to use, and will improve the performance of the grid.
The first problem was that, with the addition of the "Advanced" (Publisher & File Attribute) Rules features, the "Number of Rules" column was no longer accurate. The metric was based solely on the MD5 hash of the event and how many MD5-hash Rules it matched; it was a simple lookup of hash values that made the metric cheap to compute. With Publisher & File Attribute Rules, an event can be covered by a Rule whose hash does not match at all, and evaluating those Rules for every row in the grid is far more complex and would negatively impact the performance of the Admin Portal.
The "Number of Rules" column also didn't tell the whole story.
Another problem with the "Number of Rules" column in general was that the number could be misleading in certain circumstances. The metric was calculated by looking at all of the Rules in your system at the moment you loaded the grid, regardless of where each Rule was scoped. As an example, an event might show a 1 (or more) even though the matching Rule only existed on a single computer, location or company. This could then be misinterpreted to mean that a Rule existed for everyone, when in actuality it only affected a few computers. In other words, filtering for Events with 0 Rules would not guarantee that you found all the events that weren't "covered" by a Rule.
Will it be replaced?
Yes, it will be replaced in two phases with features that will be far more useful in helping you find events that don't have corresponding Rules.
Phase 1 - A new column on the Events grid will indicate whether the Event was covered by a Rule at the time the Event happened (instead of at the moment you open the data grid). This is much more accurate because it also takes into account the parent Computer's hierarchy chain, so a Rule only counts when it was actually in effect for that Computer when the Event occurred.
Phase 2 - A "detail view" for each Event that gives a "real-time" look at how many Rules across your tenant would apply to the event and at what level in the hierarchy each one sits (taking into account the Publisher & File Attribute options).
These new features should give you the same ability to find Events that are not covered by Rules and to create Rules as needed.
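To make the two shortcomings above concrete (a tenant-wide count that ignores Rule scope, and a count taken at grid-load time rather than at event time), here is an added Python model of the coverage logic. It is an illustrative example written for this article, not code from the Admin Portal, and the three-level hierarchy (company > location > computer), the Rule kinds, and all sample Computers, Rules and Events are constructed assumptions. `legacy_rule_count` reproduces the removed metric, `covered_at_event_time` reproduces the Phase 1 column, and `coverage_detail` reproduces the Phase 2 detail view.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed hierarchy levels, broadest first. A Computer inherits Rules
# scoped at any level on its own chain.
LEVELS = ("company", "location", "computer")


@dataclass(frozen=True)
class Computer:
    name: str
    location: str
    company: str

    def chain(self) -> dict:
        """The hierarchy chain this Computer inherits Rules from, keyed by level."""
        return {"company": self.company, "location": self.location, "computer": self.name}


@dataclass(frozen=True)
class Event:
    computer: Computer
    md5: str
    publisher: Optional[str]    # signing publisher, if the binary was signed
    product: Optional[str]      # a file attribute (product name)
    occurred_at: datetime


@dataclass(frozen=True)
class Rule:
    rule_id: str
    kind: str          # "hash" | "publisher" | "file_attribute" (assumed kinds)
    value: str         # md5, publisher name, or product name, depending on kind
    level: str         # one of LEVELS
    scope: str         # name of the company / location / computer the Rule is attached to
    created_at: datetime


def rule_matches(rule: Rule, event: Event) -> bool:
    """Content match only: ignores where the Rule is scoped and when it was created."""
    if rule.kind == "hash":
        return rule.value.lower() == event.md5.lower()
    if rule.kind == "publisher":
        return event.publisher is not None and rule.value == event.publisher
    if rule.kind == "file_attribute":
        return event.product is not None and rule.value == event.product
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def rule_in_scope(rule: Rule, event: Event) -> bool:
    """True when the Rule's scope lies on the event Computer's hierarchy chain."""
    return event.computer.chain().get(rule.level) == rule.scope


def legacy_rule_count(rules, event: Event) -> int:
    """The removed 'Number of Rules' metric: tenant-wide MD5 lookup, no scope or time check."""
    return sum(1 for r in rules if r.kind == "hash" and rule_matches(r, event))


def covered_at_event_time(rules, event: Event) -> bool:
    """Phase 1 style: an in-scope, matching Rule that already existed when the Event happened."""
    return any(
        rule_matches(r, event) and rule_in_scope(r, event) and r.created_at <= event.occurred_at
        for r in rules
    )


def coverage_detail(rules, event: Event):
    """Phase 2 style: every Rule that applies to this Event right now, with its hierarchy level."""
    return sorted((r.rule_id, r.level) for r in rules if rule_matches(r, event) and rule_in_scope(r, event))


def uncovered_events(rules, events):
    """Events with no Rule in effect at the time they occurred: the ones worth creating Rules for."""
    return [e for e in events if not covered_at_event_time(rules, e)]


# Constructed sample data (not real tenant data).
NY_PC1 = Computer("NY-PC1", "New York", "Acme")
LA_PC7 = Computer("LA-PC7", "Los Angeles", "Acme")
T0 = datetime(2024, 1, 10, 9, 0)
T1 = datetime(2024, 1, 12, 9, 0)
SETUP_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

RULES = [
    Rule("R1", "hash", SETUP_MD5, "computer", "NY-PC1", T0),        # only NY-PC1
    Rule("R2", "publisher", "Contoso Ltd", "company", "Acme", T1),  # whole company, but created at T1
]
EVENTS = [
    Event(NY_PC1, SETUP_MD5, None, "Setup", T1),                 # R1 in scope and in effect
    Event(LA_PC7, SETUP_MD5, None, "Setup", T1),                 # legacy count 1, but R1 is not in scope
    Event(LA_PC7, "0cc175b9c0f1b6a831c399e269772661", "Contoso Ltd", "Widget", T0),  # R2 created after
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.computer.name, "legacy=", legacy_rule_count(RULES, e),
              "covered_at_time=", covered_at_event_time(RULES, e),
              "now=", coverage_detail(RULES, e))
```

The second event is the misleading case from the first section: the old column shows 1 because a hash Rule exists somewhere in the tenant, yet that Rule is attached to a different computer and the event was never covered. The third event shows the timing problem: a company-wide publisher Rule covers it today, so the real-time detail view lists it, but the Rule did not exist when the event happened, so the Phase 1 column correctly reports it as uncovered.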
Note: Some features discussed here may change in exact functionality and scope as they are developed and finalized.