Forum Discussion
Soufiane_Barhmouni
Mar 29, 2022 Copper Contributor
Defender for Endpoint ASR Rules lsass.exe
Hello everybody, I have the following issue. I have configured an ASR rule on the Endpoint Manager, but the problem is that I get in my company over 400 block detections in the Defender Portal in one week ...
aexlz
Mar 29, 2022 Brass Contributor
Did all the devices already apply the new policy?
Apart from that: lsass.exe creates a lot of noise, and you do not necessarily block someone from doing his job because you set the policy to blocked.
Tons of apps just enumerate lsass.exe but do not really require it.
Check out:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem
As long as nobody complains, I would continue with "Block".
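To decide whether "Block" is safe or which apps are behind the 400 detections, it helps to see which processes trigger the lsass.exe rule locally. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes an elevated session on a device running Microsoft Defender Antivirus, uses Microsoft's published GUID for the "Block credential stealing from the Windows local security authority subsystem" rule, and reads the Defender operational log where 1121 is "ASR rule blocked" and 1122 is "ASR rule audited". The event-data field names (`ID`, `Process Name`, `Path`, `User`) are as they appear in that log; verify them against one event's XML on your own build.

```powershell
# Added example (not from the thread): triage Defender ASR events for the
# lsass.exe credential-theft rule so you can judge whether "Block" is safe
# or whether a legitimate agent (monitoring, backup, ...) needs review.
# Assumes Windows with Microsoft Defender Antivirus, run elevated.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Microsoft's rule GUID

function Get-LsassAsrRuleState {
    # Reports how the rule is configured on this device.
    # Action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {            # GUID case may vary
            switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { return 'Off' } 1 { return 'Block' }
                2 { return 'Audit' } 6 { return 'Warn' }
                default { return 'Unknown' }
            }
        }
    }
    return 'Not configured'
}

function Get-LsassAsrEvents {
    # Returns one object per block/audit event for the lsass rule in the last $Days days.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122          # 1121 = rule blocked, 1122 = rule audited
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ID'] -ine $LsassRuleId) { return }   # skip other ASR rules
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Process = $data['Process Name']              # the app touching lsass.exe
            Target  = $data['Path']
            User    = $data['User']
        }
    }
}

function Set-LsassAsrRuleMode {
    # Switches the rule locally, e.g. to AuditMode while you collect data.
    # NOTE: on an Intune/Endpoint Manager-managed device the policy will
    # overwrite this on the next sync; change the mode in the policy instead.
    param([ValidateSet('Disabled','Enabled','AuditMode','Warn')][string]$Mode)
    Set-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
}

"Rule state on this device: $(Get-LsassAsrRuleState)"

# Which processes generate the noise? Top offenders over the last week.
Get-LsassAsrEvents -Days 7 |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The grouped output tells you whether the 400 detections come from a handful of known agents (candidates for a rule exclusion after review) or from something unexpected that deserves a closer look before the rule is relaxed.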
PeDe
Mar 30, 2022 Brass Contributor
SCOM is one that uses excessive permissions