We want to apply the ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' with exceptions for a trusted executable as the source app. However, it looks like the exceptions list only applies to the detected file, which is always lsass.exe.
Is there a way to effect an allow-list for this rule?
This is and will always be lsass.exe, because this process is accessed from other apps to enumerate users. Even though you see thousands of alerts there, you can put this on block most times. Not being able to enumerate users via lsass.exe does not stop 99 of 100 apps from working properly. Test it out with one device in advance.
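One way to run the single-device test suggested above, as an added example that is not part of the original thread: put only the LSASS rule into audit mode, then group the resulting Defender events by the source process that touched lsass.exe. The rule GUID, the event IDs 1121/1122 and the `Process Name`/`Path` event fields are taken from Microsoft's ASR documentation, not from this thread.

```powershell
# Added example, run from an elevated PowerShell session on the test device.
# GUID of "Block credential stealing from the Windows local security
# authority subsystem (lsass.exe)" as listed in Microsoft's ASR rule reference.
$RuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Step 1: enable only this rule in audit mode. Add-MpPreference appends to the
# existing rule list instead of overwriting rules that are already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Step 2: after the device has run its normal workload, read ASR events.
# 1122 = rule fired in audit mode, 1121 = rule fired in block mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # Keep only events raised by the LSASS rule (comparison is case-insensitive).
    if ($data['ID'] -notlike "*$RuleId*") { continue }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Mode   = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
        Source = $data['Process Name']   # process that opened lsass.exe
        Target = $data['Path']           # expected to be lsass.exe for this rule
    }
}

# Step 3: one row per source application, most frequent first.
$hits |
    Group-Object Source, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The grouped output shows which applications would be affected before the rule is switched from `AuditMode` to `Enabled`.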