ASR Rule generating a lot of noise

I'm looking to implement ASR rules in our environment. So far all rules are working as expected except "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", which is generating a lot of noise: it shows me 2000+ results for the last 30 days when I use the KQL query below:

DeviceEvents
| where ActionType == 'AsrLsassCredentialTheftAudited'

I believe this is auditing every event when a process is attempting to get credentials from lsass.exe (I haven't seen a single suspicious process in my 50 test devices that are using the rule).

Is there a way to configure this ASR rule to detect and only audit/block suspicious/malicious processes? I'm using ConfigMgr to deploy ASR Rules btw.

Thanks in advance.

1 Reply
Hello there, there is no option to configure the ASR rule to only block/audit malicious processes. The ASR rule blocks/audits all processes which incorrectly try to obtain this info from the lsass service.
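Since the rule itself cannot be scoped, the practical next step is to find out which processes are producing the audit events. The following Advanced Hunting query is an added example, not from either post: it ranks the initiating processes behind AsrLsassCredentialTheftAudited over the same 30-day window and joins the file-certificate table so the signer of each binary is visible. It assumes the standard DeviceEvents and DeviceFileCertificateInfo schema and the hypothetical variable name `lookback`.

```kql
// Added triage query (not from the original thread). Groups the audit events
// by the process that touched lsass.exe, so the handful of known-good,
// vendor-signed tools that produce most of the 2000+ events can be reviewed
// before deciding on exclusions or switching the rule to block mode.
// Assumes the standard Advanced Hunting schema; lookback is a chosen window.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == 'AsrLsassCredentialTheftAudited'
| summarize
    Events = count(),                         // how noisy this binary is
    Devices = dcount(DeviceName),             // fleet-wide or a single host?
    Accounts = dcount(InitiatingProcessAccountName),
    SampleCommandLine = take_any(InitiatingProcessCommandLine),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA1
// Pull the latest certificate observation for each binary hash so unsigned
// or untrusted initiators stand out from signed EDR/AV/backup agents.
| join kind=leftouter (
    DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, Signer, IsTrusted, IsRootSignerMicrosoft) by SHA1
    ) on $left.InitiatingProcessSHA1 == $right.SHA1
| project-away SHA1, Timestamp
// Unsigned/untrusted first, then by volume: the top rows are either the
// noise to document and exclude, or the ones worth a closer look.
| order by IsTrusted asc, Events desc
```

Rows with a high Devices count and a trusted vendor signer are the usual source of the noise; a binary seen on one device, with few events and no signer, is the row to investigate before enabling block mode.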