I'm looking to implement ASR Rules in our environment. So far all rules are working as expected except "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", and it's generating a lot of noise: it shows me 2000+ results for the last 30 days when I use the below KQL query:
DeviceEvents
| where ActionType == 'AsrLsassCredentialTheftAudited'
I believe this is auditing every event when a process is attempting to get credentials from lsass.exe (I haven't seen a single suspicious process in my 50 test devices that are using the rule).
Is there a way to configure this ASR rule to detect and only audit/block suspicious/malicious processes? I'm using ConfigMgr to deploy ASR Rules btw.
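One way to triage that volume is to group the audited events by the process that opened lsass.exe rather than listing them one by one, so the handful of rare accessors stand out from the fleet-wide tooling that produces most of the rows. This is an added example, not a query from the original post; it assumes the events live in the DeviceEvents table with its standard InitiatingProcess* columns.

```kql
// Constructed triage query (not from the original post). Assumes the ASR audit
// events are in DeviceEvents with the standard InitiatingProcess* columns.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == 'AsrLsassCredentialTheftAudited'
// Group by the accessing process (InitiatingProcess*), not by the target
// (FileName is lsass.exe on every row), so each distinct accessor appears once
| summarize
    Events = count(),
    Devices = dcount(DeviceName),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by InitiatingProcessFileName,
       InitiatingProcessFolderPath,
       InitiatingProcessVersionInfoCompanyName
// Accessors seen on many devices are usually AV/EDR, backup or management agents
// and are candidates for a per-rule exclusion after review; rare ones deserve a look.
| extend Prevalence = iff(Devices >= 10, 'fleet-wide', 'rare')
| sort by Devices asc, Events asc
```

Review the `rare` rows first; the `fleet-wide` rows with a known vendor in the company-name column are where the 2000+ events usually come from.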