Forum Discussion
07Kingslayer
Jun 06, 2023Copper Contributor
ASR Rule generating lot of noise
I'm looking to implement ASR Rules in our environment. So far all rules are working as expected except "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"; it's generating a lot of noise and shows me 2000+ results for the last 30 days when I use the below KQL query:
DeviceEvents
| where ActionType == 'AsrLsassCredentialTheftAudited'
I believe this is auditing every event when a process is attempting to get credentials from lsass.exe (I haven't seen a single suspicious process in my 50 test devices that are using the rule).
Is there a way to configure this ASR rule to detect and only audit/block suspicious/malicious processes? I'm using ConfigMgr to deploy ASR Rules btw.
Thanks in advance.
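A triage query that goes one step past the count above, as an added example that is not part of the original post: it ranks the processes behind the audit events by volume and device prevalence, so the baseline (signed tooling seen on most devices) can be separated from the rare process on one machine that deserves a look. Column names follow the Microsoft Defender advanced hunting DeviceEvents schema; the 'AsrLsassCredentialTheftBlocked' action type and the 30-day lookback are assumptions of this example.

```kql
// Added example, not from the original post: rank the processes behind the
// lsass ASR audit noise so the baseline can be reviewed before any decision.
// Column names follow the Defender advanced hunting DeviceEvents schema;
// the Blocked action type is included as an assumption so both modes are covered.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ('AsrLsassCredentialTheftAudited', 'AsrLsassCredentialTheftBlocked')
| summarize
    Events = count(),                                   // how often this process hit the rule
    Devices = dcount(DeviceName),                       // on how many devices it was seen
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by ActionType, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessSHA256
// Low device prevalence is the first triage signal: a process touching lsass on
// one or two devices is worth a closer look than one present across the fleet.
| extend LowPrevalence = Devices <= 2
| order by LowPrevalence desc, Events desc
```

Grouping on the folder path and hash rather than the file name alone keeps a renamed or relocated binary from blending into an expected row; the sample command line shows what the process was doing when it opened lsass. The result is an inventory of which processes produce the 2000+ events, which is what a review of the rule's noise (and any per-path exclusion decision) needs to start from.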
1 Reply
- Hello there, there is no option to configure the ASR rule to only block/audit malicious processes. The ASR rule blocks/audits all processes which incorrectly try to obtain this info from the lsass service.