Unfortunately, we can only query the Azure AD device ID and not the object ID that we need in order to add the devices to groups, so we will need to use PowerShell modules or the Graph API to look up the object ID for a given device ID. You can query attack surface reduction rule events from the DeviceEvents table in the Advanced Hunting section of the Microsoft Defender portal. In this article, I want to break down the Defender attack surface reduction rules (ASR rules) and show which components each rule covers and, overall, how they can minimize the attack surface.
Microsoft Defender's attack surface reduction (ASR) rules are critical for blocking malicious activity, but misconfigurations can leave gaps.
Roy Klooster's ASR Rule Inspector PowerShell script validates your ASR rules' enforcement status and provides a clear overview.
I am looking for an Advanced Hunting query or any other way to find all devices which are not configured with (ideally a particular) ASR rule. I have configured an ASR rule for all devices to block a rule, but some devices are still exposed. When you use attack surface reduction rules, you might run into issues such as: a rule doesn't work as described, or doesn't block a file or process that it should (false negative).
There are four steps to troubleshooting these problems. Use audit mode to test the rule. You can enable ASR rules by configuring them in the Endpoint security settings or by creating a dedicated ASR policy. Explore each rule's specific capabilities.
If you have an app that simply enumerates LSASS but has no real impact on functionality, there's no need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.