Query related to Attack Surface Reduction

Boopathi S 3,581 Reputation points
2021-10-20T13:02:26.477+00:00

Hi team,

I am asked to implement Attack Surface Reduction using SCCM.

  1. If the rules below are enabled and deployed in Audit mode, which log file on the client should be checked to verify whether the rules are enabled or not?

a) Block credential stealing from the Windows local security authority subsystem
b) Use advanced protection against ransomware

  2. How do I analyze Event ID 1122 when a rule fires in Audit mode? Should the events be forwarded to a centralized location for analysis?

Please help to understand.


Accepted answer
Amandayou-MSFT 11,141 Reputation points
2021-10-21T06:52:01.317+00:00

    Hi @Boopathi S

    On the SCCM side, there may be no logs with the details of Attack Surface Reduction; those logs are more about Endpoint Protection.

    Yes, you are right. It is suggested to check event viewer. When the user is performing an action that is not allowed as per rule, but set in Audit mode, an entry will be logged in the Event Viewer, in the Windows Defender > Operational log, with Event ID 1122. The same action will be logged as Event ID 1121 if the rule is set to Block the action. In this case the user will also see a notification that the action has been blocked.

    Here is the screenshot we could refer to:

    [Screenshot 142257-1021.png: Event Viewer, Windows Defender Operational log, not available in this copy]


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
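The following PowerShell is an added example, not code from the question, the accepted answer or Microsoft. It checks the effective ASR configuration on a client with Get-MpPreference and then reads the 1121/1122 events from the Defender Operational log the answer points to, naming the two rules the question asks about by their published rule GUIDs. The EventData field names 'User', 'Process Name' and 'Path' are assumed from the event message text; the rest of the event is read generically.

```powershell
# Published rule GUIDs for the two rules named in the question (lookup table constructed for this example).
$AsrRuleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Effective configuration on this client: action 0 = disabled, 1 = block, 2 = audit, 6 = warn.
function Get-AsrRuleState {
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i].ToLower()
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($AsrRuleNames[$id]) { $AsrRuleNames[$id] } else { 'other ASR rule' }
            Action = @{0='Disabled'; 1='Block'; 2='Audit'; 6='Warn'}[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

# ASR audit (1122) and block (1121) events from the Defender Operational log, local or remote.
function Get-AsrEvent {
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name from the event XML rather than by position.
            $data = @{}
            foreach ($d in ([xml]($_.ToXml())).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # The rule GUID is the one GUID-shaped value in the event data.
            $guid = @($data.Values | Where-Object { $_ -match '^[0-9a-fA-F-]{36}$' })[0]
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                RuleId  = $guid
                Rule    = if ($guid -and $AsrRuleNames[$guid.ToLower()]) { $AsrRuleNames[$guid.ToLower()] } else { 'other ASR rule' }
                User    = $data['User']           # field names assumed from the 1121/1122 message text
                Process = $data['Process Name']
                Path    = $data['Path']
            }
        }
}

Get-AsrRuleState | Format-Table -AutoSize
# A rule that shows up here in Audit mode is enabled and firing; review its Path/Process pairs before moving it to Block.
Get-AsrEvent -Days 30 | Group-Object Rule, Mode | Select-Object Count, Name | Format-Table -AutoSize
# For central collection, the same filter as a Windows Event Forwarding subscription XPath query:
# *[System[Provider[@Name='Microsoft-Windows-Windows Defender'] and (EventID=1121 or EventID=1122)]]
```

Run it as an administrator on a client that has received the SCCM policy; Get-AsrRuleState answers the first question and Get-AsrEvent gives the per-rule audit counts for the second.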

