Hi All -
My security recommendations are full of "Implement ASR", etc., within Microsoft Security. I see the huge benefit here, so I started the process. I enabled all of the GUIDs that I could find and placed them into audit mode. I then created a custom view within Event Viewer on several PCs to monitor detections. Links below for reference:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide
I implemented these via GPO, and Event Viewer has a ton of entries. To me, they look like a bunch of false positives, and even after reading all of the documentation, I don't know exactly what to whitelist without potentially adding vulnerabilities. Attached are the majority of entries from several computers, and they all look to be false positives. For the ones that mention a registry entry, would they actually block anything, or is it just informational? If they block something, how would I know what to make an exception on? A lot mention lsass.exe and spoolsv.exe, which I know are required for end users to work, but I also know they can be vulnerable. What would these do if in block mode instead of audit?
I appreciate any help, as I am just learning ASR, and while there is documentation on it, it is not where it needs to be. If someone could provide more resources for me to understand this better, much appreciated!!
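The triage the post describes (reading the audit-mode entries and deciding which paths deserve an exclusion) is easier to do from PowerShell than from a custom Event Viewer view, because the same rule, process and path can be grouped and counted across the whole log. The script below is an added example, not from the original post or from Microsoft. It reads the Defender operational log, where ASR writes Event ID 1122 when a rule matches in audit mode and Event ID 1121 when it blocks, so an audit entry shows exactly what that rule would have stopped had it been in block mode. It assumes the event data fields are named `ID` (the rule GUID), `Process Name` and `Path`, and the rule-name lookup table is a deliberately partial one that should be checked against the attack-surface-reduction reference page linked above before relying on it.

```powershell
# Added example (not from the original post): summarise Defender ASR audit/block
# events so each rule's noisiest process/path pairs can be reviewed before the
# rule is moved from audit to block. Run from an elevated PowerShell session
# on a machine that has the GPO applied.

# Event IDs in the Defender operational log:
#   1121 = ASR rule matched in block mode, 1122 = ASR rule matched in audit mode.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'
$Ids     = 1121, 1122

# ASSUMED, partial GUID -> rule-name table. Verify each entry against the
# Microsoft ASR rules reference before trusting it; unknown GUIDs are flagged.
$RuleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

function Get-AsrEvents {
    # Returns one object per ASR event from the last $Days days. Every
    # <Data Name="..."> element becomes a property, so the script does not
    # depend on a fixed field order; the field NAMES used later are assumptions.
    param([int]$Days = 7)
    $filter = @{ LogName = $LogName; Id = $Ids; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml   = [xml]$_.ToXml()
        $props = [ordered]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Mode        = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]$props
    }
}

function Get-AsrSummary {
    # Groups events by rule GUID + process + path and counts them, most frequent
    # first. A high count for one benign, signed business application is the
    # usual candidate for an exclusion; a single hit on lsass.exe is not.
    param([int]$Days = 7)
    Get-AsrEvents -Days $Days |
        Group-Object -Property ID, 'Process Name', Path |
        ForEach-Object {
            $first = $_.Group[0]
            $name  = $RuleNames[[string]$first.ID]
            [pscustomobject]@{
                Count   = $_.Count
                Mode    = ($_.Group.Mode | Sort-Object -Unique) -join ','
                RuleId  = $first.ID
                Rule    = if ($name) { $name } else { 'unknown GUID - look it up in the ASR reference' }
                Process = $first.'Process Name'
                Path    = $first.Path
            }
        } | Sort-Object Count -Descending
}

function Get-AsrRuleState {
    # Shows how each deployed rule is currently configured on this machine,
    # so audit-only findings are not confused with rules already in block mode.
    # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
        $code   = $pref.AttackSurfaceReductionRules_Actions[$i]
        $action = switch ($code) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {"code $code"} }
        $name   = $RuleNames[[string]$id]
        [pscustomobject]@{
            RuleId = $id
            Action = $action
            Rule   = if ($name) { $name } else { 'unknown GUID' }
        }
    }
}

# Usage: review two weeks of audit data, then confirm which rules are already blocking.
Get-AsrSummary -Days 14 | Format-Table -AutoSize
Get-AsrRuleState       | Format-Table -AutoSize
```

Two points worth keeping in mind while reading the output. First, the registry-related audit entries in the summary are real rule matches: in block mode the same rule would have stopped that process action, which is why the grouped counts, not the raw entries, are the thing to review. Second, ASR exclusions added with `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` are path-based and apply to every enabled rule, so excluding a path to quiet one rule also removes that path from the LSASS and ransomware rules; an exclusion should name a specific signed executable, never a whole directory such as a user's profile.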