We've noted our findings after a couple of years auditing #Windows #Defender Attack Surface Reduction events. Hopefully it will help anyone considering block mode. Being able to use the credential stealing/lsass rule was the surprise for me. medium.com/palantir/microsof…

5:30 PM · Jan 11, 2021

Replying to @duff22b
Your team's work is some of the best resources on the net thank you
Replying to @duff22b @cglyer
"These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events." As always the good stuff requires more $$$.
These do get logged to the Microsoft-Windows-Windows Defender/Operational log, so you can pull those back into a centralized logging platform like Graylog or ELK. We did most of ours in Graylog before we had MDATP, and summarizing counts across thousands of devices was so helpful.
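Pulling those ASR events out of the Defender operational log and counting them per rule is straightforward locally before they are shipped anywhere. The script below is an added example, not code from the thread or from the Palantir post; it uses Defender's ASR event IDs 1121 (blocked) and 1122 (audit-only) and assumes the EventData fields are named ID, Path and User, which you should confirm against one raw event's ToXml() output on your own build.

```powershell
# Added example: summarise Windows Defender ASR rule events from the local
# Microsoft-Windows-Windows Defender/Operational log over the last N days.
# Event ID 1121 = rule blocked an action, 1122 = rule fired in audit mode.
# EventData field names (ID, Path, User) are assumed; verify with ToXml().
param(
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-$Days)
}

function ConvertTo-AsrRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    [xml]$xml = $Record.ToXml()
    # Flatten <Data Name="...">value</Data> elements into a lookup table
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mode = if ($Record.Id -eq 1121) { 'Block' } else { 'Audit' }
    [pscustomobject]@{
        TimeCreated = $Record.TimeCreated
        Computer    = $Record.MachineName
        Mode        = $mode
        RuleId      = $data['ID']     # ASR rule GUID (assumed field name)
        Path        = $data['Path']   # file or process the rule acted on
        User        = $data['User']
    }
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-AsrRecord -Record $_ }

# Hits per rule and mode: the same roll-up the reply describes doing in Graylog
$events |
    Group-Object RuleId, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Most-hit paths per rule: useful when deciding whether an audit-mode rule
# is quiet enough to move to block mode
$events |
    Group-Object RuleId, Path |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```

Run it on a few representative devices to get a feel for the noise per rule before relying on the centralized totals.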
Replying to @duff22b
Awesome post 👏 thanks for sharing.
Replying to @duff22b @TheWMIGuy
Awesome read! Thanks a lot!
Replying to @duff22b @tifkin_
I just want to say thank you to Palantir. Thank you for keep pushing out great blog posts. 💪👍
Replying to @duff22b
Thanks for sharing! As is tradition with Palantir, amazing material.
Replying to @duff22b
This is a great post mate! Probably an interesting read for the #MEM #MEMCM #msintune folks configuring this too!