Hello everyone,
Recently, we implemented ASR (Attack Surface Reduction) rules in audit mode across approximately 3000 workstations, and upon review, we observed a significant number of detection actions on the Microsoft Defender for Endpoint (MDE) portal. As part of our ongoing efforts to bolster cybersecurity measures, we are actively seeking a robust methodology or procedural framework to systematically analyze these detections.
Our ultimate goal is to transition these ASR rules from audit mode to block mode without causing disruptions to end-users. We are keen on adopting a streamlined approach that ensures a seamless transition, safeguarding our systems effectively.
Actually we don't want to enable the warn mode since the end-user will call the HelpDesk Team for each issue.
Your insights and guidance would be highly valuable to our team.
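One way to work through the audit data, added here as an example and not part of the original post: pull the ASR audit events from a workstation, group them per rule by initiating process and target path, and only then promote a rule to block mode with the known-good paths excluded. The rule-name table is a partial lookup (an assumption to be checked against Microsoft's ASR rule reference), the `Get-AsrAuditEvents` / `Get-AsrAuditSummary` / `Set-AsrRuleToBlock` function names are mine, and the advanced hunting query in the here-string is meant to be run in the MDE portal for the fleet-wide view rather than executed by this script.

```powershell
# Added example, not from the original post. Run elevated on a Defender-managed
# workstation. Event 1122 = ASR rule audited, 1121 = ASR rule blocked.

# Partial GUID -> name map (assumption: verify against Microsoft's ASR rule reference).
$AsrRuleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

function Get-AsrAuditEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the rendered message text instead of relying on positional EventData fields.
        $m = $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            RuleId  = if ($m -match '(?m)^\s*ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToUpper() } else { $null }
            User    = if ($m -match '(?m)^\s*User:\s*(.+)$')           { $Matches[1].Trim() }   else { $null }
            Path    = if ($m -match '(?m)^\s*Path:\s*(.+)$')           { $Matches[1].Trim() }   else { $null }
            Process = if ($m -match '(?m)^\s*Process Name:\s*(.+)$')   { $Matches[1].Trim() }   else { $null }
        }
    }
}

function Get-AsrAuditSummary {
    param([object[]]$Events)
    # One row per rule: how noisy it is, how many users it touches, and which
    # processes cause the noise. A rule with few distinct processes is a good
    # candidate for block mode plus a short exclusion list.
    $Events | Group-Object RuleId | ForEach-Object {
        $byProcess = $_.Group | Group-Object Process | Sort-Object Count -Descending
        [pscustomobject]@{
            RuleId       = $_.Name
            Rule         = $AsrRuleNames[$_.Name]   # $null if not in the partial table
            Events       = $_.Count
            Users        = @($_.Group.User | Select-Object -Unique).Count
            TopProcesses = ($byProcess | Select-Object -First 3 |
                            ForEach-Object { "$($_.Name) ($($_.Count))" }) -join '; '
        }
    } | Sort-Object Events -Descending
}

function Set-AsrRuleToBlock {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [string[]]$ExcludePaths = @()   # known-good paths found during the audit review
    )
    if ($ExcludePaths.Count -gt 0) {
        # ASR-only exclusions; they do not weaken antivirus scanning of the same paths.
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $ExcludePaths
    }
    # Add-MpPreference updates this rule without overwriting the other configured rules;
    # Set-MpPreference would replace the whole rule list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
}

function Get-AsrRuleState {
    # Current rule states: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $p.AttackSurfaceReductionRules_Ids[$i].ToUpper()
            Action = $p.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Fleet-wide equivalent for the MDE portal (Advanced hunting); not executed here.
$AdvancedHuntingQuery = @'
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr" and ActionType endswith "Audited"
| summarize Events = count(), Devices = dcount(DeviceId)
    by ActionType, InitiatingProcessFolderPath, InitiatingProcessFileName, FolderPath, FileName
| order by Devices desc
'@

# Example run on the local machine.
$events = Get-AsrAuditEvents -Days 7
Get-AsrAuditSummary -Events $events | Format-Table -AutoSize
Get-AsrRuleState | Format-Table -AutoSize
```

The decision point is the Devices/Users column rather than the raw event count: a rule that fires for many users from the same signed line-of-business executable is usually one exclusion away from block mode, while a rule that fires from many different processes needs a second audit cycle after the first exclusions are in place. Promote one rule at a time with `Set-AsrRuleToBlock` on a pilot group, watch for new 1121 events, and only then roll the block setting out through your management tool; this avoids warn mode entirely, which matches the HelpDesk constraint in the post.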