question

Asked by BoopathiSubramaniam-6294

Query related to Attack Surface Reduction

Hi team,

I am asked to implement Attack Surface Reduction using SCCM.

1. If the rules below are enabled and deployed in Audit Mode, which log file on the client do I check to see whether the rules are enabled or not?

   a) Block credential stealing from the Windows local security authority subsystem
   b) Use advanced protection against ransomware

2. How do I analyze Event ID 1122 when a rule fires in Audit mode? Are the events to be forwarded to a centralized location for analysis?

Please help to understand.


1 Answer

Answered by Amandayou-MSFT

Hi @BoopathiSubramaniam-6294

On the SCCM side, there may be no logs with the details of Attack Surface Reduction; that is more a matter of endpoint protection.

Yes, you are right. It is suggested to check event viewer. When the user is performing an action that is not allowed as per rule, but set in Audit mode, an entry will be logged in the Event Viewer, in the Windows Defender > Operational log, with Event ID 1122. The same action will be logged as Event ID 1121 if the rule is set to Block the action. In this case the user will also see a notification that the action has been blocked.

Here is the screenshot we could refer to:

[Screenshot: 1021.png]



If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

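To act on the answer above, a practitioner wants two things on the client: a way to confirm which ASR rules are actually applied and in which mode, and a way to pull the 1121/1122 events out of the Windows Defender/Operational log and summarize them per rule. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes a Windows 10 client with the Defender module (Get-MpPreference) available in an elevated session. The two rule GUIDs are the documented ASR rule IDs as I know them and should be verified against the current Microsoft ASR rule reference; the EventData field names ("ID", "Path", "Process Name") are assumptions about the 1121/1122 event schema, which is why the code falls back to the raw message when a field is absent.

```powershell
# Added example (not from the original Q&A thread). Assumes an elevated session on a
# Windows 10 client with Microsoft Defender Antivirus and the Defender PowerShell module.

$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# Documented ASR rule GUIDs for the two rules named in the question.
# Verify against Microsoft's ASR rule reference before relying on them.
$RuleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# AttackSurfaceReductionRules_Actions values as applied by Defender.
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Answers question 1: which rules are applied on this client and in which mode.
    # Get-MpPreference reports the effective policy, whatever delivered it (SCCM, Intune, GPO).
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = $ids[$i].ToLower()
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($RuleNames.ContainsKey($id)) { $RuleNames[$id] } else { '(other ASR rule)' }
            Mode   = if ($ModeNames.ContainsKey([int]$actions[$i])) { $ModeNames[[int]$actions[$i]] } else { "Unknown($($actions[$i]))" }
        }
    }
}

function Get-AsrEvents {
    # Answers question 2: read 1122 (audit) and 1121 (block) events from the Defender log.
    param([int]$Days = 7)
    $filter = @{ LogName = $LogName; Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> elements; field names below are assumed.
        $xml = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        $ruleId = if ($data['ID']) { $data['ID'].ToLower() } else { '' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Outcome = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            RuleId  = $ruleId
            Rule    = if ($RuleNames.ContainsKey($ruleId)) { $RuleNames[$ruleId] } else { '(other ASR rule)' }
            Process = $data['Process Name']
            Path    = $data['Path']
            Message = $e.Message   # fallback if the assumed field names do not match
        }
    }
}

function Get-AsrSummary {
    # Counts per rule and outcome: the first thing to look at when deciding whether
    # an audit-mode rule is safe to switch to Block (many audit hits on legitimate
    # business software means exclusions are needed first).
    param([int]$Days = 7)
    Get-AsrEvents -Days $Days | Group-Object Rule, Outcome |
        Select-Object @{n='Rule/Outcome';e={$_.Name}}, Count | Sort-Object Count -Descending
}

# XPath for a Windows Event Forwarding subscription (or Get-WinEvent -FilterXml) that
# ships only these two event IDs to a collector, so analysis happens centrally rather
# than per client. The query text is an assumption consistent with the standard WEF schema.
$AsrForwardingQuery = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[(EventID=1121 or EventID=1122)]]</Select>
  </Query>
</QueryList>
"@

# Usage:
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrSummary -Days 7 | Format-Table -AutoSize
Get-WinEvent -FilterXml $AsrForwardingQuery -MaxEvents 5 -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message
```

Run Get-AsrRuleState first: if a rule does not appear there with Mode = Audit, the SCCM policy has not reached the client and there is nothing to look for in the event log yet. Forwarding via a WEF subscription with the query above (or a SIEM agent reading the same log) is the practical answer to the "centralized location" part of the question, since 1122 events only exist on the client that generated them.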

Hi,

May we know the current status of the question? If there is any chance to try above suggestion? If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.

Thanks and regards,
Amanda


Hello @Amandayou-MSFT

This helped me and I have accepted it as the answer. Thank you.
