Description
Is your feature request related to a problem? Please describe.
We currently use ASR Rule "Block credential stealing from the Windows local security authority subsystem". We have been having a number of detections against this rule on svchost.exe, which we don't want to create an exclusion for, as this is dangerous, but we also believe it could be causing performance issues on the device.
Describe the solution you'd like
Microsoft states in their documentation for this rule ("Block credential stealing from the Windows local security authority subsystem") that if you have LSA Protection enabled, this ASR rule is not required. LSA Protection is enabled by default on all Windows 11 22H2 devices anyways. I believe the corresponding Intune policy is RunAsPPL.
Please let me know if you would like any further information/documentation.
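
A check related to the request above, as an added example that is not part of the original issue or the project's own code: it reports the configured LSA Protection (RunAsPPL) value next to the current action of the LSASS ASR rule on a device. The rule GUID is the one listed in Microsoft's ASR rule reference; the function names are hypothetical.

```powershell
# Added example (not from the issue): LSA Protection vs. LSASS ASR rule state.
# Run in an elevated PowerShell session on a device with Microsoft Defender Antivirus.

# GUID of "Block credential stealing from the Windows local security
# authority subsystem", per Microsoft's ASR rule reference.
$LsassRuleId = '9e6c285a-c97e-4ad4-a890-1ce04d5e0674'

function Get-LsaProtectionConfig {
    # Reads the configured value only; a change takes effect after a restart.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    if ($null -eq $lsa) { return 'Not configured' }
    if ($lsa.RunAsPPL -eq 1) { return 'Enabled (with UEFI lock)' }
    if ($lsa.RunAsPPL -eq 2) { return 'Enabled (without UEFI lock)' }
    if ($lsa.RunAsPPL -eq 0) { return 'Disabled' }
    return "Unexpected value: $($lsa.RunAsPPL)"
}

function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$RuleId)
    # Defender stores rule IDs and actions as two parallel arrays.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) {          # -eq is case-insensitive for strings
            $code = [int]$actions[$i]
            if ($names.ContainsKey($code)) { return $names[$code] }
            return "Unknown action code: $code"
        }
    }
    return 'Not configured'
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    LsaProtection   = Get-LsaProtectionConfig
    LsassAsrRule    = Get-AsrRuleAction -RuleId $LsassRuleId
}
```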