Defender Attack Surface Reduction rules are a useful way for any organisation looking to reduce paths available to a threat actor to perform attacks. However, what do you do for rules that have an impact on legitimate use cases? Microsoft have tools and reports that help assess the impact before implementing rules and these tools can also be referred to after implementation but monitoring these ad-hoc for changes in individual teams or new users requiring access can be a full-time task in itself.

What can be done to help? Never fear the security professionals are here.

For this solution you’ll need:

1) Microsoft Sentinel
2) A LogicApp
3) An empty Fairy Liquid bottle (not really. Everyone knows they last forever and therefore it is impossible to get an empty one)