Device Attack Surface Reduction Rule Modification Procedure

This admin procedure provides background information on attack surface reduction and the steps for modifying an existing attack surface reduction rule.

This article is intended for employees of organizations that use Sittadel's security. Additionally, there are some actions that can only be accomplished by those with administrative privileges.

Attack Surface Reduction

When protection on the endpoint is mentioned, what usually comes to mind is a firewall blocking network access and an antivirus blocking malicious files. However, what happens when an application is not caught by a firewall rule and is also not found to be malicious based on its file name or hash? This is where attack surface reduction rules come in: they prevent the actions of an application that are commonly associated with malicious activity, such as stealing credentials or executing a macro from an Excel document. While the application may appear benign, the actions it performs tell a different story.


Procedure Scope: Administrators

Required Group Membership: Admin.DeviceSecurity


Modifying Device Attack Surface Reduction Rules

  1. Navigate to Attack Surface Reduction in Intune and select the policy you wish to alter.
  2. Upon selecting the rule, scroll down to the Properties section, where all the information about the rule is displayed. Four sections are available to Edit; modify them as needed.
    1. Basics: Adjusts non-functional items of the rule, such as the Name of the rule.
    2. Assignments: Specifies which groups are included in or exempt from rule enforcement.
    3. Scope Tags: Specifies which administrators have access to view and alter this object.
    4. Configuration Settings: The security settings displayed depend on the Policy Type selected; these are the security controls that are enabled or disabled and applied to the devices specified in Assignments.
  3. Each section uses the same prompt for adjustments: add, remove, or delete the setting, then select Review + Save to finalize the changes.
  4. Once on the revisions page, if all the necessary adjustments look correct, select Save to finalize the modification process.
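After the policy is saved, an administrator will want to confirm that the changed Configuration Settings actually reached a device in the assigned group. The following PowerShell check is an added example and not part of Sittadel's procedure; it reads the effective rule state reported by Microsoft Defender Antivirus and compares it against an expected set. The expected values and the partial GUID-to-name table are constructed for illustration; substitute the rules you configured in Intune.

```powershell
# Run in an elevated PowerShell session on a managed Windows endpoint after it has synced with Intune.

# Numeric action codes reported by Get-MpPreference for each ASR rule.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Partial lookup table (constructed for this example) covering the two rules the text above refers to.
# Any GUID not listed here is reported with its raw value.
$AsrRuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}

function Get-EffectiveAsrRules {
    # Ids and Actions are parallel arrays; index i of one corresponds to index i of the other.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToLower()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId   = $id
            RuleName = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(unmapped)' }
            Action   = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        }
    }
}

function Test-AsrDrift {
    # Returns one object per rule whose effective action differs from the expected action.
    param([hashtable]$Expected)
    $effective = @{}
    Get-EffectiveAsrRules | ForEach-Object { $effective[$_.RuleId] = $_.Action }
    foreach ($id in $Expected.Keys) {
        $actual = if ($effective.ContainsKey($id)) { $effective[$id] } else { 'NotConfigured' }
        if ($actual -ne $Expected[$id]) {
            [pscustomobject]@{ RuleId = $id; Expected = $Expected[$id]; Actual = $actual }
        }
    }
}

# Expected state for this device group (constructed example values).
$Expected = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block'
}

Get-EffectiveAsrRules | Format-Table -AutoSize
$drift = Test-AsrDrift -Expected $Expected
if ($drift) { $drift | Format-Table -AutoSize } else { 'No drift from expected ASR configuration.' }
```

A rule that shows as NotConfigured or Audit when Block was saved usually means the device has not yet synced, or it is not in a group listed under Assignments.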

You're Finished!

You should have successfully modified the existing attack surface reduction rule that is applied to the specific scope, e.g., device control for USB restrictions or attack surface reduction rules for child process blocking. For any other problems or questions, reach out to us!