Forum Discussion

WayneD911's avatar
WayneD911
Copper Contributor
Sep 27, 2021

Suppressing Alerts generated by RMM software

I am hitting a bit of a brick wall with this and wondering if anyone had some advice on the best methodology to go down to fix it.

All our machines have an RMM tool on them that runs PowerShell, inventories the machine etc. This is LTSVC.exe. All of this behaviour is legitimate. We are testing Defender for Endpoint on a few machines in our environment and, unsurprisingly, this behaviour is generating a lot of incidents and alerts.

I'll use this as an example but there are plenty of these examples. The inventory gets a list of users by running "net1 user" .

 

If I look at the Alerts that are generating, and choose to make a suppression rule I get two options in the triggering IOC dropdown:

https://i.imgur.com/dSL30lq.png or https://i.imgur.com/od00gGk.png

 

I don't want to whitelist the command "net1 user" because what if a non legitimate tool runs it? I also don't want to whitelist the entire LTSVC.exe. What if someone pushes a malicious command out through it?

 

In plain English what I want to say in the suppression rule. "If LTSVC.EXE runs "net1 user" then that's fine. There doesn't seem to be a way to do this.

 

Anyone have any idea on the best way to achieve this, or am I going about this in entirely the wrong way?

  • WayneD911

    You are correct, there is not currently a way to specify a process parent/child in a suppression rule. We are tracking several feature improvements for suppression rules so I will add this request as well.
    Thanks,
    Jake Mowrer

Resources