Forum Discussion
WayneD911
Sep 27, 2021 | Copper Contributor
Suppressing Alerts generated by RMM software
I am hitting a bit of a brick wall with this and wondering if anyone had some advice on the best methodology to go down to fix it. All our machines have an RMM tool on them that runs PowerShell, inv...
- Oct 04, 2021 | WayneD911
You are correct, there is not currently a way to specify a process parent/child in a suppression rule. We are tracking several feature improvements for suppression rules so I will add this request as well.
Thanks,
Jake Mowrer
AnuragSrivastava
Sep 29, 2021 | Iron Contributor
WayneD911
You should be able to create an alert suppression rule for this incident by selecting the command line and file name/file sha1 as parameter.
You can create a suppression condition using these attributes. An AND operator is applied between each condition, so suppression occurs only if all conditions are met.
File SHA1
File name - wildcard supported
Folder path - wildcard supported
IP address
URL - wildcard supported
Command line - wildcard supported
Reference - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide#suppress-an-alert-and-create-a-new-suppression-rule
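An added illustration (not Microsoft's code and not from either poster) of how the rule semantics described above play out: the six listed attributes, glob wildcards on the four that support them, an AND across every condition, and no way to express a parent/child process relationship. The attribute keys, script path, hash and sample alerts are constructed placeholders.

```python
"""Toy model of a Defender for Endpoint alert suppression rule as described in
the thread. Constructed example: attribute keys and sample alerts are made up."""
from fnmatch import fnmatchcase

# Attributes the portal lets you condition on; wildcards only on these four.
WILDCARD_ATTRS = {"file_name", "folder_path", "url", "command_line"}
EXACT_ATTRS = {"file_sha1", "ip_address"}
SUPPORTED = WILDCARD_ATTRS | EXACT_ATTRS


def unsupported_attributes(rule):
    """Conditions the rule asks for that the portal cannot express, e.g. a
    parent process (the point made in the Oct 04 reply)."""
    return sorted(set(rule) - SUPPORTED)


def condition_matches(attr, pattern, value):
    """Evaluate one condition. Wildcard attributes use '*' / '?' globbing,
    case-insensitively (Windows names and paths); the rest must match exactly."""
    if value is None:
        return False
    if attr in WILDCARD_ATTRS:
        return fnmatchcase(value.lower(), pattern.lower())
    return value.lower() == pattern.lower()


def would_suppress(rule, alert):
    """True only when every condition matches (AND between conditions)."""
    if unsupported_attributes(rule):
        raise ValueError(f"unsupported attributes: {unsupported_attributes(rule)}")
    return all(condition_matches(a, p, alert.get(a)) for a, p in rule.items())


# Constructed alerts: the RMM agent's scripted PowerShell, and a look-alike
# launched from a user's temp directory with the same binary.
RMM_ALERT = {
    "file_name": "powershell.exe",
    "folder_path": r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "command_line": r"powershell.exe -File C:\ProgramData\RMM\collect.ps1",
    "file_sha1": "0000000000000000000000000000000000000000",  # placeholder hash
}
LOOKALIKE_ALERT = dict(RMM_ALERT,
    command_line=r"powershell.exe -File C:\Users\bob\AppData\Local\Temp\x.ps1")

# Narrow rule: file name AND a command line scoped to the RMM script folder.
NARROW_RULE = {"file_name": "powershell.exe",
               "command_line": r"*-File C:\ProgramData\RMM\*.ps1"}
# Broad rule: file name only, which also hides the look-alike.
BROAD_RULE = {"file_name": "powershell.exe"}
```

Scoping the command-line condition to the RMM script path keeps the look-alike visible, which is the closest substitute for the parent-process condition the thread notes is unavailable.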