Forum Discussion

Kyrouz's avatar
Kyrouz
Copper Contributor
Oct 20, 2021

Query for common (legit) remote management solutions

Reading the CISA alert on https://us-cert.cisa.gov/ncas/alerts/aa21-291a just now and it leads me to this question - has someone put together a Defender for Endpoint/Sentinel query to inventory common remote management solutions (particularly those favored by ransomware operators)? I know that I could leverage vulnerability management for this but I'd like to fashion a Sentinel detection for whenever something unexpected shows up in my environment.
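One way to build the kind of query the post asks about, as an added example that is not part of the original thread and not Microsoft's own content: it runs over the Defender for Endpoint `DeviceProcessEvents` table as exposed in Sentinel, first collecting every execution of remote-management software over a 30-day lookback, then alerting only on tools that ran in the last day but never appeared in the preceding 29 days. The process-name and product-name lists are an illustrative starting point that I chose for the example and must be tuned to the tools actually sanctioned in a given environment; the column names (`FileName`, `ProcessVersionInfoProductName`, `ProcessVersionInfoCompanyName`, `FolderPath`, `InitiatingProcessFileName`) are from the advanced-hunting schema.

```kql
// Added example (not from the original post or from Microsoft).
// Assumes the Defender for Endpoint DeviceProcessEvents table is connected to Sentinel.
let lookback = 30d;   // how far back the "known tools" baseline reaches
let window   = 1d;    // the detection window (match the analytics rule frequency)
// Illustrative starting lists; replace with the RMM tools sanctioned in your environment.
let rmm_processes = dynamic([
    "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe",
    "screenconnect.clientservice.exe", "connectwisecontrol.client.exe",
    "splashtop_streamer.exe", "ateraagent.exe", "rustdesk.exe",
    "ammyy.exe", "supremo.exe", "ltsvc.exe"
]);
let rmm_products = dynamic([
    "AnyDesk", "TeamViewer", "ScreenConnect", "ConnectWise", "Splashtop",
    "Atera", "RustDesk", "Ammyy", "Supremo", "BeyondTrust"
]);
// 1) Inventory: every execution of a remote-management binary in the lookback period,
//    matched on file name or on the product name embedded in the binary's version info.
let rmm_events = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where tolower(FileName) in (rmm_processes)
     or ProcessVersionInfoProductName has_any (rmm_products)
| project Timestamp, DeviceId, DeviceName, FileName,
          Product   = ProcessVersionInfoProductName,
          Publisher = ProcessVersionInfoCompanyName,
          FolderPath, InitiatingProcessFileName, AccountName;
// 2) Baseline: tools already seen in the environment before the detection window.
let baseline = rmm_events
| where Timestamp < ago(window)
| distinct FileName, Product;
// 3) Detection: tools that ran in the last day and are absent from the baseline,
//    summarised per device so one alert carries where it ran, who launched it and from where.
rmm_events
| where Timestamp > ago(window)
| join kind=leftanti baseline on FileName, Product
| summarize FirstSeen  = min(Timestamp),
            Runs       = count(),
            Accounts   = make_set(AccountName, 5),
            Publishers = make_set(Publisher, 5),
            Paths      = make_set(FolderPath, 5),
            LaunchedBy = make_set(InitiatingProcessFileName, 5)
    by DeviceName, DeviceId, FileName, Product
| order by FirstSeen desc
```

Run the first `let` block on its own (ending the query at `rmm_events`) when you want the raw inventory rather than the alert; as a scheduled Sentinel analytics rule, set the rule frequency and lookup period to the `window` value so each run compares one day against the prior baseline. Adding `DeviceId` to the `distinct` and the `join` keys changes the logic from "new to the environment" to "new to this device", which is noisier but catches a tool that is approved on help-desk machines appearing on a domain controller.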
