Sep 27 2021 04:49 AM
I am hitting a bit of a brick wall with this and wondering if anyone had some advice on the best methodology to go down to fix it.
All our machines have an RMM tool on them that runs PowerShell, inventories the machine etc. This is LTSVC.exe. All of this behaviour is legitimate. We are testing Defender for Endpoint on a few machines in our environment and, unsurprisingly, this behaviour is generating a lot of incidents and alerts.
I'll use this as an example but there are plenty of these examples. The inventory gets a list of users by running "net1 user" .
If I look at the Alerts that are generating, and choose to make a suppression rule I get two options in the triggering IOC dropdown:
https://i.imgur.com/dSL30lq.png or https://i.imgur.com/od00gGk.png
I don't want to whitelist the command "net1 user" because what if a non legitimate tool runs it? I also don't want to whitelist the entire LTSVC.exe. What if someone pushes a malicious command out through it?
In plain English what I want to say in the suppression rule. "If LTSVC.EXE runs "net1 user" then that's fine. There doesn't seem to be a way to do this.
Anyone have any idea on the best way to achieve this, or am I going about this in entirely the wrong way?
Sep 28 2021 09:24 PM
Oct 04 2021 02:34 PM
SolutionOct 04 2021 03:02 PM
@Jake_Mowrer thanks for your response. In the meantime, would you advise that we just mark each individual alert as a false positive?
Oct 04 2021 08:01 PM
Oct 04 2021 02:34 PM
Solution