SOLVED

Suppressing Alerts generated by RMM software

%3CLINGO-SUB%20id%3D%22lingo-sub-2788061%22%20slang%3D%22en-US%22%3ESuppressing%20Alerts%20generated%20by%20RMM%20software%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2788061%22%20slang%3D%22en-US%22%3E%3CP%20class%3D%22%22%3EI%20am%20hitting%20a%20bit%20of%20a%20brick%20wall%20with%20this%20and%20wondering%20if%20anyone%20had%20some%20advice%20on%20the%20best%20methodology%20to%20go%20down%20to%20fix%20it.%3C%2FP%3E%3CP%20class%3D%22%22%3EAll%20our%20machines%20have%20an%20RMM%20tool%20on%20them%20that%20runs%20PowerShell%2C%20inventories%20the%20machine%20etc.%20This%20is%20LTSVC.exe.%20All%20of%20this%20behaviour%20is%20legitimate.%20We%20are%20testing%20Defender%20for%20Endpoint%20on%20a%20few%20machines%20in%20our%20environment%20and%2C%20unsurprisingly%2C%20this%20behaviour%20is%20generating%20a%20lot%20of%20incidents%20and%20alerts.%3C%2FP%3E%3CP%20class%3D%22%22%3EI'll%20use%20this%20as%20an%20example%20but%20there%20are%20plenty%20of%20these%20examples.%20The%20inventory%20gets%20a%20list%20of%20users%20by%20running%20%22net1%20user%22%20.%3C%2FP%3E%3CP%20class%3D%22%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22%22%3EIf%20I%20look%20at%20the%20Alerts%20that%20are%20generating%2C%20and%20choose%20to%20make%20a%20suppression%20rule%20I%20get%20two%20options%20in%20the%20triggering%20IOC%20dropdown%3A%3C%2FP%3E%3CP%20class%3D%22%22%3E%3CA%20href%3D%22https%3A%2F%2Fi.imgur.com%2FdSL30lq.png%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20ugc%20noreferrer%22%3Ehttps%3A%2F%2Fi.imgur.com%2FdSL30lq.png%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eor%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fi.imgur.com%2Fod00gGk.png%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20ugc%20noreferrer%22%3Ehttps%3A%2F%2Fi.imgur.com%2Fod00gGk.png%3C%2FA%3E%3C%2FP%3E%3CP%20class%3D%22%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22%22%3EI%20don't%20want%20to%20whitelist%20the%20command%20%22net1%20user%22%20because%20what%20if%20a%20non%20legitimate%20tool%20runs%20it%3F%20I%20also%20don't%20want%20to%20whitelist%20the%20entire%20LTSVC.exe.%20What%20if%20someone%20pushes%20a%20malicious%20command%20out%20through%20it%3F%3C%2FP%3E%3CP%20class%3D%22%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22%22%3EIn%20plain%20English%20what%20I%20want%20to%20say%20in%20the%20suppression%20rule.%20%22If%20LTSVC.EXE%20runs%20%22net1%20user%22%20then%20that's%20fine.%20There%20doesn't%20seem%20to%20be%20a%20way%20to%20do%20this.%3C%2FP%3E%3CP%20class%3D%22%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22%22%3EAnyone%20have%20any%20idea%20on%20the%20best%20way%20to%20achieve%20this%2C%20or%20am%20I%20going%20about%20this%20in%20entirely%20the%20wrong%20way%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2810838%22%20slang%3D%22en-US%22%3ERe%3A%20Suppressing%20Alerts%20generated%20by%20RMM%20software%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2810838%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1167603%22%20target%3D%22_blank%22%3E%40WayneD911%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20are%20correct%2C%20there%20is%20not%20currently%20a%20way%20to%20specify%20a%20process%20parent%2Fchild%20in%20a%20suppression%20rule.%20We%20are%20tracking%20several%20feature%20improvements%20for%20suppression%20rules%20so%20I%20will%20add%20this%20request%20as%20well.%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EJake%20Mowrer%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
New Contributor

I am hitting a bit of a brick wall with this and wondering if anyone had some advice on the best methodology to go down to fix it.

All our machines have an RMM tool on them that runs PowerShell, inventories the machine etc. This is LTSVC.exe. All of this behaviour is legitimate. We are testing Defender for Endpoint on a few machines in our environment and, unsurprisingly, this behaviour is generating a lot of incidents and alerts.

I'll use this as an example but there are plenty of these examples. The inventory gets a list of users by running "net1 user" .

 

If I look at the Alerts that are generating, and choose to make a suppression rule I get two options in the triggering IOC dropdown:

https://i.imgur.com/dSL30lq.png or https://i.imgur.com/od00gGk.png

 

I don't want to whitelist the command "net1 user" because what if a non legitimate tool runs it? I also don't want to whitelist the entire LTSVC.exe. What if someone pushes a malicious command out through it?

 

In plain English what I want to say in the suppression rule. "If LTSVC.EXE runs "net1 user" then that's fine. There doesn't seem to be a way to do this.

 

Anyone have any idea on the best way to achieve this, or am I going about this in entirely the wrong way?

4 Replies
@WayneD911
You should be able to create an alert suppression rule for this incident by selecting the command line and file name/file sha1 as parameter.

You can create a suppression condition using these attributes. An AND operator is applied between each condition, so suppression occurs only if all conditions are met.

File SHA1
File name - wildcard supported
Folder path - wildcard supported
IP address
URL - wildcard supported
Command line - wildcard supported

Reference - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-wo...
best response confirmed by WayneD911 (New Contributor)
Solution
@WayneD911

You are correct, there is not currently a way to specify a process parent/child in a suppression rule. We are tracking several feature improvements for suppression rules so I will add this request as well.
Thanks,
Jake Mowrer

@Jake_Mowrer thanks for your response. In the meantime, would you advise that we just mark each individual alert as a false positive?

@WayneD911 yes definitely mark as FP and you can also open a support case and ask that our graders investigate tuning the detector. They may not be able to but it's worth a shot.

Jake