WayneD911
New Contributor

‎Sep 27 2021 04:49 AM

‎Sep 27 2021 04:49 AM

Suppressing Alerts generated by RMM software

I am hitting a bit of a brick wall with this and wondering if anyone had some advice on the best methodology to go down to fix it.

All our machines have an RMM tool on them that runs PowerShell, inventories the machine etc. This is LTSVC.exe. All of this behaviour is legitimate. We are testing Defender for Endpoint on a few machines in our environment and, unsurprisingly, this behaviour is generating a lot of incidents and alerts.

I'll use this as an example but there are plenty of these examples. The inventory gets a list of users by running "net1 user" .

 

If I look at the Alerts that are generating, and choose to make a suppression rule I get two options in the triggering IOC dropdown:

https://i.imgur.com/dSL30lq.png or https://i.imgur.com/od00gGk.png

 

I don't want to whitelist the command "net1 user" because what if a non legitimate tool runs it? I also don't want to whitelist the entire LTSVC.exe. What if someone pushes a malicious command out through it?

 

In plain English what I want to say in the suppression rule. "If LTSVC.EXE runs "net1 user" then that's fine. There doesn't seem to be a way to do this.

 

Anyone have any idea on the best way to achieve this, or am I going about this in entirely the wrong way?

383 Views
0 Likes
4 Replies
Reply
AnuragSrivastava

‎Sep 28 2021 09:24 PM

‎Sep 28 2021 09:24 PM

Re: Suppressing Alerts generated by RMM software

@WayneD911
You should be able to create an alert suppression rule for this incident by selecting the command line and file name/file sha1 as parameter.

You can create a suppression condition using these attributes. An AND operator is applied between each condition, so suppression occurs only if all conditions are met.

File SHA1
File name - wildcard supported
Folder path - wildcard supported
IP address
URL - wildcard supported
Command line - wildcard supported

Reference - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-wo...
0 Likes
Reply
best response confirmed by WayneD911 (New Contributor)
Jake_Mowrer

‎Oct 04 2021 02:34 PM

‎Oct 04 2021 02:34 PM

Solution

Re: Suppressing Alerts generated by RMM software

@WayneD911

You are correct, there is not currently a way to specify a process parent/child in a suppression rule. We are tracking several feature improvements for suppression rules so I will add this request as well.
Thanks,
Jake Mowrer
0 Likes
Reply
WayneD911

‎Oct 04 2021 03:02 PM

‎Oct 04 2021 03:02 PM

Re: Suppressing Alerts generated by RMM software

@Jake_Mowrer thanks for your response. In the meantime, would you advise that we just mark each individual alert as a false positive?

0 Likes
Reply
Jake_Mowrer

‎Oct 04 2021 08:01 PM

‎Oct 04 2021 08:01 PM

Re: Suppressing Alerts generated by RMM software

@WayneD911 yes definitely mark as FP and you can also open a support case and ask that our graders investigate tuning the detector. They may not be able to but it's worth a shot.

Jake
0 Likes
Reply
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE