topic Re: Indication of Compromise Alerts Flooding my Outlook Inbox in Endpoint Security

Indication of Compromise Alerts Flooding my Outlook Inbox

richard.wing — Thu, 03 Mar 2022 15:08:01 GMT

Event Type: Cloud IOC

File: powershell.exe

File path: C:/Windows/system32/WindowsPowerShell/v1.0/powershell.exe

I get this alert for all CyberArk EPM Clients where the CyberArk EndPoint Management (EPM) Agent uses PowerShell scripts to implement CyberArk EPM Policies. It's blocking the C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\PASAgent\SFDP.dll from running. How to I stop Cisco Secure Endpoint from blocking it?

Re: Indication of Compromise Alerts Flooding my Outlook Inbox

Ken Stieers — Thu, 03 Mar 2022 15:43:20 GMT

You can mute it by opening one of the alerts and clicking on the bell.
Exclusions might work, but the Cloud IOCs are based on behavior that it looks at after the fact.

Re: Indication of Compromise Alerts Flooding my Outlook Inbox

Troja007 — Mon, 21 Mar 2022 12:59:04 GMT

Hello @richard.wing ,
we are aware of this issue and are working on a solution. Hopefully we will provide Cloud IOC exclusions soon. Today I cannot share any ETA for this, but you may ping your Cisco representative for details.

Until we provide this feature, please open a TAC case, so we can add an appropriate exclusion to the backend detection engine.
Greetings, Thorsten

Re: Indication of Compromise Alerts Flooding my Outlook Inbox

keitha — Mon, 21 Mar 2022 17:20:53 GMT

Deleted - mistaken dates

Re: Indication of Compromise Alerts Flooding my Outlook Inbox

Nicolai Borchorst — Tue, 22 Mar 2022 17:03:23 GMT

At the moment there is no way to create exclusions for Cloud IOC events. As mentioned by others the only thing you can do is create a TAC Case and provide them with as much information about the event as possible, e.g. filename, SHA-256 value, command line arguments etc. so they can reach out the development team to tune the events which happen globally... Yes, you heard correct. Cisco is unable to provide any kind of tuning or exclusion specifically for your organization, whatever they do back-end affects all Secure Endpoint customers globally.

I have a customer that develops powershell scripts that are run on their servers with Secure Endpoint installed. Almost any type of script is triggering a new Cloud IOC even though it's relatively harmless, one of the scripts would collect health information from the server.. I think we're on TAC Case number three for having Cisco tune these Cloud IOCs which seems pointless as they keep triggering a new event every time they create a new script. It typically takes Cisco weeks to do and all the cases we have opened always receive an initial response from the engineer saying exclusions are not possible. Not sure if they just can't be bothered and think they can get the case closed faster or maybe they simply don't now..

Re: Indication of Compromise Alerts Flooding my Outlook Inbox

Troja007 — Thu, 24 Mar 2022 13:24:32 GMT

Hello @Nicolai Borchorst ,
we are already working on this feature. Today I do not have an ETA for you to share here. You may ping your Cisco representative for details.

Greetings, Thorsten