topic Re: Managing Cloud IOC and Generic IOC Events - AMP for Endpoints in Endpoint Security

Managing Cloud IOC and Generic IOC Events - AMP for Endpoints

kgriffen — Fri, 21 Feb 2020 05:07:09 GMT

I was wondering how those in in the Amp for Endpoints Community deal with Generic IOC and Cloud IOC events. The vast majority of events I get are a result of RMM tools (Kaseya, N-Able, Connectwise, etc.) used by MSPs to manage the workstations. These tools are triggering Generic IOC or Cloud IOC regularly.

Generic IOC: We see these triggered regularly by known good copies of powershell executing a valid, non-harmful, command that is spawned by the RMM tool.

Cloud IOC: We see this triggered mostly when the RMM tool (or GPO?) issues a netsh command to disable Windows Firewall.

We don't want to lose the functionality of these IOCs, but how can we whitelist certain behavior as being expected and OK? The underlying executables are already GREEN, and I can "HIde" these alerts in the Inbox and Dashboard, although they still show on the report as "Compromised Devices", causing the client to be worried that a significant portion of their machines are "compromised".

I'm just wondering how you all manage this?

Re: Managing Cloud IOC and Generic IOC Events - AMP for Endpoints

doylepaul — Wed, 09 Jan 2019 13:26:48 GMT

Hi, did you find a way to whitelist planned or known powershell usage?

I have a very similiar issue where some of the Wintel engineers use powershell or wmic to perform scheduled updates. I would like thses whitelisted and obviously any other powershell or wmic activity flagged.

Kind regards.

Re: Managing Cloud IOC and Generic IOC Events - AMP for Endpoints

Shinku — Tue, 15 Dec 2020 18:36:03 GMT

Over 3000 views and many users reporting the same problem.. You can whitelist powershell for certain workstations (those that should be running it) but those exclusions do NOT work.

No solution provided from Cisco. This is unacceptable.

Re: Managing Cloud IOC and Generic IOC Events - AMP for Endpoints

John.Pitner — Thu, 09 Dec 2021 15:35:19 GMT

I'm looking for an answer to the same question:

Generic IOC: We see these triggered regularly by known good copies of powershell executing a valid, non-harmful, command that is spawned by the RMM tool.

Would be nice to read a topic/post that is 3 years old and find a solution. Please provide a steps to remedy Cisco.

Re: Managing Cloud IOC and Generic IOC Events - AMP for Endpoints

orbT — Mon, 21 Nov 2022 05:11:09 GMT

Has anyone found a solution to mute these Cloud IOC PowerShell events? I get so many of these alerts and I do not want to become desensitized.

Re: Managing Cloud IOC and Generic IOC Events - AMP for Endpoints

joljol — Tue, 02 May 2023 06:15:44 GMT

Facing the same issue. These are getting triggered weekly and I have been looking for a way to allow them. Stumbled upon this thread and I see that I am not alone.

Re: Managing Cloud IOC and Generic IOC Events - AMP for Endpoints

dallong — Fri, 12 May 2023 14:06:23 GMT

Cloud-IOC's can now be defined as exclusions and applied to specific policies/groups you define. More information in user guide.