01-27-2020 07:59 AM - edited 02-20-2020 09:12 PM
We have a "Cloud IOC: W32.WMIProcessCores.ioc" triggering.
It's a legit Microsoft SCCM inventory process.
I don't want to whitelist all "wmic.exe" paths or SHAs, only this specific command-line.
Any guidance?
Thanks,
Troy
01-27-2020 02:59 PM
Hi,
You can whitelist this specific path by adding the entry below to an existing or new exclusion set:
Under the exclusion set, choose 'Path' and value = CSIDL_WINDOWS\System32\Wbem
02-10-2020 08:47 AM
Hello @tmbarnhart,
There is an open FR for this: AMP4E-I-1143
You may ask your Cisco representative to keep you regularly updated on this.
Greetings,
Thorsten
05-28-2020 06:53 AM