01-27-2020 07:59 AM - edited 02-20-2020 09:12 PM
We have a "Cloud IOC: W32.WMIProcessCores.ioc" triggering.
It's a legit Microsoft SCCM inventory process.
I don't want to whitelist all "wmic.exe" paths or SHAs, only this specific command-line.
Any guidance?
Thanks,
Troy
01-27-2020 02:59 PM
Hi,
You can whitelist this specific path by adding the below to your existing exclusion sets or a new one:
Under the exclusion set, choose 'Path' and value = CSIDL_WINDOWS\System32\Wbem
02-10-2020 08:47 AM
Hello @tmbarnhart,
There is an open FR for this: AMP4E-I-1143
You may ask your Cisco Representative for frequent updates on this.
Greetings,
Thorsten
05-28-2020 06:53 AM