Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11423
Views
6
Helpful
6
Replies

Managing Cloud IOC and Generic IOC Events - AMP for Endpoints

kgriffen
Level 1
Level 1

‎12-03-2018 09:44 AM - edited ‎02-20-2020 09:07 PM

I was wondering how those in in the Amp for Endpoints Community deal with Generic IOC and Cloud IOC events.  The vast majority of events I get are a result of RMM tools (Kaseya, N-Able, Connectwise, etc.) used by MSPs to manage the workstations.  These tools are triggering Generic IOC or Cloud IOC regularly. 

 

Generic IOC:  We see these triggered regularly by known good copies of powershell executing a valid, non-harmful, command that is spawned by the RMM tool. 

 

Cloud IOC: We see this triggered mostly when the RMM tool (or GPO?) issues a netsh command to disable Windows Firewall.

 

We don't want to lose the functionality of these IOCs, but how can we whitelist certain behavior as being expected and OK?  The underlying executables are already GREEN, and I can "HIde" these alerts in the Inbox and Dashboard, although they still show on the report as "Compromised Devices", causing the client to be worried that a significant portion of their machines are "compromised".

 

I'm just wondering how you all manage this?

26 people had this problem
Labels:
0 Helpful
6 Replies 6

doylepaul
Level 1
Level 1

‎01-09-2019 05:26 AM

Hi, did you find a way to whitelist planned or known powershell usage?

 

I have a very similiar issue where some of the Wintel engineers use powershell or wmic to perform scheduled updates. I would like thses whitelisted and obviously any other powershell or wmic activity flagged.

 

Kind regards.

0 Helpful

Shinku
Level 1
Level 1

‎12-15-2020 10:36 AM

Over 3000 views and many users reporting the same problem.. You can whitelist powershell for certain workstations (those that should be running it) but those exclusions do NOT work.

 

 

No solution provided from Cisco. This is unacceptable.

John.Pitner
Level 1
Level 1

‎12-09-2021 07:35 AM

I'm looking for an answer to the same question:

 

Generic IOC:  We see these triggered regularly by known good copies of powershell executing a valid, non-harmful, command that is spawned by the RMM tool. 

 

Would be nice to read a topic/post that is 3 years old and find a solution. Please provide a steps to remedy Cisco.

0 Helpful

orbT
Level 1
Level 1

‎11-20-2022 09:11 PM

Has anyone found a solution to mute these Cloud IOC PowerShell events? I get so many of these alerts and I do not want to become desensitized. 

0 Helpful

joljol
Level 1
Level 1

‎05-01-2023 11:15 PM

Facing the same issue. These are getting triggered weekly and I have been looking for a way to allow them. Stumbled upon this thread and I see that I am not alone.

0 Helpful

dallong
Cisco Employee
Cisco Employee

‎05-12-2023 07:06 AM

Cloud-IOC's can now be defined as exclusions and applied to specific policies/groups you define.  More information in user guide.

Customers Also Viewed These Support Documents