cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11967
Views
6
Helpful
6
Replies

Managing Cloud IOC and Generic IOC Events - AMP for Endpoints

kgriffen
Level 1
Level 1

I was wondering how those in in the Amp for Endpoints Community deal with Generic IOC and Cloud IOC events.  The vast majority of events I get are a result of RMM tools (Kaseya, N-Able, Connectwise, etc.) used by MSPs to manage the workstations.  These tools are triggering Generic IOC or Cloud IOC regularly. 

 

Generic IOC:  We see these triggered regularly by known good copies of powershell executing a valid, non-harmful, command that is spawned by the RMM tool. 

 

Cloud IOC: We see this triggered mostly when the RMM tool (or GPO?) issues a netsh command to disable Windows Firewall.

 

We don't want to lose the functionality of these IOCs, but how can we whitelist certain behavior as being expected and OK?  The underlying executables are already GREEN, and I can "HIde" these alerts in the Inbox and Dashboard, although they still show on the report as "Compromised Devices", causing the client to be worried that a significant portion of their machines are "compromised".

 

I'm just wondering how you all manage this?

6 Replies 6

doylepaul
Level 1
Level 1

Hi, did you find a way to whitelist planned or known powershell usage?

 

I have a very similiar issue where some of the Wintel engineers use powershell or wmic to perform scheduled updates. I would like thses whitelisted and obviously any other powershell or wmic activity flagged.

 

Kind regards.

Shinku
Level 1
Level 1

Over 3000 views and many users reporting the same problem.. You can whitelist powershell for certain workstations (those that should be running it) but those exclusions do NOT work.

 

 

No solution provided from Cisco. This is unacceptable.

John.Pitner
Level 1
Level 1

I'm looking for an answer to the same question:

 

Generic IOC:  We see these triggered regularly by known good copies of powershell executing a valid, non-harmful, command that is spawned by the RMM tool. 

 

Would be nice to read a topic/post that is 3 years old and find a solution. Please provide a steps to remedy Cisco.

orbT
Level 1
Level 1

Has anyone found a solution to mute these Cloud IOC PowerShell events? I get so many of these alerts and I do not want to become desensitized. 

joljol
Level 1
Level 1

Facing the same issue. These are getting triggered weekly and I have been looking for a way to allow them. Stumbled upon this thread and I see that I am not alone.

dallong
Cisco Employee
Cisco Employee

Cloud-IOC's can now be defined as exclusions and applied to specific policies/groups you define.  More information in user guide.