12-03-2018 09:44 AM - edited 02-20-2020 09:07 PM
I was wondering how those in the Amp for Endpoints Community deal with Generic IOC and Cloud IOC events. The vast majority of events I get are a result of RMM tools (Kaseya, N-Able, Connectwise, etc.) used by MSPs to manage the workstations. These tools are triggering Generic IOC or Cloud IOC regularly.
Generic IOC: We see these triggered regularly by known good copies of powershell executing a valid, non-harmful, command that is spawned by the RMM tool.
Cloud IOC: We see this triggered mostly when the RMM tool (or GPO?) issues a netsh command to disable Windows Firewall.
We don't want to lose the functionality of these IOCs, but how can we whitelist certain behavior as being expected and OK? The underlying executables are already GREEN, and I can "Hide" these alerts in the Inbox and Dashboard, although they still show on the report as "Compromised Devices", causing the client to be worried that a significant portion of their machines are "compromised".
I'm just wondering how you all manage this?
01-09-2019 05:26 AM
Hi, did you find a way to whitelist planned or known powershell usage?
I have a very similar issue where some of the Wintel engineers use powershell or wmic to perform scheduled updates. I would like these whitelisted and obviously any other powershell or wmic activity flagged.
Kind regards.
12-15-2020 10:36 AM
Over 3000 views and many users reporting the same problem. You can whitelist powershell for certain workstations (those that should be running it) but those exclusions do NOT work.
No solution provided from Cisco. This is unacceptable.
12-09-2021 07:35 AM
I'm looking for an answer to the same question:
Generic IOC: We see these triggered regularly by known good copies of powershell executing a valid, non-harmful, command that is spawned by the RMM tool.
Would be nice to read a topic/post that is 3 years old and find a solution. Please provide steps to remedy, Cisco.
11-20-2022 09:11 PM
Has anyone found a solution to mute these Cloud IOC PowerShell events? I get so many of these alerts and I do not want to become desensitized.
05-01-2023 11:15 PM
Facing the same issue. These are getting triggered weekly and I have been looking for a way to allow them. Stumbled upon this thread and I see that I am not alone.
05-12-2023 07:06 AM
Cloud IOCs can now be defined as exclusions and applied to specific policies/groups you define. More information in user guide.
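The thread asks for the same thing throughout: treat powershell.exe or netsh.exe as expected when an RMM agent spawns it, and keep flagging it otherwise. Cisco's exclusions (per the last reply) are the way to suppress the alert inside the console; the script below is an added example, not part of any post above and not Cisco's or any RMM vendor's code, showing how to triage exported process-creation events by parent process before deciding what to exclude. The agent names in $KnownRmmParents and the five sample events are constructed assumptions; replace the names with the actual agent binaries from your RMM deployment.

```powershell
# Added example: allow-by-parent triage for PowerShell / netsh IOC-style events.
# Assumption: you have events with Host, Parent, Image and CommandLine fields
# (e.g. exported from AMP device trajectory or Windows 4688 / Sysmon EID 1).

# Hypothetical RMM agent binaries that are expected to spawn powershell/netsh.
# Fill in the real agent process names for your MSP tooling.
$KnownRmmParents = @('RmmAgent.exe', 'RmmWorker.exe')

# Constructed sample events, not real telemetry.
$SampleEvents = @(
    @{ Host='WS01'; Parent='RmmAgent.exe'; Image='powershell.exe'
       CommandLine='powershell.exe -NoProfile -File C:\RMM\Scripts\inventory.ps1' },
    @{ Host='WS02'; Parent='RmmAgent.exe'; Image='netsh.exe'
       CommandLine='netsh advfirewall set allprofiles state off' },
    @{ Host='WS03'; Parent='winword.exe'; Image='powershell.exe'
       CommandLine='powershell.exe -w hidden -enc SQBFAFgA' },
    @{ Host='WS04'; Parent='cmd.exe'; Image='netsh.exe'
       CommandLine='netsh advfirewall set allprofiles state off' },
    @{ Host='WS05'; Parent='explorer.exe'; Image='powershell.exe'
       CommandLine='powershell.exe Get-Process' }
)

function Get-IocVerdict {
    param([Parameter(Mandatory)][hashtable]$Event)

    $image  = [IO.Path]::GetFileName($Event.Image)
    $parent = [IO.Path]::GetFileName($Event.Parent)

    # Only the two binaries the thread complains about are in scope here.
    if ($image -notin @('powershell.exe', 'netsh.exe')) { return 'ignore' }

    # Caveat: encoded PowerShell is never allowlisted, even from an RMM parent,
    # because a compromised RMM tenant is a common delivery path.
    $encoded = $Event.CommandLine -match '\s-e(c|nc|ncodedcommand)?\s'
    if ($encoded) { return 'flag: encoded PowerShell command line' }

    # Expected behaviour: spawned directly by a known management agent.
    if ($parent -in $KnownRmmParents) { return "expected: spawned by $parent" }

    # Firewall being disabled by anything other than the RMM agent stays an alert.
    if ($Event.CommandLine -match 'advfirewall\s+set\s+\S+\s+state\s+off') {
        return 'flag: Windows Firewall disabled outside RMM'
    }

    return "flag: $image with unexpected parent $parent"
}

# Triage the sample set and print one row per event.
$SampleEvents | ForEach-Object {
    [pscustomobject]@{
        Host    = $_.Host
        Parent  = $_.Parent
        Image   = $_.Image
        Verdict = Get-IocVerdict -Event $_
    }
} | Format-Table -AutoSize
```

On the constructed input, WS01 and WS02 come back as expected (RMM parent), WS03 is flagged for the encoded command despite nothing else being wrong with it, WS04 is flagged because cmd.exe, not the agent, turned the firewall off, and WS05 is flagged for an interactive parent. The list of "expected" rows is the set you would then carry into the per-policy Cloud IOC exclusion the last reply describes, rather than excluding powershell.exe itself.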