sync: auto-sync from HOWARD-HOME at 2026-07-07 11:01:18
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-07-07 11:01:18
This commit is contained in:
@@ -108,6 +108,46 @@ installed, hook, network, events`, plus `extensions:[{id,args,order}]`.
|
||||
the extension id via `GET /Extensions` (e.g. `Host Isolation [Win/Linux]`) and test on
|
||||
an ACG-internal box first.
|
||||
|
||||
## Alert Suppression Rules (verified live 2026-07-07)
|
||||
|
||||
Suppress a false-positive detection so it stops firing (and stops triggering any
|
||||
attached auto-response like `isolate-host`). LoopBack models are API-reachable:
|
||||
|
||||
| Op | Method/path |
|
||||
|---|---|
|
||||
| List rules | `GET /SuppressionRules` (`[id, alertId, name, versionCount, description, organizationId, locationId, active, deleted]`) |
|
||||
| Count | `GET /SuppressionRules/count` |
|
||||
| Match criteria (per rule) | `GET /SuppressionRules/{id}/versions` → `[{id, suppressionRuleId, name, description, metadata:{...}}]` |
|
||||
|
||||
**`metadata`** is the full match-field map; each key is `{value, active, display, dataType,
|
||||
operator}`. A field participates in the match ONLY when `active:true`; all active fields are
|
||||
**AND**-ed. Available fields (`display`): Alert Type, Item Type, Organization Name, Location
|
||||
Name, Hostname, IP Address, Name, File Path, File SHA1, File SHA256, File Signature Issuer,
|
||||
**Process Command Line**, AV Threat Name, Operating System, Threat Status, Severity, Rule
|
||||
Name, EPP Type, Threat Category, Process Owner, Process Owner UID, AV Hits, Parent Process
|
||||
Name, Grand Parent Process Name.
|
||||
|
||||
**Scoping guidance (learned from the vwp-qbs RMM false-positive incident):** the tightest
|
||||
safe suppression matches on **Process Command Line** (a unique fingerprint of the exact
|
||||
script) plus **Grand Parent Process Name** (the launching agent, e.g. `gururmm-agent.exe`).
|
||||
That trusts one exact known-good automation without blinding a whole binary. NEVER suppress
|
||||
on `Name`/`File Path`/`File SHA*` of a LOLBin (powershell/rundll32/etc.) alone — it disables
|
||||
the rule for that binary everywhere. Add `Rule Name` to limit to one rule; add `Hostname`/
|
||||
`Organization Name`/`Location Name` to limit scope (empty `organizationId`/`locationId` on the
|
||||
rule = fleet-wide, gated by the metadata match). **Do NOT blanket-whitelist an RMM agent as
|
||||
grandparent by itself** — the RMM is a SYSTEM-level RCE channel and the top MSP attack path;
|
||||
whitelisting all of it blinds EDR exactly where it matters.
|
||||
|
||||
**Create — CONSOLE-observed, API create RUN-unverified.** Console flow: open the alert →
|
||||
**Create Suppression Rule** → check the desired Match fields → Save. This POSTs a
|
||||
`SuppressionRule` (carrying `alertId`, `name`, `description`, `organizationId`, `locationId`,
|
||||
`active`) plus a version whose `metadata` has the chosen fields flipped to `active:true`. To
|
||||
replicate via API, POST `/SuppressionRules` then the version to `/SuppressionRules/{id}/
|
||||
versions` with that metadata shape — verify the exact envelope on the next real create (build
|
||||
→ read back via the GET above → delete if wrong) before relying on it. Example on this tenant:
|
||||
rule `e4dd55bf-…` (name "Exfiltration Over HTTP Protocol", alertId `5d5f39b1-…`) matches
|
||||
Process Command Line + Grand Parent = `gururmm-agent.exe`.
|
||||
|
||||
## Deployment (not a REST call)
|
||||
|
||||
The agent installs by running the binary on the endpoint:
|
||||
|
||||
Reference in New Issue
Block a user