Using LogMeIn Rescue Generates an Investigation

Hi, I am the PM for XDR:   

It looks like the XDR behavior detection is accurately triggering the detection and creating the investigation. 

To address these and other 'noise' where a suspect activity is being performed for legitimate reasons we will be adding custom suppression rules so that the admin can triage the detection and set a rule to suppress notification for the specific activity going forward.

I expect that customer defined suppression of detections will be available in the product this summer/fall.

Hi, I am the PM for XDR:   

It looks like the XDR behavior detection is accurately triggering the detection and creating the investigation. 

To address these and other 'noise' where a suspect activity is being performed for legitimate reasons we will be adding custom suppression rules so that the admin can triage the detection and set a rule to suppress notification for the specific activity going forward.

I expect that customer defined suppression of detections will be available in the product this summer/fall.

Thank you very much for the update!

Karl_Ackerman 

I found this dated thread on my search for a means to suppress some of the investigations that are started upon detection of our remote management tools (SCCM in combination with PsExec to start a command shell) which, despite having excluded PsExec on our management PC's, always triggers an investigation.

A separate ruleset to suppress them would be a great feature. Do you (or anyone who is reading this) know if this feature is still in the making?

This work was deferred when we started work on adding additional sources for security alerts for the Managed Detection and Response product. Now that that work is complete this is back on the roadmap and expected late this calendar year.  I am currently the product manager for Network Detection and Response, and will forward this to the PM for the XDR features. Stephen McKay. stephen.mckay@sophos.com