1 ACCEPTED SOLUTION
Accepted Solutions
@Anonymous
The best option for both this and your Runs Malicious File By Reputation Service question will be to adjust the app rule on the log decoder that is source of the alert.
In the log decoder config menu find the "outbound from unsigned appdata directory" rule and add the meta for your known-good apps/processes to these. Using your Citadel Team details as an example, you could add:
&& (not(filename.src='Citadel Team.exe' && param.src begins 'Citadel Team.exe'))
Note that I am purposefully excluding the sha256 value here, as that will change after any upgrade to citadel team, as well as leaving out much of the launch arguments because I don't know whether those will remain consistent.
I am also not including the source directory, but I believe there is some explicit appdata meta that gets created in these events....in context.src possibly? I cannot find this in my lab at the moment, but I expect you'll have some good examples to draw from.
@Anonymous
The best option for both this and your Runs Malicious File By Reputation Service question will be to adjust the app rule on the log decoder that is source of the alert.
In the log decoder config menu find the "outbound from unsigned appdata directory" rule and add the meta for your known-good apps/processes to these. Using your Citadel Team details as an example, you could add:
&& (not(filename.src='Citadel Team.exe' && param.src begins 'Citadel Team.exe'))
Note that I am purposefully excluding the sha256 value here, as that will change after any upgrade to citadel team, as well as leaving out much of the launch arguments because I don't know whether those will remain consistent.
I am also not including the source directory, but I believe there is some explicit appdata meta that gets created in these events....in context.src possibly? I cannot find this in my lab at the moment, but I expect you'll have some good examples to draw from.
