Add alert exclusion for "grandfather" process

We have an agent on our Linux servers that will spawn a shell, and then that shell will spawn a process that creates an alert. This agent is trusted software on the host, and I have added it to the whitelist. The problem is that, from the specific alert, there is no way to exclude the agent process (which is the parent of the parent process).

Is there any way to exclude the agent process when it is the parent of the parent process that alerts?


I'm still looking for guidance on this. We have instances of alerts being generated by our vulnerability scanning agent on a host. The agent will spawn a shell, that shell will spawn another process, which will spawn the process that is alerted on. So the agent is 3 degrees separated from the alert, which means when I look at the log for the alert the agent is not present, but if I look at the "Analyze Event" I can see the agent in the process tree. I have whitelisted the agent executable but that has not helped.
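The exclusion described in this thread keys on an ancestor several levels up the process tree rather than on the immediate parent, which is why whitelisting the agent executable against the alerting process alone does nothing. As an added illustration (not code from this thread or from whichever alerting product the poster is using), the Python below shows what such a rule has to do: rebuild the parent chain from a process table and walk it a bounded number of levels looking for an allowlisted executable. The process table, the alert records, the agent path `/opt/vulnscan/agent` and the rule name are all constructed for the example and are not real data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    exe: str  # resolved path of the executable


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    exe: str


# Constructed sample process table mirroring the chain in the post:
# agent -> shell -> intermediate process -> process that raises the alert.
# The agent path is a placeholder, not any real product's install location.
SAMPLE_PROCS: List[Proc] = [
    Proc(pid=1, ppid=0, exe="/sbin/init"),
    Proc(pid=1200, ppid=1, exe="/opt/vulnscan/agent"),    # trusted agent (hypothetical)
    Proc(pid=1201, ppid=1200, exe="/bin/sh"),             # shell spawned by the agent
    Proc(pid=1202, ppid=1201, exe="/usr/bin/python3"),    # helper spawned by that shell
    Proc(pid=1203, ppid=1202, exe="/usr/bin/nmap"),       # the process the alert fires on
    Proc(pid=2000, ppid=1, exe="/bin/bash"),              # unrelated interactive shell
    Proc(pid=2001, ppid=2000, exe="/usr/bin/nmap"),       # same binary, NOT under the agent
]

# Constructed alerts: the same rule fires for both nmap processes.
SAMPLE_ALERTS: List[Alert] = [
    Alert(rule="network-scanner-executed", pid=1203, exe="/usr/bin/nmap"),
    Alert(rule="network-scanner-executed", pid=2001, exe="/usr/bin/nmap"),
]

# Executables whose descendants are exempt from the rule. Matching on path alone
# is weak: in production also pin the binary (hash or package signature) and the
# user it runs as, otherwise anything that can write that path inherits the exemption.
ALLOWED_ANCESTORS: Set[str] = {"/opt/vulnscan/agent"}


def by_pid(procs: Iterable[Proc]) -> Dict[int, Proc]:
    """Index the process table by pid so ancestry lookups are O(1) per hop."""
    return {p.pid: p for p in procs}


def find_allowed_ancestor(pid: int, table: Dict[int, Proc], allowlist: Set[str],
                          max_depth: int = 3) -> Optional[Tuple[int, Proc]]:
    """Walk parent -> grandparent -> ... for at most max_depth levels.

    Returns (depth, ancestor) for the first allowlisted ancestor found, else None.
    Depth 1 is the parent, 2 the grandparent, 3 the great-grandparent (the
    "3 degrees" case in the post). The depth bound keeps the exemption narrow:
    an unbounded walk would exempt every descendant of the agent forever.
    A seen-set guards against cycles in a corrupted or partially collected table.
    """
    seen = {pid}
    current = table.get(pid)
    depth = 0
    while current is not None and depth < max_depth:
        parent = table.get(current.ppid)
        depth += 1
        if parent is None or parent.pid in seen:   # top of the tree, or a cycle
            return None
        seen.add(parent.pid)
        if parent.exe in allowlist:
            return depth, parent
        current = parent
    return None


def triage(alerts: Iterable[Alert], procs: Iterable[Proc], allowlist: Set[str],
           max_depth: int = 3) -> Dict[int, Optional[str]]:
    """Map each alert's pid to a suppression reason, or None if the alert stands."""
    table = by_pid(procs)
    verdicts: Dict[int, Optional[str]] = {}
    for alert in alerts:
        hit = find_allowed_ancestor(alert.pid, table, allowlist, max_depth)
        verdicts[alert.pid] = f"{hit[1].exe} at depth {hit[0]}" if hit else None
    return verdicts


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_ALERTS, SAMPLE_PROCS, ALLOWED_ANCESTORS).items():
        print(pid, "suppressed by" if reason else "ALERT", reason or "")
```

The walk needs the full parent chain, so it only works where the alerting platform records process-creation events with pids and ppids (the "Analyze Event" tree in the post shows that data exists, even though the single alert log line omits it). Keep `max_depth` at the smallest value that covers the agent's real spawn pattern: a wider bound, or an allowlist entry on a generic shell rather than the agent binary, turns a targeted exception into a blind spot for anything an attacker can get the agent to launch.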
