Defend exclusion by parent signature?

I recently ran into an issue where Defend is triggering on suspicious activity. Unfortunately, the suspicious activity is due to a legitimate software install that is adding itself to the Windows Defender exclusions directory by subprocessing PowerShell to add the entry. What this ends up meaning is that I can add PowerShell as a trusted application to allow the install, which isn't really what I want.

My question is, is there a way for me to add an exclusion or trusted application where the exclusion is basically: if the parent of the application causing a specific malicious trigger has a specific validated signature, then allow it? Otherwise I need to jump through hoops every time I want to update this specific software.




Hi @FranklinFurter. You can create an Endpoint Alert Exception on any field that Endpoint sends in the alert. If process.parent.code_signature or process.parent.Ext.code_signature is present, you can use it in exceptions.

When trusting signers, make sure to also check trusted: true as a nested condition paired with subject_name. A file can have multiple signers. Nested checks ensure that the two fields are validated as a tuple.

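The reply above describes the shape of the exception and why the signer conditions must be nested. The following is an added example, not code from the original thread or from Elastic: it builds an Endpoint exception item in the shape of the Kibana exception-items API body (POST /api/exception_lists/items, list_id "endpoint_list") that trusts a parent process by its code signature, then evaluates that item against two constructed alert documents to show why subject_name and trusted have to be checked as one nested pair rather than as two independent conditions. The signer name "Example Software Inc.", the os_types value and both sample alerts are assumptions made for illustration; the field names are the ones quoted in the reply.

```python
"""Added example, not part of the original thread or of Elastic's code.

Builds an Endpoint exception item trusting a parent by code signature and
evaluates it against constructed alerts to show nested vs. flat semantics.
"""

import json

# Assumption for illustration: the installer's parent is signed by this subject.
TRUSTED_SIGNER = "Example Software Inc."
SIGNATURE_FIELD = "process.parent.Ext.code_signature"


def build_parent_signer_exception(subject_name: str) -> dict:
    """Exception item in the shape of the Kibana exception-items API body
    for the Endpoint exception list. Both signer conditions sit in one
    'nested' entry so a single signature object must satisfy both."""
    return {
        "list_id": "endpoint_list",
        "namespace_type": "agnostic",
        "type": "simple",
        "os_types": ["windows"],  # assumed: the installer is a Windows binary
        "name": f"Allow children of processes signed by {subject_name}",
        "description": "Parent process carries a trusted signature",
        "entries": [
            {
                "field": SIGNATURE_FIELD,
                "type": "nested",
                "entries": [
                    {"field": "subject_name", "type": "match",
                     "operator": "included", "value": subject_name},
                    # match values are strings; "true" compares to the boolean
                    {"field": "trusted", "type": "match",
                     "operator": "included", "value": "true"},
                ],
            }
        ],
    }


def _lookup(doc: dict, dotted: str):
    """Walk a dotted field path through nested dicts; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _match_entry(entry: dict, obj: dict) -> bool:
    """Evaluate one 'match' entry against one object."""
    actual = _lookup(obj, entry["field"])
    if isinstance(actual, bool):
        actual = "true" if actual else "false"
    hit = actual == entry["value"]
    return hit if entry["operator"] == "included" else not hit


def exception_matches(item: dict, alert: dict, nested: bool = True) -> bool:
    """True if the alert is covered by the exception item.

    nested=True : one element of the signature array must satisfy every
                  sub-entry (the tuple check the reply recommends).
    nested=False: each sub-entry may be satisfied by a different element,
                  i.e. two independent flat conditions; shown only to
                  demonstrate the weaker semantics.
    """
    for entry in item["entries"]:
        if entry["type"] != "nested":
            if not _match_entry(entry, alert):
                return False
            continue
        signers = _lookup(alert, entry["field"]) or []
        subs = entry["entries"]
        if nested:
            ok = any(all(_match_entry(s, sig) for s in subs) for sig in signers)
        else:
            ok = all(any(_match_entry(s, sig) for sig in signers) for s in subs)
        if not ok:
            return False
    return True


def _alert(signers: list) -> dict:
    """Constructed minimal alert document carrying the parent signature array."""
    return {"process": {"parent": {"Ext": {"code_signature": signers}}}}


# Constructed sample alerts (not real Endpoint output).
LEGIT_INSTALL = _alert([
    {"subject_name": TRUSTED_SIGNER, "trusted": True, "status": "trusted"},
])
# Two signers: the trusted name with a broken chain plus an unrelated valid
# signer. Flat checks accept this file; the nested check rejects it.
MIXED_SIGNERS = _alert([
    {"subject_name": TRUSTED_SIGNER, "trusted": False, "status": "errorChaining"},
    {"subject_name": "Unrelated Publisher", "trusted": True, "status": "trusted"},
])

if __name__ == "__main__":
    item = build_parent_signer_exception(TRUSTED_SIGNER)
    print(json.dumps(item, indent=2))
    for label, alert in (("legit", LEGIT_INSTALL), ("mixed", MIXED_SIGNERS)):
        print(label, "nested:", exception_matches(item, alert),
              "flat:", exception_matches(item, alert, nested=False))
```

Running the script prints the item JSON and then shows the legitimate install matched under both semantics, while the mixed-signer file matches only under the flat evaluation. That second result is exactly the gap the nested entry closes: an attacker who appends a second, unrelated but valid signature to a file should not be able to borrow the trusted subject name from a signature that does not verify.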

Thanks, I'll check that out. I was under the impression that the alert exception was simply not creating an alert on the elastic server side but would still stop the process on the client side. That's not the case then?

Rule exceptions are as you describe. Endpoint Exceptions are processed on-Endpoint before potentially generating any alerts or blocking behavior.

Related discussion.

