Noisy rule

We have some endpoint security applications that are triggering the built-in rule Suspicious Lsass Process Access. They are using PowerShell to access the lsass process. I created a rule exception using the field process.parent.name to not alert when it was one of the security products triggering the alert. The alerts are still generated despite the rule exceptions. I am wondering if a rule exception can only use the fields shown in the alert details, of which process.parent.name is not included.

2 Likes

@bbreer we are seeing similar, thanks for posting.
I can confirm that rule exceptions only work with fields shown in the alert details and adherence to ECS (Elastic Common Schema).
I posted about the same rule triggering from a verified MSFT process, and at face value it seems suspicious.

1 Like