Our Spring 2019 Update introduces several new whitelist capabilities. While there are many use cases for excluding detections from the results, the most common we heard from customers was the ability to still detect a specific Suspicious/Malicious finding although exclude it when it meets a given criteria. The following RocketApps now include whitelisting features:
- Advanced Breach Detection
- Cyber Terrorist Network Connections
- Malicious File Detection
- Suspicious Services
- Suspicious Tools
“It’s important to know that whitelisting can be performed in context as the MSP, a unique Customer or additionally at the Device level. When making any whitelist configuration at the MSP root level, all customers under management will inherit the change.”
It’s equally important to know that the alternative to whitelisting a detection is to disable the specific detection. This is also performed on any of the dashboard widgets where the gear is present.
Whitelisting Examples by RocketApp:
Advanced Breach Detection
This example illustrates the attack technique - querying of the registry.
Cyber Terrorist Network Connections
There are two examples listed below: the connection to China shows two red dots, indicating two threat intelligence sources have record of historical malicious activity.
The first example could be to white list a specific IP address that is an authorized connection in one of the monitored nation states. Secondly, if you would like to view only network connections to countries where threat intelligence sources are present, simply enable the "bad reputation connections". When finished, click update.
Malicious File Detections
While it is not common to white list a malicious file detection, there are some instances we've heard. When viewing the results, copy any of the "hashes or the file path".
Then paste it as such, then click 'create'.
FTP, Telnet & Bit Torrent are common services monitored by most. This example we still want to identify all FTP connections but exclude any authorized connections.
Copy the authorized destination IP address and paste. Then create.
It is very common for MSPs to use remote access, security and various administration tools although if a user or unauthorized visitor had deployed the tool, you would want to know.
Excluded paths can be configured using exact or common paths as such:
In short, we've introduced white listing capabilities to eliminate detections that are unauthorized. Keep in mind when performing a white list configuration at the MSP root level account when you login applies this across all managed customers.