For the "Security Monitoring: A service was created on a member server" rule, we ask you to add the ability to add an override by service name mask.
There are some standard applications that periodically create a temporary service on the system. For example, there is the backup system "Veeam Backup & Replication v12". When this software backs up virtual machines in a Hyper-V cluster with "application aware processing" enabled, a temporary "VeeamVssSupport" service is created in the Windows virtual systems. We have hundreds of virtual machines and we can get hundreds of such alerts:
Alert: Security Monitoring: A service was created on a member server
Source: Microsoft Windows Server 2016 Standard
Path: KOM-SRV158.holding.com
Description: Event Description: A service was installed in the system.
Service Name: VeeamVssSupport
Service File Name: C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
Resolution state: New
Thank you.
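An added example, not part of the original post or of the management pack: one way to apply a service-name mask to this alert outside the rule, while still alerting when a matching name comes with a different binary path or account. The `OVERRIDES` structure and the function names are hypothetical; the first sample uses the field values from the alert above and the second is constructed.

```python
import fnmatch
import ntpath

# Hypothetical override entries: a service-name mask plus the binary path and
# account expected for that service (values taken from the alert in the post).
OVERRIDES = [{
    "name_mask": "VeeamVssSupport*",
    "path": r"C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe",
    "account": "LocalSystem",
}]

def parse_alert(text):
    """Turn 'Key: value' lines of the alert description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decide(alert_text):
    """Return (action, reason); action is 'suppress' or 'alert'."""
    f = parse_alert(alert_text)
    name = f.get("Service Name", "").lower()
    raw_path = f.get("Service File Name", "").strip('"')
    path = ntpath.normcase(ntpath.normpath(raw_path))
    account = f.get("Service Account", "").lower()
    for rule in OVERRIDES:
        if not fnmatch.fnmatchcase(name, rule["name_mask"].lower()):
            continue
        if path == ntpath.normcase(rule["path"]) and account == rule["account"].lower():
            return "suppress", "expected service: " + rule["name_mask"]
        # Name matches the mask but the binary or account does not: keep the alert.
        return "alert", "name matches mask, path or account differs"
    return "alert", "no override for this service name"

# Alert fields as shown in the post.
PAGE_ALERT = r"""Service Name: VeeamVssSupport
Service File Name: C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe
Service Account: LocalSystem"""

# Constructed sample: same service name, different binary path.
CONSTRUCTED_ALERT = r"""Service Name: VeeamVssSupport
Service File Name: C:\Temp\helper.exe
Service Account: LocalSystem"""

if __name__ == "__main__":
    for sample in (PAGE_ALERT, CONSTRUCTED_ALERT):
        print(decide(sample))
```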