Initially we didn't make those rules application-profile dependent because of 2 things:
We want this alert to fire even if we don't have an application profile; we don't have a mechanism like this in node-agent today.
From my perspective, even if this is the behavior of the application, it's not a "good" practice, therefore I am okay with alerting, and the user will need to choose between fixing the image or ignoring the alert.
Overview
This PR changes behavior on two rules:
Both of the rules generated alerts on whitelisted processes. This causes many false positives for users who have good application profiles.
The change removes alerts for whitelisted processes, though this should be refined in the future when the rule information becomes available in the application profile, so that a full comparison of behavior can be done.
cc: @amitschendel