Closed mschilt closed 2 years ago
It's pretty difficult to build whitelists for this search.
Normally you configure your Defender Exclusions either via Group Policy or via SCCM. Both result in a ton of repeating registry changes.
Whitelisting based on the registry path is possible in theory, but the list will get long, and you will get an alert per endpoint once anything changes.
How about joining a subsearch by Registry.process_guid and adding the process field so we could whitelist based on the process?
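As an added example of the approach suggested in this issue (it is not the project's own search and not code from the issue author), the SPL below enriches Defender exclusion registry writes from the Endpoint.Registry data model with process details pulled from Endpoint.Processes by joining on process_guid, so the allowlist can key on the writing process instead of on each registry path. It assumes Splunk CIM-compliant endpoint data (for example Sysmon registry and process events mapped to the Endpoint data model), and the process names in the `IN (...)` clause are placeholders to be replaced with whatever your GPO/SCCM tooling actually uses on your estate:

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Registry
    where Registry.registry_path="*\\Microsoft\\Windows Defender\\Exclusions\\*"
    by Registry.dest Registry.user Registry.process_guid
       Registry.registry_path Registry.registry_value_name Registry.registry_value_data
| rename Registry.* as *
| join type=left process_guid
    [| tstats summariesonly=true count
         from datamodel=Endpoint.Processes
         by Processes.process_guid Processes.process_name Processes.process Processes.parent_process_name
     | rename Processes.* as *
     | fields process_guid process_name process parent_process_name]
| fillnull value="unknown" process_name parent_process_name
| search NOT process_name IN ("ALLOWED_PROCESS_1.exe", "ALLOWED_PROCESS_2.exe")
| stats count min(firstTime) as firstTime max(lastTime) as lastTime
        values(registry_path) as registry_path values(registry_value_data) as registry_value_data
    by dest user process_guid process_name process parent_process_name
| convert ctime(firstTime) ctime(lastTime)
```

Two design points: the join is `type=left` and nulls are filled with `unknown`, so a registry write whose process has no matching Processes record is still surfaced rather than silently dropped (a missing match is itself worth a look, since it can mean a telemetry gap); and the allowlist is applied after enrichment, so one allowed management process covers every exclusion path it writes, which is the repeating-change problem the issue describes. The path pattern intentionally matches both the `SOFTWARE\Microsoft\Windows Defender\Exclusions` and `SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions` hives. On large estates, keep in mind that `join` is bounded by subsearch result limits; narrowing the Processes subsearch with a time range or a `where` clause keeps it within those limits.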
Hi @mschilt,
Thanks for the feedback, will check this one.
The updated version of this detection was already released in v3.34.0.
I will now close this issue, thanks.