Excluding Commands using Wildcards in Advanced Breach Detection - Connect IT Community | Kaseya
<main> <article class="userContent">
<p>Advanced Breach Detection can be configured to whitelist certain commands that run repeatedly but have changing command-line parameters.</p>
<p>These commands are whitelisted from the configuration screen of the app.</p>
<p>From the RocketCyber Dashboard, locate the Advanced Breach Detection App Card.</p>
<p><img src="https://us.v-cdn.net/6032361/uploads/migrated/U7LANTJZPPFG/screen-shot-2022-06-14-at-11-42-43-am.png" alt="Screen_Shot_2022-06-14_at_11.42.43_AM.png" class="embedImage-img importedEmbed-img"></img></p>
<p>Click on <strong>Configure</strong>.</p>
<p><img src="https://us.v-cdn.net/6032361/uploads/migrated/42IMXCGFOAUN/screen-shot-2022-06-14-at-11-44-23-am.png" alt="Screen_Shot_2022-06-14_at_11.44.23_AM.png" class="embedImage-img importedEmbed-img"></img></p>
<p>When the configure screen appears, scroll down until you see the edit box titled <strong>Excluded CLI Commands</strong>.</p>
<p>Enter the command that you want to whitelist in the box. You can use * (asterisk) as a wildcard character in place of parameters that are specific to one run or change periodically, such as passwords or hostnames.</p>
<p><strong>Example</strong></p>
<p>The following command is detected when a new user is added to the local Administrators group. This might be a routine execution in your environment that you want to exclude based on the user name being added.</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">net localgroup Administrators DESKTOP-22AZ0\MYADMIN /add</pre>
<p>We want to whitelist this command whenever the user MYADMIN is added to the local group Administrators on any device. The following is the command that you would add to the Excluded CLI Commands.</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">net localgroup Administrators *\MYADMIN /add</pre>
<p>When the command is executed, the agent uses the wildcard to match any hostname in the command and therefore whitelists its detection.</p>
<p>Once you have entered the command in the Excluded CLI Commands box, click the <strong>Create or Update</strong> button to save the changes.</p>
<p>The agent will receive the new configuration and begin excluding the specified commands from being detected.</p>
</article> </main>
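<p>As an added example that is not part of the original article or RocketCyber's own code, the following Python mimics how an Excluded CLI Commands entry containing * would be matched against detected command lines. It assumes that * matches any run of characters and that the rest of the entry is matched literally against the whole command line; the sample command lines and the second, broader entry are constructed for illustration.</p>

```python
import re

# Constructed sample of detected command lines (not data from RocketCyber).
# The first is the command the article walks through; the others vary the
# hostname and the user name.
SAMPLE_COMMANDS = [
    r"net localgroup Administrators DESKTOP-22AZ0\MYADMIN /add",
    r"net localgroup Administrators LAPTOP-7Q1\MYADMIN /add",
    r"net localgroup Administrators DESKTOP-22AZ0\UNKNOWNUSER /add",
]

# The entry from the article, and a constructed over-broad entry for comparison.
ARTICLE_ENTRY = r"net localgroup Administrators *\MYADMIN /add"
BROAD_ENTRY = r"net localgroup Administrators * /add"


def exclusion_to_regex(entry: str) -> re.Pattern:
    """Translate an Excluded CLI Commands entry into a compiled regex.

    Assumed semantics (the article only says that * substitutes changing
    parameters): * matches any run of characters, every other character is
    literal, and the entry must cover the whole command line.
    """
    literal_parts = [re.escape(part) for part in entry.split("*")]
    return re.compile(".*".join(literal_parts))


def is_excluded(command: str, entries: list[str]) -> bool:
    """True if the command line matches at least one exclusion entry."""
    return any(exclusion_to_regex(e).fullmatch(command) for e in entries)


def remaining_detections(commands: list[str], entries: list[str]) -> list[str]:
    """Command lines that would still be reported after applying the entries."""
    return [c for c in commands if not is_excluded(c, entries)]


if __name__ == "__main__":
    for label, entry in (("article", ARTICLE_ENTRY), ("broad", BROAD_ENTRY)):
        left = remaining_detections(SAMPLE_COMMANDS, [entry])
        print(f"{label} entry {entry!r} still detects {len(left)} of "
              f"{len(SAMPLE_COMMANDS)} commands: {left}")
```

<p>The article's entry still reports the addition of UNKNOWNUSER, whereas the broader entry silences every addition to the Administrators group, so keep the literal part of an entry as specific as the routine command allows.</p>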