IDR Log Search RMM Tools

Hi.
We are leveraging the RMM detection rule; however, how can I run a search in Log Search for all RMM tools ran in my environment?

I am trying to use the Rule Logic but it’s not working:

```
from(
  event_type
  IN [
    "process_start_event",
    "local_service_installed"
  ]
)
where(
  SUBQUERY("Remote Management Tools")
)
```

That is because SUBQUERY is not a supported feature of Log Search. Essentially, a subquery is a method we use to have dynamic lists of data that update on a regular basis via our backend.

If you ask support we could provide a snapshot of the current subquery, however it would come with the caveat that this is subject to change and we cannot expose the subquery contents directly to end users currently.

David
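Since the "Remote Management Tools" subquery cannot be referenced from Log Search, the closest a customer can get is the same rule shape with a static list in place of the subquery. The following is an added example, not code from this thread or from Rapid7: it runs the rule's two-part logic (restrict to the two event types, then match against a tool list) over a handful of constructed JSON event lines, as you might do on an exported log set. The event field names (`process.name`, `process.exe_path`, `service.name`, `service.image_path`) and the tool list itself are assumptions; the real subquery contents are not published, so the list here is a placeholder you would maintain yourself.

```python
import json

# Constructed sample events (not real InsightIDR output). Field names are an
# assumption standing in for whatever your exported log set actually carries.
SAMPLE_LOG_LINES = [
    json.dumps({"event_type": "process_start_event", "hostname": "ws01",
                "process": {"name": "AnyDesk.exe",
                            "exe_path": r"C:\Program Files\AnyDesk\AnyDesk.exe"}}),
    json.dumps({"event_type": "process_start_event", "hostname": "ws02",
                "process": {"name": "notepad.exe",
                            "exe_path": r"C:\Windows\System32\notepad.exe"}}),
    json.dumps({"event_type": "local_service_installed", "hostname": "srv01",
                "service": {"name": "ScreenConnect Client (abc123)",
                            "image_path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"}}),
    json.dumps({"event_type": "local_service_installed", "hostname": "srv02",
                "service": {"name": "Spooler",
                            "image_path": r"C:\Windows\System32\spoolsv.exe"}}),
    # A DNS event mentioning an RMM vendor: outside the rule's event types, so ignored.
    json.dumps({"event_type": "dns_query", "hostname": "ws01", "query": "teamviewer.com"}),
    json.dumps({"event_type": "process_start_event", "hostname": "ws03",
                "process": {"name": "teamviewer", "exe_path": "/usr/bin/teamviewer"}}),
]

# Static stand-in for the dynamic "Remote Management Tools" subquery. This is an
# assumed, customer-maintained list; it is not the contents of Rapid7's subquery.
RMM_TOOL_MARKERS = ("anydesk", "teamviewer", "screenconnect", "connectwise",
                    "atera", "splashtop", "ninjarmm", "rustdesk")

# Mirrors the rule's from(event_type IN [...]) clause.
EVENT_TYPES = {"process_start_event", "local_service_installed"}


def candidate_strings(event):
    """Strings worth matching for the two event types the rule covers."""
    if event.get("event_type") == "process_start_event":
        proc = event.get("process", {})
        return [proc.get("name", ""), proc.get("exe_path", "")]
    if event.get("event_type") == "local_service_installed":
        svc = event.get("service", {})
        return [svc.get("name", ""), svc.get("image_path", "")]
    return []


def matched_tool(event, markers=RMM_TOOL_MARKERS):
    """Return the first marker found (case-insensitively) in the event, or None.

    Substring matching on both the name and the path catches renamed binaries
    that keep the vendor directory, and services with instance suffixes.
    """
    haystack = " ".join(candidate_strings(event)).lower()
    for marker in markers:
        if marker in haystack:
            return marker
    return None


def find_rmm_events(log_lines, markers=RMM_TOOL_MARKERS):
    """Apply the rule logic to newline-delimited JSON events; return the hits."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the search
        if event.get("event_type") not in EVENT_TYPES:
            continue  # the from() filter
        tool = matched_tool(event, markers)
        if tool:  # the where() filter
            hits.append({"hostname": event.get("hostname"),
                         "event_type": event["event_type"],
                         "tool": tool})
    return hits


if __name__ == "__main__":
    for hit in find_rmm_events(SAMPLE_LOG_LINES):
        print(hit)
```

Against the constructed lines this reports three hits (AnyDesk on ws01, ScreenConnect on srv01, TeamViewer on ws03) and ignores the DNS event even though it names an RMM vendor, which is exactly the gap between a broad search and the rule's event-type scoping. The trade-off versus the real subquery is freshness: a static list only knows the tools you put in it, so it needs a review cadence of its own.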

Will that feature “subquery” eventually be available to customers for their own use cases in the near future?

Not in the near future, no.

David

Is the RMM list constantly updated? Also, if I wanted a list of RMM tools being monitored do I have to open a support case?

It wouldn’t be updated as frequently as some other SUBQUERIES, but we can’t guarantee or share the frequency of the updates currently.

Yes, you would open a support case for that.

David

Thanks