Views:

Symptoms

  • Alerts triggered by Endpoint Sensor indicating "Deny access permission via ICACLS" for an internal application.
  • Alerts persist despite exceptions set in the Standard Endpoint Protection policy.

Root Cause

These alerts are generated by TrendAI Vision One™'s Endpoint Sensor detecting behavior-based events related to permission changes executed by the ICACLS command. Exceptions configured only in the Endpoint Protection policy do not suppress alerts originating from TrendAI Vision One™'s Detection Model Management or Behavior Monitoring components.

Resolution

Follow the steps below to fully suppress these alerts in TrendAI Vision One™:

1. Add an Exception in Detection Model Management

  1. Log in to the TrendAI Vision One™ console.
  2. Navigate to Detection Model Management from the main menu.
  3. Click on the Exceptions tab.
  4. Click Add to create a new exception.
  5. Enter a descriptive Exception Name (e.g., "InternalApp ICACLS Exception").
  6. Configure the Match Criteria:
    • Identify the exact Event Name that triggers the alert by reviewing the alert details in Workbench.
    • Set Event Type to match the alert type (commonly DETECTION for behavior alerts).
    • Specify additional criteria such as the file path or process name to narrow the exception (e.g., path containing C:\Program Files\internalapp\bin\app.exe).
  7. Save the exception.

For more details, see the Detection Model Management.

2. Configure Exceptions in Behavior Monitoring Policy

  1. Go to Policy Management in the TrendAI Vision One™ console.
  2. Select the relevant policy applied to the affected endpoints.
  3. Navigate to the Behavior Monitoring section.
  4. Click the Exceptions tab.
  5. Add the internal application executable path (e.g., C:\Program Files\internalapp\bin\app.exe) to the exceptions list.
  6. Save and apply the policy.

Refer to the detailed steps in the Configuring Behavior Monitoring Rules and Exceptions guide.

3. Verify the Exception Effectiveness

  1. Monitor the alerts in the TrendAI Vision One™ Workbench after applying the above changes.
  2. Confirm that new alerts related to the specified ICACLS deny access events no longer appear.
 
  • Exceptions must be configured both at the Detection Model Management level and within Behavior Monitoring to fully suppress these alerts.
  • If alerts persist, double-check the exact alert details and adjust the match criteria accordingly.
Keywords: icacls deny access alert, endpoint sensor alert suppression, detection model management exception, behavior monitoring exceptions setup, internal application alert suppression, permission change alert resolution, trend vision one exceptions, internal app alert exception