I believe having a feature that can help an analyst quickly determine if a RMM is expected is if customers are able to provide a RMM whitelist. I was thinking that this functionality would be similar to the "expected VPNS/countries" in ITDR.

This would help the SOC scope on potential compromises by rapidly being able to identify known good RMM usage and can provide a threat hunting opportunity by hunting for RMMs not on the allow list.