Specify Primary MSP RMM for Enhanced Threat Detection
Marcel Pawlowski
While working an incident in which a threat actor deployed RMM agents to live off the land, we came to the conclusion that it would probably be helpful to the SOC to have a note on the account of what the RMM solution of the MSP is.
For example, if the MSP uses Kaseya VSA as their primary RMM and Atera agents are deployed unexpectedly or start enumerating a domain remotely, it could be an indicator of compromise as the commands do not originate from the MSP's RMM.
Alex Perrot
Great idea. This also needs to support multiple RMMs/tools per organization - for instance, macOS devices may use a different platform than Windows devices within the same organization.
Talbot Menear
I really like this idea, but I believe it needs the ability to be differentiated by organization where applicable.
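The check discussed in this thread, sketched as an added example that is not part of any poster's comment or of the product: RMM sightings are compared against a per-organization, per-OS baseline. The organization ids, the event fields and the "Example Mac RMM" label are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed baseline: expected RMM product(s) per organization and OS family.
# Org ids and "Example Mac RMM" are hypothetical placeholders.
EXPECTED_RMM = {
    "org-a": {"windows": {"Kaseya VSA"}, "macos": {"Example Mac RMM"}},
    "org-b": {"windows": {"Atera"}},
}

@dataclass(frozen=True)
class AgentEvent:
    org: str
    host: str
    os: str       # OS family reported by the sensor
    product: str  # RMM product name as labelled by the sensor (assumed field)
    action: str   # e.g. "agent_installed", "remote_command"

def _norm(name: str) -> str:
    # Case- and whitespace-insensitive comparison of product labels.
    return " ".join(name.lower().split())

def triage(event: AgentEvent, baseline=EXPECTED_RMM) -> str:
    """Classify one RMM sighting against the organization's documented tooling."""
    per_os = baseline.get(event.org, {})
    expected = per_os.get(event.os.lower())
    if not expected:
        # No note for this org/OS: surface the gap instead of guessing.
        return "no_baseline"
    if _norm(event.product) in {_norm(p) for p in expected}:
        return "expected"
    return "unexpected_rmm"

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    AgentEvent("org-a", "ws-01", "windows", "Kaseya VSA", "remote_command"),
    AgentEvent("org-a", "ws-02", "windows", "Atera", "agent_installed"),
    AgentEvent("org-a", "mac-01", "macos", "kaseya vsa", "remote_command"),
    AgentEvent("org-b", "ws-09", "Windows", "atera", "remote_command"),
    AgentEvent("org-c", "ws-11", "windows", "Atera", "agent_installed"),
]

def review_queue(events=SAMPLE_EVENTS):
    """Return (host, product, verdict) for every sighting that is not expected."""
    return [(e.host, e.product, v) for e in events
            if (v := triage(e)) != "expected"]

if __name__ == "__main__":
    for row in review_queue():
        print(row)
```

The same product can be expected in one organization and unexpected in another, and an organization with no recorded tooling is reported as a gap rather than silently passing.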