I have been testing out the new Agent Policies and I would like to see if you all can provide a tutorial on how to utilize these better? There isn’t much information in the help file and/or in the new features. I have copied the template and asked for it to monitor. All I keep getting is Duplicate Handle, which continues to create events. Also, what makes these new Agent policies different than the Alerts -> Agent Operational alarms?
What version are you using? (OS, client, server, etc.)
I am using version 8 on Windows 2016
For the scenario you’re describing, what settings/configuration do you currently have in place?
I have been testing out the agent policies and have not been finding success in using them
What error messages or unexpected behavior are you seeing?
I’m getting too many alerts and want to make them more precise.
What have you tried so far?
I’ve tried copying the templates and made no changes, and continue to get overrun with alerts that are not that important. Would like a tutorial on how to utilize these policies better.
Got it, these are the new policies related to our extended LSASS Guardian capabilities applying to any process. In this case, it is monitoring the Agent process itself. You’re saying that you’re seeing Duplicate Handle events; are you willing to share some of the data from that event? I’m mostly interested in what account is duplicating the handle. Feel free to be vague so you’re not sharing specific account names.
‘Service Account for XYZ’, ‘The DC SYSTEM account’, etc.
I imagine it’s SYSTEM.
If not, it may be best to open a support ticket so we can see what you’re seeing and triage accordingly.
I understand I can make a support ticket to research further, however, just wanted to check here before.
I do think that you all need to provide a tutorial on how to best utilize these new features for the Process Guardian. Seems like a powerful policy that can do a lot of damage if not used correctly. I’d like to see how you all recommend deploying these policies. As I mentioned, the documentation on this new policy type is not very helpful from what I’ve seen.
We’ll look into the out-of-the-box configuration for the templates. It should only be looking at attempts to suspend or terminate the process:
This is to further monitor/prevent our agent from being tampered with beyond existing hardening capabilities. These same controls can be extended to any other service running on your domain controllers, such as an EDR process, etc.
These capabilities previously only existed for the LSASS process, but with 8.0 it’s been extended to any process.
Confirmed this is expected activity and the resolution is to add the LocalSystemSid (NT AUTHORITY\SYSTEM) to the policy AD Perp exclude perp list. We will add this to the templates, but for an existing install you will need to manually add it to the policy derived from the template.
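To make the two tuning steps from this thread concrete (watch only suspend/terminate attempts, and exclude NT AUTHORITY\SYSTEM as a perpetrator), here is an added Python example. It is not code from the thread or from the product; the event fields, the policy structure, the non-SYSTEM SID and the account name are all assumptions constructed for illustration. The only real value is the well-known SID S-1-5-18 for LocalSystemSid.

```python
from collections import Counter
from dataclasses import dataclass

# Well-known SID for NT AUTHORITY\SYSTEM (LocalSystemSid), the SID the thread
# says to add to the policy's perpetrator exclude list.
LOCAL_SYSTEM_SID = "S-1-5-18"


@dataclass(frozen=True)
class ProcessGuardEvent:
    """One process-protection event. Field names are assumptions for this example."""
    operation: str          # e.g. "DuplicateHandle", "SuspendProcess", "TerminateProcess"
    perpetrator_sid: str    # SID of the account that performed the operation
    perpetrator_name: str   # friendly name, for reporting only
    target_process: str     # protected process, e.g. the agent executable


@dataclass(frozen=True)
class GuardPolicy:
    """Two tuning knobs: which operations to watch, and which perpetrators to ignore."""
    monitored_operations: frozenset
    excluded_perpetrator_sids: frozenset

    def matches(self, event: ProcessGuardEvent) -> bool:
        # Expected activity from an excluded account never alerts.
        if event.perpetrator_sid.upper() in self.excluded_perpetrator_sids:
            return False
        return event.operation in self.monitored_operations


def evaluate(events, policy):
    """Return the events that would raise an alert under the given policy."""
    return [e for e in events if policy.matches(e)]


def noise_summary(events, policy):
    """Count (operation, perpetrator) pairs among alerts, to spot what is flooding."""
    return Counter((e.operation, e.perpetrator_name) for e in evaluate(events, policy))


# Hypothetical policy reproducing the symptom in the thread: every operation is
# monitored and nobody is excluded, so SYSTEM's routine handle duplication alerts.
TEMPLATE_AS_COPIED = GuardPolicy(
    monitored_operations=frozenset({"DuplicateHandle", "SuspendProcess", "TerminateProcess"}),
    excluded_perpetrator_sids=frozenset(),
)

# Tuned as the thread recommends: only suspend/terminate attempts, SYSTEM excluded.
TUNED_POLICY = GuardPolicy(
    monitored_operations=frozenset({"SuspendProcess", "TerminateProcess"}),
    excluded_perpetrator_sids=frozenset({LOCAL_SYSTEM_SID}),
)

# Constructed sample events (not real data). The S-1-5-21 SID and "CORP\svc-example"
# account are made up for this example.
SAMPLE_EVENTS = [
    ProcessGuardEvent("DuplicateHandle", "S-1-5-18", "NT AUTHORITY\\SYSTEM", "agent.exe"),
    ProcessGuardEvent("DuplicateHandle", "S-1-5-18", "NT AUTHORITY\\SYSTEM", "agent.exe"),
    ProcessGuardEvent("DuplicateHandle", "S-1-5-18", "NT AUTHORITY\\SYSTEM", "agent.exe"),
    ProcessGuardEvent("SuspendProcess", "S-1-5-18", "NT AUTHORITY\\SYSTEM", "agent.exe"),
    ProcessGuardEvent("DuplicateHandle", "S-1-5-21-1111-2222-3333-1105", "CORP\\svc-example", "agent.exe"),
    ProcessGuardEvent("TerminateProcess", "S-1-5-21-1111-2222-3333-1105", "CORP\\svc-example", "agent.exe"),
]

if __name__ == "__main__":
    print("template alerts:", noise_summary(SAMPLE_EVENTS, TEMPLATE_AS_COPIED))
    print("tuned alerts:", noise_summary(SAMPLE_EVENTS, TUNED_POLICY))
```

Run as-is, the untuned policy raises six alerts, three of them SYSTEM duplicating a handle to the agent, while the tuned policy raises one: the terminate attempt by the non-SYSTEM account. Note the trade-off visible in the fourth sample event: a perpetrator exclusion is account-wide, so a suspend or terminate issued as SYSTEM is also suppressed. Narrowing the monitored operations first, and excluding an account only for the operations that are genuinely routine for it, keeps more of the tamper coverage the policy exists for.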