Advanced Breach Detection can be configured to whitelist certain commands that run repetitively but have changing command line parameters.
These commands are whitelisted from the configuration screen of the app.
From the RocketCyber Dashboard, locate the Advanced Breach Detection App Card.
Click on Configure.
When the configure screen appears, scroll down until you see the edit box titled Excluded CLI Commands.
Enter the command that you want to whitelist in the box. You can use * (asterisk) as a wildcard character to stand in for parameters that are device-specific or change over time, such as passwords or hostnames.
The following command is detected when a new user is added to the local Administrators group. This may be a routine action in your environment that you want to exclude based on the user name being added.
net localgroup Administrators DESKTOP-22AZ0\MYADMIN /add
We want to whitelist this command whenever the user MYADMIN is added to the local group Administrators on any device. The following is the command that you would add to the Excluded CLI Commands.
net localgroup Administrators *\MYADMIN /add
When the command is executed, the agent uses the wildcard to match any hostname in the command and suppresses the detection.
Once you have entered the command in the Excluded CLI Commands box, click the Create or Update button to save the changes.
The agent will receive the new configuration and begin excluding the specified commands from being detected.
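The following is an added example, not RocketCyber's code, that models how a wildcard exclusion pattern is matched against observed command lines so you can check a pattern's reach before saving it. It assumes (the page does not document the exact rules) that * matches any run of characters, that everything else in the pattern is literal, and that matching is whole-line and case-insensitive. The command lines other than the page's own example are constructed for the demonstration.

```python
import re

# Exclusion entry from the page: match MYADMIN being added on any hostname.
TARGETED_PATTERN = r"net localgroup Administrators *\MYADMIN /add"

# A broader entry that would suppress the detection for ANY account added.
# Included to show why a pattern's reach should be checked before saving.
BROAD_PATTERN = r"net localgroup Administrators * /add"

# Constructed sample of command lines an agent might observe. The first one
# is the page's own example; the others are made up for this demonstration.
SAMPLE_COMMANDS = [
    r"net localgroup Administrators DESKTOP-22AZ0\MYADMIN /add",
    r"net localgroup Administrators LAPTOP-17\MYADMIN /add",
    r"net localgroup Administrators LAPTOP-17\someotheruser /add",
    r"net localgroup Administrators LAPTOP-17\MYADMIN /delete",
]


def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Compile an Excluded CLI Commands entry into a regular expression.

    Assumed semantics (not stated on the page): '*' matches any run of
    characters, all other characters are literal, the whole command line
    must match, and comparison is case-insensitive as Windows commands are.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def is_excluded(cmdline: str, exclusions: list[str]) -> bool:
    """Return True if any exclusion pattern matches the full command line."""
    cmdline = cmdline.strip()
    return any(exclusion_to_regex(p).fullmatch(cmdline) for p in exclusions)


def review_exclusion(pattern: str, observed: list[str]) -> list[str]:
    """List every observed command line a proposed pattern would suppress.

    Intended for tuning: run a candidate pattern over recent detections and
    confirm it covers only the routine activity you mean to whitelist.
    """
    return [cmd for cmd in observed if is_excluded(cmd, [pattern])]


if __name__ == "__main__":
    for pattern in (TARGETED_PATTERN, BROAD_PATTERN):
        print(f"Pattern: {pattern}")
        for cmd in review_exclusion(pattern, SAMPLE_COMMANDS):
            print(f"  would suppress: {cmd}")
```

Running the block shows the targeted pattern suppressing only the two MYADMIN additions, while the broad pattern also suppresses the addition of the unrelated account, which is exactly the detection you would still want to see.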