While working an incident in which a threat actor deployed RMM agents to live of the land, we came to the conclusion that it would probably be helpful to the SOC to have a note on the account of what the RMM solution of the MSP is.

For example, if the MSP uses Kaseya VSA as their primary RMM and Atera agents are deployed unexpectedly or start enumerating a domain remotely, it could be a indicator of compromise as the commands to not originate from the MSP's RMM.