Alert Modification "Allow impersonation"

Hello everyone,

we had an investigation where a user authenticated as an administrator. This is normal behaviour. We used “Close and Modify” to close the investigation.

Now we have an Alert Modification which “Allows m.mustermann to access accounts for Max Mustermann.”
If I click on “Max Mustermann” it shows me a number of associated accounts like “admin-mm”, mm-admin" …

Can I assume that the user "m.mustermann is able to login into each account for the identity “Max Mustermann”? Means he can login from m.mustermann to admin-mm and from m.mustermann to mm-admin without raising an alert?

Is is possible to configure the alert modification that it raise no alert for user change m.mustermann to admin-mm and all other accounts associated with this user are alerted?

Hope you can help bringt some light in the Dark.
Best Regards
Elisabeth

Hey!

Maybe you can convert it into a Custom Detection Rule in order to detect “impersonations” and be able to make exclusions based in variables or whatever.

Regards!