Creating exclusions to legacy detection rules in Insight IDR

Trying to see if someone has had success with either of these problems:

  1. Trying to create exclusions to legacy UBA detection rules such as account password reset by someone other than the user/admin, authentication attempt from a disabled account, Brute Force Domain account, etc.

  2. Trying to create queries for detection rule exclusions where allowed. When using key-value pairs I want to specify multiple users. I have tried comma separation and colon separation; not sure what special key treats each user as a different detection rule.

Appreciate the response in advance!

Hi Akash,

As far as I’m aware, you can’t do anything about your first problem. I’ve been waiting for the UBA rules to be migrated to the Detection Rules (as the banner on the UBA rule list shows), but I’ve been waiting for a while and there’s no timeline available according to the last ticket I raised about this. We have a problem where a lot of our devices create temporary local admin accounts as part of a valid process, but there’s no way to exclude these. We do have a workflow in InsightConnect to automatically close the investigations this creates, but it doesn’t stop the alerts.

On your second issue, if I’m understanding you correctly, does this kind of thing work? This is an example from the Detection Rule setup.

where(
    process.name IIN [
        "icacls.exe",
        "takeown.exe"
    ]
    AND
    process.cmd_line ICONTAINS "\\sethc.exe"
)