Custom Detection Rule - Out of country logons

Good day.
We have created a custom detection rule for anyone who logs in from outside of the country. It works great and we created exceptions for certain users who work outside the country. Is there a way to add users to the exception rule, but with specific dates they are working outside of the country?

Sure, I think you would just need to include either a “timestamp” date or something similar along with the user so that it could know when to not trigger.

I am running into the same issue, I have an exception for a user, but when I do the ‘AND’ statement, it gives me an option for a timestamp, but does not have a date to another date. Example, user goes on travel from Monday - Friday. I couldn’t find an easy way to do that. Any Thoughts?

You cannot easily achieve this, as Detection Rules aren't natively time aware per se.

You can hardcode it like this

timestamp CONTAINS-ANY ["2025-04-29","2025-04-30","2025-05-01","etc"]

David

Would you be willing to upload the configuration when complete? I had something similar with my previous MDR/SOC but don’t see a travel exception request in Rapid7.

Thanks,
Keith

I don’t know about handling it natively within detection rules, but you could do all this with your SOAR. For my example I will speak to InsightConnect, which is the SOAR that Rapid7 offers.

We utilize something called Global Artifacts. This is a reference database that you create. You can manually add in values to this, or you can have a workflow that adds and removes values from this list.

As a basic example I will assume you keep a CSV list of user, approved country, and travel dates.

You can upload this list to InsightConnect every X amount of time (daily, weekly, etc.), and then InsightConnect will treat it as an array, for each row, add that user, approved country, and travel dates to your Global Artifact.

Then you have a workflow setup that triggers when new Alerts are created. You can set your alert filter within the trigger itself, or you can have a decision to check if it is the alert rule you want to automate off of as the second step in your workflow.

It would then fetch the user associated with the alert, the country of the alert, and check the global artifact for a match.

We have a date time plugin that can be used to fetch the current time, and then you would do a check to see if this time is within the times listed in your global artifact.

There are countless other ways to do this within InsightConnect, but that is one way that it could be done.
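The workflow described above, as an added example that is not part of this thread or of InsightConnect: it assumes a constructed CSV with the columns user, country, start and end, parses it into the "global artifact", expands each trip into the explicit date list the hardcoded rule variable needs, and checks whether an alert's user, country and timestamp fall inside an approved trip. The country match is deliberate, so an alert from a different country during the same travel window still fires.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample of the CSV the post describes (user, approved country, travel dates).
TRAVEL_CSV = """user,country,start,end
alice,GREECE,2025-04-29,2025-05-01
bob,JAPAN,2025-05-05,2025-05-09
"""


def load_exceptions(csv_text):
    """Parse the CSV into the 'global artifact': one dict per trip, dates as date objects."""
    exceptions = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exceptions.append({
            "user": row["user"].strip().lower(),
            "country": row["country"].strip().upper(),
            "start": date.fromisoformat(row["start"].strip()),
            "end": date.fromisoformat(row["end"].strip()),
        })
    return exceptions


def approved_dates(exceptions, user):
    """Expand a user's trips into the explicit date strings a CONTAINS-ANY variable needs."""
    dates = []
    for trip in exceptions:
        if trip["user"] == user.lower():
            day = trip["start"]
            while day <= trip["end"]:
                dates.append(day.isoformat())
                day += timedelta(days=1)
    return dates


def is_approved_travel(exceptions, user, country, timestamp):
    """True only if user, country AND the alert's date all match one approved trip."""
    alert_day = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).date()
    return any(
        trip["user"] == user.lower()
        and trip["country"] == country.upper()
        and trip["start"] <= alert_day <= trip["end"]
        for trip in exceptions
    )
```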

To add on to what David said, you may be able to leverage a variable for that as well, and name it per individual or department, or however you’d like to organize it.

userScheduledDates is your variable, with the values like David provided
["2025-05-06","2025-05-05",etc…]

timestamp ICONTAINS-ANY [${userScheduledDates}]

You may need to experiment with a few things, such as the format for your timestamps, the key you are searching for the timestamp, and the logical operator used on the variable.

Further, in this way, if you are searching a general key parameter whose value contains a few of the necessary insertion strings (timestamp, location, IP, etc. all correlated under something like a "source_json.data.insertionStrings" key) you could set up a variable specific to, say, your CEO. That way, you could then set up an exception for your general purpose detection rule that focuses finitely on an individual user without compromising the detections across other users.

Your variable could be $ceoVacationSchedule = ["GREECE","2025-04-29","127.0.0.1"]
Then your exception for the detection could be something like

where(("source_json.data.insertionStrings" ICONTAINS-ALL [${ceoVacationSchedule}]) AND ("username" = "mycorp\CEOUser"))

I haven’t experimented with that, so your mileage may vary and you would need to find the keys applicable to your logsets.