Disposition Status Definitions

What is the difference between selecting benign and not applicable?

1 Like

@scott_oviatt,

Congratulations on your first post and welcome to the Rapid7 Discussion Community! To answer your question, there currently isn’t anything in the platform that would be affected directly from an investigation that is marked with “Not Applicable”. Although maybe having a filter for dispositions might be beneficial, I’ll talk with some folks tomorrow about that and also verify if anything is on the roadmap.

In my opinion, the “Not Applicable” disposition is more for the UBA alerts that fire off based on initial activity, or standard activity routinely performed in an environment, etc (First Time Admin Action, First Ingress from Country, Account Leaks, Account Unlock, certain 3rd Party Alerts, etc). This is my personal breakdown of the dispositions:

Malicious - The Alert(s) was/were malicious

Benign - Activity seen by attackers in the wild, but for this specific investigation it was not malicious

Not Applicable - Not a security threat or malicious by nature, however, the activity is set to create an investigation and is being monitored by your IDR environment

Undecided - The investigating analyst is unsure and is either still investigating or needs assistance from another analyst to help make the determination

2 Likes

Thank you Stephen, this clears my fog.

1 Like

Not a problem, always glad to help!

Hi,
Can anyone clarify for me the following: in an alert that I choose the “Benign” option in the “Disposition” when I close the alert if it will serve for the IDR to realize that it is normal behavior?

Thanks.

Hey Paulo, setting the disposition is not used to train or inform IDR of “normal behavior” in any way. It’s not the same as creating an exception rule for ABA alerts, or using the modify and close options for UBA alerts.

David

1 Like

Thanks for your help.

Hi,
Is there a choice of filtering by disposition (OR) creating a dashboard based on disposition.

1 Like

Hey @lakshmikanth,

Thank you for your first post and welcome to the discussion forum!! To answer your question, currently, you can’t filter by disposition. As far as the dashboards go, they are currently only tied to log search logs, but word on the street is that is changing soon. I’ll throw the idea for the disposition filter to the team as it’s a solid thought! Thank you!

1 Like

Okay, Thanks! @SDavis

Not a problem, glad to help! Just a side note, if you use the Investigations RestfulAPI, you can sort and search by the disposition:

Yeah, thanks! We are already using APIs for creating custom dashboards for IDR investigations. Just wanted to check if there’s that option in the platform.
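The two posts above describe pulling investigations through the Investigations API and grouping them by disposition for a custom dashboard. The following is an added example, not code from the thread or from Rapid7: it parses a constructed, paged response, follows the pages, and counts and filters investigations by disposition client-side. The endpoint path, the `X-Api-Key` header and the `data`/`metadata` response shape are assumptions about the API, and the sample body is constructed, so the script runs offline without contacting anything.

```python
"""Summarise InsightIDR investigations by disposition (added example).

Assumptions, not taken from the forum thread: the Investigations API lives at
https://<region>.api.insight.rapid7.com/idr/v2/investigations, authenticates
with an X-Api-Key header, and returns a JSON body with a "data" list whose
items carry a "disposition" field plus a "metadata" block with paging info.
SAMPLE_RESPONSE below is constructed sample data, not a real capture.
"""
import json
from collections import Counter
from typing import Callable, Dict, List

# Constructed example of one page of results (hypothetical rids and titles).
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"rid": "inv-0001", "title": "First Time Admin Action", "status": "CLOSED", "disposition": "NOT_APPLICABLE"},
        {"rid": "inv-0002", "title": "Suspicious Process Tree", "status": "CLOSED", "disposition": "BENIGN"},
        {"rid": "inv-0003", "title": "Malware Detected", "status": "CLOSED", "disposition": "MALICIOUS"},
        {"rid": "inv-0004", "title": "Account Unlock", "status": "CLOSED", "disposition": "BENIGN"},
        {"rid": "inv-0005", "title": "Ingress From Unusual Country", "status": "OPEN", "disposition": "UNDECIDED"},
    ],
    "metadata": {"index": 0, "size": 20, "total_data": 5, "total_pages": 1},
})


def build_request(region: str, api_key: str, page: int = 0, size: int = 100) -> Dict[str, object]:
    """Return the URL, headers and query parameters for one page.

    The path and header name are assumptions about the API; the caller sends the
    request with its own HTTP client (e.g. requests.get(**fields)).
    """
    return {
        "url": f"https://{region}.api.insight.rapid7.com/idr/v2/investigations",
        "headers": {"X-Api-Key": api_key},
        "params": {"index": page, "size": size},
    }


def parse_investigations(body: str) -> List[dict]:
    """Extract the list of investigation records from a raw JSON response body."""
    doc = json.loads(body)
    return list(doc.get("data", []))


def fetch_all(get_page: Callable[[int], dict]) -> List[dict]:
    """Walk every page; get_page(index) must return the parsed body for that page.

    Relying on metadata.total_pages to stop is an assumption about the API.
    """
    items: List[dict] = []
    index = 0
    while True:
        doc = get_page(index)
        items.extend(doc.get("data", []))
        total_pages = int(doc.get("metadata", {}).get("total_pages", 1))
        index += 1
        if index >= total_pages:
            return items


def filter_by_disposition(items: List[dict], disposition: str) -> List[dict]:
    """Keep only investigations whose disposition matches (case-insensitive)."""
    wanted = disposition.strip().upper()
    return [i for i in items if str(i.get("disposition", "")).upper() == wanted]


def count_by_disposition(items: List[dict]) -> Dict[str, int]:
    """Count investigations per disposition, most common first, for a dashboard tile.

    Records with no disposition field are bucketed under "UNSET" (our own label).
    """
    counts = Counter(str(i.get("disposition") or "UNSET").upper() for i in items)
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    records = parse_investigations(SAMPLE_RESPONSE)
    print(count_by_disposition(records))
    for rec in filter_by_disposition(records, "benign"):
        print(rec["rid"], rec["title"])
```

To run it against a live tenant, wrap an HTTP client in the `get_page` callable (building each call with `build_request`) and feed the result to `fetch_all`; the grouping and filtering functions do not care where the records came from.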

No worries, I’ll ask around and see if it’s on the roadmap

Sure, Thanks!