What is the difference between selecting benign and not applicable?
Congratulations on your first post and welcome to the Rapid7 Discussion Community! To answer your question, there currently isn’t anything in the platform that would be affected directly by an investigation that is marked with “Not Applicable”. Although maybe having a filter for dispositions might be beneficial; I’ll talk with some folks tomorrow about that and also verify if anything is on the roadmap.
In my opinion, the “Not Applicable” disposition is more for the UBA alerts that fire off based on initial activity, or standard activity routinely performed in an environment, etc (First Time Admin Action, First Ingress from Country, Account Leaks, Account Unlock, certain 3rd Party Alerts, etc). This is my personal breakdown of the dispositions:
Malicious - The Alert(s) was/were malicious
Benign - Activity seen by attackers in the wild, but for this specific investigation it was not malicious
Not Applicable - Not a security threat or malicious by nature, however, the activity is set to create an investigation and is being monitored by your IDR environment
Undecided - The investigating analyst is unsure and is either still investigating or needs assistance from another analyst to help make the determination
Thank you Stephen, this clears my fog.
Not a problem, always glad to help!
Can anyone clarify the following for me: if I choose the “Benign” option in the “Disposition” field when I close an alert, will that help the IDR realize that it is normal behavior?
Hey Paulo, setting the disposition is not used to train or inform IDR of “normal behavior” in any way. It’s not the same as creating an exception rule for ABA alerts, or using the modify and close options for UBA alerts.
Thanks for your help.