We have many investigations opening from what are ultimately benign agent and scanning activities. More specifically, investigations are created because of the “MITRE ATT&CK” and “Privilege Escalation (TA0004) > Valid Accounts (T1078) > Domain Accounts (T1078.002)” behavior of these activities.
I have not been able to find a way to create exceptions for these because they are not tied to a detection rule. How can I create exceptions in this scenario?
Thanks,
Craig
For any Legacy UBA rules, the only options for exceptions are the Modify and Close options when attempting to modify the status of an Investigation. The Investigation needs to be not closed to see the Modify and Close options, so if it's already closed you need to re-open it first.
Not all UBA rules have exceptions, and not all exceptions are suitable for everyone's needs. We do intend to migrate all Legacy UBA rules to regular Detection Rules in the future. This is a step-by-step process though: some rules have already been migrated, others are poised to be migrated sooner, whilst some others have layered complexity that will take longer. I don't have an ETA to share for the migration of this specific rule.
David