I would like to exclude users or a group of users from my AD from some alerts.
For example, I have users who belong to one of my partners, but I don’t want to have alerts about them on a leaked account, for example.
Is this option available on the IDR console?
Depending on the alert in IDR, when you go to close that alert you might see some available modification choices based on the alert itself and the user/endpoint that is associated with it in order to allow that activity from that user/endpoint in the future. Specifically for the account leaks, there is no ability to modify that alert for a particular user/account.
You cannot do much modification to the alerts based on User Behavior or Attacker Behavior. I think that the best you can do is to disable the alert and then build a new custom alert based on a query that excludes the groups you do not want to be alerted on.
Alerts are based on queries so the one you want is a NOT expression:
“A member was removed from a security-enabled” AND NOT “Executives”
I think this would be the only way to do what you want. I use this technique to prevent alerts on guest wifi devices by excluding the IP range. As long as you can parse a term for the users that you want excluded, then you can build an alert that excludes them.
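To show how an `AND NOT` exclusion behaves, and where a free-text term can suppress more than intended, here is an added Python example that is not from this thread and is not InsightIDR's query engine. The log lines, field names (`event`, `target_user`, `group`) and the group name "Executives Support" are constructed assumptions; it evaluates the thread's free-text form beside a stricter field-based exclusion.

```python
import re

# Constructed sample log lines (not real InsightIDR data), modelled on
# Windows group-membership change events. Field names are assumptions.
SAMPLE_LOGS = [
    'event="A member was removed from a security-enabled global group" target_user=alice group="Domain Admins"',
    'event="A member was removed from a security-enabled global group" target_user=bob group="Executives"',
    'event="A member was removed from a security-enabled global group" target_user=carol group="Executives Support"',
    'event="A member was added to a security-enabled global group" target_user=dave group="Executives"',
]

INCLUDE_TERM = "A member was removed from a security-enabled"
EXCLUDED_GROUPS = {"Executives"}


def parse_fields(line):
    """Parse key=value and key="quoted value" pairs into a dict."""
    return {k: q or bare for k, q, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}


def keyword_match(line, include, exclude_terms):
    """Free-text form of the thread's query: "<include>" AND NOT "<term>".
    The NOT side is a substring test over the whole line, so any line that
    merely contains the term is dropped, including other group names."""
    return include in line and not any(t in line for t in exclude_terms)


def field_match(line, include, excluded_groups):
    """Field-based form: exclude only when the parsed group is exactly listed."""
    f = parse_fields(line)
    return include in f.get("event", "") and f.get("group") not in excluded_groups


def alerts_keyword(lines):
    """Users who would still alert under the free-text exclusion."""
    return [parse_fields(l)["target_user"] for l in lines
            if keyword_match(l, INCLUDE_TERM, EXCLUDED_GROUPS)]


def alerts_field(lines):
    """Users who would still alert under the exact-field exclusion."""
    return [parse_fields(l)["target_user"] for l in lines
            if field_match(l, INCLUDE_TERM, EXCLUDED_GROUPS)]


if __name__ == "__main__":
    print("keyword exclusion alerts on:", alerts_keyword(SAMPLE_LOGS))  # ['alice']
    print("field exclusion alerts on:  ", alerts_field(SAMPLE_LOGS))    # ['alice', 'carol']
```

The substring form silently drops carol's removal from "Executives Support" because the line contains "Executives"; keying the exclusion on a parsed field keeps that alert, which is what the "as long as you can parse a term" advice above buys you.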