How to exclude IP range for all Investigations

Hi everyone,

I'm trying to exclude a specific subnet from every alert or investigation, but I can't find anything in the documentation.

Is there a way to completely ignore desired addresses?

Thanks in advance.

Regards

What is the alert in question? There is no global investigation exception; however, for ABA rules you can create per-rule exceptions, and for UBA rules you can utilize the allowlist and close options.

What is the IP range exactly? We do have the concept of Unmanaged IP ranges via the IDR settings (see "IP Addresses | InsightIDR Documentation").

David

Hi David, thanks for replying. I tried to put the range into the Unmanaged IP ranges, but I still receive investigations.
The range I want to exclude is 10.10.X.0/24.
The problem is that it is a Community Threat rule (not UBA or ABA), so I can't modify it either.

Thanks again.

A Community Threat alert is a UBA alert, and it's unique in that there are no allowlist options to modify the community threat. Your options are to:

  1. Stop following the community threat causing this false positive
  2. Copy and create your own community threat (removing the false positive IOC)
  3. Leave the investigation open (it won’t continue to fire but it will continue to append the behavior to the open investigation for specific actors)
  4. Do nothing and allow the false positives to fire

One thing to note: we are in the process of slowly migrating our UBA rules to ABA rules, which would allow for more granular exceptions like the one you are requesting. But we have no ETA to share at this time on when these specific UBA rules will be migrated.

David
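Option 2 above (copy the community threat and strip the indicators that cause the false positive) is easy to get wrong by hand when the indicator list is long or contains CIDR blocks as well as single hosts. The following is an added example, not code from this thread or from Rapid7, showing one way to pre-filter an exported indicator list against an excluded subnet before re-importing it as your own threat. It assumes the indicators are available as plain strings; `EXCLUDED_RANGES` uses `10.10.0.0/24` as a constructed placeholder for the poster's `10.10.X.0/24`, and `SAMPLE_IOCS` is constructed for the demonstration.

```python
import ipaddress

# Constructed placeholder standing in for the poster's 10.10.X.0/24; not a real value.
EXCLUDED_RANGES = ["10.10.0.0/24"]

# Constructed sample indicator list, standing in for the entries of a copied community threat.
SAMPLE_IOCS = [
    "10.10.0.25",          # single host inside the excluded range (the false positive)
    "10.10.0.0/26",        # a whole block that sits entirely inside the excluded range
    "10.10.1.7",           # adjacent /24, not excluded
    "203.0.113.40",        # external address, kept
    "bad-domain.example",  # non-IP indicator, passed through untouched
]


def _parse(indicator):
    """Return an ip_network for IP or CIDR indicators, or None for anything else."""
    try:
        # strict=False lets a bare host address parse as a /32 (or /128) network.
        return ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        return None


def filter_iocs(iocs, excluded_ranges):
    """Split indicators into (kept, removed) against the excluded CIDR ranges.

    An IP or CIDR indicator is removed only when it lies entirely within one of
    the excluded ranges; partial overlaps and non-IP indicators are kept so
    nothing outside the intended subnet is silently dropped.
    """
    excluded = [ipaddress.ip_network(r, strict=False) for r in excluded_ranges]
    kept, removed = [], []
    for ioc in iocs:
        net = _parse(ioc)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        inside = net is not None and any(
            net.version == ex.version and net.subnet_of(ex) for ex in excluded
        )
        (removed if inside else kept).append(ioc)
    return kept, removed


if __name__ == "__main__":
    kept, removed = filter_iocs(SAMPLE_IOCS, EXCLUDED_RANGES)
    print("removed:", removed)
    print("kept:", kept)
```

Reviewing the `removed` list before re-importing is the point of the split return value: it makes the exception explicit and auditable, rather than leaving the investigation open or stopping the follow entirely (options 3 and 1).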