Inbox forward rule whitelist

Ive noticed some alerts have more extensive whitelisting options such as whitelisting certain alerts to specific users, but inbox forwarding rule does not. For example, we have a user that makes constant (non-malicious) inbox forwarding rules and we’d like to white list the alerts for the specific user, and not the alert as a whole. Any fix for this? thanks.

Hello! Just to clarify, are you referring to the “Attacker Technique - Suspicious Inbox Forwarding” rule? If so, for our Attacker Behavior Analytics rules you are able to create an exception that will prevent alerting based on criteria that you can define Modify ABA Detection Rules | InsightIDR Documentation