I got a question on the the Lateral Movement Local Credentials alert. In our environment we have a number of systems that are allowed to log on to certain other systems. For example:
System A is allowed to connect to System B, System C, System D via user root.
Is there a way to whitelist this behavior in InsightIDR? For example, I would only like to know when the system connects to a System other than System B, System C or System D.
Unfortunately, I could only find the option to either allow all local authentications from System A or to allow all authentications between assets for the user root.
I’m waiting to hear back regarding an upcoming feature that will definitely help with this, so I’ll edit this post when I hear back. As it stands right now, unfortunately, there isn’t a way to modify that current alert the way that you are hoping.
For a handful of systems, you could very easily create a custom alert that would fire off when the destination_local_account=“root” AND destination_asset NOT IIN [“system a”, “system b”, “system c”]
The obvious issue with this is if you have a bunch of systems that query would get pretty large and then you would have to maintain it should new systems need to be added or existing systems need to be removed. Once custom LEQL variables gets released this should be a lot easier to create and manage on the fly.