When IT personnel work with their normal account they often have to authenticate with a different account with higher privileges, such as a domain administrator.
In our environment this occurs on a daily basis. This triggers an IDR alert. I know I can allow for this action by modify and close. But do I really want to turn a blind eye to this behaviour? Without doing anything I feel we risk ignoring future relevant alerts because we have become used to these “false positives”.
What are your thoughts about this?
How have you handled the situation?
Hello! To start, how many alerts like this are you getting in a day? And what is your process to close them out? My point there being, are you actually investigating these as they pop up or are you simply closing them out? We definitely do not want alerts to be generated at such a high volume that users start to ignore them or close them out without thought. So we typically recommend that the best practice is to allow that behavior so that your alert volume stays manageable.
The best way to keep tabs on that behavior then is to create dashboards. IDR has pre-built cards for this exact scenario (docs). The dashboards leverage Log Search, so really anything coming in as an event source can be used to create a dashboard card. You can also schedule the dashboard to be exported on a regular cadence, so that you can regularly review the behavior.
Additionally, if a true attack was going on, typically they will be generating activity that would hit another alert (either before or after they gained control of one of your legitimate domain admin users), so allowing for this particular activity would not necessarily prevent you from seeing that sort of attack.
For the scenario you’re talking about, it might make sense to disable investigations for the behavior alert responsible for the message. Since you still need visibility into domain admin authentications, you can create a custom alert which triggers on the behavior and posts to either a group chat webhook or an InsightConnect workflow. When the alert triggers, the user responds so you know it’s legit. It’ll make your life way easier if you don’t have to open all those alert emails, stare at the JSON to see who it was, assign it, then close it.
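The approach both replies describe, allowing routine privileged authentications while keeping them visible for review, can be sketched as triage logic that counts expected use for a dashboard card and surfaces only the odd cases for a human. This is an added illustration, not code from the thread or from Rapid7; the event fields, the account-to-owner inventory and the business-hours window are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample authentication events (not real data). Each record carries the
# fields a privileged-authentication alert typically exposes: account, source asset, time.
EVENTS = [
    {"ts": "2024-05-06T08:02:11Z", "account": "adm-jdoe", "asset": "WS-JDOE", "result": "SUCCESS"},
    {"ts": "2024-05-06T09:15:40Z", "account": "adm-asmith", "asset": "WS-ASMITH", "result": "SUCCESS"},
    {"ts": "2024-05-06T11:47:03Z", "account": "adm-jdoe", "asset": "WS-JDOE", "result": "SUCCESS"},
    {"ts": "2024-05-06T23:58:19Z", "account": "adm-jdoe", "asset": "SRV-FILE01", "result": "SUCCESS"},
    {"ts": "2024-05-07T02:10:55Z", "account": "adm-legacy", "asset": "WS-TEMP", "result": "SUCCESS"},
]

# Assumed inventory: each privileged account, the IT staffer who owns it, and the
# workstations they normally administer from. In practice this comes from your
# identity/asset inventory rather than a hard-coded dict.
ADMIN_ACCOUNTS = {
    "adm-jdoe": {"owner": "jdoe", "assets": {"WS-JDOE"}},
    "adm-asmith": {"owner": "asmith", "assets": {"WS-ASMITH"}},
}

BUSINESS_HOURS = range(7, 20)  # assumed working window, 07:00-19:59 UTC


def triage(events, inventory=ADMIN_ACCOUNTS):
    """Split privileged authentications into routine use (counted for the dashboard)
    and exceptions that still deserve a person's attention."""
    routine = Counter()
    exceptions = []
    for e in events:
        hour = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        known = inventory.get(e["account"])
        reasons = []
        if known is None:
            reasons.append("unmapped privileged account")
        elif e["asset"] not in known["assets"]:
            reasons.append("unusual source asset")
        if hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            exceptions.append({**e, "reasons": reasons})
        else:
            routine[e["account"]] += 1
    return routine, exceptions


if __name__ == "__main__":
    counts, odd = triage(EVENTS)
    print("routine privileged logons per account:", dict(counts))
    for x in odd:  # these are the ones worth a chat message asking "was this you?"
        print("review:", x["ts"], x["account"], x["asset"], ", ".join(x["reasons"]))
```

The routine counter is what a scheduled dashboard export would show; the exceptions list is what the custom alert would post to the chat webhook for the user to confirm.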