Tuning "Local account % on asset % experienced excessive failed authentications" Investigations

Hello folks,

I’m very new to InsightIDR.

We are receiving frequent notifications in our environment related to excessive failed authentications. When we examine the evidence we can see that these failed notifications are for our Mac fleet and are using /usr/sbin/softwareupdate and/or /System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd. This does not seem to be any kind of indication of compromise.

We do not want to disable brute force notifications for these devices, but I would like to tune this alert, and we would like to preserve a record of these events so we can determine a root cause. But we don’t need to investigate each of these alerts individually. What is the recommended approach for this kind of tuning?

Thanks!

For these Legacy UBA Detections, the tuning is limited to the options presented when attempting to change the status of the Investigation and hitting the Allowlist and Close option.

The options listed here are the only exceptions which can be built.

We do intend to migrate this rule to a regular Detection Rule, which would then allow for the exception rule builder experience to be used.

Until this rule is migrated, if none of the allowlist and close options are viable, you could opt to re-create this rule using a Custom Detection Rule of your own, by leveraging the Asset Authentication logs and crafting the rule to filter out these macOS AuthKit failures.

David
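As an added illustration of the approach described in the reply above (a custom detection over asset authentication logs that excludes the macOS softwareupdate/akd failures but still keeps them on record for root-cause analysis), here is a standalone Python sketch of that detection logic run over constructed sample events. This is not InsightIDR's rule language, nor code from Rapid7 or from anyone in this thread; the threshold, time window, event field names and the sample events are all assumptions made for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Process paths the thread identifies as the source of the benign macOS failures.
# Using them as an exclusion list is this example's assumption, not a product setting.
BENIGN_MACOS_PROCESSES = {
    "/usr/sbin/softwareupdate",
    "/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd",
}

AKD = "/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd"
_T0 = datetime(2024, 1, 1, 9, 0, 0)


def _ev(minute, account, asset, result, process="-"):
    """Build one constructed asset-authentication event (field names are assumed)."""
    return {"time": _T0 + timedelta(minutes=minute), "account": account,
            "asset": asset, "result": result, "process": process}


# Constructed sample events, not real logs:
#   - alice on a Mac: 7 failures, all from akd/softwareupdate (benign per the thread)
#   - svc_backup on a Windows server: 6 failures with no benign process (should alert)
#   - bob: 2 failures (below threshold)
#   - one success, which the detection ignores
SAMPLE_EVENTS = (
    [_ev(m, "alice", "MAC-001", "FAILURE", AKD) for m in range(6)]
    + [_ev(6, "alice", "MAC-001", "FAILURE", "/usr/sbin/softwareupdate")]
    + [_ev(m, "svc_backup", "WIN-SRV01", "FAILURE") for m in range(6)]
    + [_ev(0, "bob", "WIN-SRV02", "FAILURE"), _ev(1, "bob", "WIN-SRV02", "FAILURE")]
    + [_ev(7, "alice", "MAC-001", "SUCCESS")]
)


def detect_excessive_failures(events, threshold=5, window=timedelta(minutes=10),
                              excluded=BENIGN_MACOS_PROCESSES):
    """Sliding-window count of failed authentications per (account, asset).

    Returns (alerts, suppressed):
      alerts     -> {(account, asset): failure count in the window when the threshold was hit}
      suppressed -> the excluded events themselves, so they stay on record for root cause
    Excluded events never contribute to a count, so a noisy akd burst cannot mask
    (or be masked by) an unrelated brute-force attempt against the same account/asset.
    """
    alerts = {}
    suppressed = []
    windows = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "FAILURE":
            continue
        if ev["process"] in excluded:
            suppressed.append(ev)
            continue
        key = (ev["account"], ev["asset"])
        q = windows[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = len(q)
    return alerts, suppressed


def summarize_suppressed(suppressed):
    """Aggregate suppressed failures by (asset, process) for the root-cause record."""
    return Counter((ev["asset"], ev["process"]) for ev in suppressed)


if __name__ == "__main__":
    alerts, suppressed = detect_excessive_failures(SAMPLE_EVENTS)
    for (account, asset), n in alerts.items():
        print(f"ALERT: {account} on {asset}: {n} failed authentications in window")
    for (asset, process), n in summarize_suppressed(suppressed).items():
        print(f"suppressed (kept for review): {asset} via {process}: {n}")
```

The exclusion is keyed on the originating process rather than on the account or asset, so the rule still fires if the same Mac sees repeated failures from anything other than the two known-benign binaries. The suppressed events are returned separately rather than discarded, which is what lets you keep a record for root cause without an Investigation per burst.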

Hey David, is there any schedule or something similar to track these migrations? We’re actually migrating some by ourselves, so that info would allow us to save some effort :stuck_out_tongue:

@mmur_gt4e we are currently working on the next batch of UBA rules that are set to be migrated; my colleague @jordan_bacher1 should have more to share this coming week!

David

Oh nice! So, how can we keep updated about it? :smiley: