The rule is useful but is raising a lot of false positives for us due to one service account that I would like to exclude from the rule. This does not seem to be possible for these rules, though?
@J1m,
Since that is a UBA rule, there is not currently a way to create exceptions from the detection rules area. However, if you go to the investigations page, find the investigation, in the upper right corner where it says "Status" (the status must be open, so reopen the investigation in order to do this if it's closed already) and choose "Modify and Close". On the next screen you will see a dropdown with available Alert Modification options, which hopefully contain one that allows you to essentially whitelist that service account from that alert type:
I've uploaded some screenshots from my lab. Please be aware that I did not use the lateral movement service account alert, as I didn't have that; this was a lateral movement administrator impersonation alert. Also, just as a disclaimer: if you whitelist that service account from the lateral movement service account alerts, you do create a potential blind spot if that service account is ever compromised, just an FYI.
Many thanks. I was able to select the option "Allow this user to access this asset from any source".
This will stop the false positives while still being able to trigger genuine incidents if this service account was abused to try to access other assets.
No worries, and yes, that modification should do the trick for you! On a side note, if you ever need to periodically review the alert modifications that you've created, go to your Detection Rules tab in IDR, then click over to "Alert Modifications", and review what you have. You can review all at once, filter by alert type (Alert Rules in the product), or search for them specifically. If a rule modification doesn't apply anymore, delete it and that will remove the modification.
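The difference between the scoped modification chosen above ("Allow this user to access this asset from any source") and a blanket whitelist of the service account is the blind spot the earlier reply warns about. The following is an added example, not InsightIDR code and not the product's actual matching logic: it models an alert modification as a scope of (user, asset, source) with "any" wildcards and runs both variants over a handful of constructed access events. The user, host and event names are made up for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AccessEvent:
    """One lateral-movement style access: `user` logged on to `asset` from `source`."""
    user: str
    asset: str
    source: str


@dataclass(frozen=True)
class AlertModification:
    """A scoped exception for one alert type.

    A field set to None means "any" for that dimension, so
    AlertModification(user="svc-x", asset="FS01") models
    "allow this user to access this asset from any source", while
    AlertModification(user="svc-x") models a blanket whitelist of the user.
    (Hypothetical model of how such exceptions are scoped, not the product's code.)
    """
    user: str
    asset: Optional[str] = None
    source: Optional[str] = None

    def matches(self, ev: AccessEvent) -> bool:
        return (
            ev.user == self.user
            and (self.asset is None or ev.asset == self.asset)
            and (self.source is None or ev.source == self.source)
        )


def remaining_alerts(events: Iterable[AccessEvent],
                     modifications: Iterable[AlertModification]) -> List[AccessEvent]:
    """Return the events that would still raise the alert after the modifications apply."""
    mods = list(modifications)
    return [ev for ev in events if not any(m.matches(ev) for m in mods)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    AccessEvent("svc-backup", "FS01", "BACKUP01"),  # the expected nightly job: benign
    AccessEvent("svc-backup", "FS01", "WKS-042"),   # same asset, odd source: covered by "any source"
    AccessEvent("svc-backup", "DC01", "WKS-042"),   # service account reaching a new asset: suspicious
    AccessEvent("alice", "DC01", "WKS-042"),        # unrelated user: must still alert
]

# The modification chosen in the thread: user + asset pinned, source wildcarded.
SCOPED = [AlertModification(user="svc-backup", asset="FS01")]

# The blanket alternative the earlier reply cautions against.
BLANKET = [AlertModification(user="svc-backup")]


def scoped_alerts() -> List[AccessEvent]:
    return remaining_alerts(SAMPLE_EVENTS, SCOPED)


def blanket_alerts() -> List[AccessEvent]:
    return remaining_alerts(SAMPLE_EVENTS, BLANKET)


if __name__ == "__main__":
    print("Scoped exception still alerts on:")
    for ev in scoped_alerts():
        print("  ", ev)
    print("Blanket whitelist still alerts on:")
    for ev in blanket_alerts():
        print("  ", ev)
```

With the scoped exception, the service account's access to FS01 is quiet regardless of source, but its access to DC01 still fires alongside alice's; with the blanket whitelist, the DC01 access by the service account is silently dropped, which is exactly the blind spot to avoid.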