I’m wondering if it’s possible to whitelist a user if the detection rule only generates notable events? In our environment, the UBA “Account Impersonation” is set to a notable event. We have a lot of admins that impersonate from their personal account to their admin account, hence generating tons of these notable events. Is there a way to whitelist these users without changing the UBA to “Create Investigation”, then wait until the investigation is being generated and then whitelisting it using the allowlist & close option?
currently the only allowlisting options for our UBA rules are the allowlist and close options.
For this rule
The first time a user account authenticates to an administrator account, this alert will always trigger. However, each time this triggers, you should close the incident with “allow this user to access this asset” and IDR will link legitimate user accounts to their corresponding administrator accounts and avoid alerting for this pairing in the future.
We have plans to migrate our UBA ruleset over time, with that, once this rule is migrated you will be able to avail of the ABA Rule Exception builder which also works proactively instead of just reactively allowing these rules to be created ahead of the alert firing.