I need some assistance in configuring the Rapid7 alerts to not be triggered when authorized users do their jobs. I’m seeing alerts when I or my support team access the database for instance, which adds more work to our daily chores.
(whitelisting specific user/service account from specific alert)
For UBA rules you are limited to the modify and close options; for regular Detection Rules (formerly known as ABA rules) you have the exception rule feature to build appropriate exceptions based on key-value pairs.
@david_smith1 Basically, we are getting alerts whenever our users try to access a service account for legitimate usage. FYI, the alerts are based on Legacy UBA Detection Rules.
Is there any other way rather than creating exceptions on key-value pairs?
For the Legacy UBA rules you cannot use KVP exceptions; your only options are the modify and close options, which are presented when attempting to close the open investigation.