Exempt krbtgt_AzureAD account from the rule S-AesNotEnabled

Hello,

S-AesNotEnabled reports the account “krbtgt_AzureAD” as missing AES, but it is a false positive. We want to exempt this single account from the report, not the whole S-AesNotEnabled rule. I tried to add the samaccountname or distinguished name as an exception, “Rule Item to handle”, but the report still shows it. Is there any way this account can be excluded?

Engine version: 3.3.0.12

Thanks!

Hi there,
Sadly, the exception will not work for this rule due to the output not being directly in the risk and in the general user information section of the report.

I will add an item to the backlog for S-AesNotEnabled to enable this for a future release.

For now, you could potentially use the HoneyPot accounts feature if this account cannot be enabled for AES Authentication, but be aware this excludes it from all detections.
Forgive me, I haven’t done the research to see if it can be yet or not.

I will add an idea to the ideas portal if not already there to track this for the 4.0 release.

Cheers,
Joe