Alerts
The Alerts experience is currently available to Managed Detection and Response (MDR) customers only.
As InsightIDR collects data from your environment, detection rules look for known threats, risks, and unusual actions. These detection rules can then trigger alerts, investigations, or other types of notifications when an event occurs that meets the detection rule logic. As an MDR customer, you can review the alerts created in InsightIDR to respond to potentially malicious behavior in your environment.
Looking for Custom Alerts?
Custom Alerts have been renamed to Basic Detection Rules. The alerts described in this topic are different from the Basic Detection Rules feature in Log Search.
Understand alerts
Alerts represent specific events in your security environment that could indicate a threat or anomaly.
When an alert is created, you can view it to understand its cause and take action on it, if necessary. For example, you can create a new investigation from the alert, add the alert to an existing investigation, or close the alert.
Note that alerts are not included in the MDR monthly rollup report.
How alerts are created
Alerts are created from ABA detection rules. InsightIDR automatically creates an alert when the Rule Action for an ABA detection rule is set to Creates Alert and a detection occurs.
As an MDR customer, you can set the Creates Alert Rule Action for detection rules that are custom or contextual. You can work with the Rapid7 SOC (Security Operations Center) to set the Rule Action for managed detection rules. Read more about how to modify detection rules.
InsightIDR creates alerts from ABA detection rules only. Alerts aren't created from UBA detection rules, and you can't create alerts manually.
Alerts in investigations
You can add alerts to investigations, which allows you to respond to the issue with all relevant context about the investigation in a single place.
Alerts and notable events
While alerts notify you about potentially suspicious activity, you might also want to be notified about behavior that is plausible but uncommon (for example, a user logging in from a location other than where they typically work). You can configure detection rules to create notable events, which, like alerts, can be added to an investigation to provide context. Read more about notable events.
Configure email notifications
You can configure InsightIDR to send an email notification when an alert is created or updated. To enable email notifications, create Log Pattern basic detection rules that trigger on events in the alert audit log, which is captured by the InsightIDR Alerts log in Log Search.
View an alert’s details
You can view the alerts created in InsightIDR to understand the event the alert represents and the detection rule logic that generated it. InsightIDR provides alert details to allow you to gain helpful context during the alert triage process.
To view details for an alert:
- From the left menu, go to Alerts.
- Search for the alert that you want to view.
- Select the Alert Table tab.
- In the Actions column, click the Alert Details icon. The Alert Details panel opens with information about the alert. Read more about alert information.
Tips for the Alert Details panel
You can save time by taking certain actions directly on the Evidence tab of the Alert Details panel:
- To get a direct link to the alert, click Actions > Copy Link. The link is copied to your clipboard, and you can use it to return to the alert later.
- To view other alerts that were generated for the same organization, click the Related Alerts dropdown. Use the Include Actor toggle to switch between a view of all related alerts for the organization and a view of only the related alerts in that organization that share the same actor. Click View to open the alerts in a new tab.
- To display information about the user or asset associated with an alert, click the Users and Assets dropdown.
- To update the alert’s status, disposition, priority, and assignee, click the Edit button.
- To create a new investigation with the alert, select Investigate > Create Investigation. Read more about creating an investigation from an alert.
- To add the alert to an existing investigation, select Investigate > Add to Existing Investigation. Read more about adding an alert to an existing investigation.
- If the alert is already part of an investigation, click the Go to Investigation button to view the investigation’s details.
Monitor and triage alerts
To locate the alerts whose details you want to view, you can apply filters and create queries that narrow your view to only the alerts that are relevant. You can also choose which columns display in the tables on the Alert Table and Data Stacking tabs.
Additionally, you can save your view as a workspace, allowing you to go back to your search and selected table columns later. For example, you might create a workspace for table views that you use often.
Understand the alerts table and data stacking
You can view alerts on two tabs:
- Alert Table - This tab displays each alert on its own row.
- Data Stacking - This tab groups alerts based on identical values in one or more table columns, and displays the Count of alerts in that group.
As you triage alerts, you can switch between the two views, depending on the information that you want to see. The Alert Table tab is useful when you want more detail on a single alert. The Data Stacking tab is useful when you want to group similar alerts, for example, to determine which alerts are related.
Search for alerts
To narrow your view of alerts on the Alert Table and Data Stacking tabs, you can apply filters or create a query to return only the alerts that are relevant.
To search for alerts:
- From the left menu, go to Alerts.
- Apply one or more optional filters to narrow the list of alerts:
- Date Range - Filter for alerts that occurred within a specific time period.
- Not Included in an Investigation - Filter for alerts that are not included in an investigation.
- Alert Category - Filter for alerts that are managed by the Rapid7 MDR SOC or are custom and contextual alerts.
- Priority - Filter for alerts with the priority you select.
- Status - Filter for alerts with the status you select.
- Alert Name - Filter for alerts with a specific alert name.
- Assignee - Filter for alerts that are assigned to a specific user.
- Disposition - Filter for alerts with the disposition you select.
- Event Type - Filter for alerts based on event type.
- Optionally, enter a query using Log Entry Query Language (LEQL) in the query bar, and click the Apply button.
- Review the alerts on the Alert Table and Data Stacking tabs. Both tabs update based on the filters you apply.
Edit table layouts
You can choose which columns display on the Alert Table and Data Stacking tabs, which allows you to focus your view on only the relevant information. The available table columns are sourced from the event sources and corresponding keys that InsightIDR supports.
To choose the table columns that display:
- From the left menu, go to Alerts.
- Select the Alert Table tab or Data Stacking tab, depending on the information that you want to view. The table columns you choose apply only to the tab you're viewing.
- Click the Edit Table button.
- On the left, expand the groups in the Keys section, and click Select next to the individual keys to display as columns in the table.
- Optionally, drag the keys in the order that you want the columns to display.
- Optionally, click the Show and Hide icons to limit which selected keys are visible in the table.
- Click the Apply Selection button. The keys you selected display as columns on the Alert Table tab or Data Stacking tab.
Tips for the table editor
Edit table layouts more efficiently with these tips:
- To save a group of table columns for later, click the Save as Layout button in the upper right, and enter a Group Name to identify the column layout later.
- To apply a saved column layout, expand the Saved Layouts section, and click Select next to the column layout to apply. You can continue to add or remove keys from the column layout as needed.
- To return the column layout to its default state, click the Restore to Default button in the lower left.
Save your view as a workspace
After applying filters and queries and adjusting the table columns displayed on the Alert Table and Data Stacking tabs, you might want to save your view so that you can return to a specific list of alerts later. To save your view, you can create a workspace, which gives you the option to save the attributes you applied to the alerts.
To save a workspace:
- From the left menu, go to Alerts.
- Apply filters or enter a query to narrow your view.
- On the Alert Table and Data Stacking tabs, edit the table columns to display the information that you want to view.
- Above the table, click the Save as Workspace button.
- In the Name field, enter a descriptive workspace name, which is used to identify the workspace later.
- Optionally, in the Description field, enter a brief description of the workspace.
- Below Includes, select the attributes to save in the workspace.
- Click the Save button. The workspace is saved.
To apply a saved workspace:
- From the left menu, go to Alerts.
- Above the table, click the Saved Workspaces button.
- Click Run next to the workspace that you want to apply. The settings in the workspace are applied to your view.
To return to the default workspace:
- From the left menu, go to Alerts.
- Above the table, click the Saved Workspaces button.
- Click the Restore to Default button in the lower left. The alerts page returns to its default view.
Export alerts from Data Stacking to a CSV file
If you need to save alert data for later, you can export a CSV file that captures the information displayed on the Data Stacking tab.
The exported CSV file contains only the information visible in the table, so make sure to adjust your view to include all of the data that you want to export.
To export alerts:
- From the left menu, go to Alerts.
- Optionally, apply filters or enter a query to narrow your view to only the alerts that you want to export.
- Optionally, on the Data Stacking tab, edit the table columns to display the information that you want to export.
- (Important) Scroll to the bottom of the table to ensure all alerts from your query are included in the CSV file. InsightIDR includes only alerts that have been loaded in the table (for example, if the filters return 1000 alerts but only 200 have been loaded, only those 200 alerts are included in the CSV file).
- Above the table, click the Export to CSV button. A confirmation message displays.
- Click Export. InsightIDR begins preparing the CSV file, and you can download it when it's ready.
View the alert audit log
No data displaying in the audit log?
To view the audit log, you need access to the InsightIDR Alerts log. Read more about managing access to logs and log sets in the Insight Platform documentation. Contact your Platform Administrator for questions about your permissions.
The alert audit log provides a detailed chronological view of every action taken on the alert, when the action was taken, and which user took it. The audit log can help strengthen security reporting and compliance within your organization.
To view an alert’s audit log:
- From the left menu, go to Alerts.
- Search for the alert with the audit log that you want to view.
- In the Actions column, click the Alert Details icon.
- Click the Audit Log tab.
- On the left, apply filters to locate the audit log entries that you want to view.
- On the right, expand each audit log entry to view its details.
To query the alert audit log in Log Search:
- From the left menu, go to Log Search.
- Select the Audit Logs log set with the InsightIDR Alerts log. Read about Event Types and Keys to understand which keys are available to use in your query.