While InsightIDR is running, it continuously finds and collects thousands of threats from all of its assets and endpoints. However, a large number of activities cause alarm or set off alerts even though they are not high-profile threats, which can quickly lead to burnout for the security team investigating these alerts.
Alert Settings changes can be made upon request; please reach out to your Customer Advisor.
Understand Different Kinds of Alerts
Alerts arrive as an email with an incident number and a short description that informs you of notable events and suspicious behavior captured by InsightIDR.
There are several different kinds of alerts and alert settings available:
Notable behaviors do not generate alerts or investigations.
As a part of InsightIDR’s User Behavior Analytics (UBA), the solution monitors and baselines each and every user’s activity, establishing a pattern for which asset(s) the user owns, which assets they access, where they log in remotely from, and other actions.
Some notable behaviors help identify user anomalies from this baseline, such as "New Asset Logon" or "First Time Ingress from Country." Other notable behaviors are effectively low-fidelity alerts, such as "Account Lockout" or "Virus Alert." Almost any network is expected to experience a large number of such notable behaviors on any given day. Because notable behaviors do not generate alerts, InsightIDR does not flood the end user with alerts.
Instead, notable behaviors are automatically added to Investigation Timelines when a user is involved in a “real” alert to provide additional context. This helps analysts better contextualize the behavior without these notable behaviors going completely unobserved.
Example Use Case
The alert "Bruteforce — Domain Account" truly indicates that an employee John Doe was locked out of his account because he was the target of a bruteforce attempt.
This unique, two-tiered detection system flags anomalous events and includes them in investigations without overwhelming security incident response teams with false positives. Notable behaviors are the events that fall between expected behavior and alert-worthy behavior.
You can change the default Alerts and Notable Behaviors on the Alerts setting page.
InsightIDR checks for the following incidents when creating an alert:
A new account has been created.
A previously disabled user account has been re-enabled by an administrator.
Indicates that some account names in your environment are present in credential dumps from external data breaches of other websites or other external sources. InsightIDR generates this alert if accounts in your environment match what is out in the public domain. This does not mean that the credentials present in the public domain match those used in your environment, but they may if the user reused the same password on these third-party sites as used for your environment. Based on your company's password policy and age of the leak data, these alerts may be considered low-fidelity and more informational.
An account has been locked.
Account password reset
A user resets the password for an account.
Account privilege escalated
An administrator has assigned a higher level of privileges to the account.
Account received suspicious link
A user has received an email containing a link flagged by the community or threat feeds.
A previously locked user account has been unlocked by an administrator.
Account visits suspicious link
A user has accessed a link URL on the tracked threat list.
Advanced malware alert
An advanced malware system has generated an alert.
Application authentication - new source
A permitted user is authenticating to an application from a new source asset.
Application authentication - new user
A new user is authenticating to an application.
Authentication attempt from disabled account
A disabled user attempted to access an asset.
Denylisted application authentication
A user is authenticating to an application that you previously indicated they were not allowed to access.
A user is authenticating to a system that you previously indicated they were not allowed to access.
Brute force - asset
Many different accounts are attempting to authenticate to the same asset.
Brute force - domain account
A domain account has failed to authenticate to the same asset excessively.
Brute force - local account
A local account has failed to authenticate to the same asset excessively.
Detection evasion - event log deletion
A user has deleted event logs on an asset.
Detection evasion - local event log deletion
A local account has deleted event logs on an asset.
An exploit has been mitigated in a process.
First ingress authentication from country
An account has connected to the network for the first time.
First time admin action
A user has performed an admin action.
Flagged hash on asset
A flagged process hash has started running on an asset for the first time.
Flagged process on asset
A flagged process name has started running on an asset for the first time.
Multiple accounts are attempting to authenticate to a single, unusual location.
Honey file accessed
A honey file was accessed on a shared file server.
Honey user authentication
There was an attempt to log in using a honey user account.
There was an attempt to connect to a network honeypot.
Ingress from account whose password never expires
An account with a password that never expires has accessed the network from an external location.
Ingress from community threat
A user has logged in to the network using an IP address that is part of a currently tracked threat.
Ingress from disabled account
A disabled user has logged in to the network or a monitored cloud service.
Ingress from domain admin
A domain administrator account has accessed the network from an external location.
Ingress from service account
A service account has accessed the network from an external location.
Ingress from threat
A user has accessed the network from an IP address on the threat list.
Kerberos privilege elevation exploit
A user has exploited the Windows Kerberos Vulnerability CVE-2014-6324 to elevate their privileges.
Lateral movement - administrator impersonation
A user has authenticated to an administrator account.
Lateral movement - domain credentials
A domain account has attempted to access several new assets in a short period of time.
Lateral movement - local credentials
A local account has attempted to access several assets in a short period of time.
Lateral movement - service account
A service account is authenticating from a new source asset.
Lateral movement - watched user impersonation
A user has authenticated to a watched user's account.
LDAP admin added
A user has been added to a privileged LDAP group.
Local honey credential privilege escalation attempt
Local honey credential privilege escalation attempt.
Malicious hash on asset
A malicious hash was found on an asset.
Multiple country authentications
A user has accessed the network from many different countries in a short period of time.
Multiple organization authentications
A user has accessed the network from multiple external organizations too quickly.
Network access for threat
A user has accessed a domain or IP address on the tracked threat list.
New asset logon
A user is authenticating to a new asset.
New assets authenticated
A user has accessed a significant number of new assets in a short time.
New local user account created
An account has created a new local user account.
New AWS Region Detected
Activity in a specific AWS region has been seen for the first time.
New AWS EC2 Instance Family Detected
An EC2 instance family was launched for the first time.
New AWS Service
An AWS Service was used for the first time.
Password set to never expire
A user's password has been set to never expire.
Protocol poisoning detected
Poisoning of a network protocol has been detected.
Remote file execution detected
Remote file execution has been detected.
Remote honey credential authentication attempt
Remote honey credential authentication attempt.
Restricted asset authentication - new source
A permitted user is authenticating to a restricted asset from a new source asset.
Restricted asset authentication - new user
A new user is authenticating to a restricted asset.
Spear phishing URL detected
A user visited a potential phishing domain.
Third party alert - AWS GuardDuty
AWS GuardDuty has detected suspicious or malicious activity.
Third party alert - carbon black response
Carbon Black Response has detected suspicious or malicious activity.
A virus has been found on an asset.
Wireless multiple country authentications
A user has logged onto the network using a mobile device from too many countries in a short period of time.
Wireless multiple organization authentications
A user has logged onto the network with a wireless device from a large number of distinct organizations too quickly.
Zone policy violation
A user has violated a network zone policy configured in InsightIDR.
Built-in alerts during baseline period
An asset or user can be placed in a baselining period while InsightIDR learns about its behavior.
Baselining is a temporary state, not a permanent one. It usually starts when a specific user or asset is created in the InsightIDR database. The period is set to 21 days after a user has been created, and 14 days after an asset has been created.
Notable events and custom alerts are not affected by the baseline. However, the following built-in alerts will not generate during the baselining period:
| Alert Name | Effect during baselining period |
|---|---|
| Lateral movement - domain credentials | Not generated if user or destination asset is in baselining period. |
| Lateral movement - service account | Not generated if any user, source, or destination assets are in baselining period. |
| New assets authenticated | Not generated if user is in baselining period. |
| Restricted asset authentication - new source | Not generated if any user, source, or destination assets are in baselining period. |
| Restricted asset authentication - new user | Not generated if either user or asset is in baselining period. |
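The baselining rules in the table above, modeled as an added Python example (not InsightIDR code or an InsightIDR API) to show which built-in alerts cannot yet fire for a given user and asset pair, and when that gap closes. The creation timestamps are constructed, the half-open window boundary is an assumption, and "asset" in the last table row is assumed to mean the destination asset.

```python
from datetime import datetime, timedelta

# Baselining windows as stated on the page.
WINDOW = {"user": timedelta(days=21), "asset": timedelta(days=14)}

# Roles that must be out of baselining before each built-in alert can fire,
# transcribed from the table. "asset" in the last row is assumed to be the
# destination (restricted) asset.
SCOPE = {
    "Lateral movement - domain credentials": ("user", "destination"),
    "Lateral movement - service account": ("user", "source", "destination"),
    "New assets authenticated": ("user",),
    "Restricted asset authentication - new source": ("user", "source", "destination"),
    "Restricted asset authentication - new user": ("user", "destination"),
}

def baseline_end(role, created):
    """End of the baselining period for a user or a source/destination asset."""
    return created + WINDOW["user" if role == "user" else "asset"]

def suppressed_by(alert, created, now):
    """Roles still baselining that stop this alert; [] means it can fire.
    Alerts absent from SCOPE (custom alerts, other built-ins) are unaffected."""
    return [r for r in SCOPE.get(alert, ())
            if r in created and created[r] <= now < baseline_end(r, created[r])]

def earliest_fire_time(alert, created):
    """When the last in-scope entity leaves baselining, or None if unaffected."""
    ends = [baseline_end(r, created[r]) for r in SCOPE.get(alert, ()) if r in created]
    return max(ends) if ends else None

# Constructed sample: a recently created user logging on from an old
# workstation to a recently added server.
CREATED = {
    "user": datetime(2024, 3, 1),
    "source": datetime(2024, 1, 1),
    "destination": datetime(2024, 3, 10),
}
NOW = datetime(2024, 3, 20)

if __name__ == "__main__":
    for alert in list(SCOPE) + ["Brute force - domain account"]:
        print(f"{alert}: blocked by {suppressed_by(alert, CREATED, NOW)}, "
              f"can fire from {earliest_fire_time(alert, CREATED)}")
```

Until the reported time passes, activity for that user and asset pair is covered only by notable events, custom alerts, and the built-in alerts not listed in the table.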
You can also utilize Attacker Behavior Analytics (ABA).