While InsightIDR is running, it continuously finds and collects thousands of potential threat events from all of the assets and endpoints it monitors. However, many of these activities would set off alerts even though they are not high-profile threats, which quickly leads to burnout for the security team investigating them.
Alert Settings changes can be made upon request; please reach out to your Customer Advisor.
Understand Different Kinds of Alerts
Alerts arrive as an email containing an incident number and a short description, informing you of notable events and suspicious behavior captured by InsightIDR.
There are several different kinds of alerts and alert settings available:
Notable behaviors do not generate alerts or investigations.
As part of InsightIDR’s User Behavior Analytics (UBA), the solution monitors and baselines every user’s activity, establishing a pattern of which asset(s) the user owns, which assets they access, where they log in from remotely, and other actions.
Some notable behaviors help identify user anomalies relative to this baseline, such as "New Asset Logon" or "First Time Ingress from Country." Other notable behaviors are effectively low-fidelity alerts, such as "Account Lockout" or "Virus Alert." Almost any network can be expected to experience a large number of such notable behaviors on any given day, so they are not raised as alerts; this prevents InsightIDR from flooding the end user with alerts.
Instead, notable behaviors are automatically added to Investigation Timelines when a user is involved in a “real” alert, providing additional context. This helps analysts contextualize the behavior without these notable behaviors going completely unobserved.
Example Use Case
The alert "Bruteforce — Domain Account" truly indicates that the employee John Doe was locked out of his account because he was the target of a brute-force attempt.
This unique, two-tiered detection system flags anomalous events and includes them in investigations without overwhelming security incident response teams with false positives. Notable behaviors are the events that fall between expected behavior and alert-worthy behavior.
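The two-tiered model described above, as an added illustration that is not InsightIDR's own code: notable behaviors are recorded silently per user, and only when that user triggers an alert-grade event are they pulled into the investigation as timeline context. The event names, the 24-hour context window and the sample events are constructed for the example.

```python
"""Two-tier triage model: notable behaviors are recorded silently and only
surface as context when the same user triggers a real alert."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Illustrative categories modelled on the page's examples, not the product's rule set.
NOTABLE = {"New Asset Logon", "First Time Ingress from Country",
           "Account Lockout", "Virus Alert"}
ALERTS = {"Bruteforce - Domain Account"}

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str

@dataclass
class Investigation:
    user: str
    alert: Event
    timeline: list = field(default_factory=list)

def triage(events, context_window=timedelta(hours=24)):
    """Open an investigation for each alert-grade event and attach the user's
    notable behaviors from the preceding window as timeline context.
    Notable behaviors on their own never open an investigation."""
    notable_by_user = {}
    investigations = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in NOTABLE:
            notable_by_user.setdefault(ev.user, []).append(ev)
        elif ev.kind in ALERTS:
            inv = Investigation(user=ev.user, alert=ev)
            inv.timeline = [n for n in notable_by_user.get(ev.user, [])
                            if ev.ts - n.ts <= context_window]
            investigations.append(inv)
    return investigations

# Constructed sample: jdoe's lockouts stay silent until the brute-force alert fires;
# asmith's lone "Virus Alert" never becomes an investigation.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "jdoe", "New Asset Logon"),
    Event(T0 + timedelta(minutes=5), "jdoe", "Account Lockout"),
    Event(T0 + timedelta(minutes=6), "jdoe", "Account Lockout"),
    Event(T0 + timedelta(minutes=7), "jdoe", "Bruteforce - Domain Account"),
    Event(T0 + timedelta(minutes=8), "asmith", "Virus Alert"),
]

if __name__ == "__main__":
    for inv in triage(SAMPLE_EVENTS):
        print(inv.user, inv.alert.kind, [n.kind for n in inv.timeline])
```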
You can change the default Alerts and Notable Behaviors on the Alerts setting page.
You can also utilize Attacker Behavior Analytics (ABA).
Not seeing alerts when you know you should? Check out understanding new alerts.