Alerts

As InsightIDR collects data from your environment, detection rules look for known threats, risks, and unusual actions. These detection rules can then trigger alerts, investigations, or other types of notifications when an event occurs that meets the detection rule logic. You can review the alerts created in InsightIDR to respond to potentially malicious behavior in your environment.

Looking for Custom Alerts?

Custom Alerts have been renamed to Basic Detection Rules. The alerts described in this topic are different from the Basic Detection Rules feature in Log Search.

Understand alerts

Alerts represent specific events in your security environment that could indicate a threat or anomaly.

When an alert is created, you can view it to understand its cause and take action on it, if necessary. For example, you can create a new investigation from the alert, add the alert to an existing investigation, or close the alert.

Note that alerts are not included in the MDR monthly rollup report.

How alerts are created

Alerts are created from ABA detection rules. InsightIDR automatically creates an alert when the Rule Action for an ABA detection rule is set to Creates Alert and a detection occurs.

As a Managed Detection and Response (MDR) customer, you can set the Creates Alert Rule Action for detection rules that are your organization's responsibility, and work with the Rapid7 SOC to set the Rule Action for managed detection rules. Read more about how to modify ABA detection rules that your organization manages.

InsightIDR creates alerts from ABA detection rules only. Alerts aren't created from UBA detection rules, and you can't create alerts manually.

Alerts in investigations

You can add alerts to investigations, which allows you to respond to the issue with all relevant context about the investigation in a single place.

Alerts and notable events

While alerts notify you about potentially suspicious activity, you might also want to be notified about behavior that is plausible, but uncommon (for example, if a user logs in from a location other than where they typically work). You can configure detection rules to create notable events, which–like alerts–can be added to an investigation to provide context. Read more about notable events.

View an alert’s details

You can view the alerts created in InsightIDR to understand the event the alert represents and the detection rule logic that generated it. InsightIDR provides alert details to allow you to gain helpful context during the alert triage process.

To view details for an alert:

  1. From the left menu, go to Alerts.
  2. Search for the alert that you want to view.
  3. Select the Alert Table tab.
  4. In the Actions column, click the Alert Details icon. The Alert Details panel opens with information about the alert.
Tips for the Alert Details panel

You can save time by taking certain actions directly on the Evidence tab of the Alert Details panel:

  • To get a direct link to the alert, click Actions > Copy Link. The link is copied to your clipboard, and you can use it to return to the alert later.
  • To view other alerts that were generated by the same detection rule and have the same actor and priority, click Actions > View Related Alerts. The related alerts display in a new tab.
  • To view the users and assets associated with this alert, click Actions > View Actors, and select a user or asset in the list. Information about the actor displays in a new tab.
  • To update the alert’s status, disposition, priority, and assignee, click the Edit button.
  • To create a new investigation with the alert, select Investigate > Create Investigation. Read more about creating an investigation from an alert.
  • To add the alert to an existing investigation, select Investigate > Add to Existing Investigation. Read more about adding an alert to an existing investigation.
  • If the alert is already part of an investigation, click the Go to Investigation button to view the investigation’s details.

Anatomy of an alert

Alert information is available on each of the tabs in the Alert Details panel.

Evidence

The Evidence tab displays the primary information about the alert’s current state and how it was generated. The top of the tab provides an overview of the alert, including the Alert Title, Priority, Assignee, Disposition, and Status. If you’re an MDR customer and the alert is managed by Rapid7, this tab also displays the Rapid7 managed tag, as well as any other tags that the Rapid7 SOC has added to the alert. The expandable sections provide information about how the alert was generated, including:

  • Description and Recommendation - A brief description of the alert and recommendation(s) for triage.
  • Process Tree - Details about the process that occurred when the alert was generated and the processes that occurred before and after.
  • Rule Logic and Matched Data - Detection rule logic that generated the alert and the corresponding key-value payload data from your environment.
    • View the payload data as a table or in JSON format.
    • Select the Highlight matching keys and Filter matching keys toggles to quickly view the values that the detection rule alerted you to.
    • Click Show Rule Logic and Hide Rule Logic to adjust your view.
    • Click View Log Entry in the alert payload to view the associated log entry in Log Search with the relevant log and time range selected.

Different Experience for AWS GuardDuty Alerts

As part of an open beta, we are currently experimenting with a new layout for Evidence. This new layout only appears for alerts generated by AWS GuardDuty. This new layout will continue to be revised over the coming months. When viewing an alert from GuardDuty, the Evidence tab contains four sub-tabs:

  • Alert Overview - This tab displays information that is similar to a non-Guard Duty alert's Evidence tab, providing details about how and why the alert was generated.
  • Impacted Resources - Displays details about the resources that are potentially impacted by the alert.
  • Remediation, Scripts & Queries - Provides remediation steps as well as scripts and queries you can use to assist with remediation.
  • AWS GuardDuty JSON - Displays the full JSON of the AWS GuardDuty alert object.
Exceptions

The Exceptions tab displays information about any exceptions that exist in the detection rule that generated the alert. The detection rule exceptions provide additional context around the intent behind the rule and can help indicate whether the resulting alert represents suspicious behavior.

You can also create new exceptions on this tab for key-value pairs that are relevant to the specific alert. Read more about creating detection rule exceptions.

MITRE ATT&CK

The MITRE ATT&CK tab includes the MITRE ATT&CK tactic mapped to the detection rule that generated the alert. The MITRE ATT&CK tactic helps direct you to other areas in your environment that might be compromised by the threat, if the alert represents suspicious activity.

Read more about which ABA detection rules map to which MITRE ATT&CK tactics.

Monitor and triage alerts

To locate the alerts whose details you want to view, you can apply filters and create queries that narrow your view to only the alerts that are relevant. You can also choose which columns display in the tables on the Alert Table and Data Stacking tabs.

Additionally, you can save your view as a workspace, allowing you to go back to your search and selected table columns later. For example, you might create a workspace for table views that you use often.

Understand the alerts table and data stacking

You can view alerts on two tabs:

  • Alert Table - This tab displays each alert on its own row.
  • Data Stacking - This tab groups alerts based on identical values in one or more table columns, and displays the Count of alerts in that group.

As you triage alerts, you switch between both views, depending on the information that you want to consume. The Alert Table tab is useful when you want to get more detail on a single alert. The Data Stacking tab is useful when you want to group alerts that are similar, for example, to determine which alerts are related.

Search for alerts

To narrow your view of alerts on the Alert Table and Data Stacking tabs, you can apply filters or create a query to return only the alerts that are relevant.

To search for alerts:

  1. From the left menu, go to Alerts.
  2. Apply one or more optional filters to narrow the list of alerts:
    • Date Range - Filter for alerts that occurred within a specific time period.
    • Not Included in an Investigation - Filter for alerts that are not included in an investigation.
    • MDR Responsibility - Filter for alerts that are the responsibility of the Rapid7 MDR SOC or your organization.
    • Priority - Filter for alerts with the priority you select.
    • Status - Filter for alerts with the status you select.
    • Alert Name - Filter for alerts with a specific alert name.
    • Assignee - Filter for alerts that are assigned to a specific user.
    • Disposition - Filter for alerts with the disposition you select.
    • Event Type - Filter for alerts based on event type.
  3. Optionally, enter a query using Log Entry Query Language (LEQL) in the query bar, and click the Apply button.
  4. Review the alerts on the Alert Table and Data Stacking tabs. Both tabs update based on the filters you apply.

Edit table layouts

You can choose which columns display on the Alerts Table and Data Stacking tabs, which allows you to focus your view to only relevant information. The available table columns are sourced from the event sources and corresponding keys that InsightIDR supports.

To choose the table columns that display:

  1. From the left menu, go to Alerts.
  2. Select the Alert Table tab or Data Stacking tab, depending on the information that you want to view. The table columns you choose reflect only on the tab you're viewing.
  3. Click the Edit Table button.
  4. On the left, expand the groups in the Keys section, and click Select next to the individual keys to display as columns in the table.
  5. Optionally, drag the keys in the order that you want the columns to display.
  6. Optionally, click the Show and Hide icons to limit which selected keys are visible in the table.
  7. Click the Apply Selection button. The keys you selected display as columns on the Alerts Table tab or Data Stacking tab.
Tips for the table editor

Edit table layouts more efficiently with these tips:

  • To save a group of table columns for later, click the Save as Layout button in the upper right, and enter a Group Name to identify the column layout later.
  • To apply a saved column layout, expand the Saved Layouts section, and click Select next to the column layout to apply. You can continue to add or remove keys from the column layout as needed.
  • To return the column layout to its default state, click the Restore to Default button in the lower left.

Save your view as a workspace

After applying filters and queries and adjusting the table columns displayed on the Alert Table and Data Stacking tabs, you might want to save your view so that you can return to a specific list of alerts later. To save your view, you can create a workspace, which gives you the option to save the attributes you applied to the alerts.

To save a workspace:

  1. From the left menu, go to Alerts.
  2. Apply filters or enter a query to narrow your view.
  3. On the Alert Table and Data Stacking tabs, edit the table columns to display the information that you want to view.
  4. Above the table, click the Save as Workspace button.
  5. In the Name field, enter a descriptive workspace name, which is used to identify the workspace later.
  6. Optionally, in the Description field, enter a brief description of the workspace.
  7. Below Includes, select the attributes to save in the workspace.
  8. Click the Save button. The workspace is saved.

To apply a saved workspace:

  1. From the left menu, go to Alerts.
  2. Above the table click, the Saved Workspaces button.
  3. Click Run next to the workspace that you want to apply. The settings in the workspace are applied to your view.

To return to the default workspace:

  1. From the left menu, go to Alerts.
  2. Above the table click, the Saved Workspaces button.
  3. Click the Restore to Default button in the lower left. The alerts page returns to its default view.