Alerts

While InsightIDR is running, it continuously finds and collects thousands of potential threats from all of its monitored assets and endpoints. Many of these activities would raise alarms or set off alerts even though they are not high-profile threats, which can quickly lead to burnout for the security team investigating them.

MDR Customers

Alert Settings changes can be made upon request; please reach out to your Customer Advisor.

Understand Different Kinds of Alerts

Alerts arrive as an email containing an incident number and a short description, informing you of notable events and suspicious behavior captured by InsightIDR.

There are several different kinds of alerts and alert settings available:

Notable Events

Notable events do not generate alerts or investigations.

As part of InsightIDR’s User Behavior Analytics (UBA), the solution monitors and baselines each user’s activity, establishing a pattern for which asset(s) the user owns, which assets they access, where they log in remotely from, and what other actions they take.

Some notable events help identify user anomalies against this baseline, such as "New Asset Logon" or "First Time Ingress from Country." Other notable events are effectively low-fidelity alerts, such as "Account Lockout" or "Virus Alert." Almost any network will experience a large number of notable events on any given day, so treating them as alerts would flood the end user; this is why notable events do not generate alerts on their own.

Instead, notable events are automatically added to Investigation Timelines when a user is involved in a “real” alert to provide additional context. This helps analysts better contextualize the behavior without these notable events going completely unobserved.

Example Use Case

The alert "Bruteforce — Domain Account" indicates that employee John Doe was locked out of his account because he was the target of a brute-force attempt.

This unique, two-tiered detection system flags anomalous events and includes them in investigations without overwhelming security incident response teams with false positives. Notable events are the events that fall between expected behavior and alert-worthy behavior.

You can change the default Rule Action on the Detection Rules page.

Built-In Alerts

InsightIDR checks for the following incidents when creating an alert:

Alert Name

Description

Account created

A new account has been created.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. For restricted asset authentications, however, the baseline ages out after 90 days with no authentications.

Account enabled

A previously disabled user account has been re-enabled by an administrator.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. For restricted asset authentications, however, the baseline ages out after 90 days with no authentications.

Account leak

Indicates that some account names in your environment are present in credential dumps from external data breaches of other websites or other external sources. InsightIDR generates this alert if accounts in your environment match what is out in the public domain. This does not mean that the credentials present in the public domain match those used in your environment, but they may if the user reused the same password on these third-party sites as used for your environment. Based on your company's password policy and age of the leak data, these alerts may be considered low-fidelity and more informational.

Account locked

An account has been locked.

Account password reset

A user resets the password for an account.

Account privilege escalated

An administrator has assigned a higher level of privileges to the account.

Account received suspicious link

A user has received an email containing a link flagged by the community or threat feeds.

Account unlocked

A previously locked user account has been unlocked by an administrator.

Account visits suspicious link

A user has accessed a link URL on the tracked threat list.

Advanced malware alert

An advanced malware system has generated an alert.

Application authentication - new source

A permitted user is authenticating to an application from a new source asset.

Application authentication - new user

A new user is authenticating to an application.

Authentication attempt from disabled account

A disabled user attempted to access an asset.

Denylisted application authentication

A user is authenticating to an application that you previously indicated they were not allowed to access.

Denylisted authentication

A user is authenticating to a system that you previously indicated they were not allowed to access.

Brute force - asset

Many different accounts are attempting to authenticate to the same asset.

Brute force - domain account

A domain account has failed to authenticate to the same asset excessively.

Domain Accounts require 100 failed authentications to a single account within a one hour period before triggering this alert.

Brute force - local account

A local account has failed to authenticate to the same asset excessively.

Local Accounts require 100 failed authentications to a single account within a one hour period before triggering this alert.
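The two ideas above, the 100-failures-in-one-hour threshold for the brute force alerts and the earlier point that notable events such as "Account Lockout" only surface as context once a real alert fires, can be shown together in a small detector. The following Python is an added example written for this page, not InsightIDR's own code: the log format, the field names, the per-(user, asset) keying and the 24-hour context window used to pull notable events into the timeline are all assumptions of the example, and the events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as stated on the page: 100 failed authentications to a single
# account within a one hour period. Keying by (user, asset) follows the
# alert description ("failed to authenticate to the same asset excessively").
FAILED_AUTH_THRESHOLD = 100
WINDOW = timedelta(hours=1)
# How far around the alert to pull notable events into the timeline.
# Assumption for this example only; the page does not document a value.
CONTEXT_WINDOW = timedelta(hours=24)


def parse_event(line):
    """Parse one constructed log line: '<iso-timestamp> <kind> key=value ...'."""
    ts, kind, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, **fields}


def detect_bruteforce(events):
    """Sliding-window detector: one 'Brute force - domain account' alert per
    (user, asset) once 100 failures land inside any one-hour window."""
    windows = defaultdict(deque)   # (user, asset) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth_fail":
            continue
        key = (ev["user"], ev["asset"])
        window = windows[key]
        window.append(ev["ts"])
        # Drop failures more than one hour older than the newest one.
        while ev["ts"] - window[0] > WINDOW:
            window.popleft()
        if len(window) >= FAILED_AUTH_THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"alert": "Brute force - domain account",
                           "user": ev["user"], "asset": ev["asset"], "ts": ev["ts"]})
    return alerts


def build_investigation(alert, events):
    """Attach the alerted user's notable events near the alert time to the
    investigation timeline; on their own those notable events raise nothing."""
    timeline = [e for e in events
                if e["kind"] == "notable" and e["user"] == alert["user"]
                and abs(e["ts"] - alert["ts"]) <= CONTEXT_WINDOW]
    return {"alert": alert, "timeline": sorted(timeline, key=lambda e: e["ts"])}


def sample_events():
    """Constructed sample data for the example (not real telemetry)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # 100 failures against jdoe on DC01 inside 50 minutes: meets the threshold.
    for i in range(100):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} "
                     f"auth_fail user=jdoe asset=DC01")
    # 40 failures against asmith on FS01 spread over four hours: never 100 in one hour.
    for i in range(40):
        lines.append(f"{(base + timedelta(minutes=6 * i)).isoformat()} "
                     f"auth_fail user=asmith asset=FS01")
    # Notable events that would not page anyone by themselves.
    lines += [
        f"{(base + timedelta(minutes=49)).isoformat()} notable user=jdoe event=Account_Lockout",
        f"{(base - timedelta(hours=3)).isoformat()} notable user=jdoe event=New_Asset_Logon",
        f"{(base + timedelta(minutes=200)).isoformat()} notable user=asmith event=Account_Lockout",
    ]
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    events = sample_events()
    for alert in detect_bruteforce(events):
        inv = build_investigation(alert, events)
        print(alert["alert"], alert["user"], alert["asset"], alert["ts"])
        for e in inv["timeline"]:
            print("  context:", e["ts"], e["event"])
```

Running it produces exactly one alert, for jdoe on DC01; asmith's failures never reach 100 within an hour, so their "Account Lockout" notable event stays in the background, while jdoe's lockout and earlier "New Asset Logon" are pulled into the investigation timeline as context.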

Detection evasion - event log deletion

A user has deleted event logs on an asset.

Detection evasion - local event log deletion

A local account has deleted event logs on an asset.

Exploit mitigated

An exploit has been mitigated in a process.

First ingress authentication from country

An account has connected to the network for the first time.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

First time admin action

A user has performed an admin action.

Flagged hash on asset

A flagged process hash has started running on an asset for the first time.

Flagged process on asset

A flagged process name has started running on an asset for the first time.

Harvested credentials

Multiple accounts are attempting to authenticate to a single, unusual location.

Honey file accessed

A honey file was accessed on a shared file server.

Honey user authentication

There was an attempt to log in using a honey user account.

Honeypot access

There was an attempt to connect to a network honeypot.

Ingress from account whose password never expires

An account with a password that never expires has accessed the network from an external location.

Ingress from community threat

A user has logged in to the network using an IP address that is part of a currently tracked threat.

Ingress from disabled account

A disabled user has logged in to the network or a monitored cloud service.

Ingress from domain admin

A domain administrator account has accessed the network from an external location.

Ingress from service account

A service account has accessed the network from an external location.

Ingress from threat

A user has accessed the network from an IP address on the threat list.

Kerberos privilege elevation exploit

A user has exploited the Windows Kerberos Vulnerability CVE-2014-6324 to elevate their privileges.

Lateral movement - administrator impersonation

A user has authenticated to an administrator account.

Lateral movement - domain credentials

A domain account has attempted to access several new assets in a short period of time.

This alert is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity.

Lateral movement - local credentials

A local account has attempted to access several assets in a short period of time.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

Lateral movement - service account

A service account is authenticating from a new source asset.

This alert is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity.

Lateral movement - watched user impersonation

A user has authenticated to a watched user's account.

LDAP admin added

A user has been added to a privileged LDAP group.

Local honey credential privilege escalation attempt

Local honey credential privilege escalation attempt.

Malicious hash on asset

A malicious hash was found on an asset.

Multiple country authentications

A user has accessed the network from many different countries in a short period of time.

Multiple organization authentications

A user has accessed the network from multiple external organizations too quickly.

Network access for threat

A user has accessed a domain or IP address on the tracked threat list.

New asset logon

A user is authenticating to a new asset.

New assets authenticated

A user has accessed a significant number of new assets in a short time.

This alert is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity.

New local user account created

An account has created a new local user account.

New AWS Region Detected

Activity in a specific AWS region has been seen for the first time.

New AWS EC2 Instance Family Detected

An EC2 instance family was launched for the first time.

New AWS Service

An AWS Service was used for the first time.

Password set to never expire

A user's password has been set to never expire.

Protocol poisoning detected

Poisoning of a network protocol has been detected.

Remote file execution detected

Remote file execution has been detected.

Remote honey credential authentication attempt

Remote honey credential authentication attempt.

Restricted asset authentication - new source

A permitted user is authenticating to a restricted asset from a new source asset.

This alert is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity.

Restricted asset authentication - new user

A new user is authenticating to a restricted asset.

This alert is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity.

Spear phishing URL detected

A user visited a potential phishing domain.

Third party alert - AWS GuardDuty

AWS GuardDuty has detected suspicious or malicious activity.

Third party alert - Carbon Black Response

Carbon Black Response has detected suspicious or malicious activity.

Virus alert

A virus has been found on an asset.

Wireless multiple country authentications

A user has logged onto the network using a mobile device from too many countries in a short period of time.

Wireless multiple organization authentications

A user has logged onto the network with a wireless device from a large number of distinct organizations too quickly.

Zone policy violation

A user has violated a network zone policy configured in InsightIDR.

Built-in alerts during baseline period

An asset or user can be placed in a baselining period while InsightIDR learns about its behavior.

The baseline is a temporary state, not a permanent one. It usually starts when a specific user or asset is created in the InsightIDR database, and it lasts 21 days after a user has been created and 14 days after an asset has been created.

Notable events and custom alerts are not affected by the baseline. However, the following built-in alerts will not be generated during the baselining period:

Alert Name | Effect during baselining period
Lateral movement - domain credentials | Not generated if the user or the destination asset is in the baselining period.
Lateral movement - service account | Not generated if any user, source, or destination asset is in the baselining period.
New assets authenticated | Not generated if the user is in the baselining period.
Restricted asset authentication - new source | Not generated if any user, source, or destination asset is in the baselining period.
Restricted asset authentication - new user | Not generated if either the user or the asset is in the baselining period.
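The table above, combined with the 21-day user and 14-day asset baselines, amounts to a small suppression rule that an analyst can reason about when an expected alert does not appear. The following Python is an added example written for this page, not InsightIDR's own logic: it encodes the table as data and decides whether a built-in alert is suppressed given when the user, source asset and destination asset were created. Treating the "asset" in the "new user" row as the destination (the restricted asset) is an assumption of the example.

```python
from datetime import datetime, timedelta

# Baseline durations as stated on the page.
USER_BASELINE = timedelta(days=21)
ASSET_BASELINE = timedelta(days=14)

# Which entities the page's table says must be out of baseline for each alert.
# The "new user" row says "user or asset"; mapping that asset to the
# destination (the restricted asset) is an assumption of this example.
BASELINE_RULES = {
    "Lateral movement - domain credentials": {"user", "destination"},
    "Lateral movement - service account": {"user", "source", "destination"},
    "New assets authenticated": {"user"},
    "Restricted asset authentication - new source": {"user", "source", "destination"},
    "Restricted asset authentication - new user": {"user", "destination"},
}


def in_baseline(created, now, period):
    """An entity is baselining until `period` has elapsed since its creation.
    An unknown creation time (None) is treated as out of baseline."""
    return created is not None and now - created < period


def baseline_ends(created, period):
    """When the baselining period for an entity created at `created` expires."""
    return created + period


def alert_suppressed(alert_name, now, user_created, source_created=None, dest_created=None):
    """Return (suppressed, reasons): which baselining entities block this alert.
    Alerts absent from BASELINE_RULES (custom alerts, notable events and the
    other built-ins) are never suppressed by the baseline."""
    checked = BASELINE_RULES.get(alert_name)
    if checked is None:
        return False, []
    candidates = {
        "user": (user_created, USER_BASELINE),
        "source": (source_created, ASSET_BASELINE),
        "destination": (dest_created, ASSET_BASELINE),
    }
    reasons = []
    for name in ("user", "source", "destination"):
        created, period = candidates[name]
        if name in checked and in_baseline(created, now, period):
            reasons.append(name)
    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed sample: a user onboarded 10 days ago, a destination asset 5 days ago.
    now = datetime(2024, 3, 1)
    new_user = now - timedelta(days=10)
    old_user = now - timedelta(days=30)
    new_asset = now - timedelta(days=5)
    for name in list(BASELINE_RULES) + ["Brute force - domain account"]:
        suppressed, why = alert_suppressed(name, now, user_created=new_user,
                                           dest_created=new_asset)
        print(f"{name}: {'suppressed' if suppressed else 'fires'} {why}")
    print("user baseline ends:", baseline_ends(new_user, USER_BASELINE))
    print("asset baseline ends:", baseline_ends(new_asset, ASSET_BASELINE))
```

With the constructed sample, all five listed alerts are suppressed for the 10-day-old user while "Brute force - domain account" still fires; once the user is past 21 days, "New assets authenticated" fires again even if the destination asset is still new, because that row only checks the user.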

Other Resources

You can also utilize Attacker Behavior Analytics (ABA).