Whenever InsightIDR is running, it detects and collects thousands of potential threats across all of its assets and endpoints. However, a massive number of activities would set off alerts even though they are not high-profile threats, which can quickly lead to burnout for the security team investigating those alerts.
Understand Different Kinds of Alerts
Alerts arrive as an email notification with an incident number and a short description of the suspicious behavior captured by InsightIDR.
You may receive email alerts when InsightIDR detection rules or Custom Alerts match data in your environment and trigger an investigation.
If you do not want to be notified when a detection occurs, but would still like to review event activity when investigating an incident, you have the option to track notable events.
Notable events do not generate alerts or investigations.
Notable events are the events that fall between expected behavior and alert-worthy behavior. You can choose to track notable events for Attacker Behavior Analytics (ABA) and User Behavior Analytics (UBA) detection rules by modifying the rule action.
As a part of InsightIDR’s User Behavior Analytics (UBA), the solution monitors and baselines each and every user’s activity, establishing a pattern for which asset(s) the user owns, which assets they access, where they log in remotely from, and other actions.
Some notable events help identify user anomalies from this baseline, such as "New Asset Logon" or "First Time Ingress from Country." Other notable events are effectively low fidelity alerts, such as "Account Lockout" or "Virus Alert." It is expected that almost any network will experience a large number of notable events on any given day. This prevents InsightIDR from flooding the end user with alerts.
Instead, notable events are automatically added to Investigation Timelines when a user is involved in a “real” alert to provide additional context. This helps analysts better contextualize the behavior without these notable events going completely unobserved.
Example Use Case
The alert "Bruteforce — Domain Account" truly indicates that an employee John Doe was locked out of his account because he was the target of a bruteforce attempt.
This unique, two-tiered detection system flags anomalous events and includes them in investigations without overwhelming security incident response teams with false positives.
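The two-tiered model described above, as an added illustrative example (not InsightIDR's own code or API): notable-tier rules never open an investigation, but when an alert-tier rule fires for a user, that user's recent notable events are pulled into the investigation timeline as context. The rule lists, the 24-hour context window, and the sample events are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed rule tiers: only the first set generates alerts/investigations;
# the second set is tracked silently and surfaces only as timeline context.
ALERT_RULES = {"Bruteforce — Domain Account"}
NOTABLE_RULES = {"Account Lockout", "New Asset Logon",
                 "First Time Ingress from Country", "Virus Alert"}


@dataclass
class Event:
    when: datetime
    rule: str
    user: str
    detail: str


@dataclass
class Investigation:
    user: str
    alert: Event
    timeline: list = field(default_factory=list)


def triage(events, context_window=timedelta(hours=24)):
    """Open an investigation per alert-tier event; attach the same user's
    notable events from the preceding window (assumed: 24h) as context."""
    notable = [e for e in events if e.rule in NOTABLE_RULES]
    investigations = []
    for e in events:
        if e.rule not in ALERT_RULES:
            continue  # notable or unclassified events never alert on their own
        context = [n for n in notable
                   if n.user == e.user and e.when - context_window <= n.when <= e.when]
        inv = Investigation(user=e.user, alert=e,
                            timeline=sorted(context, key=lambda n: n.when) + [e])
        investigations.append(inv)
    return investigations


# Constructed sample stream: two users, three notable events, one real alert.
T0 = datetime(2024, 1, 15, 8, 0)
SAMPLE_EVENTS = [
    Event(T0, "New Asset Logon", "jdoe", "first logon to WKS-0042"),
    Event(T0 + timedelta(hours=1), "Account Lockout", "asmith", "5 failed logons"),
    Event(T0 + timedelta(hours=2), "Account Lockout", "jdoe", "20 failed logons"),
    Event(T0 + timedelta(hours=2, minutes=5), "Bruteforce — Domain Account",
          "jdoe", "412 failed logons from 10.0.0.5 (constructed)"),
]


def summarize(events=SAMPLE_EVENTS):
    """Return (user, alert rule, timeline rule names) for each investigation."""
    return [(i.user, i.alert.rule, [t.rule for t in i.timeline]) for i in triage(events)]
```

Running `summarize()` yields a single investigation for jdoe whose timeline carries his earlier notable events, while asmith's lone lockout stays tracked but never alerts.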