Anatomy of an Alert
Alerts represent specific events that could indicate a threat or an anomaly. This article explains the information that makes up an alert and where to find it.
Evidence
Alert information is available on each of the tabs in the Alert Details panel.
For most alerts
For alerts other than Amazon GuardDuty and Azure alerts, the Evidence tab displays the primary information about the alert’s current state and how it was generated. The top of the tab provides an overview of the alert, including the Alert Title, Priority, Assignee, Disposition, and Status. If you’re an MDR customer and the alert is managed by Rapid7, this tab also displays the Rapid7 managed tag, as well as any other tags that the Rapid7 SOC has added to the alert. The expandable sections provide information about how the alert was generated, including:
- Description and Recommendation - A brief description of the alert and recommendation(s) for triage.
- Process Tree - Details about the process that occurred when the alert was generated and the processes that occurred before and after.
- Rule Logic and Matched Data - Detection rule logic that generated the alert and the corresponding key-value payload data from your environment.
- View the payload data as a table or in JSON format.
- Select the Highlight matching keys and Filter matching keys toggles to quickly view the values that the detection rule alerted you to.
- You can adjust your view using Show Rule Logic and Hide Rule Logic.
- You can search the source IP address on IPHub by clicking the link in Payload.
- You can analyze any additional IP addresses, domains, URLs, or file hashes by clicking the link in Payload.
- You can view the detection_context field to assist with alert triage and investigation. Note, however, that this field is not available in Log Search.
- Click View Log Entry in the alert payload to view the associated log entry in Log Search with the relevant log and time range selected.
- When viewing the log entry, you can also search your logs to gain context about the alert and add log data to the investigation to save log entries of interest for later reference.
- Keep in mind that it can take up to 5 minutes for log data to populate after the investigation is created due to user attribution.
- Related alerts - Details about additional alerts that were generated for the same organization including those based on actors.
- Users and Assets - Details about the users and assets associated with the alert. These details can be used to identify and locate the user or asset in the network or organization.
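The Rule Logic and Matched Data section, with its Highlight matching keys and Filter matching keys toggles, is easier to reason about with a concrete payload and rule in hand. The following is an added example, not code from this page or from Rapid7 InsightIDR: it evaluates a constructed, simplified rule (a list of key/operator/value conditions that must all hold) against a constructed key-value payload, reports which keys matched, and produces both a "filter matching keys" view and a "highlight matching keys" table view. The field names, the rule syntax, and the sample values are all assumptions made for illustration.

```python
import json

# Constructed sample payload (not taken from the page): a failed network
# logon event shaped as the key-value pairs shown under Matched Data.
# Every field name here is an assumption, not an InsightIDR schema.
SAMPLE_PAYLOAD = json.loads("""
{
  "source_ip": "203.0.113.45",
  "destination_user": "svc_backup",
  "logon_type": "NETWORK",
  "result": "FAILED_BAD_PASSWORD",
  "failure_count": 12,
  "hostname": "fs01",
  "detection_context": {"rule_family": "Credential Access"}
}
""")

# Constructed rule logic: (key, operator, expected value) conditions that
# must all hold for the rule to fire. This mirrors the idea of the
# Rule Logic block only; the real rule syntax is not reproduced here.
SAMPLE_RULE = [
    ("result", "eq", "FAILED_BAD_PASSWORD"),
    ("logon_type", "eq", "NETWORK"),
    ("failure_count", "gte", 10),
]

OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "gte": lambda actual, expected: isinstance(actual, (int, float)) and actual >= expected,
    "contains": lambda actual, expected: isinstance(actual, str) and expected in actual,
}


def matched_keys(payload, rule):
    """Return the payload keys whose values satisfy a rule condition.
    A condition whose key is absent from the payload cannot match."""
    matched = set()
    for key, op, expected in rule:
        if key in payload and OPERATORS[op](payload[key], expected):
            matched.add(key)
    return matched


def rule_fires(payload, rule):
    """True only when every condition matches (conjunctive rule)."""
    return all(key in payload and OPERATORS[op](payload[key], expected)
               for key, op, expected in rule)


def filter_matching(payload, rule):
    """Equivalent of the 'Filter matching keys' toggle: keep only the
    key-value pairs the rule logic actually matched on."""
    keys = matched_keys(payload, rule)
    return {k: v for k, v in payload.items() if k in keys}


def render_table(payload, rule):
    """Equivalent of the table view with 'Highlight matching keys' on:
    matched keys are prefixed with '*' so they stand out when printed."""
    keys = matched_keys(payload, rule)
    width = max(len(k) for k in payload)
    lines = []
    for k, v in payload.items():
        mark = "*" if k in keys else " "
        lines.append(f"{mark} {k.ljust(width)}  {json.dumps(v)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(SAMPLE_PAYLOAD, SAMPLE_RULE))
    print("rule fires:", rule_fires(SAMPLE_PAYLOAD, SAMPLE_RULE))
    print(json.dumps(filter_matching(SAMPLE_PAYLOAD, SAMPLE_RULE), indent=2))
```

The filtered view is what an analyst wants first during triage (what exactly tripped the rule); the highlighted full table is what they want next, because the unmatched fields (here the source IP, the target user, the host, and the detection_context) supply the context needed to decide whether the match is benign.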
For Amazon GuardDuty alerts (open beta)
Open beta
The experience for Amazon GuardDuty alerts is currently in open beta. It may continue to evolve over the coming months.
For GuardDuty alerts, the Evidence tab displays the same information as for other alerts, plus extra details specific to GuardDuty, including the following sub-tabs:
- Alert Overview - This tab displays information that is similar to a non-GuardDuty alert's Evidence tab, providing details about how and why the alert was generated.
- Impacted Principal - Displays details about the principal that initiated the alert, including user name, ARN, and account ID, as well as any role changes made by the principal during the action that generated the alert. For instructions on exploring impacted principal details, visit Explore Principal Insight.
- Impacted Resources - Displays details about the resources that are potentially impacted by the alert, including information collected from InsightCloudSec at the time the alert was triggered.
- Remediation, Scripts & Queries - Provides remediation steps as well as scripts and queries you can use to assist with remediation.
- AWS GuardDuty JSON - Displays the full JSON of the AWS GuardDuty alert object.
Explore Principal Insight
You can use the Principal Insight tool to explore IP addresses and AWS roles that are related to a given principal.
To use the Principal Insight tool:
- Go to the Impacted Principal tab.
- Click Principal Insight.
- Pick an attribute to explore:
  - IP Address
    - Click IP Address. A list of related IP addresses loads.
    - Click an address in the list. A pop-up window containing details about the address loads.
    - Optionally, click Fetch Related Principals. A list of AWS principals loads.
    - Optionally, click a principal, then Focus on this Principal to restart the workflow from the perspective of the selected principal.
  - Role
    - Click Role. A list of related AWS principals loads.
    - Click a principal, then Focus on this Principal to restart the workflow from the perspective of the selected principal.
For Azure alerts (open beta)
Open beta
This experience for Azure alerts is currently in open beta. It may continue to evolve over the coming months.
InsightIDR supports processing alerts for Azure Defender for Cloud (ADC) and Azure Kubernetes Service (AKS). For ADC and AKS alerts, the Evidence tab displays the same information as for other alerts, plus extra details specific to ADC and AKS, including the following sub-tabs:
- Alert Summary - This tab displays information that is similar to a non-ADC or non-AKS alert's Evidence tab, providing details about how and why the alert was generated.
- Impacted Resources - Displays details about the resources that are potentially impacted by the alert.
- Enrichment - Displays data related to the impacted resources collected from InsightCloudSec at the time the alert was triggered.
- Remediation - Provides remediation steps as well as scripts and queries you can use to assist with remediation.
- Azure Defender for Cloud JSON - Displays the full JSON of the ADC alert object.
For Endpoint Prevention alerts
The evasion tactics that Endpoint Prevention interferes with correspond to the solution's Prevention Engines. An Endpoint Prevention alert includes the fields common to other InsightIDR alerts, but it also includes additional details specific to the Prevention Engine rules.
These additional fields are unique to Endpoint Prevention alerts:
- Agent action - The action taken on the reported process or threat, based on the prevention group that the endpoint was assigned to during the time of the event.
- Process full path - The full path of the file that triggered the alert.
- Command line - The full command line of the process that triggered the alert.
- Event type - The category of the rule name, corresponding to the prevention engine.
- File hash - The SHA-256 hash of the file that triggered the alert.
- Host name - The host name of the endpoint that reported the alert.
- Certificate information - The certificate information of the file that triggered the alert, which is applicable for signed processes.
- PID - The process ID of the file that triggered the alert.
- PPID - The process ID of the parent process for the process that triggered the alert.
- Parent process full path - The full path of the parent process for the process that triggered the alert.
- Armor version - The underlying component version of Endpoint Prevention, referred to as Armor.
- Rule name - The name of the Endpoint Prevention rule responsible for the alert.
- User name - The user that executed the process that triggered the alert.
- Prevention group - The name of the prevention group that the endpoint triggering the alert is assigned to.
- Local IP - The local IP of the endpoint reporting the event.
- Repeat counter - The number of similar events received in the last 24 hours.
- First received time - The server time when the first similar event was received.
- Additional info - Additional information regarding the endpoint action in the alert. Depending on the event type, different details display.
- Alert type specific details - Additional forensic information about the alert.
- Process hierarchy - Information about every parent process of the process that triggered the alert, including PID, time created, hash, command line, and the user that created the process.
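Both the Process Tree section of a standard alert and the Process hierarchy field of an Endpoint Prevention alert are built from the same raw material: a flat list of process records linked by PID and PPID. The following is an added example, not code from this page or from Rapid7 InsightIDR, that reconstructs that structure from constructed records: it walks the PPID chain from the triggering process up to its root (stopping cleanly on an orphaned process or a PPID cycle), renders the full tree with creation times and users, and applies one illustrative triage heuristic over the lineage. The record layout, the sample paths, PIDs, users and command lines are all invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRecord:
    """One process as it appears in a process hierarchy (assumed layout)."""
    pid: int
    ppid: int
    path: str
    cmdline: str
    user: str
    created: str  # ISO 8601 timestamp string


# Constructed sample records (not from the page): a document-handling
# application spawning a command shell, which in turn starts PowerShell.
# This is the lineage shape the Process Tree section helps an analyst spot.
SAMPLE_PROCESSES = [
    ProcessRecord(4, 0, "System", "", "NT AUTHORITY\\SYSTEM", "2024-01-10T08:00:00Z"),
    ProcessRecord(812, 4, r"C:\Windows\explorer.exe", "explorer.exe", "CORP\\jdoe", "2024-01-10T08:02:11Z"),
    ProcessRecord(2210, 812, r"C:\Program Files\Office\WINWORD.EXE", "WINWORD.EXE /n invoice.docm", "CORP\\jdoe", "2024-01-10T09:14:03Z"),
    ProcessRecord(2348, 2210, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell.exe -NoProfile -EncodedCommand <constructed placeholder>", "CORP\\jdoe", "2024-01-10T09:14:07Z"),
    ProcessRecord(2371, 2348, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile -EncodedCommand <constructed placeholder>", "CORP\\jdoe", "2024-01-10T09:14:08Z"),
]

# Illustrative name sets for the triage heuristic below; not an InsightIDR rule.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def index_by_pid(records):
    return {r.pid: r for r in records}


def ancestry(records, pid):
    """Root-first chain from the process's root ancestor down to `pid`.
    Stops on a missing parent (orphan) or on a PPID cycle, both of which
    real process data can contain; an unknown pid yields an empty chain."""
    by_pid = index_by_pid(records)
    chain, seen = [], set()
    current = by_pid.get(pid)
    while current is not None and current.pid not in seen:
        seen.add(current.pid)
        chain.append(current)
        current = by_pid.get(current.ppid)
    return list(reversed(chain))


def render_tree(records):
    """Indented text rendering of every process whose parent is unknown
    (a root) and all of its descendants, children ordered by creation time."""
    by_pid = index_by_pid(records)
    children = {}
    for r in records:
        children.setdefault(r.ppid, []).append(r)
    roots = [r for r in records if r.ppid not in by_pid]
    lines, visited = [], set()

    def walk(rec, depth):
        if rec.pid in visited:  # guard against PPID cycles
            return
        visited.add(rec.pid)
        lines.append(f"{'  ' * depth}{rec.pid} {basename(rec.path)} [{rec.user}] {rec.created}")
        for child in sorted(children.get(rec.pid, []), key=lambda c: c.created):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def office_spawned_shell(chain):
    """Triage heuristic over a root-first chain: does an Office application
    appear anywhere above a command shell? Illustrative only."""
    seen_office = False
    for rec in chain:
        name = basename(rec.path)
        if name in OFFICE_APPS:
            seen_office = True
        elif seen_office and name in SHELLS:
            return True
    return False


if __name__ == "__main__":
    print(render_tree(SAMPLE_PROCESSES))
    lineage = ancestry(SAMPLE_PROCESSES, 2371)
    print(" -> ".join(basename(r.path) for r in lineage))
    print("office app above a shell:", office_spawned_shell(lineage))
```

The cycle and orphan guards matter in practice: process records collected at different times can reference a parent that exited before it was recorded, or a recycled PID, and a renderer that assumes a clean tree will either loop or crash on exactly the alerts that most need a look.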
Exceptions
The Exceptions tab displays information about any exceptions that exist in the detection rule that generated the alert. The detection rule exceptions provide additional context around the intent behind the rule and can help indicate whether the resulting alert represents suspicious behavior.
You can also create new exceptions on this tab for key-value pairs that are relevant to the specific alert. Visit Exceptions and Creating Detection Rule Exceptions for details.
Audit Log
The Audit Log tab includes a detailed chronological view of every action taken in relation to the alert, when the action was taken, and by which user.
Read more about viewing the alert audit log.
MITRE ATT&CK
The MITRE ATT&CK tab includes the MITRE ATT&CK tactic mapped to the detection rule that generated the alert. The MITRE ATT&CK tactic helps direct you to other areas in your environment that might be compromised by the threat, if the alert represents suspicious activity.
Read more about which ABA detection rules map to which MITRE ATT&CK tactics.