Anatomy of an Alert

For alerts other than Amazon GuardDuty, Azure, Endpoint Detection, and Google Cloud Platform (GCP) Security Command Center (SCC) alerts, the Evidence tab may include the following sections:

• Process Tree - Details about the process that occurred when the alert was generated and the processes that occurred before and after.
• Description and Recommendation - A brief description of the alert and recommendation(s) for triage.
• Rule Logic and Matched Data - Detection rule logic that generated the alert and the corresponding key-value payload data from your environment.
  • View the payload data as a table or in JSON format.
  • Select the Highlight matching keys and Filter matching keys toggles to quickly view the values that the detection rule alerted you to.
  • You can adjust your view using Show Rule Logic and Hide Rule Logic.
  • You can search the source IP address on IPHub by clicking the link in Payload.
  • You can analyze any additional IP addresses, domains, URLs, or file hashes by clicking the link in Payload.
  • You can view the detection_context field to assist with alert triage and investigation. Note, however, that this field is not available in Log Search.
  • Click View Log Entry in the alert payload to view the associated log entry in Log Search with the relevant log and time range selected.
    • When viewing the log entry, you can also search your logs to gain context about the alert and add log data to the investigation to save log entries of interest for later reference.
    • Keep in mind that it can take up to 5 minutes for log data to populate after the investigation is created due to user attribution.
    • For relevant detection rules, you can review the AI-suggested disposition and the reason this decision was reached.
• Related Indicators of Compromise (IoC) - A specific artifact, such as an IP address, file hash, domain, or process name, identified within the alert that signals potential malicious activity or a known threat actor’s behavior.
• Anomaly Data Transfer (ADT) - The Anomalous Data Transfer (ADT) rule dynamically derives a baseline for each asset in your environment based on its active periods over 30 days. Every hour, the rule will detect network activity that is anomalously high in comparison to the baseline. This process reduces millions of network connections into a few detections that will alert you according to your Rule Action settings.
• Intrusion Detection System (IDS) - An application that monitors for malicious activity and policy violations on your network. When configuring this event source in SIEM (InsightIDR), the IDS data is attributed to the user and asset details page and allows you to search through the data. However, it does not produce alerts.
• Related Threats - Images from the risk that is associated with the alert.

For GuardDuty alerts, the Evidence tab displays the same information as for other alerts, plus extra details specific to GuardDuty, including the following sub-tabs:

• Alert Overview - This tab displays information that is similar to a non-GuardDuty alert’s Evidence tab, providing details about how and why the alert was generated.
• Impacted Principal - Displays details about the principal that initiated the alert, including user name, ARN, and account ID, as well as any role changes made by the principal during the action that generated the alert.
  • Principal Insights - Use Principal Insights to explore IP addresses and AWS roles that are related to a given principal. For instructions on exploring impacted principal details, visit Explore Principal Insight.
  • View in Log Search - Opens Log Search, displaying log entries from multiple sources, related to the activity of the specific principal in your cloud environment. This provides a chronological overview of the principal’s activity that generated the alert. Read more about Log Search .
• Impacted Resources - Displays details about the resources that are potentially impacted by the alert, including information collected from Cloud Security (InsightCloudSec)](https://docs.rapid7.com/insightcloudsec/ ) at the time the alert was triggered.
• Enrichment - Displays data related to the impacted resources collected from Cloud Security (InsightCloudSec)](https://docs.rapid7.com/insightcloudsec/ ) at the time the alert was triggered. The following data types are collected from Cloud Security (InsightCloudSec):
  • Harvested resources cloud attributes 
  • Threat findings relevant to the inquired resource 
  • Security insights relevant to the inquired resource 
  • Resource Vulnerabilities 
  • Attack Path 
  • Application context regarding the specified resource
  • Permissions and actions (in case the resource is a principal)
  • Related resource (attack pattern analysis) data
• Remediation, Scripts & Queries - Provides remediation steps as well as scripts and queries you can use to assist with remediation. Remediation options aligned with industry standards and best practices are labeled as Rapid7 Recommended, based on the context of the incident.
• AWS GuardDuty JSON - Displays the full JSON of the AWS GuardDuty alert object.

Explore Principal Insight

You can use the Principal Insight tool to explore IP addresses and AWS roles that are related to a given principal.

To use the Principal Insight tool:

1. Go to the Impacted Principal tab.
2. Click Principal Insight.
3. Pick an attribute to explore:
   • IP Address
     1. Click IP Address. A list of related IP addresses loads.
     2. Click an address in the list. A pop-up window containing details about the address loads.
     3. Optionally, click Fetch Related Principals. A list of AWS principals loads.
     4. Optionally, click a principal then Focus on this Principal to restart the workflow from the perspective of the selected principal.
   • Role
     1. Click Role. A list of related AWS principals loads.
     2. Click a principal then Focus on this Principal to restart the workflow from the perspective of the selected principal.

SIEM (InsightIDR) supports processing alerts for Azure Defender for Cloud (ADC) and Azure Kubernetes Service (AKS). For ADC and AKS alerts, the Evidence tab displays the same information as for other alerts, plus extra details specific to ADC and AKS, including the following sub-tabs:

• Alert Summary - This tab displays information that is similar to a non-ADC or non-AKS alert’s Evidence tab, providing details about how and why the alert was generated.
• • Impacted Principal - Displays details about the principal that initiated the alert, including user name, ARM, and account ID, as well as any role changes made by the principal during the action that generated the alert.
    • Principal Insights - Use Principal Insights to explore IP addresses and Azure roles that are related to a given principal. For instructions on exploring impacted principal details, visit Explore Principal Insight.
    • View in Log Search - Opens Log Search, displaying log entries from multiple sources, related to the activity of the specific principal in your cloud environment. This provides a chronological overview of the principal’s activity that generated the alert. Read more about Log Search .
• Impacted Resources - Displays details about the resources that are potentially impacted by the alert.
• Enrichment - Displays data related to the impacted resources collected from Cloud Security (InsightCloudSec) (https://docs.rapid7.com/insightcloudsec/ ) at the time the alert was triggered. The following data types are collected from Cloud Security (InsightCloudSec):
  • Harvested resources cloud attributes 
  • Threat findings relevant to the inquired resource 
  • Security insights relevant to the inquired resource 
  • Resource Vulnerabilities 
  • Attack Path 
  • Application context regarding the specified resource
  • Permissions and actions (in case the resource is a principal)
  • Related resource (attack pattern analysis) data
• Remediation, Scripts & Queries - Provides remediation steps as well as scripts and queries you can use to assist with remediation.
• Azure Defender for Cloud JSON - Displays the full JSON of the ADC alert object.

The actions Endpoint capabilities take correspond to the Endpoint Detection rules you have configured. While the alert includes fields that are general to other SIEM (InsightIDR) alerts, Endpoint Detection alerts include additional details that are specific to Endpoint Detection rules.

These additional fields are unique to Endpoint Detection alerts:

• Agent action - The action taken on the reported process or threat, based on the prevention group that the endpoint was assigned to during the time of the event.
• Process full path - The full path of the file that triggered the alert.
• Command line - The full command line of the process that triggered the alert.
• Event type - The category of the rule name, corresponding to the prevention engine.
• File hash - The SHA-256 hash of the file that triggered the alert.
• Host name - The host name of the endpoint that reported the alert.
• Certificate information - The certificate information of the file that triggered the alert, which is applicable for signed processes.
• PID - The process ID of the file that triggered the alert.
• PPID - The process ID of the parent process for the process that triggered the alert. Parent process full path - The full path of the parent process for the process that triggered the alert.
• Armor version - The underlying component version of Endpoint Prevention, referred to as Armor.
• Rule name - The name of the Endpoint Prevention rule responsible for the alert.
• User name - The user that executed the process, which triggered the alert.
• Prevention group - The name of the prevention group that the endpoint triggering the alert is assigned to.
• Local IP - The local IP of the endpoint reporting the event.
• Repeat counter - The number of similar events received in the last 24 hours.
• First received time - The server time when the first similar event was received.
• Additional info - Additional information regarding the endpoint action in the alert. Depending on the event type, different details display.
• Alert type specific details - Additional forensic information about the alert.
• Process hierarchy - All parent processes’ information about the triggered process, including PID, time created, hash, command line, and the user that created the process.

For Google Cloud Platform (GCP) Security Command Center (SCC) alerts, the Evidence tab displays the same information as for other alerts, plus extra details specific to GCP, including the following sub-tabs:

• Alert Summary - This tab displays information that is similar to a non-SCC alert’s Evidence tab, providing details about how and why the alert was generated.
• • Impacted Principal - Displays details about the principal that initiated the alert, including user name, Resource URI, and account ID, as well as any role changes made by the principal during the action that generated the alert.
    • Principal Insights - Use Principal Insights to explore IP addresses and GCP roles that are related to a given principal. For instructions on exploring impacted principal details, visit Explore Principal Insight.
    • View in Log Search - Opens Log Search, displaying log entries from multiple sources, related to the activity of the specific principal in your cloud environment. This provides a chronological overview of the principal’s activity that generated the alert. Read more about Log Search .
• Impacted Resources - Displays details about the resources that are potentially impacted by the alert.
• Enrichment - Displays data related to the impacted resources collected from Cloud Security (InsightCloudSec) (https://docs.rapid7.com/insightcloudsec/ ) at the time the alert was triggered. The following data types are collected from Cloud Security (InsightCloudSec):
  • Harvested resources cloud attributes 
  • Threat findings relevant to the inquired resource 
  • Security insights relevant to the inquired resource 
  • Resource Vulnerabilities 
  • Attack Path 
  • Application context regarding the specified resource
  • Permissions and actions (in case the resource is a principal)
  • Related resource (attack pattern analysis) data
• Remediation, Scripts & Queries - Provides remediation steps as well as scripts and queries you can use to assist with remediation.
• GCP SCC JSON - Displays the full JSON of the GCP alert object.