Attacker Behavior Analytics

Attacker Behavior Analytics are pre-built detections modeled around our wide array of threat intelligence. Attacker Behavior Analytics expose the finite ways in which attackers gain persistence on an asset and send and receive commands to victim machines.

Read more about this feature in the Rapid7 blog post here:

ABA Alerts

Each ABA detection hunts for a unique attacker behavior, which you can toggle to an alert, whitelist, or track as notable behavior. To manage these settings, go to Settings > Alert Settings > Attacker Behavior Analytics. Find the indicator or threat you want to manage and change its state in the provided dropdown menu.

Threat and Indicator Expiration

Attacker behaviors are constantly evolving and will become stale, so InsightIDR will expire old behaviors once they are past their value.


Threats are known malicious indicators that appear together during specific attacks. In the provided example, the Credential Harvester threat has several MimiKatz indicators including credential editors and others. However, this group would not appear together in a different threat, such as Ransomware.

On the "Threats" tab, you can expand each threat to see more details about the individual indicators.


Indicators are individual behaviors that are used in attacks. Each of the indicators includes recommended actions to remediate any harm done by the indicator.

Because there are so many indicators, InsightIDR will allow you to display more indicators at the bottom of the page.


You can search through threats and indicators for specific malicious actions and behaviors.

For example, if you believe that you are vulnerable through SSH, you can use InsightIDR to search for attacker behavior that might be utilized against you.