Overview

Welcome to the InsightIDR Detection Library! Browse our existing detection rules and review recommendations for responding to alerts generated by these rules.

InsightIDR's built-in detection rules analyze the stream of endpoint and log events coming from event sources and look for events that might indicate attacker behavior. The Rapid7 Threat Detection and Response team makes frequent updates to our detection rules to adapt to the ever-changing tactics of malicious actors, so check back often for the latest updates.

View Detection Rules in InsightIDR

You can view our library of detection rules in InsightIDR by navigating to the left menu and selecting Detection Rules. For more information on our detection systems and how you can modify rules for your security needs, read Detection Rules.

We've updated our Detection Rules terminology

As of November 2023, we've updated the tab names within our Detection Rules experience to better reflect the breadth of rules available:

  • The Attacker Behavior Analytics tab is now called the Detection Rule Library.
  • The User Behavior Analytics tab is now called Legacy UBA Detection Rules.

These changes make way for our teams to migrate all legacy User Behavior Analytics rules to the Detection Library tab to create a singular Detection Rules experience. For more information, read Legacy Detection Rules.

Legacy Detection Rules

The Legacy UBA Detection Rules tab lists all detection rules that run on InsightIDR's legacy User Behavior Analytics (UBA) engine. As we continue to add features to the primary Detection Library tab, our teams are migrating all of the legacy UBA rules onto our main detection engine to create a singular experience. These rules will continue to detect the same user behaviors, but you will now have access to additional customization capabilities, including exceptions.

While the migration is ongoing, there will be 2 versions of each legacy detection rule: the existing rule on the Legacy UBA Detection Rules tab, and a migrated version on the Detection Library tab.

You must opt in to use the migrated version of the rule

Legacy detection rules will remain on by default while we migrate detection functionality. Note that any automation attached to legacy UBA detection rules will not be automatically applied to migrated rules.

Opt in to use the migrated version of a rule

To avoid detection duplication, you must turn on the migrated rule, then turn off the legacy rule.

To opt in to the migrated rules:

  1. On the Legacy UBA Detection Rules tab, find the legacy rule that you want to disable. View the Associated Detection Rules tab to find the name or associated rule set of the migrated rule.
  2. Navigate to the migrated version of the rule in the Detection Rule Library tab, and switch on the rule by setting the Rule Action to Creates Investigations or Generates Notable Events.
  3. Navigate back to the legacy rule and ensure you switch the Rule Action to Off to avoid duplicate detections.