Overview
Welcome to the SIEM (InsightIDR) Detection Library! Browse our existing detection rules and review recommendations for responding to alerts generated by these rules.
SIEM (InsightIDR)’s built-in detection rules analyze the stream of endpoint and log events coming from event sources and look for events that might indicate attacker behavior. The Rapid7 Threat Detection and Response team makes frequent updates to our detection rules to adapt to the ever-changing tactics of malicious actors, so check back often for the latest updates.
View detection rules in SIEM (InsightIDR)
You can view our library of detection rules in SIEM (InsightIDR) by navigating to the left menu and selecting Detection Rules. For more information on our detection systems and how you can modify rules for your security needs, read Detection Rules.
We've updated our detection rules terminology
As of November 2023, we’ve updated the tab names within our Detection Rules experience to better reflect the breadth of rules available:
- The Attacker Behavior Analytics tab is now called the Detection Rule Library.
- The User Behavior Analytics tab is now called Legacy UBA Detection Rules.
These changes make way for our teams to migrate all legacy User Behavior Analytics rules to the Detection Library tab to create a singular Detection Rules experience. For more information, read Legacy Detection Rules.
Legacy Detection Rules
The Legacy UBA Detection Rules tab lists all detection rules that run on SIEM (InsightIDR)’s legacy User Behavior Analytics (UBA) engine. As we continue to add features to the primary Detection Library tab, our teams are migrating all of the legacy UBA rules onto our main detection engine to create a singular experience. These rules will continue to detect the same user behaviors, but you will now have access to additional customization capabilities, including exceptions.
While the migration is ongoing, there will be 2 versions of each legacy detection rule: the existing rule on the Legacy UBA Detection Rules tab, and a migrated version on the Detection Library tab.
You must opt in to use the migrated version of the rule
Legacy detection rules will remain on by default while we migrate detection functionality. Note that any automation attached to legacy UBA detection rules will not be automatically applied to migrated rules.
Migrate legacy detection rules
To support the transition from legacy detection rules to the new and enhanced detection rules in the Detection Rule Library, you can migrate legacy detection rules for your organization.
Legacy UBA rules will remain available until November 30, 2026, but we recommend migrating to the new ABA rules to ensure continued visibility and protection.
Automations and Legacy Detection Rules
If you have workflows that are triggered by legacy detection rules, those automations can’t currently be migrated to use the new enhanced detection rules. Retirement of legacy detection rules, including those with automations, will occur no sooner than 6 months after automation parity is announced. For guidance, contact your Cybersecurity Advisor or Account Team.
To migrate your legacy detection rules:
- Identify the legacy rule you want to migrate. Its corresponding Detection Rule is listed under Associated Detection Rules.
- Select the associated rule name, then set its Rule Action to one of the following:
  - Creates Investigations
  - Creates Alerts
  - Generates Notable Events
- Once you have validated the migrated rule, return to the legacy rule and set its Rule Action to Off to avoid duplicate detections. The legacy rule will then show a Migrated tag, indicating its status.
You can also choose Assess Activity to evaluate behavior before enabling detections.
Copy Rule Modifications as Exceptions
If you’ve applied legacy rule modifications to legacy detection rules and want to retain those changes after migration, you can convert them into an exception. This new exception will combine all applicable rule modifications and apply them to all associated detection rules.
Note: the option to copy rule modifications as exceptions is not available for managed detection rules.
To convert rule modifications into an exception:
- Click the copy icon in the Rule modifications column of the exception.
- Review the message listing the associated detection rules that the exception will be applied to.
- Provide a name for the exception. Optionally, you can provide a note explaining the purpose of the exception.
- Click Create Exception.
When the exception has been created, a tick icon appears in the Rule modifications column.