Detection rules are the logic InsightIDR uses to detect threats using Rapid7’s wide array of threat intelligence. Detections occur when the conditions of a rule have been satisfied. Rules are classified into two categories: User Behavior Analytics and Attacker Behavior Analytics.
The InsightIDR Detection Rules page allows you to modify ABA detection rules, modify UBA detection rules, create basic detection rules, subscribe or contribute to Community Threats, and gain a deeper understanding of the detection rules InsightIDR uses to create investigations and track notable events.
User Behavior Analytics (UBA)
UBA detections apply insight to the millions of network events your users generate every day to detect compromised credentials, lateral movement, and other malicious behavior. View UBA detection rules under the User Behavior Analytics tab.
Attacker Behavior Analytics (ABA)
Attacker Behavior Analytics expose the finite ways in which attackers gain persistence on an asset, and send and receive commands to victim machines. Each ABA detection rule hunts for a unique attacker behavior. You can see all ABA detection rules and the number of detections over the last 30 days in the Attacker Behavior Analytics tab. You can also view details specific to each rule including:
View rule overview and context
You can click on any ABA detection rule to view an overview of the rule, including:
- Rule Action and Rule Priority: Read more about changing these settings.
- Rule metrics: These metrics show you how often your rule is generating detections, how many exceptions and automations are attached to the rule, and when the rule was added to the library, last detected, and last modified.
- Event Type: The Event Type is the data structure that defines the data contained in an event. When event data comes into the InsightIDR system as logs, (such as from the Collector, event sources, sensors, or Insight Agent) the application classes that event data as a particular type.
- Threat Group: Threat groups indicate known malicious detections that appear together during specific attacks.
- Recommendation: The recommendation provides steps for remediation in the case that the rule detects malicious activity.
- Threshold and keys that the rule matches on: These conditions refine the rule logic to define when a match will generate a detection and cause the rule action to occur.
- Threshold: The Threshold determines when the rule will generate a detection based on the number of matches that occur within the given time range. A Threshold can also prevent additional detections from being generated once a maximum number of matches has been reached.
- Group matches by these keys: The rule will group data containing the specified keys together and only detect on events that occur within these groups.
- Match only on unique values for this key: The rule will only detect on events that contain unique values for this key.
- Rule Context: The Rule Context provides a description of the associated threat group and shows other detection rules associated with this group.
What is a match?
When the logic of your rule matches content in your environment, a match occurs. A match will generate a detection if it meets the criteria set by the threshold and the matching keys.
View Rule logic
Click into any ABA detection rule and navigate to the Rule Logic tab to see the rule logic written in our SQL-style search language, Log Entry Query Language (LEQL). The rule logic query exposes what the detection rule searches for, giving you enhanced visibility into how InsightIDR generates a detection.
View MITRE ATT&CK mapping
The MITRE ATT&CK framework is a knowledge base created by MITRE to document tactics and techniques based on real-world observations. The framework offers a blueprint for teams on where to focus their detection efforts by identifying where threats fall within the attack chain. For more information about the MITRE ATT&CK framework, visit: https://attack.mitre.org/
Each Rapid7 ABA detection rule is mapped to a MITRE ATT&CK tactic and technique, which you can view within the table on the Attacker Behavior Analytics tab. Click into a detection rule to view the associated MITRE ATT&CK mapping.
You can also find a detailed view of all MITRE ATT&CK tactics and techniques on the MITRE ATT&CK Matrix tab. Click into a technique or subtechnique to see a description and mitigations recommended by MITRE. Techniques and sub-techniques that are covered by Rapid7 detection rules are indicated by a green bar, and expand to show associated rules. Use the Tactics & Techniques shown toggle to view the entire MITRE ATT&CK framework, or only tactics & techniques covered by Rapid7.
Filter ABA Detection Rules
The filter panel provides many options to narrow down your detection rules.
You can click the radio buttons to show either Log and Process Rules, or Network Sensor Rules.
- Log and Process Rules leverage a wide variety of internal and external threat intelligence, and source data from endpoints and logs. You can view rule logic, related Threat Groups and MITRE ATT&CK mapping, and sort, filter and search these detection rules.
- Network Sensor Rules use network traffic as a source. These rules run locally on the Insight Network Sensor and require access to network packets. You can view the rule logic, and sort, filter and search these detection rules.
You can also filter ABA detection rules by date modified, date added, number of exceptions, number of detections, Rule Action, Threat and MITRE ATT&CK coverage.
Sort ABA Detection Rules
Sort detection rules by using the up and down arrows in the table header. You can also click the toggle to group rules by Threat, or view rules ungrouped.
You can use the search bar to search through ABA Detection Rules and threats for specific malicious actions and behaviors.
For example, if you believe that you are vulnerable through SSH, you can use InsightIDR to search for attacker behavior that might be utilized against you.