Detection Rules

Detection rules are the logic InsightIDR uses to detect threats using Rapid7’s wide array of threat intelligence. Detections occur when the conditions of a rule have been satisfied. Rules are classified into two categories: User Behavior Analytics and Attacker Behavior Analytics.

The InsightIDR Detection Rules page allows you to modify detection rules, create custom alerts, subscribe or contribute to Community Threats, and gain a deeper understanding of the detection rules InsightIDR uses to create investigations and track notable events.

User Behavior Analytics (UBA)

UBA detections analyze the millions of network and authentication events your users generate every day and flag activity that indicates compromised credentials, lateral movement, and other malicious behavior. View UBA detection rules under the User Behavior Analytics tab.

Attacker Behavior Analytics (ABA)

Attacker Behavior Analytics target the finite set of techniques attackers use to gain persistence on an asset and to send commands to, and receive output from, victim machines. Each ABA detection rule hunts for one specific attacker behavior. You can see all ABA detection rules and the number of detections each produced over the last 30 days in the Attacker Behavior Analytics tab. You can also view rule logic, related Threat Groups and MITRE ATT&CK mapping, and sort, filter and search detection rules.

Rule logic

Click into any ABA detection rule and navigate to the Rule Logic tab to see the rule logic written in our SQL-style search language, Log Entry Query Language (LEQL). The rule logic query exposes what the detection rule searches for, giving you enhanced visibility into how InsightIDR generates a detection.
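To make the relationship between rule logic and a detection concrete, here is an added example that is not part of the InsightIDR documentation and not Rapid7's code: a small evaluator for LEQL-style where() clauses, run over constructed log entries. The grammar it accepts (key="value", key!="value", key CONTAINS "value", key ICONTAINS "value", joined by AND and OR with AND binding tighter, no parentheses), the rule that a missing field never satisfies a term, the three rules, their names and the sample events are all assumptions made for illustration; they are not Rapid7 detection rules, real LEQL semantics, or real logs.

```python
"""Added example, not Rapid7's code: a toy evaluator for LEQL-style rule
logic run over constructed log entries. A rule is a where() clause over
log fields; a detection is produced for each entry that satisfies it.

Assumptions (hypothetical, not InsightIDR internals): supported terms are
key="value", key!="value", key CONTAINS "value", key ICONTAINS "value",
joined by AND / OR (AND binds tighter), no parentheses; a missing field
never satisfies a term. Rules and events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str       # MITRE ATT&CK tactic
    technique: str    # MITRE ATT&CK technique ID
    where: str        # LEQL-style where(...) clause


# One comparison: key, operator, double-quoted value.
_TERM = re.compile(r'(\w+)\s*(!=|=|ICONTAINS|CONTAINS)\s*"([^"]*)"')
# Next token: a whole-word boolean operator, or one comparison term.
_TOKEN = re.compile(
    r'\s*(?:\b(AND|OR)\b|(\w+\s*(?:!=|=|ICONTAINS|CONTAINS)\s*"[^"]*"))')


def parse_where(clause: str):
    """Parse where(...) into a list of AND-groups that are joined by OR."""
    body = clause.strip()
    if body.startswith("where(") and body.endswith(")"):
        body = body[len("where("):-1].strip()
    groups, current, pos = [], [], 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse rule logic at: {body[pos:]!r}")
        pos = m.end()
        if m.group(1):                      # AND or OR
            if m.group(1) == "OR":
                if not current:
                    raise ValueError("empty OR group")
                groups.append(current)
                current = []
        else:                               # a comparison term
            key, op, value = _TERM.fullmatch(m.group(2)).groups()
            current.append((key, op, value))
    if not current:
        raise ValueError("empty rule logic")
    groups.append(current)
    return groups


def _match(event: dict, key: str, op: str, value: str) -> bool:
    actual = event.get(key)
    if actual is None:
        return False  # assumption: a missing field never satisfies a term
    actual = str(actual)
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "CONTAINS":
        return value in actual
    return value.lower() in actual.lower()  # ICONTAINS


def matches(rule: Rule, event: dict) -> bool:
    """True when the event satisfies the rule's where() clause."""
    return any(all(_match(event, *t) for t in g) for g in parse_where(rule.where))


def run_rules(rules, events):
    """One detection per (event, rule) pair whose conditions are satisfied."""
    return [{"rule": r.name, "hostname": e.get("hostname"),
             "tactic": r.tactic, "technique": r.technique}
            for e in events for r in rules if matches(r, e)]


def search_rules(rules, text):
    """Mimic the Detection Rules search bar: rules whose name, technique
    or logic mention the text (case-insensitive)."""
    t = text.lower()
    return [r.name for r in rules if t in (r.name + r.technique + r.where).lower()]


# Constructed, hypothetical rules (not Rapid7's), with ATT&CK mappings.
RULES = [
    Rule("Suspicious Process - PowerShell Encoded Command", "Execution", "T1059.001",
         'where(process_name ICONTAINS "powershell" AND cmd_line ICONTAINS "-enc" '
         'OR process_name ICONTAINS "powershell" AND cmd_line ICONTAINS "downloadstring")'),
    Rule("Persistence - Run Key Added via reg.exe", "Persistence", "T1547.001",
         r'where(process_name="reg.exe" AND cmd_line ICONTAINS "CurrentVersion\Run")'),
    Rule("Remote Services - SSH Root Login Accepted", "Lateral Movement", "T1021.004",
         'where(service="sshd" AND outcome="Accepted" AND user="root")'),
]

# Constructed log entries standing in for endpoint and auth logs.
EVENTS = [
    {"hostname": "ws01", "process_name": "powershell.exe",
     "cmd_line": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"hostname": "ws01", "process_name": "reg.exe",
     "cmd_line": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\Public\a.exe"},
    {"hostname": "ws01", "process_name": "powershell.exe", "cmd_line": "powershell.exe Get-Process"},
    {"hostname": "srv02", "service": "sshd", "outcome": "Accepted", "user": "root", "source_ip": "10.0.5.23"},
    {"hostname": "srv02", "service": "sshd", "outcome": "Failed", "user": "root", "source_ip": "203.0.113.9"},
]

if __name__ == "__main__":
    for d in run_rules(RULES, EVENTS):
        print(f"{d['hostname']}: {d['rule']} [{d['tactic']} / {d['technique']}]")
```

Running it yields three detections (the encoded PowerShell command, the Run-key write, and the accepted root SSH login); the benign Get-Process launch and the failed SSH login produce none, and the SSH events never trip the process rules because they carry no process_name field. search_rules(RULES, "ssh") mirrors the search bar described later on this page.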

Threat Groups

Threat groups are sets of detection rules whose malicious behaviors are known to appear together during specific attacks. On the Attacker Behavior Analytics tab, you can view the threat group associated with each detection rule, and group detection rules by threat. Click into each threat group for more context.

MITRE ATT&CK

The MITRE ATT&CK framework is a knowledge base created by MITRE to document tactics and techniques based on real-world observations. The framework offers a blueprint for teams on where to focus their detection efforts by identifying where threats fall within the attack chain. For more information about the MITRE ATT&CK framework, visit: https://attack.mitre.org/

Each Rapid7 ABA detection rule is mapped to a MITRE ATT&CK tactic and technique, which you can view within the table on the Attacker Behavior Analytics tab. Click into a detection rule to view the associated MITRE ATT&CK mapping.

Sort and filter ABA Detection Rules

Use the filter to narrow down your ABA Detection Rules by:

  • Date modified
  • Date added
  • Number of exceptions
  • Number of detections
  • Rule Action
  • Threat
  • MITRE ATT&CK Coverage

Sort ABA Detection Rules by using the up and down arrows in the table header. You can use the toggle to group rules by Threat, or view rules Ungrouped.

You can use the search bar to search through ABA Detection Rules and threats for specific malicious actions and behaviors.

For example, if you believe you are exposed over SSH, search for "SSH" to find the detection rules that cover attacker behavior likely to be used against you.