Detection rules are the logic InsightIDR uses to detect threats using Rapid7’s wide array of threat intelligence. Detections occur when the conditions of a rule have been satisfied. Rules are classified into two categories: User Behavior Analytics and Attacker Behavior Analytics.
The InsightIDR Detection Rules page allows you to modify ABA detection rules, modify UBA detection rules, create custom alerts, subscribe or contribute to Community Threats, and gain a deeper understanding of the detection rules InsightIDR uses to create investigations and track notable events.
User Behavior Analytics (UBA)
UBA detections apply insight to the millions of network events your users generate every day to detect compromised credentials, lateral movement, and other malicious behavior. View UBA detection rules under the User Behavior Analytics tab.
Attacker Behavior Analytics (ABA)
Attacker Behavior Analytics expose the finite set of ways in which attackers gain persistence on an asset and exchange commands with victim machines. Each ABA detection rule hunts for a unique attacker behavior. You can see all ABA detection rules and the number of detections over the last 30 days in the Attacker Behavior Analytics tab. You can also view rule logic, related Threat Groups and MITRE ATT&CK mapping, and filter, sort and search detection rules.
Click into any ABA detection rule and navigate to the Rule Logic tab to see the rule logic written in our SQL-style search language, Log Entry Query Language (LEQL). The rule logic query exposes what the detection rule searches for, giving you enhanced visibility into how InsightIDR generates a detection.
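To make the "a detection occurs when the conditions of a rule are satisfied" idea concrete, here is an added example (not InsightIDR code, and not LEQL) of a toy rule evaluator in Python. It replays a handful of constructed events through three rules, one of which only fires after a threshold of matching events from the same source within a time window, and then produces the per-rule count for the trailing 30 days that the ABA table shows. The event field names, rule names, baseline table and sample events are all constructed for this example and are not InsightIDR's schema; the ATT&CK technique ids are real.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not InsightIDR code: a toy evaluator that fires a detection when
# a rule's conditions are satisfied, then counts detections over the last 30 days.
# Event field names, rule names, the baseline table and all sample events are
# constructed for this example and are not InsightIDR's schema.

@dataclass(frozen=True)
class Rule:
    name: str
    category: str                        # "UBA" or "ABA"
    technique: str                       # MITRE ATT&CK technique id
    matches: Callable[[dict], bool]      # the rule logic, applied per event
    threshold: int = 1                   # fire once this many events match ...
    window: timedelta = timedelta(minutes=5)
    key: Optional[str] = None            # ... that share this field inside the window

@dataclass(frozen=True)
class Detection:
    rule: str
    ts: datetime
    key: str

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def evaluate(events: List[dict], rules: List[Rule]) -> List[Detection]:
    """Replay events in time order; a rule fires when its condition holds for
    `threshold` events sharing `key` within `window` (threshold=1: every match)."""
    detections: List[Detection] = []
    recent: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        t = parse_ts(e["ts"])
        for r in rules:
            if not r.matches(e):
                continue
            k = str(e.get(r.key, "")) if r.key else ""
            hits = [h for h in recent[(r.name, k)] if t - h < r.window] + [t]
            if len(hits) >= r.threshold:
                detections.append(Detection(r.name, t, k))
                hits = []                # one burst yields one detection
            recent[(r.name, k)] = hits
    return detections

def count_last_days(detections: List[Detection], now: datetime, days: int = 30) -> Dict[str, int]:
    """Per-rule detection count in the trailing window (the "last 30 days" column)."""
    cutoff = now - timedelta(days=days)
    counts: Dict[str, int] = defaultdict(int)
    for d in detections:
        if d.ts >= cutoff:
            counts[d.rule] += 1
    return dict(counts)

# Constructed baseline for the UBA rule: countries each user has logged in from before.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US", "DE"}}

RULES = [
    Rule("SSH password brute force", "ABA", "T1110.001",
         lambda e: e.get("type") == "auth" and e.get("service") == "ssh" and e.get("result") == "failure",
         threshold=5, window=timedelta(minutes=5), key="src_ip"),
    Rule("Persistence via new Run key", "ABA", "T1547.001",
         lambda e: e.get("type") == "registry"
         and e.get("reg_path", "").lower().startswith(r"hkcu\software\microsoft\windows\currentversion\run")),
    Rule("Login from new country", "UBA", "T1078",
         lambda e: e.get("type") == "auth" and e.get("result") == "success"
         and e.get("country") not in KNOWN_COUNTRIES.get(e.get("user"), set())),
]

# Constructed events: an old Run-key write, a lone SSH failure from one source, a VPN
# login from a new country, a recent Run-key write, and a six-attempt SSH burst from one IP.
EVENTS = [
    {"ts": "2024-04-01T09:00:00Z", "type": "registry", "host": "ws01",
     "reg_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"ts": "2024-05-20T10:01:30Z", "type": "auth", "service": "ssh", "result": "failure",
     "user": "admin", "src_ip": "198.51.100.7"},
    {"ts": "2024-05-21T08:00:00Z", "type": "auth", "service": "vpn", "result": "success",
     "user": "alice", "country": "BR"},
    {"ts": "2024-05-22T12:00:00Z", "type": "registry", "host": "ws02",
     "reg_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
] + [
    {"ts": f"2024-05-20T10:0{i}:00Z", "type": "auth", "service": "ssh", "result": "failure",
     "user": "root", "src_ip": "203.0.113.5"}
    for i in range(6)
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time"

def detection_counts() -> Dict[str, int]:
    return count_last_days(evaluate(EVENTS, RULES), NOW)

if __name__ == "__main__":
    for d in evaluate(EVENTS, RULES):
        print(d.ts.isoformat(), d.rule, d.key)
    print(detection_counts())
```

The six-attempt burst produces exactly one brute-force detection (the window is reset once the threshold fires, so a single burst is not reported five times), the two failures from the other address never reach the threshold, and the Run-key write from April falls outside the 30-day count even though it was detected.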
Threat groups are known malicious detections that appear together during specific attacks. On the Attacker Behavior Analytics tab, you can view the threat group associated with each detection rule, and group detection rules by threat. Click into each threat group for more context.
The MITRE ATT&CK framework is a knowledge base created by MITRE to document tactics and techniques based on real-world observations. The framework offers a blueprint for teams on where to focus their detection efforts by identifying where threats fall within the attack chain. For more information about the MITRE ATT&CK framework, visit: https://attack.mitre.org/
Each Rapid7 ABA detection rule is mapped to a MITRE ATT&CK tactic and technique, which you can view within the table on the Attacker Behavior Analytics tab. Click into a detection rule to view the associated MITRE ATT&CK mapping.
You can also find a detailed view of all MITRE ATT&CK tactics and techniques on the MITRE ATT&CK Matrix tab. Click into a technique or sub-technique to see a description and mitigations recommended by MITRE. Techniques and sub-techniques that are covered by Rapid7 detection rules are indicated by a green bar, and expand to show associated rules. Use the Tactics & Techniques shown toggle to view the entire MITRE ATT&CK framework, or only the tactics and techniques covered by Rapid7.
Filter ABA Detection Rules
The filter panel provides many options to narrow down your detection rules.
You can click the radio buttons to show either Log and Process Rules, or Network Sensor Rules.
- Log and Process Rules leverage a wide variety of internal and external threat intelligence, and source data from endpoints and logs. You can view rule logic, related Threat Groups and MITRE ATT&CK mapping, and sort, filter and search these detection rules.
- Network Sensor Rules use network traffic as a source. These rules run locally on the Insight Network Sensor and require access to network packets. You can view the rule logic, and sort, filter and search these detection rules.
You can also filter ABA detection rules by date modified, date added, number of exceptions, number of detections, Rule Action, Threat and MITRE ATT&CK coverage.
Sort ABA Detection Rules
Sort detection rules by using the up and down arrows in the table header. You can also click the toggle to group rules by Threat, or view rules ungrouped.
You can use the search bar to search through ABA detection rules and threats for specific malicious actions and behaviors.
For example, if you believe that you are vulnerable through SSH, you can search for the attacker behavior that might be used against you and see which detection rules cover it.
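The MITRE ATT&CK Matrix view (covered techniques marked with a green bar, with a toggle for covered-only), the filter, sort and group-by-threat controls, and the behavior search above all operate on the same rule catalogue. As an added example (not InsightIDR code), the Python below builds a small constructed catalogue and implements each of those views over it. The rule names, threat names, detection counts, rule actions and dates are constructed; the technique ids and names are real ATT&CK entries, but MATRIX is a hand-picked subset of the framework, not the whole matrix.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example, not InsightIDR code: grouping a rule catalogue by threat,
# filtering/sorting/searching it, and projecting it onto an ATT&CK matrix to
# show coverage (the "green bar" view and the covered-only toggle). Rule names,
# threat names, counts, actions and dates are constructed; technique ids are
# real ATT&CK ids, but MATRIX is a small hand-picked subset of the framework.

@dataclass(frozen=True)
class AbaRule:
    name: str
    threat: str
    tactic: str
    technique: str           # ATT&CK technique or sub-technique id
    detections_30d: int
    exceptions: int
    action: str              # constructed labels: "Create investigation" / "Track notable event"
    modified: date

RULES = [
    AbaRule("SSH password brute force", "Credential Stuffing", "Credential Access", "T1110.001", 12, 1, "Create investigation", date(2024, 5, 10)),
    AbaRule("SSH login from new source", "Credential Stuffing", "Lateral Movement", "T1021.004", 1, 0, "Track notable event", date(2024, 3, 2)),
    AbaRule("Persistence via new Run key", "Loader Campaign A", "Persistence", "T1547.001", 3, 2, "Create investigation", date(2024, 4, 18)),
    AbaRule("Scheduled task from temp dir", "Loader Campaign A", "Persistence", "T1053.005", 0, 0, "Track notable event", date(2024, 1, 9)),
    AbaRule("Outbound HTTP beacon to new domain", "Loader Campaign A", "Command and Control", "T1071.001", 5, 0, "Create investigation", date(2024, 5, 28)),
]

# tactic -> {technique id: technique name}; a hand-picked subset of ATT&CK
MATRIX: Dict[str, Dict[str, str]] = {
    "Initial Access": {"T1078": "Valid Accounts", "T1190": "Exploit Public-Facing Application"},
    "Persistence": {"T1547.001": "Registry Run Keys / Startup Folder", "T1053.005": "Scheduled Task", "T1136": "Create Account"},
    "Credential Access": {"T1110.001": "Password Guessing", "T1003": "OS Credential Dumping"},
    "Lateral Movement": {"T1021.004": "SSH", "T1021.001": "Remote Desktop Protocol"},
    "Command and Control": {"T1071.001": "Web Protocols", "T1105": "Ingress Tool Transfer"},
}
TECHNIQUE_NAMES = {tid: name for techs in MATRIX.values() for tid, name in techs.items()}

def group_by_threat(rules: List[AbaRule]) -> Dict[str, List[str]]:
    """The 'group rules by Threat' toggle: threat name -> rule names."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in rules:
        groups[r.threat].append(r.name)
    return dict(groups)

def filter_rules(rules: List[AbaRule], *, min_detections: int = 0, action: Optional[str] = None,
                 tactic: Optional[str] = None, max_exceptions: Optional[int] = None) -> List[AbaRule]:
    """The filter panel: detections, rule action, ATT&CK tactic and exception count."""
    out = []
    for r in rules:
        if r.detections_30d < min_detections:
            continue
        if action is not None and r.action != action:
            continue
        if tactic is not None and r.tactic != tactic:
            continue
        if max_exceptions is not None and r.exceptions > max_exceptions:
            continue
        out.append(r)
    return out

def sort_rules(rules: List[AbaRule], by: str = "detections_30d", descending: bool = True) -> List[AbaRule]:
    """The table-header arrows: sort on any column."""
    return sorted(rules, key=lambda r: getattr(r, by), reverse=descending)

def search_rules(rules: List[AbaRule], text: str) -> List[AbaRule]:
    """The search bar: match rule name, threat name, or the mapped technique's name."""
    q = text.lower()
    return [r for r in rules
            if q in r.name.lower() or q in r.threat.lower()
            or q in TECHNIQUE_NAMES.get(r.technique, "").lower()]

def coverage(rules: List[AbaRule], matrix: Dict[str, Dict[str, str]],
             covered_only: bool = False) -> Dict[str, Dict[str, List[str]]]:
    """tactic -> technique id -> names of rules mapped to it. A non-empty list is a
    covered technique (the green bar); covered_only drops uncovered cells and tactics."""
    by_tech: Dict[str, List[str]] = defaultdict(list)
    for r in rules:
        by_tech[r.technique].append(r.name)
    result: Dict[str, Dict[str, List[str]]] = {}
    for tactic, techs in matrix.items():
        cells = {tid: by_tech.get(tid, []) for tid in techs}
        if covered_only:
            cells = {tid: names for tid, names in cells.items() if names}
            if not cells:
                continue
        result[tactic] = cells
    return result

def coverage_summary(rules: List[AbaRule], matrix: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """tactic -> (covered techniques, techniques in the matrix for that tactic)."""
    return {tactic: (sum(1 for names in cells.values() if names), len(matrix[tactic]))
            for tactic, cells in coverage(rules, matrix).items()}

if __name__ == "__main__":
    print(group_by_threat(RULES))
    print([r.name for r in search_rules(RULES, "ssh")])
    for tactic, (covered, total) in coverage_summary(RULES, MATRIX).items():
        print(f"{tactic}: {covered}/{total} techniques covered")
```

Searching for "ssh" finds both SSH rules, once by name and once via the mapped technique name, and the coverage summary makes the gaps visible: in this constructed catalogue no Initial Access technique has a rule, which is the kind of blind spot the matrix view is meant to surface.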