Modify Built-In Alerts

By default, InsightIDR generates an alert whenever it detects attacker behavior. Notable Behaviors, by contrast, do not generate alerts automatically, so you can change how InsightIDR reacts to particular user behaviors by adjusting these settings.

To configure Built-In Alerts:

  1. Select the Lightning Bolt icon on the top right of InsightIDR.
  2. From the dropdown menu, select Manage Alerts.

You will see a list of built-in detections and alerts and the default type of behavior for the alert.

These detections are pre-sorted into one of two categories: "Alerts" and "Notable Behaviors". Review the list to know exactly which events will be flagged right away for review.

  • Notable Behaviors are typically single events that are anomalous for the associated user.
  • Alerts are typically patterns in data or individual events that are commonly associated with attacker behavior.
  3. For each Built-In Alert, choose whether the alert type should be Alert, Notable Behavior, or Disabled, meaning that you won't be notified of that event.

Changing Notable Behaviors to Alerts can sometimes introduce unnecessary "noise" in addition to meaningful alerts.

Alert Count

When modifying built-in alerts, the "Count" column indicates the number of alerts of that type that occurred in the last 28 days.

Total User Risk Trend

The Total User Risk Trend graph displays the total user risk trend over the past 30 days. Total User Risk is the sum of all user notable behaviors on a particular day.

Notable behaviors are user actions that could be considered risky, possibly those of an attacker, and that a security administrator may want to know about. The Total User Risk Trend graph plots notable behaviors over time.

Understanding New Alerts

The Insight Agent checks for the following incidents when creating new alerts:

Alert Name

Description

Account created

A new account has been created.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

Account enabled

A previously disabled user account has been re-enabled by an administrator.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

Account leak

A user's credentials may have been leaked to the public domain.

Account locked

An account has been locked.

Account password reset

A user resets the password for an account.

Account privilege escalated

An administrator has assigned a higher level of privileges to the account.

Account received suspicious link

A user has received an email containing a link flagged by the community or threat feeds.

Account unlocked

A previously locked user account has been unlocked by an administrator.

Account visits suspicious link

A user has accessed a URL on the tracked threat list.

Advanced malware alert

An advanced malware system has generated an alert.

Application authentication - new source

A permitted user is authenticating to an application from a new source asset.

Application authentication - new user

A new user is authenticating to an application.

Authentication attempt from disabled account

A disabled user attempted to access an asset.

Blacklisted application authentication

A user is authenticating to an application that you previously indicated they were not allowed to access.

Blacklisted authentication

A user is authenticating to a system that you previously indicated they were not allowed to access.

Brute force - asset

Many different accounts are attempting to authenticate to the same asset.

Brute force - domain account

A domain account has failed to authenticate to the same asset excessively.

Domain accounts require 100 failed authentications to a single account within a one-hour period before this alert triggers.

Brute force - local account

A local account has failed to authenticate to the same asset excessively.

Local accounts require 100 failed authentications to a single account within a one-hour period before this alert triggers.

Detection evasion - event log deletion

A user has deleted event logs on an asset.

Detection evasion - local event log deletion

A local account has deleted event logs on an asset.

Exploit mitigated

An exploit has been mitigated in a process.

First ingress authentication from country

An account has connected to the network for the first time.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

First time admin action

A user has performed an admin action.

Flagged hash on asset

A flagged process hash has started running on an asset for the first time.

Flagged process on asset

A flagged process name has started running on an asset for the first time.

Harvested credentials

Multiple accounts are attempting to authenticate to a single, unusual location.

Honey file accessed

A honey file was accessed on a shared file server.

Honey user authentication

There was an attempt to log in using a honey user account.

Honeypot access

There was an attempt to connect to a network honeypot.

Ingress from account whose password never expires

An account with a password that never expires has accessed the network from an external location.

Ingress from community threat

A user has logged in to the network using an IP address that is part of a currently tracked threat.

Ingress from disabled account

A disabled user has logged in to the network or a monitored cloud service.

Ingress from domain admin

A domain administrator account has accessed the network from an external location.

Ingress from service account

A service account has accessed the network from an external location.

Ingress from threat

A user has accessed the network from an IP address on the threat list.

Kerberos privilege elevation exploit

A user has exploited the Windows Kerberos Vulnerability CVE-2014-6324 to elevate their privileges.

Lateral movement - administrator impersonation

A user has authenticated to an administrator account.

Lateral movement - domain credentials

A domain account has attempted to access several new assets in a short period of time.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

Lateral movement - local credentials

A local account has attempted to access several assets in a short period of time.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

Lateral movement - service account

A service account is authenticating from a new source asset.

Lateral movement - watched user impersonation

A user has authenticated to a watched user's account.

LDAP admin added

A user has been added to a privileged LDAP group.

Local honey credential privilege escalation attempt

Local honey credential privilege escalation attempt.

Malicious hash on asset

A malicious hash was found on an asset.

Multiple country authentications

A user has accessed the network from many different countries in a short period of time.

Multiple organization authentications

A user has accessed the network from multiple external organizations too quickly.

Network access for threat

A user has accessed a domain or IP address on the tracked threat list.

New asset logon

A user is authenticating to a new asset.

New assets authenticated

A user has accessed a significant number of new assets in a short time.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

New local user account created

An account has created a new local user account.

New AWS Region Detected

Activity in a specific AWS region has been seen for the first time.

New AWS EC2 Instance Family Detected

An EC2 instance family was launched for the first time.

New AWS Service

An AWS Service was used for the first time.

Password set to never expire

A user's password has been set to never expire.

Protocol poisoning detected

Poisoning of a network protocol has been detected.

Remote file execution detected

Remote file execution has been detected.

Remote honey credential authentication attempt

Remote honey credential authentication attempt.

Restricted asset authentication - new source

A permitted user is authenticating to a restricted asset from a new source asset.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

Restricted asset authentication - new user

A new user is authenticating to a restricted asset.

This alert is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity.

Spear phishing URL detected

A user visited a potential phishing domain.

Third party alert - AWS GuardDuty

AWS GuardDuty has detected suspicious or malicious activity.

Third party alert - Carbon Black Response

Carbon Black Response has detected suspicious or malicious activity.

Virus alert

A virus has been found on an asset.

Wireless multiple country authentications

A user has logged on to the network using a mobile device from too many countries in a short period of time.

Wireless multiple organization authentications

A user has logged on to the network with a wireless device from a large number of distinct organizations too quickly.

Zone policy violation

A user has violated a network zone policy configured in InsightIDR.
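Two of the rules in the table above, the brute force thresholds (100 failed authentications to a single account within one hour, from the "Brute force - domain account" and "Brute force - local account" entries) and a first-seen rule that stays inactive during the two-week baselining period (as the "Application authentication - new source" entry and the repeated baselining note describe), re-implemented below as plain Python so the detection logic can be read and stepped through. This is an added example, not InsightIDR code and not the product's event schema: the field names (ts, user, asset, source, result) and the sample events are constructed for illustration.

```python
"""Added example: two of this page's detection rules as plain Python.

Not InsightIDR code. Event field names (ts, user, asset, source, result) and
the sample events are constructed for illustration. The numbers come from the
page: 100 failed authentications to one account within one hour, and a
two-week baselining period during which first-seen rules stay inactive.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 100             # failed authentications (from the page)
BRUTE_FORCE_WINDOW = timedelta(hours=1)  # sliding window (from the page)
BASELINE_PERIOD = timedelta(days=14)     # "first two weeks of baselining"


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Brute force - domain/local account: flag an (account, asset) pair the
    moment `threshold` failures fall inside one sliding `window`.
    `events` must be sorted by ts."""
    recent = defaultdict(deque)  # (user, asset) -> failure timestamps still inside the window
    alerts = []
    for ev in events:
        if ev["result"] != "failure":
            continue
        key = (ev["user"], ev["asset"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] >= window:  # expire failures older than the window
            q.popleft()
        if len(q) == threshold:  # fires once per crossing, not on every later failure
            alerts.append({"rule": "Brute force - account", "user": ev["user"],
                           "asset": ev["asset"], "ts": ev["ts"], "failures": len(q)})
    return alerts


def detect_new_app_source(events, app_assets, baseline_start, baseline=BASELINE_PERIOD):
    """Application authentication - new source: a user reaching an application
    from a source asset never seen for that user/application pair. Pairs seen
    during the baseline period are learned silently, so nothing fires until
    the baseline has elapsed."""
    seen = set()
    alerts = []
    for ev in events:
        if ev["result"] != "success" or ev["asset"] not in app_assets:
            continue
        key = (ev["user"], ev["asset"], ev["source"])
        is_new = key not in seen
        seen.add(key)
        if is_new and ev["ts"] - baseline_start >= baseline:
            alerts.append({"rule": "Application authentication - new source", "user": ev["user"],
                           "asset": ev["asset"], "source": ev["source"], "ts": ev["ts"]})
    return alerts


def _ev(ts, user, asset, source, result):
    return {"ts": ts, "user": user, "asset": asset, "source": source, "result": result}


def make_sample_events():
    """Constructed sample data, not captured logs."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [_ev(t0, "alice", "hr-app", "wks-01", "success")]  # baseline: alice's usual workstation
    burst = t0 + timedelta(days=20, hours=2)  # 100 failures in 50 minutes -> alert
    events += [_ev(burst + timedelta(seconds=30 * i), "svc-backup", "fs-01", "wks-77", "failure")
               for i in range(100)]
    slow = t0 + timedelta(days=20, hours=8)  # 100 failures over 5 hours -> at most 20 per hour, no alert
    events += [_ev(slow + timedelta(minutes=3 * i), "bob", "fs-01", "wks-12", "failure")
               for i in range(100)]
    later = t0 + timedelta(days=21)
    events.append(_ev(later, "alice", "hr-app", "wks-01", "success"))  # known source, no alert
    events.append(_ev(later + timedelta(minutes=5), "alice", "hr-app", "wks-99", "success"))  # new source
    events.sort(key=lambda e: e["ts"])
    return events


def run_rules(events=None):
    """Run both rules; the baseline starts at the first observed event."""
    events = make_sample_events() if events is None else events
    baseline_start = events[0]["ts"]
    return {
        "brute_force": detect_brute_force(events),
        "new_source": detect_new_app_source(events, {"hr-app"}, baseline_start),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

The slow burst of 100 failures spread over five hours is included deliberately: it shows why the rule is defined over a one-hour window rather than a raw count, since no single hour ever holds more than 20 of those failures. Lowering the threshold or lengthening the window is the trade-off the "noise" warning earlier on this page refers to.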