Modify Built-In Alerts

By default, InsightIDR will generate an alert when different kinds of attack behaviors are detected. You can configure alert types to change how InsightIDR reacts to certain user behaviors, as Notable Behaviors do not generate alerts automatically.

How to configure Built-In Alerts for MDR customers

Any changes made by MDR customers directly to the Built-In Alerts will be reset automatically back to the default MDR settings. If you are an MDR customer and would like to change these default behaviors, please notify your assigned Customer Advisor.

To configure Built-In Alerts:

  1. Select the Lightning Bolt icon on the top right of InsightIDR.
  2. From the dropdown menu, select Manage Alerts.

You will see a list of built-in detections and alerts and the default type of behavior for the alert.

These detections appear in alphabetical order and are automatically configured with one of three alert types:

  • Alert means that an Investigation container is created in InsightIDR. You can configure your Profile Settings to send email alerts when Investigations are created. Use this option when you would like to be notified of events when they happen.
  • Notable Behaviors are flagged with a blue flag and can be viewed from the Home page or on each user's activity. No Investigation is created and no email will be sent. Use this option for events that you would like to be aware of when reviewing a user's activities but do not wish to be notified of.
  • Disabled events are not tracked or used in IDR. Use this option for events you do not wish to track.
  3. For each Built-In Alert, choose whether you would like the alert type to be Alert, Notable Behavior, or Disabled.

Changing Notable Behaviors to Alerts can sometimes introduce unnecessary "noise" in addition to meaningful alerts.

Alert Count

When modifying built-in alerts, the "Count" column indicates the number of open investigations of that type that occurred in the last 28 days.