Notable events

Notable events do not generate alerts or investigations

In InsightIDR, notable events are specific incidents or activities that are flagged because they may be significant for monitoring the security of an organization’s environment. These events are triggered by detection rules that have identified potentially malicious or risky behavior.

Notable events are automated messages in your Investigations timeline that help you distinguish expected behavior from alert-worthy behavior. InsightIDR monitors users’ activity and establishes a baseline pattern for the assets that the user owns or regularly accesses, where they log in from, and other actions.

These events are generated in two areas: InsightIDR’s Legacy UBA Detection Rules (formerly known as User Behavior Analytics) and the Detection Rule Library. You can choose to track notable events for detection rules by modifying the rule action. This system flags anomalous events and includes them in investigations without overwhelming security incident response teams with false positives.

Some notable events help identify user anomalies from this baseline, such as New Asset Logon or First Time Ingress from Country. Other notable events are effectively low fidelity detections, such as Account Lockout or Virus Alert.

You can expect to receive a large number of notable events in your network each day. To prevent notification fatigue, InsightIDR limits the number of events you’ll see in your Investigations timeline for a single Legacy UBA Detection Rule. By default, a single type of notable event displays a maximum of 10 times in a 24-hour period, counted from the first match. If you want to adjust the number of events you can see in your Investigations timeline, go to the custom detection rule and edit the thresholding.
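To make the thresholding behavior concrete, here is an added example (not Rapid7's code) that models the per-rule limit over a constructed stream of notable events: a rule's first match opens a 24-hour window, at most 10 matches in that window are displayed, and the rest are suppressed. The assumption that a later match after the window has elapsed opens a fresh window is mine; the page does not state what happens after the 24 hours.

```python
"""Model of InsightIDR-style notable-event thresholding (added example).

Assumption (not stated on the page): once a rule's 24-hour window has
elapsed, the next match opens a new window and counting starts again.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
DEFAULT_MAX_PER_WINDOW = 10  # product default described on the page


def apply_threshold(events, max_per_window=DEFAULT_MAX_PER_WINDOW, window=WINDOW):
    """Split events into (displayed, suppressed) lists.

    events: iterable of (timestamp, rule_name, detail) tuples.
    Per rule: the first match opens a window; up to max_per_window matches
    inside it are displayed; later matches in the same window are suppressed.
    """
    state = {}  # rule_name -> [window_start, matches_displayed_in_window]
    displayed, suppressed = [], []
    for ts, rule, detail in sorted(events):
        win = state.get(rule)
        if win is None or ts - win[0] >= window:
            win = state[rule] = [ts, 0]  # first match (or window elapsed)
        if win[1] < max_per_window:
            win[1] += 1
            displayed.append((ts, rule, detail))
        else:
            suppressed.append((ts, rule, detail))
    return displayed, suppressed


# Constructed sample: 15 hourly "Account Lockout" events, one more at hour 25
# (outside the first window), and three "New Asset Logon" events.
T0 = datetime(2024, 1, 1, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(hours=h), "Account Lockout", f"user{h}") for h in range(15)]
    + [(T0 + timedelta(hours=25), "Account Lockout", "user99")]
    + [(T0 + timedelta(hours=h), "New Asset Logon", f"host{h}") for h in (2, 5, 9)]
)


def summarize(events=SAMPLE_EVENTS, max_per_window=DEFAULT_MAX_PER_WINDOW):
    """Return ({rule: displayed_count}, suppressed_count) for the stream."""
    displayed, suppressed = apply_threshold(events, max_per_window)
    counts = defaultdict(int)
    for _, rule, _ in displayed:
        counts[rule] += 1
    return dict(counts), len(suppressed)


if __name__ == "__main__":
    print(summarize())  # → ({'Account Lockout': 11, 'New Asset Logon': 3}, 5)
```

Lowering `max_per_window` corresponds to editing the rule's thresholding as described above; the suppressed count shows how much timeline noise the limit removes.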

You can click View Log Entry under a notable event to open a Log Search view, where you can observe trends in user behavior and adjacent activity. This will allow you to better understand your notable events and take action if you notice uncommon activity.

Example: How to use notable events

A notable event can be triggered by repeated failed login attempts, which may indicate a brute force attack attempt. You can use the notable events for this activity to determine if this behavior is expected or not in your Investigations timeline. The alert Bruteforce — Domain Account indicates that an employee was indeed locked out of their account because they were the target of a brute force attempt.