Notable Events

Notable events do not generate alerts or investigations.

Notable events are the events that fall between expected behavior and alert-worthy behavior. You can choose to track notable events for detection rules by modifying the rule action.

As part of InsightIDR’s legacy detection rules (formerly known as User Behavior Analytics), the solution monitors and baselines every user’s activity, establishing a pattern of which assets the user owns, which assets they access, where they log in remotely from, and other actions.

Some notable events identify deviations from this baseline, such as "New Asset Logon" or "First Time Ingress from Country." Other notable events are effectively low-fidelity detections, such as "Account Lockout" or "Virus Alert." Almost any network will experience a large number of notable events on any given day; because notable events do not generate alerts on their own, this volume does not flood the end user with alerts.

Instead, notable events are automatically added to Investigation Timelines when a user is involved in a “real” alert, providing additional context. This helps analysts better contextualize the behavior without the notable events going completely unobserved.

Example Use Case

The alert "Bruteforce — Domain Account" is a "real" alert: it indicates that employee John Doe was locked out of his account because he was the target of a bruteforce attempt.

This unique, two-tiered detection system flags anomalous events and includes them in investigations without overwhelming security incident response teams with false positives.
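The two-tiered model above can be sketched in code. The following Python is an added illustration, not InsightIDR's own implementation: the rule names follow the ones mentioned on this page (written with a plain hyphen), while the baseline, the sample events, the failure threshold and the time windows are constructed assumptions. It shows events that deviate from the baseline being recorded as notable without alerting, and those notable events being pulled into the investigation timeline only once a real alert fires for the same user.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed baseline: the assets and source countries each user has been seen
# using before. In InsightIDR this is learned from activity; here it is hard-coded.
BASELINE = {
    "jdoe": {"assets": {"WS-JDOE-01"}, "countries": {"US"}},
}

# Rule action per detection rule (names taken from the page, actions assumed).
# "notable" only records the finding for later context; "alert" opens an investigation.
RULE_ACTIONS = {
    "New Asset Logon": "notable",
    "First Time Ingress from Country": "notable",
    "Account Lockout": "notable",
    "Bruteforce - Domain Account": "alert",
}

BRUTEFORCE_THRESHOLD = 5                   # assumed: failed logons before a lockout counts as bruteforce
BRUTEFORCE_WINDOW = timedelta(minutes=10)  # assumed: window in which those failures must occur
CONTEXT_WINDOW = timedelta(hours=24)       # assumed: how far back notable events are pulled into a timeline


@dataclass
class Finding:
    rule: str
    user: str
    time: datetime
    detail: str


@dataclass
class Investigation:
    alert: Finding
    timeline: list = field(default_factory=list)  # notable events giving context


def evaluate(events, baseline):
    """Classify chronological events into notable findings and investigations.

    Returns (notable, investigations): notable maps user -> list of Finding that
    were recorded but never alerted on; each Investigation carries the user's
    notable events from the preceding CONTEXT_WINDOW as its timeline.
    """
    # Copy the baseline so repeated runs start from the same learned state.
    base = {u: {k: set(v) for k, v in b.items()} for u, b in baseline.items()}
    notable = defaultdict(list)
    failures = defaultdict(list)  # user -> timestamps of recent failed logons
    investigations = []

    for ev in events:
        user, t = ev["user"], ev["time"]
        profile = base.setdefault(user, {"assets": set(), "countries": set()})
        fired = []

        if ev["type"] == "logon":
            # Deviations from the learned baseline are notable, not alert-worthy.
            if ev["asset"] not in profile["assets"]:
                fired.append(Finding("New Asset Logon", user, t, ev["asset"]))
                profile["assets"].add(ev["asset"])
            if ev["country"] not in profile["countries"]:
                fired.append(Finding("First Time Ingress from Country", user, t, ev["country"]))
                profile["countries"].add(ev["country"])
        elif ev["type"] == "auth_failure":
            failures[user] = [x for x in failures[user] if t - x <= BRUTEFORCE_WINDOW]
            failures[user].append(t)
        elif ev["type"] == "lockout":
            # A lockout on its own is a low-fidelity detection (notable) ...
            fired.append(Finding("Account Lockout", user, t, "account locked"))
            recent = [x for x in failures[user] if t - x <= BRUTEFORCE_WINDOW]
            # ... but a lockout preceded by a burst of failures is a real alert.
            if len(recent) >= BRUTEFORCE_THRESHOLD:
                fired.append(Finding("Bruteforce - Domain Account", user, t,
                                     f"{len(recent)} failed logons then lockout"))

        for f in fired:
            if RULE_ACTIONS[f.rule] == "notable":
                notable[user].append(f)  # stored for context, never alerted on
            else:
                context = [n for n in notable[user] if f.time - n.time <= CONTEXT_WINDOW]
                investigations.append(Investigation(alert=f, timeline=context))

    return notable, investigations


# Constructed sample activity for one user over a single morning.
T0 = datetime(2024, 1, 15, 8, 0)
SAMPLE_EVENTS = (
    [{"type": "logon", "user": "jdoe", "time": T0, "asset": "WS-JDOE-01", "country": "US"},
     {"type": "logon", "user": "jdoe", "time": T0 + timedelta(hours=1), "asset": "FS-02", "country": "US"},
     {"type": "logon", "user": "jdoe", "time": T0 + timedelta(hours=1, minutes=30), "asset": "WS-JDOE-01", "country": "DE"}]
    + [{"type": "auth_failure", "user": "jdoe", "time": T0 + timedelta(hours=2, seconds=10 * i)} for i in range(6)]
    + [{"type": "lockout", "user": "jdoe", "time": T0 + timedelta(hours=2, minutes=1)}]
)


if __name__ == "__main__":
    notable, investigations = evaluate(SAMPLE_EVENTS, BASELINE)
    print("Notable events (no alert):", [f.rule for f in notable["jdoe"]])
    for inv in investigations:
        print("Alert:", inv.alert.rule, "|", inv.alert.detail)
        print("  timeline context:", [(f.rule, f.detail) for f in inv.timeline])
```

Running it on the sample shows three notable events for jdoe (a new asset, a new source country, and the lockout) and exactly one investigation, opened by the bruteforce alert, whose timeline carries all three. Feeding only the first three logon events produces notable events but no investigation, which is the point of the first sentence on this page. Moving a rule from "notable" to "alert" in RULE_ACTIONS is the code-level equivalent of changing the rule action described above.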