Rapid7 Resource Names

Rapid7 Resource Names (RRNs) are unique identifiers that InsightIDR automatically adds to logs containing attributed user, asset, account, or local account information. Rapid7 introduced this feature in December 2021 to give customers a more reliable way to identify users, accounts, and assets.

RRNs are only applied to logs that flow into InsightIDR after the feature was enabled, and will not appear in any earlier logs. Applicable Rapid7 Resource Names are appended to logs within an object called r7_context. RRNs appear in the Log Search, detection rule exceptions, and Investigation evidence. In the case of detection rules, RRNs ensure that exceptions are consistently associated with the user, assets, accounts and local accounts for which they are written.

Why use RRNs?

User and asset names change over time, and multiple users can share the same display name (e.g. John Smith). RRNs allow you to return search results or write detection rule exceptions for specific users or assets without also matching other actors that have similar display names. Searching by RRN eliminates ambiguity in your search results.

RRN Format

Rapid7 Resource Names consist of distinct components that combine to form a searchable string. They always begin with rrn:, but the contents after the prefix can vary:

  • rrn:service:region-code:organization-id:resource-type…:resource
  • rrn:service:region-code:organization-id:resource
  • rrn:service:::resource-type…:resource

Some of the components that could be included as part of an RRN are:

Component         Description
service           The service namespace that identifies the service component of the Rapid7 platform (e.g. uba = user behaviour analytics, now known as legacy detection rules).
region-code       The region code of the resource. This may be omitted for global resources.
organization-id   The instance of InsightIDR to which the resource belongs. This may be omitted for resources that are not scoped to a particular instance.
resource-type     The optional list of resource type qualifiers. Each element of the list is separated by a colon character (e.g. asset, account, user).
resource          The identifier for this specific resource.
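As an added example (not Rapid7 code), the Python below splits an RRN into the components of the table above, covering all three shapes listed under RRN Format, and then looks up constructed log entries by the RRNs found in their r7_context to show the exact-match behaviour described under "Why use RRNs". The region code, organization id, user ids and the inner layout of r7_context are assumptions made for the example.

```python
import json

def parse_rrn(rrn: str) -> dict:
    """Split an RRN into the components listed in the RRN Format table.
    Covers all three documented shapes, including rrn:service:::... where
    region-code and organization-id are omitted for global resources."""
    parts = rrn.split(":")
    if len(parts) < 5 or parts[0] != "rrn" or not parts[1] or not parts[-1]:
        raise ValueError(f"not a well-formed RRN: {rrn!r}")
    return {
        "service": parts[1],
        "region_code": parts[2],        # "" when omitted (global resource)
        "organization_id": parts[3],    # "" when not scoped to an instance
        "resource_types": parts[4:-1],  # optional qualifiers, may be empty
        "resource": parts[-1],
    }

def iter_rrns(obj):
    """Recursively yield every string inside a JSON value that starts with 'rrn:'."""
    if isinstance(obj, str) and obj.startswith("rrn:"):
        yield obj
    elif isinstance(obj, dict):
        yield from (r for v in obj.values() for r in iter_rrns(v))
    elif isinstance(obj, list):
        yield from (r for v in obj for r in iter_rrns(v))

def find_logs_by_rrn(log_lines, rrn):
    """Return parsed log entries whose r7_context carries exactly this RRN."""
    return [e for e in map(json.loads, log_lines)
            if rrn in set(iter_rrns(e.get("r7_context", {})))]

def find_logs_by_display_name(log_lines, name):
    """Name-based lookup for comparison: it matches every actor sharing the name."""
    return [e for e in map(json.loads, log_lines) if e.get("user") == name]

# Constructed sample data: the org id, user ids and the r7_context layout are
# placeholders for this example, not real InsightIDR values.
USER_A = "rrn:uba:us:EXAMPLE-ORG-ID:user:EXAMPLE-USER-ID-1"
USER_B = "rrn:uba:us:EXAMPLE-ORG-ID:user:EXAMPLE-USER-ID-2"
SAMPLE_LOGS = [
    json.dumps({"user": "John Smith", "result": "SUCCESS",
                "r7_context": {"user": {"name": "John Smith", "rrn": USER_A}}}),
    json.dumps({"user": "John Smith", "result": "FAILED",
                "r7_context": {"user": {"name": "John Smith", "rrn": USER_B}}}),
]
```

Searching the sample by display name returns both John Smith entries, while searching by USER_A returns only the entry attributed to that specific user.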

RRNs by feature

Let’s take a closer look at RRNs in detection rule exceptions, Investigations evidence, and Log Search.

RRNs in Detection Rule Exceptions

This is an example of how the RRN would look within a detection exception:

(Screenshot: Detection Rule RRN Breakdown)

RRNs in Investigations Evidence

The RRNs found here only apply to investigations with specific types of evidence, such as users, assets, accounts or local accounts, that are identified by matching content.

To locate the RRN in evidence:

  1. From the left-hand menu of InsightIDR, go to Investigations.
  2. Select an investigation.
  3. In the Investigation Details Timeline, select Evidence.
  4. Locate the ‘r7_context’ object.
  5. Copy the RRN between the quotation marks. This RRN can be used to search for this evidence using the global search or in the log search.

(Screenshot: Investigation Evidence RRN)

This is an example of how RRNs appear in Log Search. It is a sample log related to ingress authentication in which a user and an account have been identified from the "source_json". In the 'r7_context' section, both the user and the account have their RRNs displayed.

(Screenshot: Log Search RRN)

How to use RRNs

How to search with RRNs

You can use Rapid7 Resource Names to search for particular users, assets, and local accounts from global search and log search. InsightIDR uses RRNs to navigate to specific asset and user pages (both domain accounts and local accounts), which streamlines the results and improves their accuracy.

To search for RRNs, you must first isolate them from your data within Log Search, Detection Rule exceptions, or Investigations evidence.

How to search with RRNs from Log Search
  1. From the left-hand menu of InsightIDR, go to Log Search.
  2. Select a logset.
  3. Locate the ‘r7_context’ object in the entry.
  4. Copy the RRN between the quotation marks.
  5. Enter the RRN into the log search or global search field.
  6. The results matching the RRN will be returned.

How to search with RRNs in Investigations
  1. From the left-hand menu of InsightIDR, go to Investigations.
  2. Select an investigation.
  3. In the Investigation Details Timeline, select Evidence.
  4. Locate the ‘r7_context’ object.
  5. Copy the RRN between the quotation marks.
  6. Enter the RRN into the log search or global search field.
  7. The results matching the RRN will be returned.

How to locate RRNs in Detection Rules
  1. From the left-hand menu of InsightIDR, go to Detection Rules.
  2. Select a detection rule.
  3. Select the Exceptions tab.
  4. Locate the ‘r7_context’ object.
  5. Copy the RRN between the quotation marks.
  6. Enter the RRN into the log search or global search field.
  7. The results matching the RRN will be returned.

For more example queries, see the example queries page.