Rapid7 Resource Names
Rapid7 Resource Names (RRNs) are unique identifiers that InsightIDR automatically adds to logs containing attributed user, asset, account, or local account information. Rapid7 introduced this feature in December 2021 to give customers a more reliable way to identify users, accounts, and assets.
RRNs are only applied to logs that flow into InsightIDR after the feature was enabled, and will not appear in any earlier logs. Applicable Rapid7 Resource Names are appended to logs within an object called r7_context. RRNs appear in Log Search, detection rule exceptions, and Investigation evidence. In the case of detection rules, RRNs ensure that exceptions are consistently associated with the users, assets, accounts, and local accounts for which they are written.
Why use RRNs?
User and asset names change over time, and multiple users can share the same name (e.g. John Smith). RRNs allow you to return search results or write detection rule exceptions for specific users or assets without affecting actors with similar display names. Searching by RRN eliminates ambiguity in your search results.
RRN Format
Rapid7 Resource Names consist of distinct components that combine to form a searchable string. They always begin with rrn:, but the contents after the prefix can vary:
- rrn:service:region-code:organization-id:resource-type…:resource
- rrn:service:region-code:organization-id:resource
- rrn:service:::resource-type…:resource
Some of the components that could be included as part of an RRN are:
Component | Description |
---|---|
service | The service namespace that identifies the service component of the Rapid7 platform (e.g. uba = user behaviour analytics, now known as legacy detection rules). |
region-code | The region code of the resource. This may be omitted for global resources. |
organization-id | The instance of InsightIDR to which the resource belongs. This may be omitted for resources that are not scoped to a particular instance. |
resource-type | The optional list of resource type qualifiers. Each element of the list is separated by a colon character (e.g. asset, account, user). |
resource | The identifier for this specific resource. |
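The following Python is an added example, not Rapid7's own code: it splits an RRN into the components in the table above and pulls RRNs out of a log event's r7_context object. It assumes no component contains a colon; the sample event's key names, the region code, and all identifier values are constructed placeholders.

```python
import json
from typing import NamedTuple

class RRN(NamedTuple):
    service: str
    region_code: str        # "" when omitted (global resource)
    organization_id: str    # "" when omitted (not scoped to one instance)
    resource_types: tuple   # zero or more qualifiers, e.g. ("asset",)
    resource: str

def parse_rrn(text: str) -> RRN:
    """Split an RRN into its components. Assumption: no component contains ':'."""
    parts = text.strip().split(":")
    if len(parts) < 5 or parts[0] != "rrn":
        raise ValueError(f"not an RRN: {text!r}")
    _, service, region, org, *types, resource = parts
    if not service or not resource or "" in types:
        raise ValueError(f"RRN has an empty required component: {text!r}")
    return RRN(service, region, org, tuple(types), resource)

def collect_rrns(node) -> list:
    """Gather every 'rrn:' string in parsed JSON, whatever the key layout is."""
    if isinstance(node, str):
        return [node] if node.startswith("rrn:") else []
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return [r for child in node for r in collect_rrns(child)]
    return []

# Constructed sample event: key names under r7_context and all values are placeholders.
SAMPLE_EVENT = json.loads("""
{
  "user": "John Smith",
  "r7_context": {
    "user": {"rrn": "rrn:uba:us:ORG-ID-PLACEHOLDER:user:USER-ID-PLACEHOLDER"},
    "account": {"rrn": "rrn:uba:us:ORG-ID-PLACEHOLDER:account:ACCOUNT-ID-PLACEHOLDER"}
  }
}
""")

def rrns_in_event(event: dict) -> list:
    """Parse every RRN found under the event's r7_context object."""
    return [parse_rrn(r) for r in collect_rrns(event.get("r7_context", {}))]

if __name__ == "__main__":
    for rrn in rrns_in_event(SAMPLE_EVENT):
        print(rrn.resource_types, rrn.resource)
```

Grouping or deduplicating events on the parsed resource field rather than on the display name avoids merging two different users who share a name.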
RRNs by feature
Let’s take a closer look at RRNs in detection rule exceptions, Investigations evidence, and Log Search.
RRNs for Detection Rule Evidence
This is an example of how the RRN would look within a detection exception:
RRNs in Investigations Evidence
The RRNs found here only apply to investigations with specific types of evidence such as users, assets, accounts or local accounts, which are found based on match content.
To locate the RRN in evidence:
- From the left-hand menu of InsightIDR, go to Investigations.
- Select an investigation.
- In the Investigation Details Timeline, select Evidence.
- Locate the ‘r7_context’ object.
- Copy the RRN between the quotation marks. This RRN can be used to search for this evidence using the global search or in the log search.
RRNs in Log Search
This is an example of how RRNs can be visualized in Log Search. This is a sample log related to ingress authentication where a user and account have been identified from the “source_json”. In the ‘r7_context’ section, both the user and account have their RRNs displayed.
How to search with RRNs
You can use Rapid7 Resource Names to search for particular users, assets, and local accounts from global search and log search. InsightIDR uses RRNs to navigate to specific asset and user pages (both domain accounts and local accounts), streamlining and improving the accuracy of the results.
To search for RRNs, you must first isolate them from your data within Log Search, Detection Rule exceptions, or Investigations evidence.
How to search with RRNs from Log Search
How to search with RRNs in Investigations
- From the left-hand menu of InsightIDR, go to Investigations.
- Select an investigation.
- In the Investigation Details Timeline, select Evidence.
- Locate the ‘r7_context’ object.
- Copy the RRN between the quotation marks.
- Enter the RRN into the log search or global search field.
- The results matching the RRN will be returned.
How to locate RRNs in Detection Rules
- From the left-hand menu of InsightIDR, go to Detection Rules.
- Select a detection rule.
- Select the Exceptions tab.
- Locate the ‘r7_context’ object.
- Copy the RRN between the quotation marks.
- Enter the RRN into the log search or global search field.
- The results matching the RRN will be returned.
To view more example queries, visit our example queries.