| InsightIDR Documentation

Platform
- TECHNOLOGY
  The Rapid7 Command Platform
  AI-Powered Cybersecurity Platform
  Start Trial
Products
- NEW!
  Surface Command
  Unlock a continuous 360° view of your attack surface
  FREE TRIAL
- DETECTION & RESPONSE
- Next-Gen SIEM
  INSIGHTIDR
- Threat Intelligence
  THREAT COMMAND
Services
- MXDR
  Managed Threat Complete
  24x7 MXDR to secure your extended ecosystem
  Request Demo
- DETECTION & RESPONSE
- Managed XDR
  MANAGED THREAT COMPLETE
- Incident Response Services
  EXPERIENCING A BREACH?
Resources
- NEW
  The Take Command Summit is back!
  Our largest virtual event returns Apr. 9
  Register
Company
Partners
Sign In

InsightIDR

Platform
- TECHNOLOGY
  The Rapid7 Command Platform
  AI-Powered Cybersecurity Platform
  Start Trial
Products
- NEW!
  Surface Command
  Unlock a continuous 360° view of your attack surface
  FREE TRIAL
- DETECTION & RESPONSE
- Next-Gen SIEM
  INSIGHTIDR
- Threat Intelligence
  THREAT COMMAND
Services
- MXDR
  Managed Threat Complete
  24x7 MXDR to secure your extended ecosystem
  Request Demo
- DETECTION & RESPONSE
- Managed XDR
  MANAGED THREAT COMPLETE
- Incident Response Services
  EXPERIENCING A BREACH?
Resources
- NEW
  The Take Command Summit is back!
  Our largest virtual event returns Apr. 9
  Register
Company
Partners

Sign In

Documentation
InsightIDR
Release Notes

Getting Started with InsightIDR

InsightIDR Overview
Essential | Quick Start Guide
Advanced | Quick Start Guide
Ultimate | Quick Start Guide

Setup and Deployment

System Requirements
- Setting Up a Service Account
Network and Environment Audit
Ports Used by InsightIDR
Collector Overview
Insight Agent
FIM Recommendations
Other Deployment Options

Automation

Get Started with Automation
Get Started with Automation for Legacy Detection Rules and Basic Detection Rules
- Triggers for Legacy Detection Rules and Basic Detection Rules
Insight Orchestrator Overview
- Configure Connections For Automation
- Automation Workflow Templates
Automation Workflows
Automated Enrichment Workflows
- Enrich Alert Data with Open Source Plugins
Get Started with On Demand Response Actions
Automation Troubleshooting
Send InsightConnect Events to InsightIDR

How To

Manage Credentials
Search Your Logs
Transform Logs to Universal Event Format
Delete and Reinstall a Collector
Deploy Deception Technology
Investigate an Asset or User
Manage Event Sources
- Edit Event Sources
- Copy Event Sources to a New Collector
Export Data
Access AWS Resources with EC2 IAM Roles
Monitor Your Security Operations Activities

Concepts and Usage

Rapid7 Resource Names
Detection Rules
Notable Events
Alerts
- Take Action on an Alert
- Anatomy of an Alert
Investigations
Investigate Threat Command Alerts
Velociraptor
Assets on Your Domain
Dashboards and Reports
- R7 Managed: Endpoint Visibility Validation Dashboard
Deception Technology
File Access Activity Monitoring
File Integrity Monitoring
- File Integrity Monitoring for Linux
- Search Logs for FIM Events
Log Search
Network Rules
Network Traffic Analysis
Threats
- Utilize Existing Threats
- Add and Manage Threats
Users and Accounts
Quick Actions
Data Storage and Retention FAQs

Detection Library

Overview
Rules by Rule Set
Rules by Endpoint
Legacy Detection Rules

InsightIDR REST APIs

InsightIDR REST APIs

Event Source Configuration

InsightIDR Event Sources
Data Collection Methods
Advanced Event Source Settings
Monitor Event Source Health
Event Source Troubleshooting
Auto Configure
Rapid7 Products
Active Directory
- Microsoft Active Directory Security Logs
- Troubleshooting Active Directory
Advanced Malware
- FireEye NX
Cloud Services
Data Exporter
Database
- Microsoft SQL Database Audit Logs
DHCP
DNS
Email and ActiveSync
- Microsoft ActiveSync and Outlook Web Access
Firewall
IDS
Ingress Authentication
- Zscaler LSS
LDAP
- LDAP Troubleshooting
- AWS Managed Microsoft AD
Universal Event Sources
Raw Data
Log Aggregators
Third Party Alerts
Virus Scan
VPN
Web Proxy
Web Server Access
- Microsoft IIS

Administration

Monthly Data Usage
Browser Settings
Email Notifications
User Management
Single Sign-On

Release Notes

Command Platform Release Notes

Support

Contact the Rapid7 Support team
Share an idea with Rapid7
Rapid7 IDR AI Usage

On This Page

Stealth Falcon

Getting Started with InsightIDR

InsightIDR Overview
Essential | Quick Start Guide
Advanced | Quick Start Guide
Ultimate | Quick Start Guide

Setup and Deployment

System Requirements
- Setting Up a Service Account
Network and Environment Audit
Ports Used by InsightIDR
Collector Overview
Insight Agent
FIM Recommendations
Other Deployment Options

Automation

Get Started with Automation
Get Started with Automation for Legacy Detection Rules and Basic Detection Rules
- Triggers for Legacy Detection Rules and Basic Detection Rules
Insight Orchestrator Overview
- Configure Connections For Automation
- Automation Workflow Templates
Automation Workflows
Automated Enrichment Workflows
- Enrich Alert Data with Open Source Plugins
Get Started with On Demand Response Actions
Automation Troubleshooting
Send InsightConnect Events to InsightIDR

How To

Manage Credentials
Search Your Logs
Transform Logs to Universal Event Format
Delete and Reinstall a Collector
Deploy Deception Technology
Investigate an Asset or User
Manage Event Sources
- Edit Event Sources
- Copy Event Sources to a New Collector
Export Data
Access AWS Resources with EC2 IAM Roles
Monitor Your Security Operations Activities

Concepts and Usage

Rapid7 Resource Names
Detection Rules
Notable Events
Alerts
- Take Action on an Alert
- Anatomy of an Alert
Investigations
Investigate Threat Command Alerts
Velociraptor
Assets on Your Domain
Dashboards and Reports
- R7 Managed: Endpoint Visibility Validation Dashboard
Deception Technology
File Access Activity Monitoring
File Integrity Monitoring
- File Integrity Monitoring for Linux
- Search Logs for FIM Events
Log Search
Network Rules
Network Traffic Analysis
Threats
- Utilize Existing Threats
- Add and Manage Threats
Users and Accounts
Quick Actions
Data Storage and Retention FAQs

Detection Library

Overview
Rules by Rule Set
Rules by Endpoint
Legacy Detection Rules

InsightIDR REST APIs

InsightIDR REST APIs

Event Source Configuration

InsightIDR Event Sources
Data Collection Methods
Advanced Event Source Settings
Monitor Event Source Health
Event Source Troubleshooting
Auto Configure
Rapid7 Products
Active Directory
- Microsoft Active Directory Security Logs
- Troubleshooting Active Directory
Advanced Malware
- FireEye NX
Cloud Services
Data Exporter
Database
- Microsoft SQL Database Audit Logs
DHCP
DNS
Email and ActiveSync
- Microsoft ActiveSync and Outlook Web Access
Firewall
IDS
Ingress Authentication
- Zscaler LSS
LDAP
- LDAP Troubleshooting
- AWS Managed Microsoft AD
Universal Event Sources
Raw Data
Log Aggregators
Third Party Alerts
Virus Scan
VPN
Web Proxy
Web Server Access
- Microsoft IIS

Administration

Monthly Data Usage
Browser Settings
Email Notifications
User Management
Single Sign-On

Release Notes

Command Platform Release Notes

Support

Contact the Rapid7 Support team
Share an idea with Rapid7
Rapid7 IDR AI Usage

Stealth Falcon

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests a possible link between this group and the United Arab Emirates (UAE) government, but this has not been confirmed.

Other names for this threat

FruityArmor

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Suspicious DNS Request - Stealth Falcon Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

Acquire Infrastructure - T1583
Domains - T1583.001
Compromise Infrastructure - T1584
Domains - T1584.001

Suspicious Process - Stealth Falcon Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - Stealth Falcon Related Domain Observed

Description

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

Acquire Infrastructure - T1583
Domains - T1583.001
Virtual Private Server - T1583.003
Server - T1583.004
Compromise Infrastructure - T1584
Domains - T1584.001
Virtual Private Server - T1584.003
Server - T1584.004

Did this page help you?

Detection Library

Spring Dragon APT

Detection Library

On This Page

Stealth Falcon

CUSTOMER SUPPORT

+1-866-390-8113 (Toll Free)

SALES SUPPORT

+1-866-772-7437 (Toll Free)

Need to report an Escalation or a Breach?

SOLUTIONS

The Command Platform Exposure Command Managed Threat Complete

SUPPORT & RESOURCES

Product Support Resource Library Our Customers Events & Webcasts Training & Certification Cybersecurity Fundamentals Vulnerability & Exploit Database

ABOUT US

Company Culture Leadership News & Press Releases Public Policy Open Source Investors

CONNECT WITH US

Contact Blog Support Login Careers

Rapid7 Official Cybersecurity Partner of the Boston Bruins

© Rapid7

|

|

|

Trust