Threats in InsightIDR track indicators of compromise (IoCs). You can create your own threats, or add threats published by Rapid7 and other community members to your defenses.
An IoC may be a known-bad IP address, domain, or URL, for which you want an alert when anyone in the organization accesses it, or a file hash, for which you want an alert when anyone runs the matching file. A threat groups such indicators together.
To see how other organizations use threats, or to review Rapid7's own recommendations, you can Subscribe to Community Threats.
New threat updates may take up to one hour to appear in User Behavior Analytics (UBA).
InsightIDR provides a Threat API for adding indicators to a threat or replacing its indicator list. To use it, you must generate a threat key, which identifies the target threat and lets the caller apply the add or replace action. Treat the key as a secret: anyone who holds it can add indicators to the threat or, with a replace, discard the ones already there.
Generate the Threat Key
When configuring threats, you'll see the Threat API Key field in the bottom right corner. To generate the threat key:
- Expand the Threat API Key field to show all options.
- Choose a format, operation, and request type.
- Based on your choices, a cURL command appears; copy it to issue the request against the threat.
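The procedure above ends with a generated cURL command for one request. The Python script below is an added example, not Rapid7's code and not the console's generated command: it validates and de-duplicates a list of IoCs into the four indicator types the page names (IP, domain, URL, hash), builds an add or replace request, and reads the threat key from the environment rather than embedding it. The endpoint template, the `format=json` query parameter, the JSON field names `ips`, `hashes`, `domain_names` and `urls`, the optional `X-Api-Key` header and the `IDR_THREAT_KEY` / `IDR_API_KEY` variable names are assumptions; compare them with the cURL command the console generates for your threat and adjust. The sample feed is constructed.

```python
import ipaddress
import json
import os
import re
import urllib.request
from urllib.parse import urlparse

# Assumed endpoint shape; copy the real one from the console's generated cURL command.
API_TEMPLATE = (
    "https://{region}.api.insight.rapid7.com/idr/v1/customthreats"
    "/key/{threat_key}/indicators/{operation}?format=json")
OPERATIONS = ("add", "replace")  # "replace" discards the threat's current indicator list
HASH_LENGTHS = {32, 40, 64}  # md5, sha1, sha256 hex digests
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample feed (documentation address range and a placeholder hash, not real IoCs).
SAMPLE_FEED = """\
# constructed sample IoC list
203.0.113.7
evil.example
http://evil.example/dl/stage2.bin
d41d8cd98f00b204e9800998ecf8427e
203.0.113.7
not an indicator
"""


def classify(value):
    """Map one indicator to its (assumed) Threat API JSON field, or None if it is unusable."""
    try:
        return "ips", str(ipaddress.ip_address(value))  # IPv4 or IPv6, normalised
    except ValueError:
        pass
    if len(value) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hashes", value.lower()
    parts = urlparse(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "urls", value
    if DOMAIN_RE.match(value):
        return "domain_names", value.lower()
    return None


def build_payload(lines):
    """Validate and de-duplicate IoC lines; return (payload, rejected_lines)."""
    payload = {"ips": [], "hashes": [], "domain_names": [], "urls": []}
    rejected = []
    for raw in lines:
        value = raw.strip()
        if not value or value.startswith("#"):
            continue
        hit = classify(value)
        if hit is None:
            rejected.append(value)  # surface bad lines instead of sending them
            continue
        field, normalised = hit
        if normalised not in payload[field]:  # keep first-seen order, drop repeats
            payload[field].append(normalised)
    return payload, rejected


def build_request(threat_key, operation, region="us", api_key=None):
    """Assemble the URL and headers for one add or replace call."""
    if operation not in OPERATIONS:
        raise ValueError(f"operation must be one of {OPERATIONS}, got {operation!r}")
    if not threat_key:
        raise ValueError("threat key is required; read it from the environment, never hard-code it")
    url = API_TEMPLATE.format(region=region, threat_key=threat_key, operation=operation)
    headers = {"Content-Type": "application/json"}
    if api_key:  # assumed: platform API key header, if your deployment requires one
        headers["X-Api-Key"] = api_key
    return url, headers


def _http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def submit(threat_key, operation, lines, region="us", api_key=None, sender=_http_post):
    """Validate, de-duplicate and send indicators; returns (response_text, payload, rejected).

    `sender(url, headers, body)` is injectable so the flow can be exercised offline.
    An empty payload is refused: a "replace" with nothing in it would blind the threat.
    """
    payload, rejected = build_payload(lines)
    if not any(payload.values()):
        raise ValueError("no valid indicators; rejected lines: " + ", ".join(rejected))
    url, headers = build_request(threat_key, operation, region, api_key)
    return sender(url, headers, json.dumps(payload).encode()), payload, rejected


if __name__ == "__main__":
    key = os.environ.get("IDR_THREAT_KEY")  # assumed variable name
    if not key:
        raise SystemExit("set IDR_THREAT_KEY to the threat key shown in the console")
    print(submit(key, "add", SAMPLE_FEED.splitlines(), api_key=os.environ.get("IDR_API_KEY")))
```

Run it with the threat key exported in the environment; the rejected list tells you which feed lines were silently dropped, which matters most before a replace, since whatever does not make it into the payload is removed from the threat.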
The "Contributing Collaborative Threat"
Your InsightIDR instance includes a privately owned threat called the Contributing Collaborative Threat, which already has the InsightIDR Threat API exposed, so you can use it as a ready-made target for API-submitted indicators if you wish.