Legacy Detection Rules

Legacy detection rules run on InsightIDR's legacy User Behavior Analytics (UBA) engine. This set of rules applies insight to the millions of network events your users generate every day to detect compromised credentials, lateral movement, and other malicious behavior. Some legacy detection rules require newly created assets and users to be placed in a baseline period while InsightIDR learns about their behavior.

We’ve made some detection terminology updates

As of November 2023, we’ve updated the tab names within our Detection Rules experience to better reflect the breadth of rules available:

  • The Attacker Behavior Analytics tab is now called the Detection Rule Library.
  • The User Behavior Analytics tab is now called Legacy UBA Detection Rules.

These changes make way for our teams to migrate all legacy User Behavior Analytics rules to the Detection Library tab to create a singular Detection Rules experience. For more information, read Legacy Detection Rules.

Browse our existing legacy detection rules:

| Detection Rule Name | Description |
| --- | --- |
| Account Created | A new account has been created. This detection rule is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. For restricted asset authentications, the baseline ages out after 90 days without authentications. |
| Account Enabled | A previously disabled user account has been re-enabled by an administrator. This detection rule is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. For restricted asset authentications, the baseline ages out after 90 days without authentications. |
| Account Leak | Indicates that some account names in your environment are present in credential dumps from external data breaches of other websites or other external sources. InsightIDR generates a detection if accounts in your environment match what is out in the public domain. This does not mean that the credentials present in the public domain match those used in your environment, but they may if the user reused the same password on these third-party sites as used for your environment. Based on your company's password policy and the age of the leak data, these detections may be considered low-fidelity and more informational. |
| Account Locked | An account has been locked. |
| Account Password Reset | A user resets the password for an account. |
| Account Privilege Escalated | An administrator has assigned a higher level of privileges to the account. |
| Account Received Suspicious Link | A user has received an email containing a link flagged by the community or threat feeds. |
| Account Unlocked | A previously locked user account has been unlocked by an administrator. |
| Account Visits Suspicious Link | A user has accessed a link URL on the tracked threat list. |
| Advanced Malware Alert | An advanced malware system has generated an alert. |
| Authentication Attempt From Disabled Account | A disabled user attempted to access an asset. |
| Brute Force - Asset | Many different accounts are attempting to authenticate to the same asset. |
| Brute Force - Domain Account | A domain account has failed to authenticate to the same asset excessively. Domain accounts require 100 failed authentications to a single account within a one-hour period before triggering this detection. |
| Brute Force - Local Account | A local account has failed to authenticate to the same asset excessively. Local accounts require 100 failed authentications to a single account within a one-hour period before triggering this detection. |
| Detection Evasion - Event Log Deletion | A user has deleted event logs on an asset. |
| Detection Evasion - Local Event Log Deletion | A local account has deleted event logs on an asset. |
| Exploit Mitigated | An exploit has been mitigated in a process. |
| First Ingress Authentication From Country | An account has connected to the network for the first time. This detection rule is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. |
| First Time Admin Action | A user has performed an admin action. |
| Flagged Hash On Asset | A flagged process hash has started running on an asset for the first time. |
| Flagged Process On Asset | A flagged process name has started running on an asset for the first time. |
| Harvested Credentials | Multiple accounts are attempting to authenticate to a single, unusual location. |
| Honey File Accessed | A honey file was accessed on a shared file server. |
| Honey User Authentication | There was an attempt to log in using a honey user account. |
| Honeypot Access | There was an attempt to connect to a network honeypot. |
| Ingress From Account Whose Password Never Expires | An account with a password that never expires has accessed the network from an external location. |
| Ingress From Community Threat | A user has logged in to the network using an IP address that is part of a currently tracked threat. |
| Ingress From Disabled Account | A disabled user has logged in to the network or a monitored cloud service. |
| Ingress From Privileged Account | A domain admin, enterprise admin, schema admin, administrator, or backup operator account has accessed the network from an external location. |
| Ingress From Service Account | A service account has accessed the network from an external location. |
| Ingress From Threat | A user has accessed the network from an IP address on the threat list. |
| Kerberos Privilege Elevation Exploit | A user has exploited the Windows Kerberos vulnerability CVE-2014-6324 to elevate their privileges. |
| Lateral Movement - Administrator Impersonation | A user has authenticated to an administrator account. |
| Lateral Movement - Domain Credentials | A domain account has attempted to access several new assets in a short period of time. This detection rule is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity. |
| Lateral Movement - Local Credentials | A local account has attempted to access several assets in a short period of time. This detection rule is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. |
| Lateral Movement - Service Account | A service account is authenticating from a new source asset. This detection rule is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity. |
| Lateral Movement - Watched User Impersonation | A user has authenticated to a watched user's account. |
| LDAP Admin Added | A user has been added to a privileged LDAP group. |
| Local Honey Credential Privilege Escalation Attempt | A local honey credential was used in a privilege escalation attempt. |
| Malicious Hash On Asset | A malicious hash was found on an asset. |
| Multiple Country Authentications | A user has accessed the network from many different countries in a short period of time. |
| Multiple Organization Authentications | A user has accessed the network from multiple external organizations too quickly. |
| Network Access For Threat | A user has accessed a domain or IP address on the tracked threat list. |
| New Asset Logon | A user is authenticating to a new asset. |
| New Assets Authenticated | A user has accessed a significant number of new assets in a short time. This detection rule is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity. |
| New Local User Account Created | An account has created a new local user account. |
| New AWS Region Detected | Activity in a specific AWS region has been seen for the first time. |
| New AWS EC2 Instance Family Detected | An EC2 instance family was launched for the first time. |
| New AWS Service | An AWS service was used for the first time. |
| Password Set To Never Expire | A user's password has been set to never expire. |
| Protocol Poisoning Detected | Poisoning of a network protocol has been detected. |
| Remote File Execution Detected | Remote file execution has been detected. |
| Remote Honey Credential Authentication Attempt | A remote authentication was attempted with a honey credential. |
| Restricted Asset Authentication - New Source | A permitted user is authenticating to a restricted asset from a new source asset. This detection rule is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity. |
| Restricted Asset Authentication - New User | A new user is authenticating to a restricted asset. This detection rule is inactive during the baselining period in order to suppress false positives while InsightIDR learns about your normal user activity. |
| Spear Phishing URL Detected | A user visited a potential phishing domain. |
| Third Party Alert - Carbon Black Response | Carbon Black Response has detected suspicious or malicious activity. |
| Virus Alert | A virus has been found on an asset. |
| Wireless Multiple Country Authentications | A user has logged onto the network using a mobile device from too many countries in a short period of time. |
| Wireless Multiple Organization Authentications | A user has logged onto the network with a wireless device from a large number of distinct organizations too quickly. |
| Zone Policy Violation | A user has violated a network zone policy configured in InsightIDR. |
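The Brute Force - Domain Account and Brute Force - Local Account rules above share one stated threshold: 100 failed authentications to a single account within one hour. The following added example (not InsightIDR's own code) shows what that rolling-window logic looks like when run over constructed authentication records; the account names, asset name, and timestamps are made up for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Threshold stated on the page for "Brute Force - Domain Account" and
# "Brute Force - Local Account": 100 failed authentications against a single
# account within a one-hour period.
FAILURE_THRESHOLD = 100
WINDOW = timedelta(hours=1)

def detect_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """events: (timestamp, account, asset, success) tuples sorted by timestamp.
    Returns one (account, asset, timestamp) per account/asset pair, recorded at
    the moment its rolling one-hour failure count first reaches the threshold."""
    recent = {}        # (account, asset) -> deque of failure timestamps in window
    fired = set()
    detections = []
    for ts, account, asset, success in events:
        if success:
            continue   # only failed authentications count toward the threshold
        key = (account, asset)
        q = recent.setdefault(key, deque())
        q.append(ts)
        while ts - q[0] > window:   # expire failures older than one hour
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            detections.append((account, asset, ts))
    return detections

def constructed_events():
    """Constructed sample data, not real telemetry: three accounts failing
    against the same asset at different rates."""
    start = datetime(2023, 11, 1, 9, 0, 0)
    rows = []
    # svc-backup: 100 failures in under 30 minutes -> detection fires
    rows += [(start + timedelta(seconds=18 * i), "svc-backup", "FILESRV01", False) for i in range(100)]
    # alice: 99 failures in 59 minutes -> one short of the threshold, no detection
    rows += [(start + timedelta(seconds=36 * i), "alice", "FILESRV01", False) for i in range(99)]
    # bob: 100 failures spread over three hours -> never 100 inside any one hour
    rows += [(start + timedelta(seconds=108 * i), "bob", "FILESRV01", False) for i in range(100)]
    rows.sort()
    return rows

if __name__ == "__main__":
    for account, asset, ts in detect_brute_force(constructed_events()):
        print(f"Brute Force detected: {account} -> {asset} at {ts:%Y-%m-%d %H:%M:%S}")
```

Only svc-backup crosses the threshold; alice stops one failure short and bob's failures are too spread out for any one-hour window to hold 100 of them.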

Baseline period

A baseline period allows InsightIDR to learn about an asset or user's behavior. Baseline is a temporary state that usually starts when a specific user or asset is added to your environment. The baseline period is set to 21 days after a user has been created, and 14 days after an asset has been created.

Notable events and basic detection rules will still be generated during the baseline period. However, the following legacy detection rules will not generate detections during the baseline period:

| Legacy Detection Rule Name | Effect during baseline period |
| --- | --- |
| Lateral Movement - Domain Credentials | Detection not generated if the user or destination asset is in the baselining period. |
| Lateral Movement - Service Account | Detection not generated if any of the user, source asset, or destination asset is in the baselining period. |
| New Assets Authenticated | Detection not generated if the user is in the baselining period. |
| Restricted Asset Authentication - New Source | Detection not generated if any of the user, source asset, or destination asset is in the baselining period. |
| Restricted Asset Authentication - New User | Detection not generated if either the user or the asset is in the baselining period. |
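To make the suppression rules concrete, here is an added example (not InsightIDR's own implementation) that combines the 21-day user and 14-day asset windows with the per-rule entity checks from the table. It assumes that the "asset" named for Restricted Asset Authentication - New User is the restricted destination asset, and the ages and rule scenario are constructed for illustration.

```python
from datetime import datetime, timedelta

# Baseline windows stated on the page: 21 days for a user, 14 days for an asset.
BASELINE_WINDOW = {
    "user": timedelta(days=21),
    "source": timedelta(days=14),        # source asset
    "destination": timedelta(days=14),   # destination asset
}

# Entities each legacy rule checks, transcribed from the page's baseline table.
# Assumption: the "asset" in "Restricted Asset Authentication - New User" is the
# restricted (destination) asset being authenticated to.
BASELINE_CHECKS = {
    "Lateral Movement - Domain Credentials": ("user", "destination"),
    "Lateral Movement - Service Account": ("user", "source", "destination"),
    "New Assets Authenticated": ("user",),
    "Restricted Asset Authentication - New Source": ("user", "source", "destination"),
    "Restricted Asset Authentication - New User": ("user", "destination"),
}

def in_baseline(entity, created, now):
    """True while the entity is still inside its baseline window."""
    return now - created < BASELINE_WINDOW[entity]

def suppressed_by(rule, created, now):
    """created: mapping of 'user' / 'source' / 'destination' -> creation datetime.
    Returns the first baselining entity that suppresses the rule, or None when the
    detection would be generated (rules outside the table are never suppressed)."""
    for entity in BASELINE_CHECKS.get(rule, ()):
        if entity in created and in_baseline(entity, created[entity], now):
            return entity
    return None

def constructed_scenario(user_age_days, source_age_days, destination_age_days):
    """Constructed scenario, not real data: entity ages in days before a fixed 'now'.
    Returns {rule name: suppressing entity or None} for every rule in the table
    plus one rule ("Account Created") that the table does not list."""
    now = datetime(2023, 11, 15)
    created = {
        "user": now - timedelta(days=user_age_days),
        "source": now - timedelta(days=source_age_days),
        "destination": now - timedelta(days=destination_age_days),
    }
    rules = list(BASELINE_CHECKS) + ["Account Created"]
    return {rule: suppressed_by(rule, created, now) for rule in rules}

if __name__ == "__main__":
    for rule, who in constructed_scenario(300, 5, 21).items():
        print(f"{rule}: {'suppressed (' + who + ' in baseline)' if who else 'generated'}")
```

In the printed scenario only the two rules that check the source asset are suppressed, because the 5-day-old source asset is still baselining while the user and the 21-day-old destination asset are not.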