Legacy Detection Rules
Legacy detection rules run on InsightIDR's legacy User Behavior Analytics (UBA) engine. These rules analyze the millions of network events your users generate every day to detect compromised credentials, lateral movement, and other malicious behavior. Some legacy detection rules require newly created assets and users to be placed in a baseline period while InsightIDR learns about their normal behavior.
We’ve made some detection terminology updates
As of November 2023, we’ve updated the tab names within our Detection Rules experience to better reflect the breadth of rules available:
- The Attacker Behavior Analytics tab is now called the Detection Rule Library.
- The User Behavior Analytics tab is now called Legacy UBA Detection Rules.
These changes make way for our teams to migrate all legacy User Behavior Analytics rules to the Detection Rule Library tab to create a single Detection Rules experience. For more information, read Legacy Detection Rules.
Browse our existing legacy detection rules:
Detection Rule Name | Description |
---|---|
Account Created | A new account has been created. This detection rule is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. Note that for restricted asset authentications, the baseline ages out after 90 days without any authentications. |
Account Enabled | A previously disabled user account has been re-enabled by an administrator. This detection rule is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. Note that for restricted asset authentications, the baseline ages out after 90 days without any authentications. |
Account Leak | Indicates that some account names in your environment are present in credential dumps from external data breaches of other websites or other external sources. InsightIDR generates a detection if accounts in your environment match what is out in the public domain. This does not mean that the credentials present in the public domain match those used in your environment, but they may if the user reused the same password on these third-party sites as used for your environment. Based on your company's password policy and age of the leak data, these detections may be considered low-fidelity and more informational. |
Account Locked | An account has been locked. |
Account Password Reset | A user resets the password for an account. |
Account Privilege Escalated | An administrator has assigned a higher level of privileges to the account. |
Account Received Suspicious Link | A user has received an email containing a link flagged by the community or threat feeds. |
Account Unlocked | A previously locked user account has been unlocked by an administrator. |
Account Visits Suspicious Link | A user has accessed a URL that is on the tracked threat list. |
Advanced Malware Alert | An advanced malware system has generated an alert. |
Authentication Attempt From Disabled Account | A disabled user attempted to access an asset. |
Brute Force - Asset | Many different accounts are attempting to authenticate to the same asset. |
Brute Force - Domain Account | A domain account has failed to authenticate to the same asset excessively. For domain accounts, this detection requires 100 failed authentications to a single account within a one-hour period. |
Brute Force - Local Account | A local account has failed to authenticate to the same asset excessively. For local accounts, this detection requires 100 failed authentications to a single account within a one-hour period. |
Detection Evasion - Event Log Deletion | A user has deleted event logs on an asset. |
Detection Evasion - Local Event Log Deletion | A local account has deleted event logs on an asset. |
Exploit Mitigated | An exploit has been mitigated in a process. |
First Ingress Authentication From Country | An account has performed an ingress authentication to the network from a country for the first time. This detection rule is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. |
First Time Admin Action | A user has performed an admin action. |
Flagged Hash On Asset | A flagged process hash has started running on an asset for the first time. |
Flagged Process On Asset | A flagged process name has started running on an asset for the first time. |
Harvested Credentials | Multiple accounts are attempting to authenticate to a single, unusual location. |
Honey File Accessed | A honey file was accessed on a shared file server. |
Honey User Authentication | There was an attempt to log in using a honey user account. |
Honeypot Access | There was an attempt to connect to a network honeypot. |
Ingress From Account Whose Password Never Expires | An account with a password that never expires has accessed the network from an external location. |
Ingress From Community Threat | A user has logged in to the network using an IP address that is part of a currently tracked threat. |
Ingress From Disabled Account | A disabled user has logged in to the network or a monitored cloud service. |
Ingress From Privileged Account | A domain admin, enterprise admin, schema admin, administrator or backup operator account has accessed the network from an external location. |
Ingress From Service Account | A service account has accessed the network from an external location. |
Ingress From Threat | A user has accessed the network from an IP address on the threat list. |
Kerberos Privilege Elevation Exploit | A user has exploited the Windows Kerberos Vulnerability CVE-2014-6324 to elevate their privileges. |
Lateral Movement - Administrator Impersonation | A user has authenticated to an administrator account. |
Lateral Movement - Domain Credentials | A domain account has attempted to access several new assets in a short period of time. This detection rule is inactive during baselining period, in order to suppress false positives while InsightIDR learns about your normal user activity. |
Lateral Movement - Local Credentials | A local account has attempted to access several assets in a short period of time. This detection rule is inactive during your first two weeks of baselining in order to suppress false positives while InsightIDR learns about your normal user activity. |
Lateral Movement - Service Account | A service account is authenticating from a new source asset. This detection rule is inactive during baselining period, in order to suppress false positives while InsightIDR learns about your normal user activity. |
Lateral Movement - Watched User Impersonation | A user has authenticated to a watched user's account. |
LDAP Admin Added | A user has been added to a privileged LDAP group. |
Local Honey Credential Privilege Escalation Attempt | An attempt was made to escalate privileges on an asset using a local honey credential. |
Malicious Hash On Asset | A malicious hash was found on an asset. |
Multiple Country Authentications | A user has accessed the network from many different countries in a short period of time. |
Multiple Organization Authentications | A user has accessed the network from multiple external organizations too quickly. |
Network Access For Threat | A user has accessed a domain or IP address on the tracked threat list. |
New Asset Logon | A user is authenticating to a new asset. |
New Assets Authenticated | A user has accessed a significant number of new assets in a short time. This detection rule is inactive during baselining period, in order to suppress false positives while InsightIDR learns about your normal user activity. |
New Local User Account Created | An account has created a new local user account. |
New AWS Region Detected | Activity in a specific AWS region has been seen for the first time. |
New AWS EC2 Instance Family Detected | An EC2 instance family was launched for the first time. |
New AWS Service | An AWS Service was used for the first time. |
Password Set To Never Expire | A user's password has been set to never expire. |
Protocol Poisoning Detected | Poisoning of a network protocol has been detected. |
Remote File Execution Detected | Remote file execution has been detected. |
Remote Honey Credential Authentication Attempt | An attempt was made to authenticate remotely using a honey credential. |
Restricted Asset Authentication - New Source | A permitted user is authenticating to a restricted asset from a new source asset. This detection rule is inactive during baselining period, in order to suppress false positives while InsightIDR learns about your normal user activity. |
Restricted Asset Authentication - New User | A new user is authenticating to a restricted asset. This detection rule is inactive during baselining period, in order to suppress false positives while InsightIDR learns about your normal user activity. |
Spear Phishing URL detected | A user visited a potential phishing domain. |
Third Party Alert - Carbon Black Response | Carbon Black Response has detected suspicious or malicious activity. |
Virus Alert | A virus has been found on an asset. |
Wireless Multiple Country Authentications | A user has logged onto the network using a mobile device from too many countries in a short period of time. |
Wireless Multiple Organization Authentications | A user has logged onto the network with a wireless device from a large number of distinct organizations too quickly. |
Zone Policy Violation | A user has violated a network zone policy configured in InsightIDR. |
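The Brute Force - Domain Account and Brute Force - Local Account rows above are the only rows in the table that state a concrete threshold (100 failed authentications to a single account within one hour). The following is an added example, not InsightIDR's own code, that applies that threshold as a trailing one-hour sliding window over constructed log lines. The pipe-delimited `timestamp|DOMAIN\account|asset|result` format, the sample events, and the rule that an account whose domain part matches the asset name is a local account are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as documented for the Brute Force - Domain Account and
# Brute Force - Local Account rules: 100 failed authentications against a
# single account within a one-hour period.
THRESHOLD = 100
WINDOW = timedelta(hours=1)


def parse_event(line):
    """Parse a constructed 'timestamp|DOMAIN\\account|asset|result' line.

    The pipe-delimited layout is an assumption for this example, not an
    InsightIDR log format.
    """
    ts, principal, asset, result = line.strip().split("|")
    domain, account = principal.split("\\", 1)
    return datetime.fromisoformat(ts), domain, account, asset, result


def rule_for(domain, asset):
    """Assumption: an account whose domain part equals the asset name is a
    local account (as in Windows logon events); anything else is a domain
    account."""
    if domain.upper() == asset.upper():
        return "Brute Force - Local Account"
    return "Brute Force - Domain Account"


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed authentications per (account, asset).

    Events must arrive in chronological order. One detection is raised per
    (account, asset) pair the first time the count inside the trailing
    window reaches the threshold; successful logons are ignored.
    """
    failures = defaultdict(deque)
    fired = set()
    detections = []
    for line in lines:
        ts, domain, account, asset, result = parse_event(line)
        if result != "FAIL":
            continue
        key = (domain, account, asset)
        q = failures[key]
        q.append(ts)
        # Evict failures that have fallen out of the trailing one-hour window.
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            detections.append({
                "rule": rule_for(domain, asset),
                "account": f"{domain}\\{account}",
                "asset": asset,
                "window_start": q[0],
                "triggered_at": ts,
                "failures": len(q),
            })
    return detections


def constructed_events():
    """Constructed sample log lines; not real InsightIDR data."""
    base = datetime(2024, 1, 10, 9, 0, 0)
    lines = []
    # 100 failures for a domain account within 50 minutes: inside the window.
    for i in range(100):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()}|CORP\\jdoe|FS01|FAIL")
    # 100 failures for a local account two minutes apart (spanning 198
    # minutes): never 100 inside any one-hour window, so no detection.
    for i in range(100):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()}|FS01\\svc-backup|FS01|FAIL")
    # A successful logon, which the rule does not count.
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()}|CORP\\asmith|FS01|SUCCESS")
    # Equal-length ISO-8601 timestamps sort chronologically as strings.
    return sorted(lines)


if __name__ == "__main__":
    for d in detect_brute_force(constructed_events()):
        print(d["rule"], d["account"], "->", d["asset"], d["failures"], "failures")
```

The local account never triggers because the window is trailing, not a fixed calendar hour: only the failures within the last hour of each new failure are counted, so a slow spray of one attempt every two minutes stays below the threshold even though it totals 100. Lowering `threshold` to 30 makes both accounts fire, which is the knob to turn when tuning a copy of this logic for a noisier environment.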
Baseline period
A baseline period allows InsightIDR to learn about an asset or user's behavior. Baseline is a temporary state that usually starts when a specific user or asset is added to your environment. The baseline period is set to 21 days after a user has been created, and 14 days after an asset has been created.
Notable events and basic detection rules will still be generated during the baseline period. However, the following legacy detection rules will not generate detections during the baseline period:
Legacy Detection Rule Name | Effect during baseline period |
---|---|
Lateral Movement - Domain Credentials | Detection not generated if user or destination asset is in baselining period. |
Lateral Movement - Service Account | Detection not generated if any user, source, or destination assets are in baselining period. |
New Assets Authenticated | Detection not generated if user is in baselining period. |
Restricted Asset Authentication - New Source | Detection not generated if any user, source, or destination assets are in baselining period. |
Restricted Asset Authentication - New User | Detection not generated if either user or asset are in baselining period. |
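The table above makes suppression depend on which entity is still baselining: a rule that checks only the user and destination asset still fires when the source asset is new, while a rule that checks all three does not. The following added example (not InsightIDR's own code) encodes the 21-day user and 14-day asset baseline periods and the per-rule entity checks from the table, then evaluates a constructed set of candidate detections. It assumes that the "asset" in the Restricted Asset Authentication - New User row means the restricted (destination) asset, and that an entity with no recorded creation time is treated as established; both are assumptions of the example, as are the dates and rule instances used.

```python
from datetime import datetime, timedelta

# Baseline lengths as documented: 21 days for a user, 14 days for an asset.
USER_BASELINE = timedelta(days=21)
ASSET_BASELINE = timedelta(days=14)

# Which entities each legacy rule checks, taken from the table above.
# Assumption: for "Restricted Asset Authentication - New User" the "asset"
# in the table is the restricted (destination) asset.
BASELINE_CHECKS = {
    "Lateral Movement - Domain Credentials": ("user", "destination"),
    "Lateral Movement - Service Account": ("user", "source", "destination"),
    "New Assets Authenticated": ("user",),
    "Restricted Asset Authentication - New Source": ("user", "source", "destination"),
    "Restricted Asset Authentication - New User": ("user", "destination"),
}


def in_baseline(created, now, period):
    """True while less than `period` has elapsed since creation.

    Assumption: an entity with no known creation time (None) is treated as
    established rather than as baselining.
    """
    return created is not None and now - created < period


def baseline_suppression(rule, now, user_created, source_created=None,
                         destination_created=None):
    """Return the entities that are still baselining and therefore suppress
    `rule`. An empty list means the detection would be generated; rules not
    in BASELINE_CHECKS are never suppressed by baselining."""
    state = {
        "user": in_baseline(user_created, now, USER_BASELINE),
        "source": in_baseline(source_created, now, ASSET_BASELINE),
        "destination": in_baseline(destination_created, now, ASSET_BASELINE),
    }
    return [entity for entity in BASELINE_CHECKS.get(rule, ()) if state[entity]]


def evaluate(candidates, now):
    """Map each candidate detection to 'generated' or 'suppressed (<entities>)'."""
    results = []
    for c in candidates:
        reasons = baseline_suppression(c["rule"], now, c["user_created"],
                                       c.get("source_created"), c.get("destination_created"))
        status = "generated" if not reasons else "suppressed (" + ", ".join(reasons) + ")"
        results.append((c["rule"], status))
    return results


# Constructed scenario: an established user (created 30 days ago) authenticates
# from a source asset created 5 days ago to a destination asset created 40 days ago.
NOW = datetime(2024, 3, 1)
_user = NOW - timedelta(days=30)
_source = NOW - timedelta(days=5)
_destination = NOW - timedelta(days=40)
CANDIDATES = [
    {"rule": rule, "user_created": _user, "source_created": _source,
     "destination_created": _destination}
    for rule in (
        "Lateral Movement - Domain Credentials",
        "Lateral Movement - Service Account",
        "New Assets Authenticated",
        "Restricted Asset Authentication - New Source",
        "Restricted Asset Authentication - New User",
        "Honey User Authentication",  # not subject to baselining
    )
]

if __name__ == "__main__":
    for rule, status in evaluate(CANDIDATES, NOW):
        print(f"{rule}: {status}")
```

In this scenario only the two rules that check the source asset are suppressed; the others fire because the user and destination asset are both past their baseline periods. The boundary is exclusive: an entity created exactly 21 (user) or 14 (asset) days ago is no longer baselining.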