Utilize Existing Threats

While InsightIDR has an array of built-in alerts, you can also subscribe to an existing threat feed to receive alerts tied to specific indicators (IP addresses, domains, hashes, and URLs) that have been reported as malicious. When InsightIDR detects one of these indicators in your data, it triggers an alert.

You can use threats discovered by Rapid7 or other companies, or you can add your own threat.

Depending on your data region, the number of community threats may vary. Some data regions have fewer customers and therefore fewer community threats.

Configure Threat Feed

To configure your threat feed:

  1. Select Investigations on the left menu from the InsightIDR homepage.
  2. Select Configure Threats in the top right corner.
  3. You will see your threat feed, composed of subscribed threats and your own threats. If this is your first time on the "Threats" page, this section will be blank.
  4. To subscribe to a new threat, click the Threat Community button in the upper right.

Subscribe to the Threat Community

The "Threat Community" page allows you to subscribe to various threats. The threat community contains two kinds of available threats: those created by Rapid7 and those created by other organizations.

To access Rapid7 threats, select the Rapid7 MDR Intel tab. Threats in the feed marked with the Rapid7 logo come from Rapid7, and each shows whether or not you are subscribed to it.

Each threat lists an indicator count, a description of the threat, and the feed it belongs to.

  • Click View on a threat to see its details: the number of indicators, the number of organizations tracking it, its false positive rate, and the number of alerts it has generated.
  • Click Subscribe to follow the threat's indicators and receive alerts. Choose threats that are relevant to your organization's threat profile; every subscription adds indicators that can fire alerts.

The rest of the threats in the Threat Community feed have been created by other organizations.

Note that threats created by other organizations are not vetted by Rapid7, so review a threat's indicators, false positive rate, and description before subscribing to it.

Why Is My Threat Indicator Expiring?

If a threat has an orange band across it, its indicators are about to expire and you need to mark them as still relevant to keep receiving alerts for them.

See Attacker Behavior Analytics (ABA) for more information on why indicators expire.

Threat Intelligence Alerts

Once you've subscribed to threats, various alerts will be activated in InsightIDR:

  • Account Received Suspicious Link: InsightIDR can alert you when a URL that is part of a tracked threat appears in a user's inbox.
  • Account Visits Suspicious Link: InsightIDR can alert you when a user visits a URL that is part of a tracked threat, based on firewall or DNS events.
  • Endpoint Threat Intelligence Match: InsightIDR can alert you when a process hash that matches a tracked threat is detected on an endpoint.
  • Ingress from Community Threat: InsightIDR can alert you when a user logs in to the network remotely from an IP address that matches a community threat you subscribe to.
  • Ingress from Threat: InsightIDR can alert you when a user logs in to the network remotely from an IP address that matches a threat you created yourself (an owned threat).
  • Network Access for Threat: InsightIDR can alert you when a user on the network has accessed a domain or IP address that matches a tracked threat.

If you receive alerts from a community threat you have subscribed to, you will have the ability to mark the threat as a false positive when closing the alert.
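To make the matching behind these alerts concrete, the following added example (not Rapid7 or InsightIDR code) applies one threat's indicators to a handful of constructed events and names the alert type each hit corresponds to. The event field names, the THREAT layout, and the mapping of event source to alert name are assumptions for illustration; the normalization it performs (lowercasing domains and hashes, stripping the trailing DNS dot, lowercasing URL scheme and host but not the path) is the part worth copying into any indicator matching you build yourself.

```python
"""Added example (not Rapid7 code): a minimal matcher that applies threat
indicators to constructed events in the way the alert types above describe.
Event field names and the THREAT layout are assumptions for illustration."""
import ipaddress
from urllib.parse import urlsplit

# Constructed indicators for one threat; values use documentation ranges and
# a well-known test hash, not a real feed. "source" selects which ingress
# alert name applies (community vs owned threat).
THREAT = {
    "name": "example-threat",
    "source": "community",
    "ips": {"203.0.113.7"},
    "domain_names": {"Evil.example."},  # deliberately un-normalized
    "hashes": {"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    "urls": {"http://evil.example/login"},
}


def norm_domain(d):
    # DNS names are case-insensitive and a trailing dot is just the root label.
    return d.strip().lower().rstrip(".")


def norm_url(u):
    # Scheme and host are case-insensitive; the path is not, so leave it alone.
    p = urlsplit(u.strip())
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


def host_matches(host, threat):
    """True if host is a listed IP or (normalized) domain indicator."""
    host = norm_domain(host)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host in {norm_domain(d) for d in threat["domain_names"]}
    return host in threat["ips"]


def url_matches(url, threat):
    """Exact URL indicator, or the URL's host is a domain/IP indicator."""
    n = norm_url(url)
    if n in {norm_url(x) for x in threat["urls"]}:
        return True
    return host_matches(urlsplit(n).hostname or "", threat)


def hash_matches(h, threat):
    return h.strip().lower() in {x.lower() for x in threat["hashes"]}


def match_events(events, threat):
    """Return (alert_name, event) pairs. Alert names are the ones listed in
    the text; which event source feeds which alert is an assumption."""
    hits = []
    for ev in events:
        t = ev["type"]
        if t == "email" and url_matches(ev["url"], threat):
            hits.append(("Account Received Suspicious Link", ev))
        elif t == "web" and url_matches(ev["url"], threat):
            hits.append(("Account Visits Suspicious Link", ev))
        elif t == "dns" and host_matches(ev["query"], threat):
            hits.append(("Network Access for Threat", ev))
        elif t == "firewall" and host_matches(ev["dest_ip"], threat):
            hits.append(("Network Access for Threat", ev))
        elif t == "process" and hash_matches(ev["hash"], threat):
            hits.append(("Endpoint Threat Intelligence Match", ev))
        elif t == "ingress" and ev["source_ip"] in threat["ips"]:
            name = ("Ingress from Community Threat"
                    if threat["source"] == "community" else "Ingress from Threat")
            hits.append((name, ev))
    return hits


# Constructed sample events (not real log data).
EVENTS = [
    {"type": "email", "user": "alice", "url": "HTTP://EVIL.EXAMPLE/login"},
    {"type": "web", "user": "alice", "url": "https://evil.example/other"},
    {"type": "dns", "host": "ws01", "query": "evil.example."},
    {"type": "firewall", "host": "ws01", "dest_ip": "203.0.113.7"},
    {"type": "firewall", "host": "ws01", "dest_ip": "198.51.100.9"},
    {"type": "process", "host": "ws02",
     "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "ingress", "user": "bob", "source_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    for name, ev in match_events(EVENTS, THREAT):
        print(f"{name}: {ev}")
```

Six of the seven constructed events match; the firewall event to 198.51.100.9 does not. Note that a URL indicator also matches on its host alone, so a single domain indicator can drive both "Account Visits Suspicious Link" and "Network Access for Threat"; that is one reason an unvetted community threat with broad domain indicators can be noisy.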

Use an API

InsightIDR has a REST API available for you to add and replace threat indicators automatically. To use this API, you must first generate a threat key, which identifies the threat the indicators belong to, and then call the indicator action (add or replace) against that key.
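The added example below (not Rapid7 code) shows the preparation a practitioner would do before calling that API: sort free-text indicators into the four types, reject lines that would only generate noise (RFC 1918, loopback and link-local addresses, which can only ever match your own network), de-duplicate, and build the add or replace request. The endpoint path, the request body field names (ips, hashes, domain_names, urls), and the X-Api-Key header are assumptions about the InsightIDR API, not something this page states; confirm them against Rapid7's API documentation. The region, threat key and API key are placeholders.

```python
"""Added example (not Rapid7 code): classify raw indicator lines, drop the
ones that would only produce noise, and build the InsightIDR Threats API
request that adds or replaces them. Endpoint path, body field names and the
X-Api-Key header are assumptions; check Rapid7's API docs before use."""
import ipaddress
import json
import re
import urllib.request
from urllib.parse import urlsplit

# Hex digests of the lengths InsightIDR indicators commonly use (assumption:
# MD5, SHA-1, SHA-256).
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Addresses that can only ever match your own hosts; a feed entry here just
# creates false "Ingress from Threat" / "Network Access for Threat" alerts.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def classify_indicators(lines):
    """Sort raw lines into the four indicator types. Returns (payload,
    rejected) so that dropped lines are visible rather than silently lost."""
    payload = {"ips": [], "hashes": [], "domain_names": [], "urls": []}
    rejected = []
    for raw in lines:
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        low = s.lower()
        if HEX_HASH.match(low):
            payload["hashes"].append(low)
            continue
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            ip = None
        if ip is not None:
            if any(ip in net for net in LOCAL_NETS):
                rejected.append((raw, "local IP"))
            else:
                payload["ips"].append(str(ip))
            continue
        if "://" in s:
            parts = urlsplit(s)
            if parts.scheme in ("http", "https") and parts.hostname:
                payload["urls"].append(s)
            else:
                rejected.append((raw, "malformed URL"))
            continue
        if DOMAIN.match(low.rstrip(".")):
            payload["domain_names"].append(low.rstrip("."))
            continue
        rejected.append((raw, "unrecognized indicator"))
    # De-duplicate while preserving order.
    for k in payload:
        payload[k] = list(dict.fromkeys(payload[k]))
    return payload, rejected


def build_request(region, threat_key, action, payload, api_key):
    """Build the POST for the add/replace indicator action. The URL shape is
    an assumption about the InsightIDR API; verify it in Rapid7's docs."""
    if action not in ("add", "replace"):
        raise ValueError("action must be 'add' or 'replace'")
    url = (f"https://{region}.api.insight.rapid7.com/idr/v1/customthreats/"
           f"key/{threat_key}/indicators/{action}")
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json",
               "Accept": "application/json"}
    return urllib.request.Request(url, data=json.dumps(payload).encode(),
                                  headers=headers, method="POST")


def push_indicators(region, threat_key, action, lines, api_key):
    """Classify, build and send. Only this function touches the network."""
    payload, rejected = classify_indicators(lines)
    req = build_request(region, threat_key, action, payload, api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), rejected


# Constructed feed lines (documentation ranges, not real indicators).
SAMPLE_FEED = [
    "# example feed",
    "203.0.113.7",
    "10.0.0.5",
    "Evil.Example.",
    "http://evil.example/login",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "203.0.113.7",
    "not an indicator",
]

if __name__ == "__main__":
    payload, rejected = classify_indicators(SAMPLE_FEED)
    print(json.dumps(payload, indent=2))
    for line, why in rejected:
        print(f"rejected {line!r}: {why}")
    # push_indicators("us", "<threat-key>", "add", SAMPLE_FEED, "<api-key>")
```

Use "add" to append to a threat's indicators and "replace" to overwrite the whole set; with "replace", an empty or mis-parsed feed silently empties the threat, so review the rejected list and the payload counts before sending. Keep the API key out of the source file (an environment variable or secret store), since it authorizes changes to what your SIEM alerts on.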