Utilize Existing Threats

While InsightIDR has an array of built-in detection rules, you can also subscribe to an existing threat feed to receive specific indicators (IP addresses, domains, hashes, and URLs) that are reported to be malicious. When InsightIDR observes one of these indicators in your data, it triggers a detection.

Depending on your data region, the number of community threats may vary. Some data regions have fewer customers and therefore fewer community threats.

Configure your threat feed

You can use threats discovered by Rapid7 or other companies, or you can add your own threat.

To subscribe to community threats:

  1. Select Detection Rules from the InsightIDR left menu.
  2. Navigate to the Community Threats tab. You will see your threat feed, consisting of the threats you have subscribed to and any threats you created yourself. If this is your first time on the Community Threats page, this section will be blank.
  3. To subscribe to a new threat, click the Threat Community button in the top right corner.
  4. Click Subscribe for any threats you’d like to receive detections for. Threats created by other organizations are not vetted by Rapid7, so it is recommended you review these threats before subscribing to them.

Each threat contains a description of the threat and which feed it belongs to.

  • Click View to see specific details including the number of indicators, the number of organizations tracking the threat, the false-positive rate, and the number of alerts generated.
  • Click Subscribe to track the threat's indicators and receive detections for them. Choose threats that are relevant to your organization's threat profile.

Why Is My Threat Indicator Expiring?

Indicators have a default expiry of 30 days. If your threat has an orange band across it, you should review the threat to confirm that your indicators are still relevant.

Expired threat

Threat Intelligence Detection Rules

Once you've subscribed to threats, various detection rules will be activated in InsightIDR:

  • Account Received Suspicious Link - InsightIDR can detect malicious links in a user's inbox.
  • Account Visits Suspicious Link - InsightIDR can detect when a user visits a URL that is part of a tracked threat, based on firewall or DNS events.
  • Suspicious Process Hash Discovered - InsightIDR can detect when a process whose hash matches a tracked threat runs on an endpoint.
  • Ingress from Community Threat - InsightIDR can detect when a user logs in to the network remotely from an IP address that matches a tracked community threat.
  • Ingress from Threat - InsightIDR can detect when a user logs in to the network remotely from an IP address that matches an owned threat.
  • Network Access for Threat - InsightIDR can detect when a user on the network has accessed a domain or IP address that matches a tracked threat.

If you receive detections from a community threat you have subscribed to, you can mark the resulting alert as a false positive when closing the investigation that the alert is part of. Marking a threat as a false positive increments the false-positive counter displayed on the Community Threats page; it does not allowlist the behavior.
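To illustrate how a threat feed turns into the detections listed above, here is an added, self-contained example (not InsightIDR's own code) that matches constructed events against a constructed feed of indicators and applies the 30-day indicator expiry described earlier. The event field names, the feed layout, and the treatment of the feed as an owned threat (so a remote-login hit maps to "Ingress from Threat") are assumptions for the example.

```python
from datetime import date, timedelta

# The page states indicators expire after 30 days by default.
INDICATOR_TTL_DAYS = 30

# Constructed sample threat feed: (indicator type, value, date the indicator was added).
FEED = [
    ("ip", "203.0.113.7", date(2024, 5, 1)),
    ("domain", "bad.example.net", date(2024, 5, 10)),
    ("hash", "0123456789abcdef0123456789abcdef", date(2024, 3, 1)),  # old enough to expire
]

# Event type -> (detection rule named on the page, indicator type it checks, event field).
# Event types and field names are assumed for this example.
RULES = {
    "remote_login": ("Ingress from Threat", "ip", "source_ip"),
    "dns_query": ("Network Access for Threat", "domain", "domain"),
    "process_start": ("Suspicious Process Hash Discovered", "hash", "process_hash"),
}


def active_indicators(feed, as_of):
    """Return the set of (type, value) indicators that have not passed the 30-day expiry."""
    cutoff = as_of - timedelta(days=INDICATOR_TTL_DAYS)
    return {(kind, value.lower()) for kind, value, added in feed if added > cutoff}


def match_events(events, feed, as_of):
    """Return [(rule name, indicator value)] for every event that hits an active indicator."""
    active = active_indicators(feed, as_of)
    hits = []
    for event in events:
        rule = RULES.get(event["type"])
        if rule is None:
            continue  # event type no threat rule looks at
        rule_name, kind, field = rule
        value = event.get(field, "").lower()  # case-insensitive match on domains/hashes
        if (kind, value) in active:
            hits.append((rule_name, value))
    return hits


# Constructed sample events: one login, two DNS lookups, one process start.
EVENTS = [
    {"type": "remote_login", "user": "alice", "source_ip": "203.0.113.7"},
    {"type": "dns_query", "host": "ws-12", "domain": "BAD.example.net"},
    {"type": "process_start", "host": "ws-12", "process_hash": "0123456789abcdef0123456789abcdef"},
    {"type": "dns_query", "host": "ws-13", "domain": "good.example.org"},
]

if __name__ == "__main__":
    for rule_name, value in match_events(EVENTS, FEED, date(2024, 5, 20)):
        print(f"{rule_name}: {value}")
```

Run as of 2024-05-20 the hash indicator has expired, so only the IP and domain hits are reported; run as of 2024-03-20 the hash hit is reported too.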

Use an API

InsightIDR has a REST API that lets you add and replace threat indicators automatically. To use this API, you first generate a threat key that identifies the threat, and then apply the indicator action (add or replace) to that threat.