Utilize Existing Threats

While InsightIDR has an array of built-in detection rules, you can also utilize an existing threat feed to receive specific alert-tied indicators (IP addresses, domains, hashes, and URLs) that have been reported as malicious. When InsightIDR detects one of these indicators, it triggers an investigation.

Depending on your data region, the number of community threats may vary. Some data regions have fewer customers and therefore fewer community threats.

Configure your threat feed

You can use threats discovered by Rapid7 or other companies, or you can add your own threat.

To subscribe to community threats:

  1. Select Detection Rules from the InsightIDR left menu.
  2. Navigate to the Community Threats tab. You will see your threat feed, made up of subscribed threats and your own threats. If this is your first time on the Community Threats page, this section will be blank.
  3. To subscribe to a new threat, click the Threat Community button in the top right corner.
  4. Click Subscribe for any threats you’d like to receive alerts for. Threats created by other organizations are not vetted by Rapid7, so it is recommended you review these threats before subscribing to them.

Each threat contains a description of the threat and which feed it belongs to.

  • Click View to see specific details including the number of indicators, the number of organizations tracking the threat, the false-positive rate, and the number of alerts generated.
  • Click Subscribe to follow the indicators and receive the alerts that are relevant to your organization's threat profile.

Why Is My Threat Indicator Expiring?

Indicators have a default expiry of 30 days. If your threat has an orange band across it, you should review the threat to confirm that your indicators are still relevant.

Figure: an expired threat

Threat Intelligence Alerts

Once you've subscribed to threats, various alerts will be activated in InsightIDR:

  • Account Received Suspicious Link: InsightIDR can alert you to malicious links in a user's inbox.
  • Account Visits Suspicious Link: InsightIDR can alert you when a user visits a URL that is part of a tracked threat, based on firewall or DNS events.
  • Endpoint Threat Intelligence Match: InsightIDR can alert you when a process hash that matches a tracked threat is detected on an endpoint.
  • Ingress from Community Threat: InsightIDR can alert you when a user logs in to the network remotely from an IP address that matches a tracked community threat.
  • Ingress from Threat: InsightIDR can alert you when a user logs in to the network remotely from an IP address that matches an owned threat.
  • Network Access for Threat: InsightIDR can alert you when a user on the network has accessed a domain or IP address that matches a tracked threat.

If you receive alerts from a community threat you have subscribed to, you will have the ability to mark the threat as a false positive when closing the investigation. Marking a threat as a false positive will add to the counter of false positives displayed on the Community Threats page, and will not allowlist the behavior.

Use an API

InsightIDR has a REST API available for you to add and replace threat indicators automatically. To use this API, you must first generate a threat key that identifies the threat, then apply the indicator action (add or replace) against that key.
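As an added example (not Rapid7's own code or documentation), the following Python client sorts raw indicators into the four types this page names, drops malformed and duplicate entries, and posts the result under a threat key. The endpoint path, the `X-Api-Key` header and the JSON field names are assumptions; confirm them against the InsightIDR API reference before use.

```python
import ipaddress
import json
import re
import urllib.request
from typing import Optional

# Assumed endpoint shape (not confirmed by this page); REGION is a placeholder.
BASE_URL = "https://REGION.api.insight.rapid7.com/idr/v1/customthreats"

# MD5 / SHA-1 / SHA-256 hex digests, and a conservative hostname pattern.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(indicator: str) -> Optional[str]:
    """Return the indicator bucket for a raw string, or None if it is malformed."""
    value = indicator.strip()
    if HASH_RE.match(value):
        return "hashes"
    try:
        ipaddress.ip_address(value)          # accepts IPv4 and IPv6
        return "ips"
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "urls"
    if DOMAIN_RE.match(value.lower()):
        return "domain_names"
    return None


def build_payload(indicators):
    """Partition indicators into buckets; return (payload, rejected) with duplicates removed."""
    payload = {"ips": [], "hashes": [], "domain_names": [], "urls": []}
    rejected, seen = [], set()
    for raw in indicators:
        value = raw.strip()
        kind = classify(value)
        if kind is None:
            rejected.append(value)           # never silently send junk to the feed
        elif value not in seen:
            seen.add(value)
            payload[kind].append(value)
    return payload, rejected


def push_indicators(api_key, threat_key, indicators, action="add"):
    """POST the cleaned payload; action is 'add' or 'replace' (path shape assumed)."""
    if action not in ("add", "replace"):
        raise ValueError("action must be 'add' or 'replace'")
    payload, rejected = build_payload(indicators)
    req = urllib.request.Request(
        f"{BASE_URL}/key/{threat_key}/indicators/{action}",
        data=json.dumps(payload).encode(),
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, rejected
```

Review the `rejected` list after each run: an indicator that fails classification usually means a copy-paste error in the source feed rather than a genuinely new indicator type.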