Managed Detection & Response Terms

This page outlines important terms related to Managed Detection and Response (MDR).

MDR Terminology

The following is a glossary of MDR-related terminology.

AlertEvents generated by detection rules in InsightIDR by one or more correlated event sources.
Alert ValidationThe MDR SOC will fully investigate all InsightIDR investigations with the responsibility of ‘Rapid7 Managed,’ gathering context from your endpoints and log data in order to determine whether the activity is benign or malicious. When the investigation is completed:

-If the MDR SOC determines that the activity is malicious, the SOC will initiate incident response, and you will receive a notification by email and phone (depending on incident severity).

-If the MDR SOC determines the activity is benign, the SOC will close the investigation and will not notify you.
Attacker Behavior Analytics (ABA)InsightIDR applies behavioral analytics and curated threat intelligence to generate investigations, built from our experience and understanding of attacker tools, tactics, procedures, and methodologies.
Security Posture AssessmentAfter deployment, Rapid7 MDR will perform a Security Posture Assessment to identify any historical or active compromises. . If the Security Posture Assessment determines that there is an active compromise, the incident response process will be initiated (see ‘Incident Response’) and you will be notified by email and phone (depending on incident severity). The report generated from the Security Posture Assessment will describe active or historic compromises or potential avenues for future breaches detected by Rapid7 in your environment. The report will include prioritized remediation actions and corrective actions.
Containment ActionsActions that can be performed via InsightIDR to contain or disrupt the current attacker. Examples are quarantining an asset and disabling a user.
Customer AdvisorThe Customer Advisor (“CA”) is your main point-of-contact for the Rapid7 MDR service. This named resource works with your team as a strategic security partner—from onboarding through incident remediation and ongoing security consultation—to help improve your organization’s security maturity.
Detection RulesInsightIDR detection rules generate investigations based on activity from your configured event sources, the Insight Agent, and the Rapid7 Network Traffic Analysis (NTA) network sensor.

These detection rules are available in the ‘Detection Rules’ page of InsightIDR. These detection rules are grouped into the following detection libraries: Attacker Behavior Analytics (ABA) and User Behavior Analytics (UBA).

Endpoint Detection and Response (EDR)Endpoint Detection and Response (EDR) tools are used by MDR to enhance the logs and information collected during incident investigation to assist with scoping and timelining the threat actor’s activity.
Event SourceEvent Sources are informational log sources used by InsightIDR and the MDR team to generate detections.
ExceptionThe MDR SOC will tune alerts designated as “Rapid7 Managed.” If the MDR SOC investigates an alert and determines it benign, the SOC will enter an exception to tune out that activity. Additionally, you can create exceptions for alerts that are your responsibility in insightIDR to tune out alerts generated by expected activity.
Forensic AnalysisDuring the course of an investigation or incident response, the MDR SOC may utilize forensic jobs built into the Insight Agent or Velociraptor to acquire forensic artifacts from the affected endpoint(s) in an effort to validate activity in an alert or determine how a compromise initially occurred.
Incident ResponsePlease review Incident Response for details.
Incident Response TeamRapid7’s Incident Response Team is a dedicated team of experienced incident response professionals who provide ongoing incident response training and support to MDR analysts, and will lead the response to complex and/or high impact incidents in your environment as needed.
Incident SeverityPlease see “Incident Types” under Incident Response.
InvestigationInvestigation occurs after the MDR SOC triages an alert and determines more data is needed to determine if it is benign or potentially malicious. The MDR SOC will utilize contextual data from your event sources, and potentially artifacts from the the affected endpoint (if applicable) to validate the activity.
Log SourceInformational sources that are used to correlate actions and alerts inside of InsightIDR. These are not the same as event sources.
Logically separated environmentRapid7 considers an environment logically separated if it meets all the following criteria:

* The in-scope environment must be on a network that is logically separated and isolated from the rest of the organization. Specifically, the in-scope environment must have its own networking infrastructure (firewalls, Web proxies, and DNS servers). The environment must have separate Internet egress points, and inbound network traffic from out-of-scope environments is not permitted.

* The in-scope environment(s) must have its own authentication and access control infrastructure (such as Active Directory and other Identity Providers). Specifically, all users supported by this infrastructure must be active users of the systems in the in-scope environment.

* Any cloud services that will be in-scope for MDR must be accessed only by active users of the systems in the in-scope environment.
MDR Notification EmailsConsolidated (“Alert roll-up”) Requests for Information
MDR Notification Emails are automated, consolidated roll-ups for alerts generated by detection rules that are your organization's responsibility to investigate. You should treat the roll-ups as automated RFIs. Please review the data in the roll-ups to determine if the activity is expected. If it is not, you should open a ticket in the customer portal or reach out to your Customer Advisor so the MDR SOC can investigate.

Your Customer Advisor will help you create exceptions to tune the activity provided in the roll-ups.
MDR SOC PodYour organization’s environment will be assigned to one of our MDR SOC Pods. The analysts in your MDR SOC Pod are responsible for deliverables such as alert review and investigation, detection rule tuning, threat hunting, and incident response.
MDR Tactical Operations TeamOur 24x7x365 Tactical Operations team is responsible for handling the most time-critical tasks for all customers, such as the investigation and triage of high priority security alerts and the initial response to urgent customer communications.
RecommendationsDuring the incident response process, the MDR SOC will provide you with recommended remediation actions and recommended corrective actions. Remediation actions are a critical part of the “Incident Remediation” step of the incident response process to contain and eradicate the threat in your environment. Corrective actions are less time-critical, though still important to implement after the incident is concluded to mitigate future threats from the same attack vector(s). For more details, please review Incident Response.
Requests for Information (RFI)In some cases, the MDR SOC may need additional input from you in order to complete an investigation, in which case Rapid7 will reach out to you via a Customer Portal case.
Threat HuntingRapid7 performs regular hunts for new or novel threats within your environment by leveraging access to historical log data, alert data, and forensic endpoint artifacts. Details about these hunts can be found in the Monthly Service Report.

If a threat hunt identifies an active compromise in your environment, Rapid7 will initiate incident response.
Threat Intelligence and Detection Engineering TeamTIDE supports MDR with threat analysis and new detections. TIDE identifies new attacker trends across the global threat landscape and uses these findings to create detections for new vulnerabilities, exploits, and attack campaigns.
User Behavior Analytics (UBA)A detection library that includes:
-UBA activity: InsightIDR creates a baseline of normal user activity within your environment and generates investigations when there is a deviation.
-Custom Alerts: Detection rules written by your organization.
* Community Threats: Detection rules powered by community-managed threat intelligence feeds.
-Third Party Alerts: Alerts generated by third-party security vendors.

MDR Alert Priorities

CriticalActivity occurred in your environment that was almost certainly a malicious event. Critical alerts require immediate response and are the highest priority for the MDR team.
HighActivity occurred in your environment that was most likely a malicious event and should be prioritized for analyst review.
MediumActivity occurred in your environment that may be a malicious event and requires analyst review.
LowActivity occurred in your environment that is likely not malicious but still requires review by a Rapid7 MDR Analyst.

Closed Alert Dispositions

BenignThis event was associated with non-malicious behaviors in the context of your environment and did not require additional validation from your organization to close.
Reported BenignThis event was reported to your organization and was confirmed as benign. For example, after further investigation, Rapid7 confirmed that a suspicious authorization or honeypot was benign.
Reported MaliciousThe event represented by this alert was associated with malicious activity and was reported to your organization. Your organization confirmed that this event was unexpected behavior and further analysis indicated a compromise. The communication resulted in changes to your environment, such as password resets or reconfigured services.
Security TestRapid7 determined that this alert was related to security testing, and did not require customer validation to close.
Reported Security TestRapid7 determined that this alert was associated with alerts often generated by security testing, and confirmed with your organization.
Reported UnknownRapid7 reported this alert to your organization, but we did not complete an in-depth investigation. Your organization indicated that this event fulfilled a business use-case or that it was of no concern.
System ClosedAlerts that were closed automatically without further analyst review. This includes alerts that on their own do not indicate malicious activity, but are reviewed if they are related to a high fidelity alert.
False PositiveAn alert was triggered that was not related to the rule logic. Rapid7 triaged the event, and submitted a tuning request to the intel team.

Rapid7 Cloud Technology Architecture and Capabilities

The following is a list of the Rapid7 cloud technology that is used with MDR.

Insight CloudResponsible for all log management, data processing, enrichment, and storage of your data. Each client’s instance on the Insight Cloud is isolated from other instances.
InsightIDRRapid7’s purpose-built cloud SIEM for incident detection and response combines real-time threat intelligence insights with a deep understanding of your environment and sophisticated behavior analytics to identify threats.
Customer Service PortalRapid7’s purpose built portal to deliver MDR content such as Incident and Service related Reports.
Threat Intelligence EnginePrimary Rapid7-developed intelligence paired with additional third-party sources to enrich attack detection and response processes in near real time.

MDR Software and Configuration

The following is a list of the software that MDR requires.

Insight AgentPowers the Insight cloud and allows Rapid7 analysts to collect data for identifying malicious activity on your endpoints for system-level visibility, real-time detection analysis, and endpoint investigation and hunting. We recommend deploying the Insight Agent on all endpoints, but require deployment to a minimum of 80% of licensed assets - defined as workstations, desktops, and servers - using your existing software management processes in order to deliver service. Rapid7 assigns deployment resources to work with you for the initial deployment of the Rapid7 MDR technology stack and ensure your event sources are configured for optimal service.
Insight CollectorCollectors receive log data and agent data from your environment. All collected data is compressed and encrypted before being forwarded to the Insight cloud. You are responsible for provisioning Collectors as described in the Rapid7 InsightIDR documentation. The Collectors must meet the recommended hardware specifications. You are also responsible for keeping the Collector operating system patched and up-to-date.
InsightIDRRapid7’s purpose-built cloud SIEM for incident detection and response combines real-time threat intelligence insights with a deep understanding of your environment and sophisticated behavior analytics to identify threats. You can also establish custom alerts in InsightIDR; however, Rapid7 does not triage custom alerts.
Deception TechnologyHoneypots, honey users, honey credentials, and honey files designed to identify malicious behaviors using fake assets, users, credentials in memory, or files.
File Integrity MonitoringAlerts generated for changes to operating systems and application software files to identify if tampering or fraud has occurred. Rapid7 MDR does not alert on File Integrity Monitoring alerts, but these are available to you to investigate in InsightIDR.
Insight Orchestrator (Automation)Automation in InsightIDR allows you to add enrichment to open investigations or to take action when alerted to possible malicious behavior. You are responsible for provisioning, configuring, and activating an Orchestrator system to use automation functionality. Rapid7 will assist with the configuration, activation, and use of the Orchestrator. Rapid7 will not take any actions on your behalf to quarantine assets, stop processes, disable accounts, de-provision users, or any type of action that is available as part of the InsightIDR Automation and Orchestration suite.