Managed Detection & Response Terms

This page outlines important terms related to Managed Detection and Response (MDR).

MDR Terminology

The following is a glossary of MDR-related terminology.

Term: Description

Alert: Suspicious event triggered in InsightIDR by one or more correlated event sources.

Alert Criticality: After Security Operations Center (SOC) investigation and validation, the SOC determines how pressing an issue the alert is. High criticality alerts should be addressed immediately.

Alert Tuning: The MDR SOC team leverages Threat Intelligence gathered from third-party sources and through engagements with MDR and Incident Response customers to enhance our detections for MDR customers.

Attack Campaign: Also known as a cyberattack, any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset. Attack Campaigns may be limited to single assets or single businesses, or they may be coordinated across many assets and businesses.

Attacker Behavior Analytics (ABA): Attacker Behavior Analytics (ABA) are alerts generated by commonly used attacker tactics, techniques, and procedures.

Attack Storyboarding: MDR provides a Findings Report with a complete timeline of events and discoveries so the customer can learn each step of the attack.

Compromise Assessment: After deployment, Rapid7 MDR will ensure there is no malicious activity in the customer’s network or evidence of previous compromise(s). This report contains any detected active or historic compromises, potential avenues for future breaches, and prioritized remediation and mitigation recommendations.

Containment Actions: Actions that the customer can perform via InsightIDR (or find through a link in the Findings Report) to contain or disrupt the current attacker. Examples are locking an asset and disabling a user.

Customer Advisor: The Customer Advisor (“CA”) is each customer’s main point of contact for the Rapid7 MDR service. This named resource works with the customer’s team as a strategic security partner, from initial technology deployment through incident remediation and ongoing security consultation, to shepherd each customer organization’s security maturity.

Detection Methodologies: The ways in which Rapid7 MDR is able to find attackers in the customer environment.

Endpoint Detection and Response (EDR): Endpoint Detection and Response (EDR) tools are used by MDR to enhance the logs and information collected during incident investigation and gain a clearer picture of the attack.

Event Source: Event Sources are informational log sources used by InsightIDR and the MDR team to generate detections.

Forensic Analysis: Deep investigative work done by the MDR SOC analysts.

Full Service: Customers enter Full Service when the Insight Agent is deployed to over 80% of in-scope endpoints. Full Service includes Threat Hunting and the Compromise Assessment.

Investigation: Manual triage by the MDR SOC Pod based on alerts generated from our detections.

License: The software that powers the MDR service is purchased on a subscription basis and is centrally hosted, so the customer must purchase access to the Insight Agent and InsightIDR software through MDR in order for the service to operate properly.

Limited Service: If the customer is not able to deploy to 80% of their endpoints by completion of Deployment Days, the customer will be placed into Limited Service by the MDR SOC team. In this phase, the MDR SOC will monitor alerts from the currently connected event sources and deployed agents; however, the customer must still deploy the agents to the rest of their in-scope environment. The scope of Limited Service is restricted to endpoints with Insight Agents. Limited Service ends when the Insight Agent is deployed to 80% of the in-scope environment and the customer is moved to Full Service.

Log Source: Informational sources used to correlate actions and alerts inside InsightIDR. These are not the same as event sources.

Logically separated environment: The organization’s IT infrastructure may have one or more logically separated environments. For example, an organization may have an Internet-facing production data center that is separate from its corporate IT end-user environment, or it may have multiple subsidiaries with logically separate IT infrastructure. In these situations, Rapid7 recommends that an organization deploy our MDR service to all of its environments, for two reasons. First, attackers often move laterally within an organization from one environment to another, and without a full deployment to all environments we may be unable to detect or respond to the full scope of an attack. Second, if traffic or activity from ‘out of scope’ environments is logged by ‘in scope’ environments, this causes additional detection and response work for the MDR SOC that the customer is not licensed for. However, Rapid7 MDR will consider monitoring for ‘logically separated environments’ as long as these meet the following criteria:
* Environments have their own authentication and access control infrastructure; specifically, their own Windows domain.
* Environments are on a network that is logically segmented from the in-scope environments.
* Environments serve a distinctly different purpose than other environments, for example a production data center versus a corporate IT end-user network.
* Environments have their own Internet egress points.

Remote Incident Response: A technical process handled by the Managed Services SOC to scope the severity of a compromise. All investigation activity is conducted remotely and is limited to examination of data obtainable by the InsightIDR agent and platform. Remote Incident Response engagements are not time bound and expire at the end of each contract year.

Signatures: Detections based on specific attacker or code patterns.

SOC Pod: The customer’s environment will be assigned to one of our SOC Pods staffed by our world-class analysts. These analysts are assembled in Pods to ensure each customer receives continuous 24x7x365 monitoring coverage for real-time alert investigation and incident response. Each SOC Pod investigates alerts generated for its specific customer clusters.

Threat Hunting: Process of proactively searching for cyber threats in the environment, done manually by the SOC analysts.

Threat Intelligence Team: Supports the MDR SOC and CAs with threat analysis and new detections. Our Rapid7 Threat Intelligence team of researchers identifies new attacker trends across the global threat landscape and uses these findings to create in-product detection mechanisms for new vulnerabilities, exploits, and attack campaigns.

User Behavior Analytics (UBA): User Behavior Analytics (UBA) detections are triggered when a user exhibits a deviation from normal user activity within the customer’s environment.

Validation: The Rapid7 MDR SOC performs initial triage and investigation to determine with a high degree of confidence that the event is non-benign and requires a communication to the customer.

MDR Alert Priorities

Priority: Description

Critical: Activity occurred in your environment that was almost certainly a malicious event. Critical alerts require immediate response and are the highest priority for the MDR team.

High: Activity occurred in your environment that was most likely a malicious event and should be prioritized for analyst review.

Medium: Activity occurred in your environment that may be a malicious event and requires analyst review.

Low: Activity occurred in your environment that is likely not malicious but still requires review by a Rapid7 MDR Analyst.

Closed Alert Dispositions

Disposition: Description

Benign: This event was associated with non-malicious behaviors in the context of your environment and did not require additional validation from your organization to close.

Reported Benign: This event was reported to your organization and was confirmed as benign. For example, after further investigation, Rapid7 confirmed that a suspicious authorization or honeypot event was benign.

Reported Malicious: The event represented by this alert was associated with malicious activity and was reported to your organization. Your organization confirmed that this event was unexpected behavior, and further analysis indicated a compromise. The communication resulted in changes to your environment, such as password resets or reconfigured services.

Security Test: Rapid7 determined that this alert was related to security testing and did not require customer validation to close.

Reported Security Test: Rapid7 determined that this alert was associated with alerts often generated by security testing, and confirmed this with your organization.

Reported Unknown: Rapid7 reported this alert to your organization but did not complete an in-depth investigation. Your organization indicated that this event fulfilled a business use case or that it was of no concern.

System Closed: Alerts that were closed automatically without further analyst review. This includes alerts that on their own do not indicate malicious activity but are reviewed if they are related to a high-fidelity alert.

False Positive: An alert was triggered that was not related to the rule logic. Rapid7 triaged the event and submitted a tuning request to the intel team.

Rapid7 Cloud Technology Architecture and Capabilities

The following is a list of the Rapid7 cloud technology that is used with MDR.

Technology: Description

Insight Cloud: Responsible for all log management, data processing, enrichment, and storage of customer data. Each customer instance on the Insight cloud is isolated from other instances.

InsightIDR: Rapid7’s purpose-built cloud SIEM for incident detection and response combines real-time threat intelligence insights with a deep understanding of the customer’s environment and sophisticated behavior analytics to identify threats.

Customer Service Portal: Rapid7’s purpose-built portal to deliver MDR content, such as Findings and service-related reports, to the customer.

Threat Intelligence Engine: Primary Rapid7-developed intelligence paired with additional third-party sources to enrich attack detection and response processes in near real time.

Customer-Deployed Software and Configuration

The following is a list of the software that MDR customers deploy.

Technology: Description

Insight Agent: Powers the Insight cloud and allows Rapid7 analysts to collect data for identifying malicious activity on the customer’s endpoints, providing system-level visibility, real-time detection analysis, and endpoint investigation and hunting. We recommend deploying the Insight Agent on all endpoints, but require deployment to a minimum of 80% of licensed assets (defined as workstations, desktops, and servers) using the customer’s existing software management processes in order to deliver service. Rapid7 assigns deployment resources to work with the customer on the initial deployment of the Rapid7 MDR technology stack and to ensure the customer’s event sources are configured for optimal service.

Insight Collector: Collectors receive log data and agent data from the customer’s environment. All collected data is compressed and encrypted before being forwarded to the Insight cloud. The customer is responsible for provisioning Collectors as described in the Rapid7 InsightIDR documentation. The Collectors must meet the recommended hardware specifications. The customer is also responsible for keeping the Collector operating system patched and up to date.

InsightIDR: Rapid7’s purpose-built cloud SIEM for incident detection and response combines real-time threat intelligence insights with a deep understanding of the customer’s environment and sophisticated behavior analytics to identify threats. Customers can also establish custom alerts in InsightIDR; however, Rapid7 will be unable to act on these custom alerts beyond the monitoring that MDR typically covers. Additionally, the customer’s team should not modify or close out alerts within InsightIDR without first contacting the Customer Advisor, so that the Rapid7 MDR team maintains complete visibility.

Deception Technology: Honeypots, honey users, honey credentials, and honey files designed to identify malicious behaviors using fake assets, users, credentials in memory, or files.

File Integrity Monitoring: Alerts generated for changes to operating system and application software files to identify whether tampering or fraud has occurred. Rapid7 MDR does not alert on File Integrity Monitoring alerts, but these are available for the customer to investigate from their instance of InsightIDR.

Insight Orchestrator (Automation): Automation in InsightIDR allows the customer to add enrichment to open investigations or to take action when alerted to possible malicious behavior. The customer is responsible for provisioning, configuring, and activating an Orchestrator system to use automation functionality. Rapid7 will assist with the configuration, activation, and use of the Orchestrator. Rapid7 will not take any actions on the customer’s behalf to quarantine assets, stop processes, disable accounts, de-provision users, or perform any other type of action that is available as part of the InsightIDR Automation and Orchestration suite.