A Custom Threat (Community Threat) list containing IP addresses (e.g., customIPs1).
A Webhook integration that pushes logs into InsightIDR, including various IP fields.
I want to understand whether any detection mechanism in InsightIDR can automatically raise alerts when an IP from incoming webhook logs matches an IP stored in a custom threat list.
I’m looking for clarity on:
Whether InsightIDR supports automatic matching between webhook-ingested log fields and Custom Threat IPs.
If yes, what fields or event formats the webhook logs need to contain for threat-intel matching to work.
If no, what alternative approaches people use to achieve IP-to-Threat-List correlation (e.g., LEQL, custom detections, parsers, UDV mapping, etc.).
Any examples, documentation, or prior experiences from anyone who has implemented something similar.
Initially, I would raise a case with Rapid7 - and ask to confirm - but I'm pretty sure the Community Threat config only looks at specific log sets, and not everything you are pulling into IDR.
As you are using a webhook to receive this data, I presume it's set up as a Rapid7 Custom Logs event source, using the webhook functionality.
It might be better to create a variable in IDR and add the IPs from your Community Threat list into that variable. Then you can create either a basic detection rule or a custom rule in the custom rule library. You can then specify the actual event source that you want to reference against the variable for what you are trying to alert on.
Perry is absolutely correct here: Custom Log event sources, including the Webhook ingestion method, have no out-of-the-box detection rules that the data is checked against. The only option is to craft your own custom detection rules (or basic detection rules) against these logs, and using a Variable would help manage the rule.
Thanks for the response. I tested the variable approach as well, but since variables can’t reference or sync with a Custom Threat name, the values must be hard-coded. With the 3072-character limit, a variable only fits around 180–190 IPs, which isn’t scalable for larger or automated IOC feeds.
Is there an alternative way to match IPs from custom event logs (ingested via webhook or collector) against a larger Custom Threat IP list? Ideally something that:
Can match src_ip/dest_ip (or similar fields) from custom event logs
Works within Log Search or Custom Detections
If there’s a recommended approach (IOC ingestion, UDV mapping, enrichment, etc.), I’d appreciate any guidance.
However, we don't have any documented process for migrating CDTs to variables; it would involve manual work to get the existing CDTs' IOCs out, since there is no supported GET operation for existing CDTs via the public API.
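The variable workaround discussed in this thread, worked through as an added example (not InsightIDR's own code or API): it validates and dedupes an IOC feed, then packs the addresses into as few strings as possible that each stay under the 3072-character variable limit quoted above. The comma delimiter and the sample feed are assumptions for this example; loading each chunk into its own variable and referencing those variables from a custom detection rule remains the manual step described in the replies.

```python
import ipaddress

VARIABLE_CHAR_LIMIT = 3072   # variable size limit quoted in the thread
SEP = ","                    # delimiter inside a variable: assumed for this example

# Constructed sample feed (documentation-range addresses), not a real threat list.
SAMPLE_FEED = [
    "203.0.113.10",
    "203.0.113.10   # duplicate, dropped",
    "  198.51.100.7 ",
    "2001:db8::1",
    "192.0.2.0/24   # CIDR, not a bare address: skipped",
]

def normalize_ips(raw_lines):
    """Validate, trim and dedupe IPv4/IPv6 addresses; drop comments and junk."""
    seen, out = set(), []
    for line in raw_lines:
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            text = str(ipaddress.ip_address(token))   # canonical form
        except ValueError:
            continue                                  # CIDR, hostname, garbage
        if text not in seen:
            seen.add(text)
            out.append(text)
    return out

def chunk_for_variables(ips, limit=VARIABLE_CHAR_LIMIT, sep=SEP):
    """Greedily pack addresses, in order, into as few delimited strings as
    possible with each string no longer than `limit` characters."""
    chunks, current, length = [], [], 0
    for ip in ips:
        extra = len(ip) if not current else len(sep) + len(ip)
        if current and length + extra > limit:
            chunks.append(sep.join(current))
            current, length = [ip], len(ip)
        else:
            current.append(ip)
            length += extra
    if current:
        chunks.append(sep.join(current))
    return chunks

if __name__ == "__main__":
    for n, body in enumerate(chunk_for_variables(normalize_ips(SAMPLE_FEED)), 1):
        print(f"variable {n}: {len(body)} chars, {body.count(SEP) + 1} addresses")
```

With 15-character IPv4 addresses plus a one-character delimiter, 3072 characters hold at most 192 entries, which matches the 180-190 figure reported above.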