New custom Detection Rules Overview

Hi!

Recently myself and my team have been testing the new functionality of custom detection rules.

After some testing and migrating some rules we had in the “Basic Detection rule” format, we have to say that this is a top tier functionality and we love it.

But I have a question. In the FAQ it says that you can only create 50 custom detection rule. Why is that? I mean, could this number change in the future?

image

If you have not tried the new custom detection rule, I encourage you to try it!

Here are the docs: Custom Detection Rules | InsightIDR Documentation

Thanks!
Ruben

2 Likes

Really? I didn´t know it was just up to 50… why? I mean… almost 5k detection rules by Rapid7 but we cannot get 51?

Glad you like the feature, and thank you for the feedback!
The reason for the current 50 limit is primarily because it’s a new feature and we are being cautious that customers may write rules that are overly noisy and swamp either themselves or their detection engine. We are constantly adding new features and safeguards to assist in testing, validating and preventing these potential problems, and have already increased the limit from an initial 20 to 50. I think the next jump will be to 200, but we are intending to increase this further (and can increase upon request individually in the meantime)

Cheers,

Nick

2 Likes

Thanks for the info @nick_mifsud4

Really appreciated!

Ruben.

Hi @nick_mifsud4!

Will the Basic Detection Rules be deprecated one day? Iam using those right now to notify myself (via E-Mail) about specific log appearances without triggering an investigation because I just want to be informed when something happens, e.g. when someone logs into a switch or our backup solution. I don’t need an investigation for that, but I want to be informed when it happenes and the Basic Detection Rules cover this case perfectly.

However, It seems like I can’t do that with the new Detection Rules, is that right? The rule action implies what will happen when a detection triggers, right? So I can create an investigation and thus get an E-Mail, like for all investigations, but I can’t only get an E-Mail. Will this feature be adopted to “just notify via E-Mail”?

A rule action for “Tracks Notable Events” & “Notify via E-Mail” would be perfect for my usecase.

Best regards
Robert

1 Like

Hi Robert!
Do not worry, Basic Detection Rules won’t be deprecated until we have exactly the feature parity that you require (and a few other BDR specific capabilities - most relevant to this thread would be removal of limitations on total number of active rules).
Right now, if you have an InsightConnect licence, you can achieve the same outcomes - but we are aware that the additional built in notification options with BDR are superior to the out of the box options with CDR and this is an area we are tackling as part of a broader automation upgrade across InsightIDR as a whole.

Cheers,
Nick

1 Like

What are some good custom detection rule recommendations? I know this will depend on the environment and based on what is considered an anomaly on a given server but wondering if you have any recommendations or is there any source on the web that might be helpful?

My only issue with the basic detection rule, is the output I get. It basically contains the whole log, is there a way to custom the notification email to only contain certain variables? Our previous option, has this, so the notification only produced the information we wanted from the log. As its stated earlier, this notification itself is too noisy, would be nice to only produce, the information I want. Perhaps using set variables?

Hi! For example I create some rules for correct foreign access to O365 or VPN service.

Its currently not possible to have the output only include the specific key/values you are interested in. This would be considered a Request for Enhancement