Hi all,
I’m trying to understand a set of signatures showing up in my environment under the “RAPID7-TIDE” naming, and I haven’t been able to find any useful documentation about them.
For example:
- RAPID7-TIDE Rule K1
- RAPID7-TIDE Rule L2 / M1 / M2
- RAPID7-TIDE E1 / E2
These appear alongside more understandable detections (LDAP queries, Kerberos errors, DNS recon, etc.), but these generic “Rule K1”, “E1”, etc. are completely unclear.
From what I can see:
- They don’t map to known CVEs or attack signatures
- The category is often “Unknown Classtype”
- There’s no description of what behavior triggers them
- They seem to fire on high-volume or long-lived flows in some cases
Questions:
- What exactly are these TIDE rules? Are they heuristic/behavioral detections?
- Is there any public documentation that explains what K1, L2, M1, etc. mean?
- Are these safe to tune or suppress if they generate noise?
- What is the recommended way to interpret them in investigations?
Right now they look like black-box alerts, which makes triage pretty difficult.
Any clarification would be greatly appreciated.
Thanks!