UBA detections migration to Detection Rule Library ETAs


Is there a place where we can see a roadmap of when the remaining Legacy UBA Rules will be migrated to the new Detection Rule Library? Our organization is excited to tune some of the legacy UBA rules.

Hello! I’m a member of the product team here at Rapid7 and unfortunately don’t have a full answer to this, but I can shed some light on where we currently sit with the migration, and what our plans are going forward. We are currently taking some time for engineering to do a full audit of the remaining Legacy UBA rules to discover the exact mechanisms needed to migrate them, while at the same time collecting all of our feedback around which rules are most important for customers to have migrated. Once those two bits are combined we will be able to push out a rough ETA on specific cohorts of rule migrations to our customers, finding a balance between prioritizing those with the most impact and those easiest to migrate. We expect to have this ready towards the end of Q2/early Q3. If you have any specific legacy rules that your organization is looking to tune, we’d love to have feedback to help in our prioritization work.

Hi Jordan,

I’ve mentioned this in previous support tickets, including when onboarding Rapid7 a few years ago, but I’ll add it here as well: the ‘New Local User Created’ UBA rule gives us problems. We have a large number of laptops from a particular supplier where the support and management software for the laptops regularly creates a temporary user (called supplier_tmp_randomtext) to perform config and support tasks and then deletes it. Every time this happens we get an alert and investigation created. We get around this with Outlook rules and an insightConnect workflow that deletes every investigation that this creates, but it would be great to filter these out permanently. I’ve just checked and I’ve had 60 of these in the last 5 hours, and it looks like at least 125,000 in total.
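The situation described in the last post above (a vendor agent creating and deleting a short-lived local account on every laptop, flooding a "New Local User Created" rule) is a common detection-tuning problem, and suppressing purely on the account-name prefix is risky, because anyone who knows the naming convention can hide a persistent backdoor account behind it. The following is an added, stand-alone example written for this page; it is not Rapid7 code and does not use InsightIDR's or InsightConnect's actual rule or workflow syntax. It models the exception a practitioner would want before suppressing the alert: the name must match the vendor pattern (the `supplier_tmp_` prefix and the random suffix are assumptions standing in for the real convention), the account must have been created by the expected service identity (assumed here to be `NT AUTHORITY\SYSTEM`), and it must be deleted again within a short window. The events are constructed samples modelled on Windows Security event IDs 4720 (user account created) and 4726 (user account deleted); the host names and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Hypothetical exception policy (assumption for this example, not a Rapid7 rule).
# All three conditions must hold before a creation event is treated as benign.
TEMP_USER_RE = re.compile(r"^supplier_tmp_[A-Za-z0-9]{6,}$")  # "randomtext" stand-in
EXPECTED_CREATOR = "NT AUTHORITY\\SYSTEM"                      # assumed agent identity
MAX_LIFETIME = timedelta(minutes=30)                            # assumed vendor lifetime

USER_CREATED = 4720  # Windows Security: a user account was created
USER_DELETED = 4726  # Windows Security: a user account was deleted

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # vendor agent creates and removes a temp account within minutes -> suppress
    {"time": "2024-05-01T09:00:00", "id": USER_CREATED, "host": "LT-001",
     "user": "supplier_tmp_a8f3kq", "subject": "NT AUTHORITY\\SYSTEM"},
    {"time": "2024-05-01T09:04:10", "id": USER_DELETED, "host": "LT-001",
     "user": "supplier_tmp_a8f3kq", "subject": "NT AUTHORITY\\SYSTEM"},
    # vendor-looking name but the account is never deleted -> keep alerting
    {"time": "2024-05-01T10:00:00", "id": USER_CREATED, "host": "LT-002",
     "user": "supplier_tmp_zz99ab", "subject": "NT AUTHORITY\\SYSTEM"},
    # vendor-looking name created by an interactive user -> keep alerting
    {"time": "2024-05-01T11:00:00", "id": USER_CREATED, "host": "LT-003",
     "user": "supplier_tmp_c0ffee", "subject": "LT-003\\jsmith"},
    {"time": "2024-05-01T11:02:00", "id": USER_DELETED, "host": "LT-003",
     "user": "supplier_tmp_c0ffee", "subject": "LT-003\\jsmith"},
    # ordinary new local user -> alert as before
    {"time": "2024-05-01T12:00:00", "id": USER_CREATED, "host": "LT-004",
     "user": "backupadmin", "subject": "LT-004\\Administrator"},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def evaluate(events):
    """Return the account-creation events that should still raise an alert.

    Works on a batch of events; in a streaming pipeline the same logic means
    holding a matching 4720 for MAX_LIFETIME and releasing the alert only if no
    4726 for the same host/user arrives in that window.
    """
    events = sorted(events, key=lambda e: e["time"])  # ISO timestamps sort lexically

    # Index deletions by (host, user) so each creation can look up its own removal.
    deletions = {}
    for e in events:
        if e["id"] == USER_DELETED:
            key = (e["host"], e["user"].lower())
            deletions.setdefault(key, []).append(_parse_time(e["time"]))

    alerts = []
    for e in events:
        if e["id"] != USER_CREATED:
            continue
        created = _parse_time(e["time"])
        key = (e["host"], e["user"].lower())
        deleted_in_window = any(
            created <= d <= created + MAX_LIFETIME for d in deletions.get(key, [])
        )
        benign = (
            TEMP_USER_RE.match(e["user"]) is not None
            and e["subject"] == EXPECTED_CREATOR
            and deleted_in_window
        )
        if not benign:
            alerts.append(e)
    return alerts


def alerted_users(events):
    """Convenience view: just the usernames that still alert, in time order."""
    return [e["user"] for e in evaluate(events)]


if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {e['time']} {e['host']} user={e['user']} created_by={e['subject']}")
```

Of the four creations in the sample, only the first is suppressed; the second and third keep alerting because a name-only exception would have hidden exactly the cases a defender cares about (a "temporary" account that was never removed, and one created by a person rather than the agent). The same three-part condition is what you would want expressed in whatever exception mechanism the migrated rule offers, rather than a bare username pattern.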