Time and time again, we've seen the same old Greek tragedy play out on the organizational stage: Organizations purchase technology and hope it automatically works right out of the box. The reality is all technology requires appropriate resource planning and expertise.

That's why Rapid7 offers Quick Start services for UserInsight, a service that helps you get set up quickly but also trains you in regular intervals over the course of a year to ensure that you are applying your knowledge consistently.

As a Security Consultant and Roundhouse Expert from Rapid7's Strategic Services, I've helped the UserInsight family of customers accelerate their time to value through Quick Start. We do this by helping with deployment, providing investigation guidance, and personally checking in every month for a year. What have we learned? Drawing from hundreds of our Quick Start calls, here are three little-known features our customers love:

  • Malicious Process Detection
  • Unique and Rare Process Detection
  • Threat Feeds

Malicious Processes

One of the highest value event sources in UserInsight is the Endpoint Monitor. The Endpoint Monitor detects running processes on each of your Windows and Mac endpoints. This gives UserInsight the ability to match against known malicious processes detected by major AV vendors, as well as create incidents based on potentially malicious processes (see below).

Unique and Rare Process Detection

Attackers that try to avoid having their malware detected try to obfuscate the code. These anti-virus evasion techniques create unique binaries that no AV vendor has seen before. However, since the Endpoint Monitor is collecting hashes of all running processes, UserInsight can identify processes that are unique or rare on your network. This allows detection of potentially malicious process not yet known by any AV vendors. Even if the process is not malicious, it could identify unwanted applications tied back to specific assets.


One of the more underrated features in UserInsight is Threats. The Threats tab allows you to create Threat lists from external sources, such as Emerging Threats. Alternatively, Threats can be used for incident containment. For example, if beaconing activity to a URL or IP is identified during a malware analysis, it could be used to create a UserInsight Threat. Any communications to IPs or an URL listed in a Threat will create an incident.

Here is a quick snippet of Python code (thanks @NinjaSloth) that could be used to post Threats from a text file I generated with BadActors by @JGamblin:

iplist = open('badactors.txt','r').readlines()
url = "https://insight.rapid7.com/api/1/remote/customthreat/threat_api_key_goes_here/ad d"
for ip in iplist:
    ip = ip.rstrip()
    r = requests.post(url, json={"ip":[ip]})

At UNITED 2015 in Boston, MA I covered similar set of tips in my Hidden Gems: UserInsight Tips That Rock Your World talk.

If you missed UNITED 2015, sign up for a personal guided UserInsight demo.