Outage in Rapid7

InsightIDR - Partial UBA Alerting Disruption (All regions)

Resolved Minor
January 17, 2023 - Started over 1 year ago - Lasted 20 days

Outage Details

The team is currently aware of an issue which is marking some users as "Removed" in IDR. We are working on identifying and fixing the issue so that the statuses of those "Removed" users are reset correctly.

Latest Updates (sorted recent to last)

RESOLVED about 1 year ago - at 02/06/2023 10:01PM

This incident has been addressed. The volume of 'First ingress authentication from country' and 'Brute force from unknown source' alerts has returned to normal, and the status of most users is now correctly shown. Any remaining users previously marked inactive (as well as the accounts associated with those users) will return to active as users log into associated assets.

IDENTIFIED over 1 year ago - at 01/20/2023 11:35PM

The code change which triggered this event has been rolled back. Our engineering team has repaired affected data for users in LDAP-based accounts by correcting their Active status. These users will no longer trigger false positive alerts.

This issue affected cloud-based and LDAP-based accounts. Our engineers are continuing to move groups of users back to their correct status. You should expect to see an ongoing reduction in false positive alerts as this work progresses toward completion. Cloud and SaaS users are more likely to be affected than others.

Finally, InsightIDR’s normal process of categorization has the ability to repair incorrectly categorized users over time. As incorrectly categorized users log in, they are moved into an Active state, eliminating further alerts.

This issue has not resulted in any data loss.

We will continue to update the status page with the latest information.

IDENTIFIED over 1 year ago - at 01/18/2023 08:25PM

We identified an issue with a recent change in our system that affected the way InsightIDR interprets whether a user is active or not. As a result, InsightIDR incorrectly labeled some active users as "Removed", which impacted some alerts associated with those users:
- In some cases, a large number of false positive "First Ingress Authentication from Country" and “Bruteforce from Unknown Source” alerts were generated.
- Some “Ingress From Disabled Account” alerts that should have fired, did not.
- Some alert modifications for the above alerts may not have been applied.

Our response and next steps:
Rapid7 Engineering teams are working on a fix to revert all users that were incorrectly labeled as “Removed” to their original “Active” status.

We will continue to update the status page with the latest information.

IDENTIFIED over 1 year ago - at 01/17/2023 01:33PM

The issue has been identified and a fix is being implemented.

INVESTIGATING over 1 year ago - at 01/17/2023 11:25AM

We are continuing to investigate this issue.

INVESTIGATING over 1 year ago - at 01/17/2023 11:25AM

The team is currently aware of an issue which is marking some users as "Removed" in IDR.
We are working on identifying and fixing the issue so that the statuses of those "Removed" users are reset correctly.
