InsightIDR
Quick Start Guide
Contents
Revision history
Getting started with InsightIDR
Protecting your data with InsightIDR
Protecting your users with InsightIDR
Getting help
Gaining visibility into user activity
Planning your Collector deployment
Identifying Event Sources ... 12
User Attribution Event Sources ... 13
Configuring LDAP ... 14
Configuring Active Directory (AD) ... 18
Listen for Syslog ... 21
Log Aggregator ... 22
WMI ... 24
Configuring DHCP ... 25
Data Collection methods ... 28
Configuring Event Sources ... 30
Copying Event Sources to a Collector ... 34
Deleting a Collector ... 37
Data Collection ... 40
Data Collection Metrics ... 40
Setting an Intruder Trap ... 43
Honey Pots ... 44
Honey Users ... 45
Best Practices ... 47
Managing Honey Pots ... 47
Setup Data Exporter ... 48
Managing Exporters ... 49
Settings ... 51
Incident settings ... 52
User settings ... 53
Event Sources settings ... 55
Credential settings ... 56
Application settings ... 58
Incident modifications ... 59
Asset settings ... 60
Honey Users ... 60
Export Data ... 61
Static IP ranges ... 62
Unmanaged IP ranges ... 63
Network Zones ... 64
Network Policies ... 66
Tagged Domains ... 68
Unknown IP addresses ... 70
Running agents ... 70
General troubleshooting tips ... 71
Supported Event Sources ... 73
Event Source Categories ... 73
Supported Event Sources ... 74
Troubleshooting Endpoint Monitoring ... 79
Revision history
May 10, 2016: Created
August 29, 2016: Published to Community
Getting started with InsightIDR
Protecting your data with InsightIDR
InsightIDR monitors authentication activity and provides customizable incidents to monitor
access to sensitive systems and environments deemed important from a security or business
perspective. Rules can be tailored to white- or blacklist users or user groups and to monitor
access to individual assets or entire network ranges. This helps businesses identify unauthorized
access from external and/or internal threats. Furthermore, these controls help enforce both
internal and external policy compliance.
Protecting your users with InsightIDR
InsightIDR is a security tool that begins and ends with the user in mind. It focuses on user
accounts that are the most common targets for sophisticated attacks, while most tools focus on
assets, executables, or packet signatures. InsightIDR automatically analyzes and correlates user
accounts with assets, network activity, and data from other security tools in your environment,
looking for irregular behavior and known indicators of compromise. Activity that may be indicative
of a breach generates an incident, which contains not only user data, but also the aforementioned
asset data so that, in the event of a breach, security teams have a more complete picture of not
just what was involved, but who was responsible, when the event happened, and where the
intruder is headed next.
Getting help
The InsightIDR technical support team is available to help you with any questions you may have.
For assistance, visit the Rapid7 Support page, [Link]/support, or send an e-mail
request to support@[Link].
For additional information, go to Security Street, the Rapid7 online community Web site, where
you will find InsightIDR users and others who are interested in data security. The site also hosts
documentation, blogs, and user comments related to InsightIDR and other security products.
Gaining visibility into user activity
InsightIDR allows you to gain control of the vast amount of user activity data available from
devices that manage your network. Track the network resources your users are working on, the
devices they are using, and even the cloud services they are visiting. If you have concerns about
a web site, Web service, or mobile device, you can tell at a glance which accounts are using it.
The quality of information available in InsightIDR is determined by the configuration of your data
sources (see Planning your Collector deployment on page 9 and see User Attribution Event
Sources on page 13).
Collectors aggregate and transmit data from Event Sources to InsightIDR which runs analytics
and populates views in the Web application. Event sources provide log data from devices that
access your corporate network from anywhere in the world.
In order to obtain access to this log data, the InsightIDR Collector requires domain administrator
credentials that have permission to read the Active Directory and Windows Endpoint log files.
The InsightIDR Collector is hosted on-premise in the customer's environment, and credentials
are never readable anywhere outside the Collector on the corporate network. The log files are
passed through a filter before the data is transmitted to ensure that only the most necessary
information is uploaded to the hardened InsightIDR backend for analysis.
To prepare your network to work with InsightIDR, identify a server or virtual machine where you
will deploy your Collector, and then identify the Event Sources that will provide user activity data
from your network.
Planning your Collector deployment
The Collector is a machine on your network running Rapid7 software that either polls data or
receives data that is pushed from Event Sources and makes it available for InsightIDR analysis.
An Event Source represents a single device that sends logs to the Collector. For example, if you
have three firewalls, you will have one Event Source for each firewall in the Collector. The
Collector is the on-premise component of InsightIDR.
The Collector is responsible for gathering endpoint data. Note that it is often more efficient
to deploy multiple Collectors throughout an environment rather than break firewall rules or
overload a single Collector. Treat your Collectors as you would any other highly valuable asset;
the credentials for the various Event Sources you configure are stored on this device.
A Collector can be installed on a network server or virtual machine that meets the following
requirements:
• Operating system: Linux 64-bit or Windows 64-bit
• Minimum hardware: 4 GB RAM and 60 GB disk space; 2 CPUs recommended
• CPU: 1 CPU per 16,000 endpoints scanned by the Endpoint Scan
• Minimum network bandwidth: 100 Mbps network (recommended), 1000 Mbps (strongly
recommended)
There can only be one Collector installed per machine on your network. Rapid7 strongly
recommends that the machine (physical or virtual) is dedicated to running the Collector.
Collectors, foundational sources, and additional sources
Begin by configuring multiple Event Sources on a single Collector. Later, you can add Collectors
as needed. For example, you may need to distribute the bandwidth across your network if you
have very high logging levels or if your network is geographically dispersed.
To plan your Collector deployment, have the following information available for each server or
virtual machine where you will install the Collector:
• display name
• network location
• server host name and IP address
You must have administrator rights to install a service on the server.
The following process pairs the Collector installed in your network to Amazon Web Services
(AWS), where the InsightIDR servers are hosted. Note that no credentials are stored in AWS,
and raw logs are stripped by the Collector in your environment so that no sensitive data (i.e., PII,
medical records, etc.) is stored by Rapid7.
1. Configure firewall/web proxy rules to allow the Collector to reach
[Link] and [Link] If you have a firewall or
web proxy that restricts outgoing connections, you need to grant permission for the Collector
to be able to connect to the backend servers. Customers deployed in our Frankfurt, Germany
instance need to be able to reach [Link] and [Link]
2. All Collectors must be able to reach out to port 443 to: [Link]
(US) or [Link] (EMEA).
3. Disable the local firewall (if possible).
4. From your desktop, navigate to [Link] and log in with your InsightIDR
credentials (if you do not have credentials, contact a Rapid7 Sales Representative).
5. Download the Collector installer from [Link]
6. Copy it to the machine running InsightIDR.
7. Follow the installation wizard.
8. Click Activate Collector, name the Collector, paste the Agent Key, and click Activate.
9. All Collectors must be configured with a fully qualified domain name (e.g.
[Link]).
10. All endpoints need to be able to communicate back to the Collector via Collector ports:
• 5508
• 6608
• range 20,000 - 30,000
11. Overlapping endpoint monitoring ranges are not allowed. IP addresses or IP ranges defined
on Collector A should not be duplicated on Collector B. If this exists, it should be updated
before the migration or those ranges have to be manually updated after the migration.
12. Each Collector can only support one set of endpoint monitoring credentials per Collector. A
Collector instance will have to be setup for each set of endpoint monitoring credentials.
Identifying Event Sources
Collectors communicate with your network servers and gather data from your server logs to
produce a dashboard of user activity data for your security analysts.
To ensure complete coverage, take an inventory of your network servers and data logs that you
will configure as Event Sources.
View: Event Sources
User details: Microsoft Active Directory, LDAP server logs, Rapid7 Metasploit, Virus scanner,
VPN, and Endpoint Monitor
Asset details: Microsoft Active Directory security logs and the DHCP server logs, Nexpose,
and Endpoint Monitor
IP address history: Microsoft Active Directory security logs, DHCP server logs
Locations: VPN server logs, Cloud services (e.g. AWS, [Link]), and Microsoft ActiveSync
Services: DNS server logs, firewall, Web proxy, Cloud service - [Link], Okta,
Salesforce, and the Microsoft ActiveSync servers
Incidents: Microsoft Active Directory security logs, DHCP server logs, endpoint monitor,
VPN servers (IP address ranges), DNS server logs, Firewall, and the Web proxy
Threats: DNS server logs, Firewall, and the Web proxy
Important: Be sure to identify all of the servers that track user activity on your network and assign
them to a Collector. Otherwise, the InsightIDR dashboard may be incomplete, and you will not
have access to the data you need to keep your network, and your company's assets, safe.
Set up all of your User Attribution Event Sources before you set up any others. InsightIDR
provides step-by-step assistance as you set up your data sources.
User Attribution Event Sources
InsightIDR requires log data from three types of event sources to properly attribute all of your
organizations events to the users involved. You also need to provide the IP address ranges
issued by your VPN appliances.
Note: To measure your progress, you need to provide the total number of servers of each type
that you will add to InsightIDR from your network.
The User Attribution event sources to configure are:
• LDAP: Tracks user information essential to link account activity with real users and identify
privileged and service accounts.
• DHCP: Tracks IP addresses over time. DHCP logs are required for asset-to-IP correlation.
• Domain Authentication: Tracks all user logons including both successful and failed logons.
Required for effective use of InsightIDR ingress analytics. A domain administrator account is
required for each server. These logs are stored in the context of the Microsoft Active
Directory.
Configuring LDAP
1. Click Data Collection from the InsightIDR menu.
2. Click Add Event Source from the Setup Event Source menu.
3. The Add Event Source page displays. Click LDAP.
4. Select Windows Collector from the Collector dropdown menu.
5. Select Microsoft Active Directory LDAP from the Event Source dropdown menu.
6. Check the Timezone box if you want to display only U.S. time zones.
7. Select the time zone from the Timezone dropdown menu.
8. Enter the server name in the Server field.
9. Enter the user domain in the User Domain field.
10. Enter the refresh rate (in hours) in the Refresh Rate field.
11. Select the Credential from the Credential dropdown menu.
12. The Username field automatically populates based on the selected credential.
13. The Type field automatically populates based on the selected credential.
14. Enter the credential. In this example, the required credential is a password. The field name
reflects the credential type.
15. Optionally, enter the base distinguished name (Base DN) in the Base DN field.
16. Optionally, enter the admin group in the Admin Group field.
17. Click the SAVE button.
LDAP data is automatically mirrored across all of your LDAP servers; thus, even if you have multiple
LDAP servers, you only need to configure one LDAP event source (unless you have manually
disabled the auto-mirror feature).
Configuring Active Directory (AD)
1. Click Data Collection from the InsightIDR menu.
2. Click Add Event Source from the Setup Event Source menu.
3. The Add Event Source page displays. Click Active Directory.
4. Select Windows Collector from the Collector dropdown menu.
5. Select Microsoft Active Directory Security Logs from the Event Source dropdown menu.
6. Check the Timezone box if you want to display only U.S. time zones.
7. Select the time zone from the Timezone dropdown menu.
8. Click the appropriate Collection Method.
Listen for Syslog
1. Select the Protocol from the Protocol dropdown menu.
2. Enter the port number in the Port field.
3. Click the SAVE button.
Log Aggregator
1. Select the Log Aggregator from the Log Aggregator dropdown menu.
2. Select the Protocol from the Protocol dropdown menu.
3. Enter the port number in the Port field.
4. Click the SAVE button.
WMI
1. Enter the server name in the Server field.
2. Enter the user domain in the User Domain field.
3. Select the Credential from the Credential dropdown menu.
4. The Username field automatically populates based on the selected credential.
5. Enter the credential. In this example, the required credential is a password. The field name
reflects the credential type.
6. Click the SAVE button.
AD Domain Controllers do not mirror data; repeat these steps for each DC in your environment.
Configuring DHCP
Microsoft DHCP
1. On your DHCP server, create a new folder for DHCP logs; we recommend placing this folder
on the root C drive (C:\dhcplogs).
2. Once the folder is created, right-click the folder, select Properties-->Sharing-->Advanced
Sharing-->Share this folder-->Permissions-->Add and provide the credentials that will
have access to this file (read-only access is adequate).
3. Once the folder is ready, launch the DHCP console and right-click IPv4 in the left pane, then
click Properties.
4. Under the Advanced tab, change the Audit log file path destination folder to the new folder you
just set up (C:\dhcplogs).
5. Restart the DHCP server to apply changes.
6. From the left panel of the Home page, click Data Collection.
7. Select ADD EVENT SOURCE from the SETUP EVENT SOURCE dropdown menu.
8. The Add Event Source screen displays. Click DHCP.
9. Select Windows Collector from the Collector dropdown menu.
10. Select Microsoft DHCP from the Event Source dropdown menu.
11. Click the Watch Directory under the Collection Method.
12. Enter the FQDN of the DHCP server and the file path to the folder (C:\dhcplogs).
For more information, refer to the Preparing Microsoft DHCP and DNS for the Insight Platform
Collector document.
Other non-Microsoft DHCP sources
1. Ensure the DHCP host is logging all DHCP activity.
2. Configure DHCP source to send logs to your Collector by specifying it as a syslog server.
3. Use the Listen for Syslog Collection Method to ingest logs over a predetermined port.
Data Collection methods
The following paragraphs describe the most common data collection methods. In some cases,
you provide the directory or file location where the Collector can access the server logs. You can
specify a local folder path or a Windows UNC (Universal Naming Convention) path to a hosted
network drive.
Important: Only those log entries that are added to the file after the Event Source is connected to
a Collector are uploaded to InsightIDR.
Watch directory
The watch directory is the network location of a watch directory where log files are copied. This
method monitors a specified directory on a local or remote host and uploads files added to the
directory, at 30-second scan intervals. Use this method for log files that roll over to new files, for
example, Microsoft DHCP and IIS (Internet Information Services) log files.
Tail file
This is the network location of a tail file where log data is stored. This method watches a specific
file written to disk using the equivalent of the UNIX tail command, at 20-second scan intervals.
Use this method for log files that are written continuously to a single file, for example, Windows
DNS log files.
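The following Python script is an added example, not code from this guide or from Rapid7's Collector. It models the Tail file method together with the note above that only entries written after the Event Source is connected are uploaded: the reader records the file size at attach time, returns only complete lines appended after that point, keeps a half-written trailing line until the writer finishes it, and restarts from the top when the file shrinks (truncation or in-place rotation). The file name, the sample lines and the scan interval parameter (defaulting to the 20 seconds stated above) are constructed for the example.

```python
"""Offset-tracking tail reader (added example; not Rapid7's Collector code).

Models the "Tail file" collection method: attach at the current end of the
file, return only complete lines appended afterwards, and recover from a
file that is truncated or rotated in place.
"""
import os
import tempfile
import time


class TailReader:
    def __init__(self, path, start_at_end=True):
        self.path = path
        self.offset = 0
        self.partial = b""
        # Only entries added after the Event Source is attached are uploaded,
        # so start at the current end of the file rather than at byte 0.
        if start_at_end and os.path.exists(path):
            self.offset = os.path.getsize(path)

    def poll(self):
        """Return the complete new lines appended since the previous poll."""
        if not os.path.exists(self.path):
            return []
        size = os.path.getsize(self.path)
        if size < self.offset:
            # The file shrank: it was truncated or replaced by a rotated copy.
            # Restart from the top so the new file's contents are not lost.
            # (A file replaced by a larger one would also need an inode check.)
            self.offset = 0
            self.partial = b""
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
            self.offset = fh.tell()
        data = self.partial + chunk
        lines = data.split(b"\n")
        # The last element is either empty or a line the writer has not yet
        # terminated; keep it until the next poll completes it.
        self.partial = lines.pop()
        return [ln.rstrip(b"\r").decode("utf-8", "replace") for ln in lines if ln]

    def follow(self, interval=20.0):
        """Yield new lines forever, scanning at the given interval in seconds."""
        while True:
            for line in self.poll():
                yield line
            time.sleep(interval)


def demo():
    """Constructed scenario: attach to a log with history, append, then rotate."""
    path = os.path.join(tempfile.mkdtemp(), "dns.log")
    with open(path, "w") as fh:
        fh.write("old line 1\nold line 2\n")   # history present before attach
    reader = TailReader(path)
    first = reader.poll()                       # history is skipped: []
    with open(path, "a") as fh:
        fh.write("new line A\nnew li")          # second line still incomplete
    second = reader.poll()                      # ['new line A']
    with open(path, "a") as fh:
        fh.write("ne B\n")                      # writer completes the line
    third = reader.poll()                       # ['new line B']
    with open(path, "w") as fh:                 # rollover: file truncated
        fh.write("after rotate\n")
    fourth = reader.poll()                      # ['after rotate']
    return first, second, third, fourth


if __name__ == "__main__":
    print(demo())
```

Running the script prints the four poll results; `follow()` is the loop a long-running reader would use in place of the one-off `poll()` calls in `demo()`.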
Listen for Syslog
The TCP or UDP port where syslog events are being forwarded. Many network appliances can
be configured to deliver audit logs over syslog to a server. These appliances should be configured
to send their logs to a unique port on the Collector where an Event Source has been set up in
InsightIDR to ingest the logs. Collectors accept syslog messages over UDP or TCP.
SIEM
In some deployments, a SIEM may already collect data. You can configure your SIEM to send
logs to the Collector by selecting the appropriate SIEM under Log Aggregator when configuring
the Event Source in InsightIDR.
Honey Pot
A Honey Pot is a virtual server that you can deploy on your network from InsightIDR. The Honey
Pot provides a simple way to detect attackers from attempting to scan your network. For more
information, please refer to the Honey Pot documentation located in the InsightIDR online
community.
Endpoint Monitor
The Endpoint Monitor is a unique Event Source in the InsightIDR Collector infrastructure in that it
acts as a scanner to query endpoints across the network. The Endpoint Monitor technology
ingests this information into InsightIDR without requiring an agent to be installed on the endpoints
themselves. For more information, please refer to the Endpoint Monitoring in InsightIDR
documentation located in the InsightIDR online community.
Configuring Event Sources
Perform the following steps to configure Event Sources:
1. Click the Data Collection link from the InsightIDR menu.
2. Click Add Event Sources from the Setup Event Source dropdown menu.
3. The Add Event Source page displays. Click the appropriate Event Source.
4. Choose the Collector that the Event Source will be installed in. For this example, it is the
Active Directory.
5. Click Windows Collector from the Collector dropdown menu.
6. Click Microsoft Active Directory Security Logs from the Event Source dropdown menu.
7. Check the Timezone box if you want to display only U.S. time zones.
8. Select the time zone from the Timezone dropdown menu.
9. Click the appropriate Collection Method. Additional information may need to be entered based
on the Collection Method chosen.
10. Click the Save button.
Please review the appropriate documentation for setting up additional data sources.
Note: If your network configuration includes resources that you can access with the same user
name and password, you can reuse those credentials across multiple data sources in InsightIDR.
This way, you only need to provide the credentials once.
When all of your data sources are configured and running successfully, the InsightIDR views are
populated with your company data.
Note: As a security measure, InsightIDR logs off automatically after 15 minutes of inactivity.
When you next log on after being logged off automatically, you return to the page you last visited.
Copying Event Sources to a Collector
There may be times when you want to use an existing Collector as the starting point for another
Collector. The existing Collector has many of the Event Sources that you need; you just need to
make a few modifications for your new Collector.
Perform the following steps to copy Event Sources from one Collector to another Collector.
1. Click Data Collection from the InsightIDR menu.
2. Click Manage Collectors from the Setup Collector dropdown menu.
3. The Collectors page displays.
4. Click the Copy event sources link for the Collector that you want to copy.
5. The Copy event sources dialog displays.
6. Select the Target Collector (the Collector you want to copy the Event Sources to) from the
Target Collector dropdown menu.
7. Click the Save button.
Deleting a Collector
If you encounter a problem and need to delete a Collector from the Collectors list, you must also
uninstall it from the server or virtual machine where it is installed.
To delete a Collector:
1. Click the Data Collection link in the InsightIDR menu.
2. Click Manage Collectors from the Setup Collector dropdown menu.
3. The Collectors page displays.
4. Click the Delete button of the Collector that you want to delete.
5. The Delete Collector confirmation dialog displays. Enter the name of the Collector to confirm
the deletion.
6. Click the I UNDERSTAND, DELETE THIS COLLECTOR button.
The Collector and all Event Sources assigned to it are removed from the Collectors list. Data
from the Event Sources will no longer be ingested in InsightIDR.
Note: To ensure proper operation, you must uninstall the Collector from the server where it is
installed.
7. Go to the server where the Collector is installed and uninstall it:
• In Windows, open the Start Menu, locate the Insight Platform folder, and then click the
Uninstall button.
Tip: If you cannot find the Uninstall shortcut, run the [Link] file from the
InsightIDR\.install4j subdirectory of the destination directory where you installed the Collector.
• In Linux, run the uninstall script from the .install4j subdirectory of the destination directory
where you installed the Collector.
When the Uninstaller finishes, the Collector has been removed from the server. If you later
decide to reinstall and reactivate the Collector on the same machine, you can do so.
Data Collection
The Data Collection page displays Collector, Event Source, and Honey Pot information.
Additional options allow you to set up Event Sources, Collectors, and Data Exporters. Refer to
the Endpoint Monitoring Guide to learn how to set up Event Sources and Collectors.
Data Collection Metrics
The top of the page displays Data Collection Metrics: Collectors, Event Sources, and Honeypots.
Collector Metrics
Clicking the Collector metric displays the Collector page. The left side of the page allows you to
view Collectors by their state:
• All
• Registering
• Generating Keys
• Healthy
• Warning, and
• Error
Click a state to display Collectors matching that state. The middle of the page displays
information about the selected collectors.
Event Sources Metrics
Clicking the Event Sources metric displays the Event Sources page. This page displays Event
Sources and Collector information. Use the left panel to view Event Sources and Collectors by
type.
Honey Pots Metrics
Clicking the Honeypots metric displays the Honey Pots page. Use the left panel to select Honey
Pots by a specific state.
Setting an Intruder Trap
The Set Intruder Trap menu allows you to:
• Manage Honeypots
• Download a Honeypot, and
• Activate a Honeypot
Honey Pots
Honey Pots are fake assets that produce an alert any time a user attempts to connect to the
device. Once attackers find an initial foothold in a network, their next step is typically a network
scan to identify all the other assets in the network.
Deployment guide
1. On the Collectors page in Insight Platform, click Download Collector and select the Honeypot
(OVA).
2. Download the Honey Pot.
3. In your VMware environment, create a new VM from the OVA.
4. Power on the VM. You will see the following prompt:
[Prompt shown in the original figure: Powering the VM]
5. Provide a name that fits your network naming convention and makes the machine look
important.
6. You will be prompted to acknowledge the machine's IP address. Continue until you see:
[Screen shown in the original figure: Acknowledge machine's IP address]
7. Take note of the Agent key (xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx) that is displayed.
8. On the Collectors page in the InsightIDR web interface, click Activate Collector. Enter a
name for the Honey pot and enter the Access Key to pair the Honey Pot OVA to your
InsightIDR instance.
9. Once paired successfully, you receive automated alerts for any connection attempts to the
Honey Pot; run a standard discovery scan, a vulnerability scan, throw some exploits, or
attempt to brute force the Honey Pot to trigger an incident! These are all common techniques
during the reconnaissance and enumeration phase of the attacker's kill chain.
Honey Users
A Honey User is a dummy user that is not associated with a real person within the organization,
and therefore should never be accessed. Attackers frequently attempt to authenticate to as many
user accounts as possible during the reconnaissance phase of an attack; this helps expand their
footprint and gain access to more assets and privileges without tripping any traditional alarms.
Honey users, however, are a unique way to detect this activity; anytime someone attempts to log
in to a honey user account, InsightIDR generates a Honey User Authentication incident, which
shows when an attempt occurred and which asset was targeted.
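As an added example (not InsightIDR's own code), the following Python script shows the detection this section describes, run over constructed Active Directory security events. Every logon-related event whose target account is a marked Honey User becomes an incident, successful or not, and a second function counts how many distinct honey accounts each source address touched, which is the account-enumeration pattern the text describes. The Honey User names, the event lines and their flat key=value layout are constructed for the example; the Windows event IDs and field names are the real ones.

```python
"""Honey User authentication detector (added example; not InsightIDR code).

Scans Active Directory security-log events for any logon activity against
accounts marked as Honey Users and turns each hit into an incident record.
"""
import re
from collections import defaultdict

# Constructed: accounts marked under Settings --> Honey Users.
HONEY_USERS = {"svc_backup_admin", "m.reynolds"}

# Logon-related Windows security event IDs and the outcome each reports.
LOGON_EVENTS = {
    "4624": "success",   # an account was successfully logged on
    "4625": "failure",   # an account failed to log on
    "4768": "success",   # Kerberos TGT requested
    "4771": "failure",   # Kerberos pre-authentication failed
    "4776": "attempt",   # NTLM credential validation (outcome is in Status)
}

# Constructed sample events in a flat key=value layout (assumption: a real
# collector parses the XML/EVTX record; the field names match Windows).
EVENTS = """\
2016-05-10T08:01:10Z EventID=4624 TargetUserName=j.smith IpAddress=10.10.5.23 WorkstationName=WS-FIN-021 LogonType=2
2016-05-10T08:04:55Z EventID=4625 TargetUserName=svc_backup_admin IpAddress=10.10.7.9 WorkstationName=LT-SALES-003 LogonType=3 Status=0xC000006A
2016-05-10T08:04:57Z EventID=4625 TargetUserName=m.reynolds IpAddress=10.10.7.9 WorkstationName=LT-SALES-003 LogonType=3 Status=0xC000006A
2016-05-10T08:05:01Z EventID=4624 TargetUserName=svc_backup_admin IpAddress=10.10.7.9 WorkstationName=LT-SALES-003 LogonType=3
2016-05-10T08:09:30Z EventID=4771 TargetUserName=M.REYNOLDS IpAddress=::ffff:10.10.7.9 WorkstationName=-
2016-05-10T08:15:00Z EventID=4624 TargetUserName=j.smith IpAddress=10.10.5.23 WorkstationName=WS-FIN-021 LogonType=2
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_event(line):
    """Split one constructed event line into a timestamp plus a field dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    fields["time"] = ts
    return fields


def detect_honey_auth(lines, honey_users=HONEY_USERS):
    """Return one incident per logon event that targets a Honey User.

    Any outcome counts: a failed attempt is still someone probing an
    account that no real person should ever use.
    """
    incidents = []
    honey = {u.lower() for u in honey_users}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        outcome = LOGON_EVENTS.get(ev.get("EventID"))
        user = ev.get("TargetUserName", "").lower()   # AD names are case-insensitive
        if outcome is None or user not in honey:
            continue
        # Kerberos events carry IPv4-mapped IPv6 addresses; normalise them.
        source = ev.get("IpAddress", "-")
        if source.startswith("::ffff:"):
            source = source[len("::ffff:"):]
        incidents.append({
            "type": "Honey User Authentication",
            "time": ev["time"],
            "user": user,
            "outcome": outcome,
            "source_ip": source,
            "asset": ev.get("WorkstationName", "-"),
            "event_id": ev["EventID"],
        })
    return incidents


def honey_users_per_source(incidents):
    """Count distinct Honey Users touched from each source IP."""
    seen = defaultdict(set)
    for inc in incidents:
        seen[inc["source_ip"]].add(inc["user"])
    return {ip: len(users) for ip, users in seen.items()}


if __name__ == "__main__":
    found = detect_honey_auth(EVENTS.splitlines())
    for inc in found:
        print(inc)
    print(honey_users_per_source(found))
```

On the constructed input the script reports four incidents, all from one source host, which touched both honey accounts within minutes; the legitimate user's logons on the first and last lines are ignored.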
Creating a Honey User
1. Create a new user in Active Directory with a believable name, but don't give anyone access to
the account. This will be your new Honey User.
2. Give the Honey User every appearance of a normal employee of the company! This includes
things like a complex passphrase, organizational mappings, permissions, or whatever else
may trick an attacker into believing the user is an actual employee.
3. Remember that honey users may have multiple accounts! In fact, multiple accounts can
increase the likelihood that an attacker will target the user, as it seems more authentic and
provides additional chances for reaching an administrative role (or so the attacker thinks).
4. Log in to your account in InsightIDR. Select Settings --> Honey Users and enter the newly
created Honey Users name in the search bar. Select the name to mark the user as a Honey
User.
Best Practices
If your organization uses a naming convention for assets and/or users, configure these intruder
traps to match all naming conventions; do not name your Honey Pot "honeypot", or your honey
user "John Doe". If an attacker is smart enough to get past perimeter defenses, then he's smart
enough to avoid obviously fake assets and users.
We also recommend deploying both Honey Pots and honey users throughout the environment
with an added emphasis on critical network segments or subnets. In the event of a breach, having
tiers of intruder traps can help isolate the precise location of an intruder or malicious insider in the
network, helping Incident Response teams lock down users and assets quickly to contain the
incident.
Managing Honey Pots
Perform the following steps to manage a Honey Pot.
1. Click Manage Honeypots from the Set Intruder Trap dropdown menu.
2. The Honey Pots page displays. The left side displays options to:
• View all Honey Pots
• View registering Honey Pots
• Generating keys
• Healthy
• Warning, and
• View Honey Pots with errors.
3. The middle of the page displays information about the Honey Pots.
Setup Data Exporter
The Setup Data Exporter dropdown menu provides options to:
• Add Data Exporter
• Manage Exporters
Perform the following steps to add a Data Exporter.
1. Click Add Data Exporter from the Setup Data Export menu.
2. The Add Data Exporter dialog displays.
3. Click Collector from the Collector dropdown.
4. Click Data Exporter from the Data Exporter dropdown menu.
5. Optionally, enter a display name in the Display Name field.
6. Click the Save button.
Managing Exporters
Perform the following steps to manage Exporters.
1. Click Manage Exporters from the Setup Data Exporters dropdown menu.
2. The Data Exporters page displays. The left side of the page lists Exporters by type and state.
• Product
  • All
• Collector
  • All
• State
  • All
  • Running
  • Warning
  • Error
  • Stopped
3. Click a type or state to display more information about that Exporter.
4. The middle of the page displays information about the selected Exporters.
Settings
The Settings page allows you to configure InsightIDR to meet your needs. The following list
names each type of setting that you can define and explains what it controls.
Incident Settings: designate the types of incidents that InsightIDR tracks.
User Settings: allow you to assign a role to a user. You can also add new users and delete
users.
Event Source Settings: allow you to specify the IP addresses for each event source.
Credential Settings: allow you to add new credentials for InsightIDR to monitor.
Application Settings: allow you to add applications for InsightIDR to monitor.
Incident Modifications: lists exceptions for incidents.
Asset Settings: allow you to designate which assets are restricted based on a Nexpose
criticality setting. Note: You need Nexpose to use this functionality.
Honey Users: view, mark, or delete users as Honey Users.
Export Data: allows you to export account, asset, and mobile device information from
InsightIDR into a CSV file.
Static IP Ranges: assets that do not receive IP addresses via DHCP. Most commonly, these
are servers and any other assets that have a statically assigned IP.
Unmanaged IP Ranges: ranges that are outside the managed corporate network.
Network Zones: allow the logical labeling of different systems or business groups based on IP
ranges.
Network Policies: allow you to create alerts based on rules; for example, the finance network
zone can only be accessed by those in the finance group within the Active Directory. This is
driven from Network Zones and Active Directory group membership.
Tagged Domains: domains owned or ignored by an organization. This is used for the Spear
Phishing URL detection incident.
Unknown IP Addresses: InsightIDR tracks all IP addresses it receives from DHCP and VPN
assignments, but sometimes logs come in with IPs that have never been seen before by any of
the DHCP or VPN event sources. These IPs are reported as Unknown IP Addresses in order to
help you see if you might be missing a DHCP or VPN event source in your environment
somewhere that you should hook up to a Collector.
Running Agents: displays a list of running agents. The hostname and last seen time are
displayed.
Incident settings
Incident settings designate the types of incidents that InsightIDR tracks. To disable tracking of
an incident, clear that incident's checkbox; to enable an incident, check its checkbox.
(Figure: Enabling incident tracking)
Some incident types also let you scope the incident by:
• specific user type (Figure: Incident by user type)
• time period (Figure: Incident by time period)
• priority (Figure: Incident by priority)
• ingress type (Figure: Incident by ingress type)
User settings
User settings allow you to assign a role to a user. You can also add new users and delete users.
The following list explains the different roles and their associated functionality.

Admin: can perform all Insight Platform functionality.
Investigator: can view incidents and start investigations.
Read only: can only view information.
Adding a user
To add a user, perform the following steps.
1. Click the ADD USER button. The Create User dialog displays. (Figure: Add user button)
2. Enter the user's e-mail address in the Email field.
3. Enter the user's first name in the First Name field.
4. Enter the user's last name in the Last Name field.
5. Select the user's role from the Role dropdown menu. (Figure: Setting role drop-down)
6. Enter a password in the Password field.
7. Re-enter the password in the Confirm Password field.
8. Click the Create button.
(Figure: Add user dialog)
Assign the least privileged role that lets the person do their job: Read only for viewers, Investigator for analysts who triage incidents, and Admin only for those who must change configuration.
Changing a user's role
To change a user's role, select the appropriate role from the Role dropdown list for that user.
(Figure: Change user role)
Deleting a user
To delete a user, click the delete icon on the right-hand side of that user's row.
(Figure: Delete user)
Event Sources settings
Event sources fall into the categories User Attribution, Endpoint Monitoring, Rapid7, Security Data, and Raw Data; each is described under Event Source Categories in the Supported Event Sources chapter.
Entering a VPN IP address range or Local IP address range
To enter a VPN IP address range:
1. Enter the VPN IP address range in the VPN IP Address Range field.
2. Click the Submit button.
To enter a Local IP address range:
1. Enter the Local IP address range in the Local IP Address Range field.
2. Click the Submit button.
(Figure: Event source settings)
Credential settings
Credential settings allow you to add new credentials for InsightIDR to monitor.
(Figure: Credential settings)
To add a new credential, perform the following steps:
1. Click the ADD CREDENTIAL button. The NEW CREDENTIAL dialog displays. (Figure: Add credential button)
2. Enter the name of the new credential in the Name field.
3. Enter the user name of the credential in the Username field. For endpoint monitoring credentials, include the domain, in the form domain\username (see Troubleshooting Endpoint Monitoring).
4. Select the credential type from the Type dropdown menu. (Figure: Credential drop-down)
5. Enter the password in the Password field.
6. Click the DEPLOY CREDENTIAL button.
(Figure: New credential dialog)
Treat these credentials as privileged secrets: use a dedicated account with only the rights that the credential type requires, since the Collector holds the secret and presents it to the systems it monitors.
Application settings
Application settings allow you to add applications for InsightIDR to monitor. To add an
application, perform the following steps:
1. Click the ADD APPLICATION button. The New Application dialog displays. (Figure: Add application button)
2. Enter the name of the application in the Name field.
3. Select the application type from the Type dropdown menu. (Figure: Application type drop-down)
4. Click the CREATE button.
(Figure: Add application dialog)
Incident modifications
Incident modifications list the exceptions that exist for incidents. An exception is created when you
whitelist or blacklist an incident as you close it. Exception types include:
• Permitted Disabled Authentication to Asset
• Allowed Ingress From User
• Suspicious Authentication To Asset
• Allowed Ingress From Location
• Honeypot Exception
• Permitted Local Account Authentications
• Permitted Impersonation
• Permitted Brute Force
• Permitted Brute Force User
• Permitted Access to New Assets
• Account Enabled Whitelist
Review this list periodically: each entry suppresses a detection the incident would otherwise raise, so a stale exception can hide a real intrusion.
Asset settings
Asset settings allow you to designate which assets are restricted based on a Nexpose criticality
setting. Note: You need Nexpose to use this functionality.
To set the Nexpose criticality setting, perform the following steps:
1. Tick the Use criticality setting from Nexpose checkbox.
2. Select the criticality level from the Criticality dropdown.
3. Click the Submit button.
(Figure: Set criticality)
Honey Users
This page allows you to mark, unmark, and view Honey Users.
Marking a user as a Honey User
To mark a user as a Honey User, perform the following steps:
1. Enter the name of the user that you want to mark as a Honey User in the Search field. As you type, InsightIDR displays a list of matching users. (Figure: Searching for a user to mark as a Honey User)
2. If the user's name appears in the results, select it. If not, continue typing until the name appears or you have typed the complete name.
3. Press the Enter key. The name displays in the Honey User list. In this example, Carla Hoffman was selected.
(Figure: Honey Users list)
Export Data
Export Data allows you to export account, asset, and mobile device information from InsightIDR
into a Comma Separated Values (CSV) file. Click the CSV button next to the file that you want to
download. You can open the file in Excel or any program, such as a text editor, that can open a CSV file.
These exports are an inventory of your accounts and assets; store and share them with the same care as the directory data they came from.
(Figure: Export data)
Static IP ranges
Static IP ranges are used to define assets that do not receive IP addresses via DHCP. Most
commonly, these are servers and any other assets that have a statically assigned IP. You can
add and edit ranges.
Adding a Static IP range
To add a Static IP range, perform the following instructions:
1. Click the ADD IP RANGE button. (Figure: Add IP range button)
2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field, in CIDR notation: the address before the slash (/) is the first address of the range, and the number after the slash is the prefix length, that is, the number of leading bits that every address in the range shares. A /24 therefore covers 256 consecutive addresses; for example, the range [Link]/24 runs from [Link] through [Link].
4. Click the checkmark.
(Figure: Add IP range)
Editing a Static IP range
To edit a Static IP range, perform the following instructions:
1. Click the pencil icon to the right of the range that you want to edit.
2. Make the required edits.
3. Click the checkmark.
(Figure: Edit IP range)
Unmanaged IP ranges
Unmanaged IP ranges are ranges that are outside the managed corporate network.
Adding an Unmanaged IP range
To add an Unmanaged IP Range, perform the following instructions:
1. Click the ADD IP RANGE button. (Figure: Add IP range button)
2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field, in CIDR notation (see Adding a Static IP range): the address before the slash (/) is the first address of the range and the number after the slash is the prefix length. For example, the range [Link]/24 covers the 256 addresses from [Link] through [Link].
4. Click the checkmark.
(Figure: Add IP range)
Network Zones
Network Zones allow the logical labeling of different systems or business groups based on IP
ranges.
(Figure: Network zones)
Adding a Network Zone
To add a Network Zone, perform the following instructions:
1. Click the ADD ZONE button. (Figure: Add zone button)
2. Enter the name for the zone in the Zone Name field.
3. Enter the range in the IP Range field, in CIDR notation (see Adding a Static IP range): the address before the slash (/) is the first address of the range and the number after the slash is the prefix length. For example, the range [Link]/24 covers the 256 addresses from [Link] through [Link].
4. Click the checkmark.
(Figure: Add IP range)
Editing a Network Zone
To edit a Network Zone, perform the following instructions:
1. Click the pencil icon to the right of the range that you want to edit.
2. Make the required edits.
3. Click the checkmark.
(Figure: Edit IP range)
Network Policies
Network Policies allow you to create alerts based on rule violations. For example, a policy can state that the finance
network zone may only be accessed by members of the finance group in Active Directory. Policies are
driven by Network Zones and Active Directory group membership, so an alert fires when a user outside
the permitted groups accesses an asset in the zone.
(Figure: Network policies)
Adding a Network Policy
To add a network policy, perform the following steps:
1. Click the ADD POLICY button. The New Policy dialog displays. (Figure: Add policy button)
2. Enter the group name in the Group Names search field. As you type, the field is populated from
   the group information imported via LDAP. If you do not see an expected name, check your LDAP
   settings. (Figure: Network policies group names)
3. Select the access policy from the Access Policy dropdown menu. (Figure: Access policies)
4. Select the zone from the Zone dropdown menu. (Figure: Create policy zone)
5. Enter the name of the zone in the Zone Name field. Note: if you selected an existing zone, the
   Zone Name and IP Ranges fields are hidden because they were defined when that zone was
   created; the group names and access policy are then added to the existing zone.
6. Enter the IP range(s) in the IP Ranges field, in CIDR notation (see Adding a Static IP range); for
   example, [Link]/24 covers the 256 addresses from [Link] through [Link].
7. Click the Save button.
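The following is an added example, written for this guide and not InsightIDR's own code, that puts the two ideas above together: CIDR ranges as used for Static IP Ranges and Network Zones (what a /24 actually covers), and a Network Policy such as "only the finance group may access the finance zone" evaluated against access events. Zone names, group memberships, addresses and events are all constructed, and the allow/deny semantics are an assumption made for the illustration.

```python
# Added example for this guide (not InsightIDR code): evaluating Network Policies
# against access events.  Zones are CIDR ranges in the same notation the guide
# uses for Static IP Ranges and Network Zones; group membership stands in for
# what InsightIDR imports from Active Directory via LDAP.  All zone names, group
# names, addresses and events below are constructed sample data.
import ipaddress
from dataclasses import dataclass


def range_bounds(cidr):
    """First address, last address and size of a CIDR range, e.g. a /24 -> 256 addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


@dataclass
class Zone:
    name: str
    networks: list  # ipaddress network objects

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


@dataclass
class Policy:
    zone: str      # zone name the policy applies to
    groups: set    # AD group names
    access: str    # "allow": only these groups may access the zone; "deny": these groups may not


def make_zone(name, cidrs):
    return Zone(name, [ipaddress.ip_network(c, strict=False) for c in cidrs])


def find_zone(zones, ip):
    """Return the first zone whose ranges contain ip, or None if the address is in no zone."""
    for zone in zones:
        if zone.contains(ip):
            return zone
    return None


def evaluate(zones, policies, groups_by_user, events):
    """Return one (user, ip, zone, reason) tuple per policy violation.

    events are (user, destination_ip) pairs, e.g. successful authentications to an
    asset; addresses that fall in no zone are skipped, as no policy can apply.
    """
    violations = []
    for user, dest_ip in events:
        zone = find_zone(zones, dest_ip)
        if zone is None:
            continue
        user_groups = groups_by_user.get(user, set())
        for policy in policies:
            if policy.zone != zone.name:
                continue
            member = bool(user_groups & policy.groups)
            if policy.access == "allow" and not member:
                violations.append((user, dest_ip, zone.name, "not in allowed group"))
            elif policy.access == "deny" and member:
                violations.append((user, dest_ip, zone.name, "in denied group"))
    return violations


# Constructed sample data (hypothetical zones, groups and logons).
ZONES = [
    make_zone("finance", ["10.10.20.0/24"]),
    make_zone("dmz", ["192.0.2.0/25", "192.0.2.128/25"]),
]
POLICIES = [
    Policy("finance", {"Finance"}, "allow"),   # the guide's example rule
    Policy("dmz", {"Contractors"}, "deny"),
]
GROUPS = {
    "alice": {"Finance", "Domain Users"},
    "bob": {"Engineering", "Domain Users"},
    "carol": {"Contractors"},
}
EVENTS = [
    ("alice", "10.10.20.15"),   # finance user into the finance zone: fine
    ("bob", "10.10.20.200"),    # engineer into the finance zone: violation
    ("carol", "192.0.2.130"),   # contractor into the dmz: violation
    ("bob", "172.16.0.9"),      # no zone covers this address: nothing to evaluate
]

if __name__ == "__main__":
    print(range_bounds("10.10.20.0/24"))
    for violation in evaluate(ZONES, POLICIES, GROUPS, EVENTS):
        print("ALERT:", violation)
```

Note that the address in no zone produces nothing: a policy only constrains the zones you have defined, so undefined ranges are blind spots rather than implicit denies.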
Tagged Domains
Tagged Domains are domains that are either owned or controlled by your organization, or
domains that your organization wishes to ignore. They are used by the Spear Phishing URL
detection incident. In our example, Rapid7 is tagged as an owned domain, so InsightIDR sends
alerts when it detects attempts to spoof this domain. [Link] is tagged as a domain to ignore, so
InsightIDR does not send alerts regarding this domain.
(Figure: Tagged domains)
Tagging a new owned domain or a new ignored domain
To tag an owned domain or a domain to ignore, perform the following steps:
1. To tag a domain as owned, enter the domain name in the New Owned Domain field.
2. To tag a domain to ignore, enter the domain name in the New Ignored Domain field.
3. Click the appropriate Submit button.
Be sparing with ignored domains: a URL under an ignored domain is never alerted on, so ignoring a broad or shared domain (a large mail or hosting provider, for instance) hides phishing that abuses it.
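As an added example of the kind of check that owned and ignored domains drive (written for this guide; it is not InsightIDR's detection logic), the block below classifies URLs from inbound mail: anything under an ignored domain is skipped, anything under an owned domain is fine, and hostnames that embed, rename the TLD of, substitute look-alike characters into, or sit within a small edit distance of an owned domain are flagged. The owned and ignored lists, the 0.8 similarity threshold and the sample URLs are constructed, and the registered domain is approximated as the last two labels (no public-suffix handling).

```python
# Added example for this guide (not InsightIDR code): URL checks in the spirit of
# the Spear Phishing URL detection that Tagged Domains feed.  Owned domains are
# protected, ignored domains are never evaluated, and anything that resembles or
# embeds an owned domain is flagged.  Lists, threshold and URLs are constructed.
from difflib import SequenceMatcher
from urllib.parse import urlsplit

OWNED_DOMAINS = {"rapid7.com"}      # the guide's example owned domain
IGNORED_DOMAINS = {"example.net"}   # constructed stand-in for an ignored domain
SIMILARITY_THRESHOLD = 0.8          # assumed; tune against your own false-positive rate


def registered_domain(host):
    """Last two labels; a real deployment would consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(label):
    """Fold common look-alike substitutions so rn/m, vv/w, 0/o, 1/l and 5/s compare equal."""
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")):
        label = label.replace(bad, good)
    return label


def classify_url(url, owned=OWNED_DOMAINS, ignored=IGNORED_DOMAINS):
    """Return (verdict, detail) where verdict is owned, ignored, lookalike or unrelated."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registered_domain(host)
    if reg in ignored:
        return "ignored", reg
    if reg in owned:
        return "owned", reg
    dotted = f".{host}."
    for o in owned:
        # rapid7.com.evil.example: the owned name appears as a subdomain chain
        if f".{o}." in dotted:
            return "lookalike", f"embeds owned domain {o} in hostname"
        o_label, c_label = o.split(".")[0], reg.split(".")[0]
        if c_label == o_label:
            return "lookalike", f"brand label of {o} under a different TLD"
        if normalize(c_label) == normalize(o_label):
            return "lookalike", f"homoglyph variant of {o}"
        if SequenceMatcher(None, c_label, o_label).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike", f"edit-distance neighbour of {o}"
    return "unrelated", reg


# Constructed URLs as they might appear in inbound mail.
SAMPLE_URLS = [
    "https://www.rapid7.com/login",
    "http://rapid7.com.secure-login.example/reset",
    "https://rap1d7.com/account",
    "https://rapid-7.com/",
    "https://rapid7.net/portal",
    "https://example.net/newsletter",
    "https://github.com/rapid7/metasploit-framework",
]


def scan(urls):
    """(url, verdict, detail) for each URL; lookalikes are the ones to alert on."""
    return [(u, *classify_url(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict, detail in scan(SAMPLE_URLS):
        print(f"{verdict:9} {url}  ({detail})")
```

The last sample shows why the check is on the hostname and not the whole URL: a path that mentions your brand on a third-party site is ordinary, whereas your brand inside the hostname of a site you do not own is the spoof the incident is looking for.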
Unknown IP addresses
InsightIDR tracks all IP addresses it receives from DHCP and VPN assignments, but sometimes
logs arrive with IPs that no DHCP or VPN event source has ever seen. These IPs are reported as
Unknown IP Addresses to help you spot a DHCP or VPN event source in your environment that you
still need to hook up to a Collector. Some may belong to DHCP servers or VPN servers that have not
been configured, some may be static IP ranges, and others may be unmanaged. Select a range and
choose a resolution option. Prioritize ranges with many distinct unknown addresses: they usually
indicate an entire DHCP scope or VPN pool whose server is not yet sending logs.
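The triage the page describes can be reproduced offline against your own lease and range data. The block below is an added example written for this guide, not InsightIDR's implementation: addresses seen in logs are matched against DHCP and VPN assignments, then against the Static and Unmanaged IP Ranges, and whatever remains is grouped by /24 so a missing DHCP scope or VPN pool stands out. The leases, ranges and log addresses are constructed.

```python
# Added example for this guide (not InsightIDR code): Unknown IP Addresses triage.
# Addresses seen in logs are checked against DHCP/VPN assignments, then against
# the Static and Unmanaged IP Ranges; the rest are "unknown" and are summarised
# by /24.  Leases, ranges and log addresses are constructed sample data.
import ipaddress
from collections import Counter

# Constructed inputs: current DHCP leases and VPN assignments (ip -> host/user),
# plus the ranges an administrator entered under Settings.
DHCP_LEASES = {"10.0.1.25": "ws-alice", "10.0.1.26": "ws-bob"}
VPN_ASSIGNMENTS = {"10.200.0.7": "alice"}
STATIC_RANGES = ["10.0.10.0/24"]
UNMANAGED_RANGES = ["203.0.113.0/24"]

# Constructed source addresses pulled from assorted event sources.
LOG_SOURCE_IPS = [
    "10.0.1.25", "10.0.10.5", "203.0.113.9", "10.0.9.14",
    "10.0.9.15", "10.0.9.14", "10.200.0.7", "192.168.50.3",
]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def classify_ip(ip, assigned, static, unmanaged):
    """Label an address as dhcp/vpn, static, unmanaged or unknown."""
    if ip in assigned:
        return "dhcp/vpn"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in static):
        return "static"
    if any(addr in net for net in unmanaged):
        return "unmanaged"
    return "unknown"


def triage(log_ips, dhcp_leases, vpn_assignments, static_cidrs, unmanaged_cidrs):
    """Return (label per distinct address, count of distinct unknown addresses per /24)."""
    assigned = {**dhcp_leases, **vpn_assignments}
    static, unmanaged = _nets(static_cidrs), _nets(unmanaged_cidrs)
    labels = {ip: classify_ip(ip, assigned, static, unmanaged) for ip in set(log_ips)}
    unknown = {ip for ip, label in labels.items() if label == "unknown"}
    by_24 = Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in unknown)
    return labels, dict(by_24)


def suggestions(unknown_by_24):
    """/24s with the most distinct unknown addresses first: the likeliest candidates
    for a DHCP server or VPN concentrator that is not yet feeding a Collector."""
    return sorted(unknown_by_24.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    labels, by_24 = triage(LOG_SOURCE_IPS, DHCP_LEASES, VPN_ASSIGNMENTS,
                           STATIC_RANGES, UNMANAGED_RANGES)
    for ip, label in sorted(labels.items()):
        print(f"{ip:15} {label}")
    for cidr, count in suggestions(by_24):
        print(f"unknown range {cidr}: {count} distinct address(es) - check for a missing DHCP/VPN source")
```

Counting distinct addresses rather than log lines matters: one chatty unknown host is a static entry waiting to be added, while many unknown hosts in one /24 are almost always an unmonitored scope.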
Running agents
This page displays a list of running agents, with the hostname and last seen time of each. Use
the Search by hostname box to search for a host. An agent whose last seen time stops advancing
on a host that is still in use is a host you are blind to; treat it like any other failed log source.
(Figure: Running agents)
General troubleshooting tips
Your InsightIDR pages are populated with user activity data derived from your network logs. If
your InsightIDR pages appear to be incomplete, you may need to check your data sources. For
more information, see Identifying Event Sources on page 12.
Q: I cannot activate the Collector. The activation key does not work.
A: First, make sure you have the correct activation key. It is located in the [Link] file in the
Insight Platform/agent_key subdirectory of the directory where you installed the Collector.
If the key is correct but still does not work, it may have been voided. This can occur if you do not
activate the Collector immediately after installing it, or if you have restarted the server where the
Collector is installed.
If the activation key has been voided, you will need to uninstall the Collector and then reinstall it.
To uninstall the Collector from the server where it is installed:
• In Windows, open the Start Menu, locate the InsightIDR folder, and then click Uninstall.
  TIP: If you cannot find the Uninstall shortcut, run the [Link] file from the Insight
  Platform\.install4j subdirectory of the directory where you installed the Collector.
• In Linux, run the uninstall script from the .install4j subdirectory of the directory
  where you installed the Collector.
When the Uninstaller finishes, the Collector has been removed from the server. You can later
reinstall and reactivate the Collector on the same machine.
Reinstall the Collector on the server, then return to the InsightIDR Web application
immediately and activate the Collector. Do not shut down the server where the Collector is
installed until it has been activated in Insight Platform.
Q: How do I give the Collector more RAM in environments that need it?
A: If your Collector is handling more than 100,000 EPM, configure it to use more of the memory
available on the server it is installed on. Create a file named [Link] in the directory where you
installed the Collector, containing the following single line (no spaces):
-Xmx#g
where # is the number of GB of memory the Collector should use. On a 4 GB machine you can let the
Collector use 3 GB by putting -Xmx3g in the file; on an 8 GB machine you can let it take 6 GB by
saving the file with the line -Xmx6g. Leave headroom for the operating system and other
processes: a Collector granted all of the server's memory will be swapped out or killed rather
than made faster.
Q: I have set up an Event Source using syslog data collection, but the log data is not
showing up in InsightIDR.
A: If the Collector has a local firewall running, that firewall may be blocking the port you
configured for the Event Source. Check your firewall settings to make sure the device can reach
the InsightIDR Collector on the configured port and protocol. If the firewall settings look correct,
stop the current Event Source and configure a Rapid7 Generic Syslog Event Source to listen on
the same port. If the generic syslog source shows EPM, the port is reachable and the problem is
the log format; contact support for further assistance.
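One way to separate "port blocked" from "format not parsed" is to send a line you know is well-formed. The block below is an added example written for this guide (not a Rapid7 tool): it builds an RFC 3164 syslog message and sends it to the Collector over UDP or TCP. If the Generic Syslog Event Source listening on that port shows EPM afterwards, the network path is open and what remains is the device's log format. The Collector address, port and message are constructed placeholders; the facility/severity values are the standard syslog codes.

```python
# Added example for this guide (not Rapid7 tooling): send a known-good RFC 3164
# syslog line to a Collector port to confirm the path before blaming log format.
# Target host, port and message text are constructed sample values.
import socket
from datetime import datetime

FACILITY_USER = 1   # syslog facility "user-level messages"
SEVERITY_INFO = 6   # syslog severity "informational"


def build_syslog(message, facility=FACILITY_USER, severity=SEVERITY_INFO,
                 hostname="idr-test", tag="idrcheck", when=None):
    """RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag: message, with PRI = facility*8 + severity
    and a space-padded day of month."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag}: {message}"


def parse_pri(line):
    """Recover (facility, severity) from a syslog line's <PRI> prefix."""
    end = line.index(">")
    pri = int(line[1:end])
    return pri // 8, pri % 8


def send_test_message(collector_host, port, message="InsightIDR syslog path check",
                      proto="udp", timeout=3.0):
    """Return True if the message was handed to the network, False on a TCP connection
    failure.  UDP cannot report a blocked port, so for UDP the real check is whether
    the Generic Syslog Event Source's EPM counter moves."""
    data = build_syslog(message).encode("ascii", "replace")
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                sock.sendto(data, (collector_host, port))
        else:
            with socket.create_connection((collector_host, port), timeout=timeout) as sock:
                sock.sendall(data + b"\n")
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed target: replace with your Collector and the port the Event Source listens on.
    print(send_test_message("192.0.2.10", 5140, proto="udp"))
```

Run it from the device's network segment, not from the Collector itself, so that the same firewalls and routes the device uses are exercised.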
Q: I have an Event Source that InsightIDR does not support. Is there a way for InsightIDR to
monitor that source?
A: Use the Rapid7 Generic Syslog Event Source to upload sample log files from sources that no
InsightIDR Event Source supports. The Development team will work with the sample data to
create a new Event Source in InsightIDR. When it is ready, you will be notified to delete the
Rapid7 Generic Syslog Event Source and add the new Event Source to your Collector.
Supported Event Sources
The InsightIDR team is continually adding support for Event Sources. If you have a device that is
not listed below, contact Technical Support ([Link]/support) with details about the device and
sample log output. Use the Rapid7 Generic Syslog Event Source to upload sample log data.
Refer to the Settings page for the latest information.
Event Source Categories
InsightIDR seamlessly integrates log data from each event source provided to deliver additional context
around user behaviors, compromised credentials, and other potentially malicious activity. We strongly
recommend that all log sources that meet supported collection methods be made available to InsightIDR.
User Attribution - To more easily understand the activity that occurs in your environment, it is
highly recommended that you configure the event sources necessary to tie actions back to the users and
assets involved. These foundational event sources are LDAP, DHCP logs, and Active Directory Security
Logs. They not only add context to analytics but also make Search easier.
Endpoint Monitoring - For critical servers and endpoints belonging to remote employees, it is
recommended to install the Rapid7 persistent agent to enable real-time streaming of events and ensure
your team is not blind to the activities that occur when assets are off the network.
When a persistent agent is not desired, it is recommended to use the Rapid7 Agentless Endpoint Scan.
This option collects data from your endpoints periodically, monitors local user activity, Windows logon
activity and event log tampering, and enables process hashes to be identified, analyzed for commonality, and
checked against VirusTotal for known malware.
Rapid7 - If you already own any of our threat exposure management products such as Nexpose and
Metasploit, you can add exposure knowledge to your incident analysis.
Security Data - InsightIDR is designed to ease Search and Analytics across your entire environment. To
ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit
security logs and deploy agents, but also transmit any other potentially useful data for searching, such as
custom application logs.
Raw Data - The Rapid7 Generic Syslog, Generic Windows Event Log and Raw Data event sources accept
log data from devices that no dedicated Event Source supports. Use them for sources missing from the
list below and for the sample data you send to Rapid7 when requesting a new Event Source.
Supported Event Sources
User Attribution
LDAP
• Microsoft Active Directory LDAP
ACTIVE DIRECTORY
• Microsoft
DHCP
• Alcatel-Lucent VitalQIP
• Bluecat
• Cisco IOS
• Cisco Meraki
• Infoblox Trinzic
• ISC dhcpd
• Microsoft
• MikroTik
• Sophos UTM
Endpoint Monitoring
• Rapid7 Continuous Endpoint Agent - Windows
• Rapid7 Agentless Endpoint Scan - Windows
• Rapid7 Agentless Endpoint Scan - Mac
• Rapid7 Linux Asset Monitor
Rapid7
• Rapid7 Metasploit
• Rapid7 Nexpose
Security Data
DNS
• Bluecat ISC
• Infoblox Trinzic
• ISC BIND 9
• Microsoft
• MikroTik
• PowerDNS
IDS/IPS
• Cisco Sourcefire
• Dell iSensor
• Dell SonicWall
• HP TippingPoint
• McAfee IDS
• Metaflows IDS
• Security Onion
• Snort
FIREWALL
• Barracuda NG
• Cisco ASA + VPN
• Cisco IOS
• Cisco Meraki
• Check Point
• Clavister W20
• Fortinet FortiGate
• Juniper Junos OS
• Juniper Netscreen
• McAfee
• Palo Alto Networks and VPN (also includes WildFire support)
• pfSense
• SonicWALL
• Sophos
• Stonesoft
• WatchGuard XTM
ADVANCED MALWARE
• FireEye NX
• Palo Alto Networks WildFire
VPN
• Barracuda NG
• Cisco ASA
• Citrix NetScaler
• F5 Networks FirePass
• Fortinet FortiGate
• Juniper SA
• Microsoft IAS (RADIUS)
• Microsoft Network Policy Server
• Microsoft Remote Web Access
• MobilityGuard OneGate
• OpenVPN
• SonicWALL
• VMware Horizon
• WatchGuard XTM
WEB PROXY
• Barracuda Web Filter
• Blue Coat
• Cisco IronPort
• Fortinet FortiGate
• Intel Security (fka McAfee) Web Reporter
• McAfee Web Reporter
• Sophos Secure Web Gateway
• Squid
• TrendMicro Control Manager
• WatchGuard XTM
• WebSense Web Security Gateway
• Zscaler NSS
E-MAIL & ACTIVESYNC
• Microsoft Exchange Transport Agent (Email monitoring)
• OWA/ActiveSync (Ingress monitoring, mobile device attribution)
CLOUD SERVICES
• Microsoft Office 365
• AWS CloudTrail
• [Link]
• Duo Security
• Google Apps
• Okta
• Salesforce
APPLICATION MONITORING
• Atlassian Confluence
• Microsoft SQL Server
VIRUS SCANNERS
• Cylance Protect
• Check Point AV
• F-Secure
• McAfee ePO
• Sophos
• Symantec Endpoint Protection
• TrendMicro OfficeScan
• TrendMicro Control Manager
DATA EXPORTERS (send data from Insight Platform)
• FireEye Threat Analytics Platform (TAP)
• HP ArcSight and HP ArcSight Logger
• Splunk
SIEMs/LOG AGGREGATORS (receive data from these platforms into Insight Platform)
• HP ArcSight
• IBM QRadar
• LogRhythm
• McAfee Enterprise Security Manager (fka NitroSecurity)
• Splunk
Raw Data
GENERIC SYSLOG
• Rapid7 Generic Syslog
• Rapid7 Generic Windows Event Log
• Rapid7 Raw Data
Troubleshooting Endpoint Monitoring
Endpoint and Collector Requirements:
1. All Collectors must be:
   a. Configured with a fully qualified domain name (e.g. [Link]).
   b. Able to reach out over TCP port 443 to:
      1. [Link] (US) or
      2. [Link] (EMEA)
2. Each Collector can hold no more than one set of endpoint credentials. For example, if you have
   two sets of endpoint credentials you must have at least two Collectors.
3. Endpoint credentials should include the domain in addition to the username, e.g.
   domain\username.
4. All endpoints need to be able to communicate back to the Collector via TCP on Collector ports:
   a. 5508
   b. 6608
   c. the range 20,000 - 30,000
5. Overlapping endpoint monitoring ranges are not allowed. IP addresses or IP ranges defined
   on Collector A must not be duplicated on Collector B. If such an overlap exists, fix it as soon
   as possible.
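The requirements above are easy to check mechanically before anything is deployed. The block below is an added example written for this guide (not Rapid7 tooling): it verifies that each Collector name is fully qualified, that each endpoint credential carries a domain, and that no endpoint monitoring range on one Collector overlaps a range on another; for an overlap it also shows how to carve the smaller range out of the larger one so the two Collectors no longer collide. The Collector names, credentials and ranges are constructed sample data.

```python
# Added example for this guide (not Rapid7 tooling): pre-flight checks for the
# Collector requirements listed above.  Collector names, credentials and ranges
# are constructed sample data.
import ipaddress
import re
from itertools import combinations

# Constructed deployment: each Collector with its endpoint credential and ranges.
COLLECTORS = {
    "idr-collector-01.corp.example": {
        "credential": "CORP\\svc_insightidr",
        "ranges": ["10.1.0.0/16", "10.5.5.10"],
    },
    "idr-collector-02.corp.example": {
        "credential": "svc_insightidr",            # missing the domain
        "ranges": ["10.1.20.0/24", "10.6.0.0/16"],
    },
    "idr-collector-03": {                          # not a fully qualified name
        "credential": "CORP\\svc_insightidr",
        "ranges": ["10.5.5.0/24"],
    },
}

# domain\username: exactly one backslash, no whitespace on either side of it
DOMAIN_CRED = re.compile(r"^[^\\\s]+\\[^\\\s]+$")


def is_fqdn(name):
    return "." in name.strip(".")


def credential_has_domain(cred):
    return bool(DOMAIN_CRED.match(cred))


def to_network(entry):
    """A bare address becomes a /32 (or /128) so it can be compared with ranges."""
    return ipaddress.ip_network(entry, strict=False)


def find_overlaps(collectors):
    """Pairs of ranges on different Collectors that share at least one address."""
    entries = [(name, r) for name, cfg in collectors.items() for r in cfg["ranges"]]
    overlaps = []
    for (c1, r1), (c2, r2) in combinations(entries, 2):
        if c1 != c2 and to_network(r1).overlaps(to_network(r2)):
            overlaps.append((c1, r1, c2, r2))
    return overlaps


def carve_out(big, small):
    """Ranges left for the larger Collector once the smaller range is removed."""
    return [str(net) for net in to_network(big).address_exclude(to_network(small))]


def check_deployment(collectors):
    """Human-readable list of requirement violations; empty means ready to deploy."""
    problems = []
    for name, cfg in collectors.items():
        if not is_fqdn(name):
            problems.append(f"{name}: Collector name is not fully qualified")
        if not credential_has_domain(cfg["credential"]):
            problems.append(f"{name}: endpoint credential should be domain\\username")
    for c1, r1, c2, r2 in find_overlaps(collectors):
        problems.append(f"{c1} {r1} overlaps {c2} {r2}")
    return problems


if __name__ == "__main__":
    for problem in check_deployment(COLLECTORS):
        print("PROBLEM:", problem)
    print("10.1.0.0/16 without 10.1.20.0/24 ->", carve_out("10.1.0.0/16", "10.1.20.0/24"))
```

Carving the /24 out of the /16 yields eight ranges (/17 through /24) for the first Collector; entering those instead of the original /16 keeps every address monitored by exactly one Collector.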
If endpoints are not returning logs from scans or from their Continuous Agents, first review the
following diagram to confirm that all ports are reachable as expected.
If the external firewall and web proxies are configured correctly, check a sample endpoint for
agent log files. For the scan agent, there should be a Rapid7 folder in either:
• C:\Windows\Temp\, or
• C:\Users\<<IDR_service_account>>\AppData\Local\Temp\
For the Continuous Agent, the Rapid7 folder should be found in C:\Program Files (x86)\.
Inside the Rapid7 folder, look for the following three files and, if they are present, send them to
engineering for review:
• [Link]
• [Link]
• [Link]
(Figure: Endpoint network diagram)