R7 Managed: Endpoint Visibility Validation Dashboard
As part of the Dashboard Library, the Endpoint Visibility Validation dashboard provides clarity about the health of the Insight Agents in your environment. If you're an MDR customer, you can select this pre-built dashboard to get more information about the Insight Agents sending beacons and process start events.
Using Linux machines in your environment?
It’s a good idea to verify that auditd
compatibility is configured correctly for Linux machines. The Insight Agent can send process start events from Linux machines only if auditd
is configured correctly. Learn more by reading InsightIDR - auditd Compatibility Mode for Linux Assets.
Go to the Dashboard
- Go to the Dashboards and Reports page.
- Click the Dashboard Library button.
- Selected the Managed Services category on the left.
- Click the Add button for the Endpoint Visibility Validation dashboard.
The dashboards are added to your Dashboards list for later reference.
Interpret the Dashboard Data
On the Endpoint Visibility Validation dashboard, available data includes:
- Agent Beacon Events - Displays the number of Insight Agents sending beacons or connectivity signals to the Insight Platform
- Process Start Events - Displays the number of Insight Agents sending process start events to the Insight Platform
You can use this dashboard to verify that the number of Insight Agents sending beacon events and process start events are about the same. Typically, you can expect the number of beacon events and process start events to differ slightly because of the nature of the underlying data—Insight Agents sending process start events, compared to Insight Agents sending beacons over a period of time. As long as the numbers are close, this indicates that your environment is in good health.
A healthy environment is indicated by numbers that differ by 10% or less. If the numbers differ more greatly, you must take action to investigate the cause.
Expected number differences in a healthy environment
In a healthy environment, there are several reasons why the number of Insight Agents sending beacons might be greater than the number of Insight Agents sending process start events.
For example, the numbers might differ because the Insight Agent sends a beacon once every five minutes, while the Insight Agent sends process start events as a stream of data. The numbers might differ during the 24-hour time period, when a machine had sent a beacon near the beginning or the end of the time period and then shut down immediately after, without sending any process start events.
Reasons for large number differences
There are several reasons why the number of Insight Agents sending beacons and process start events could have a large difference, which depend on the operating system.
Windows
The Insight Agent has multiple components. Visibility into process start events is dependent on these specific components:
- Events Monitor - This component is responsible for sending events to InsightIDR.
- Sysmon Installer - This component is responsible for installing and managing the Sysmon service and configuration.
If a different version of the Sysmon service was installed after the Sysmon Installer was working and operational on a machine, and the Sysmon Installer could not reinstall the Sysmon service installed by Rapid7, the Events Monitor component stops sending process start events, while the Insight Agent continues to send beacons to the Insight Platform.
Linux
The main reason that the Insight Agent might not send process start events on Linux is the misconfiguration of auditd
. Learn more about how to configure auditd
on Linux by referring to InsightIDR - auditd Compatibility Mode for Linux Assets.
View Agent IDs
Leverage Log Search to retrieve the list of agent IDs sending beacons and process start events.
To retrieve the list of Insight Agents sending beacons:
- Go to the Log Search page.
- Select the Agent Beacons log under the Endpoint Agent log set.
- Select Last 7 Days as the Time Range.
- Change the query from Simple to Advanced.
- Query for
where(platform=windows) groupby(hostId) limit(10000)
. - Click Run.
- On the Entries tab, select Download > Export CSV to Report Archive.
- In the status bar, click Visit page. The Settings: Entries Exports page opens, where the CSV file is being prepared.
- When the CSV file is ready, click the Created on date to download the file.
- On your computer, rename the CSV file to
Agent Beacons List
.
To retrieve the list of Insight Agents sending process start events:
- Go to the Log Search page.
- Select the Process Start Events log under the Endpoint Activity log set.
- Select Last 7 Days as the Time Range.
- Change the query from Simple to Advanced.
- Query for
where(os_type=WINDOWS) groupby(r7_hostid) limit(10000)
. - Click Run.
- On the Entries tab, select Download > Export CSV to Report Archive.
- In the status bar, click Visit page. The Settings: Entries Exports page opens, where the CSV file is being prepared.
- On your computer, rename the CSV file to
Agent Process Start Events List
.
To find the Insight Agents that are not sending process start events:
- Generate CSV files with the lists of Insight Agents sending process start events and beacon data.
- On your computer, open the
Agent Process Start Events List
andAgent Beacons List
CSV files in table format (for example, using Microsoft Excel). - Copy the Agent ID column from the
Agent Process Start Events List
CSV file to Column B of theAgent Beacons List
CSV file. - In Column C of the
Agent Beacons List CSV
file, use the formula=ISERROR(VLOOKUP(B2,$A,1,0))
. The formula checks whether the Agent ID in cell B2 exists anywhere in Column A. - Interpret the result returned by the formula:
- FALSE - The Agent ID in cell B2 exists in Column A.
- TRUE - The Agent ID in cell B2 does not exist in Column A. This indicates that the Agent ID is not sending process start events to the Insight Platform.
- If the result is TRUE, take steps to remediate the issue with the Agent ID that is not sending process start events.
Remediate Issues
To remediate issues, create a Support ticket that includes this information:
- In the title, specify
Agent not Sending Process Starts
. - Include details such as the
orgID
,agentID,
and the list of impacted Insight Agents. - Include other relevant details, such as
auditd
compatibility or Sysmon versions on the assets.