Visibility Monitoring
This is a collection of rules used to monitor for potential impacts to Rapid7’s visibility into the customer’s environment.
Endpoint Visibility - Linux Auditd Compatibility Mode Is Not Enabled
Description
This detection identifies when one or more of the Linux hosts in your environment has an auditd
Compatibility Mode misconfiguration. Hosts that report this issue will not be able to send process start logs to the Insight Platform, which inhibits InsightIDR’s ability to detect malicious activity on the endpoint.
Recommendation
If you install the Insight Agent on Linux assets for use with InsightIDR, the auditd
library must be present, but the service must be disabled. InsightIDR must have exclusive use of the auditd
service to successfully run the agent.job.linux.ui_realtime job
.
If your organization requires that auditd
be enabled at all times, you must configure auditd Compatibility Mode
to ensure that both the Insight Agent and auditd services can run together.
To identify the list of machines that are currently misconfigured:
- Navigate to Log Search from the InsightIDR left menu.
- Run this query on the Job Status log (located in Endpoint Health log set) with a time range of “Today” to see the latest reports:
where(job = "agent.jobs.linux.ui_realtime" AND status = "job.status.failed" AND message ISTARTS-WITH "Auditd is enabled") groupby(hostname)limit(10000)
- For each Linux host that is returned, ensure the
auditd
library is installed, but the service is disabled. If your organization requires thatauditd
remain enabled at all times, follow the instructions to configureauditd
Compatibility Mode: https://docs.rapid7.com/insight-agent/auditd-compatibility-mode-for-linux-assets/ .
To validate that the Linux host is configured correctly:
Run a search on the process start events log to ensure logs are coming from the host: where("hostname" = "my-hostname")
. Note that logs take a minimum of 7 minutes to appear in Log Search.
Visibility Monitoring - Rapid7 Endpoint Component Quarantined By AntiVirus
Description
This detection identifies antivirus software detecting Rapid7 Insight Agent directories or components as a threat. If the antivirus software quarantines or deletes components of Rapid7 Insight Agent, this may lead to loss of visibility and coverage across endpoints.
Recommendation
Review the alert in question. If necessary, contact the antivirus vendor for instructions on how to add the Rapid7 Insight Agent to an allow list.
Visibility Monitoring - Request To Rapid7.com Blocked By Web Proxy
Description
This detection identifies blocked requests to 'insight.rapid7.com' or 'endpoint.ingress.rapid7.com'. Endpoints running the Insight Agent need access to one of these domains to deliver information to the InsightIDR platform for monitoring purposes. Endpoints need access through one of three available methods: direct network connection, access to an InsightIDR Collector, or a proxy that has network access to these domains.
Recommendation
If you are running the Insight Agent in an environment that needs to restrict outbound agent access to InsightIDR, this alert can tell you which web proxies are configured as expected. If you operate in this type of environment, you may want to turn off the alert. Contact your Customer Advisor about best practices and potential tuning requests for this alert.
If you are not restricting how the Insight Agent connects to InsightIDR, this alert means your environment may be misconfigured. Review the configuration of the web proxies involved and ensure they are not blocking 'rapid7.com'.
For more information on the networking requirements, view the documentation: https://docs.rapid7.com/insight-agent/requirements/#insight-platform-connectivity-requirements