How the Rapid7 Agent (Insight Agent) Works
The Rapid7 Agent (Insight Agent) is a single agent that runs as a set of components and processes to gather relevant security information about your endpoints. Depending on your Rapid7 license, you may see some or all of the following processes running on the endpoint.
| Component | Process name | Rapid7 product | Description |
|---|---|---|---|
| Bootstrap | ir_agent.exe | All | Bootstrap is a component manager that installs and upgrades components such as the Rapid7 Agent (Insight Agent) to keep Rapid7 software up to date on your assets. |
| Rapid7 Agent (Insight Agent) | ir_agent.exe | All | The Rapid7 Agent (Insight Agent) runs various processes to gather vulnerability, policy, and incident response data, depending on your license. Each process performs a different role, such as event log monitoring, registry export, or quarantine. Because of this, you may occasionally see up to 6 processes running at once. |
| Agent Core | rapid7_agent_core.exe | All | The Agent Core manages communication between the endpoint and the Rapid7 Command Platform (Insight Platform). |
| Endpoint Broker | rapid7_endpoint_broker.exe | All | The Endpoint Broker relays messages between the Rapid7 Command Platform (Insight Platform) and the various components that run on the endpoint. For example, Managed Detection and Response (MDR) Monthly Hunts are enabled by queries run by the Endpoint Broker. |
| Events Monitor | rapid7_events_monitor.exe | SIEM (InsightIDR) and MDR | Windows only. Events Monitor collects and enriches operating system events and sends them to the Rapid7 Command Platform (Insight Platform). See the Sysmon Installer and Events Monitor overview article for more information on how these components work. |
| Sysmon Installer | rapid7_sysmon_installer.exe | SIEM (InsightIDR) and MDR | Windows only. Sysmon Installer installs and upgrades Sysmon to keep it up to date for use by the Events Monitor. See the Sysmon Installer and Events Monitor overview article for more information on how these components work. |
| osquery | osqueryi.exe | MDR | MDR Monthly Hunts use osquery to search for and document specific malicious behavior. |
| Velociraptor | rapid7_velociraptor.exe | SIEM (InsightIDR) | Available to SIEM (InsightIDR) Ultimate customers only. This component works with Agent Core to deliver Velociraptor integrated with the Command Platform (Insight Platform). Read Velociraptor Integration for more information about how these components work together. |
| Rapid7 Endpoint Prevention | MVArmorService32.exe, MVArmorService64.exe | Part of the Managed Threat Complete (MTC) Ultimate package, or an add-on to other MTC and MDR subscriptions | Implements the Next-Generation Antivirus or Ransomware Prevention add-on on your assets. |
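As an added defender-side example (not Rapid7's code, and not part of this page), the following Python script checks a `tasklist /fo csv` listing from one Windows asset against the component table above: it confirms that the components every license ships ("All") are running, flags agent-named processes belonging to a product the asset is not licensed for, and applies the page's figure of up to 6 ir_agent.exe processes as a sanity bound. The sample listing is constructed, and the product labels used as license keys ("InsightIDR", "MDR", "MTC") are labels chosen for this example rather than Rapid7 identifiers.

```python
import csv
import io
from collections import Counter

# Process name -> (component, products) mapping taken from the component table
# on this page. "All" marks components present in every Rapid7 Agent deployment.
# The product keys ("InsightIDR", "MDR", "MTC") are labels chosen for this
# example; they are not Rapid7 identifiers.
AGENT_COMPONENTS = {
    "ir_agent.exe": ("Bootstrap / Rapid7 Agent (Insight Agent)", {"All"}),
    "rapid7_agent_core.exe": ("Agent Core", {"All"}),
    "rapid7_endpoint_broker.exe": ("Endpoint Broker", {"All"}),
    "rapid7_events_monitor.exe": ("Events Monitor", {"InsightIDR", "MDR"}),
    "rapid7_sysmon_installer.exe": ("Sysmon Installer", {"InsightIDR", "MDR"}),
    "osqueryi.exe": ("osquery", {"MDR"}),
    "rapid7_velociraptor.exe": ("Velociraptor", {"InsightIDR"}),  # page: Ultimate tier only
    "MVArmorService32.exe": ("Rapid7 Endpoint Prevention", {"MTC"}),
    "MVArmorService64.exe": ("Rapid7 Endpoint Prevention", {"MTC"}),
}
# Keyed in lower case because Windows image names are case-insensitive.
_BY_NAME = {name.lower(): info for name, info in AGENT_COMPONENTS.items()}

# The page states that up to 6 ir_agent.exe processes may run at once.
MAX_IR_AGENT_PROCESSES = 6


def parse_tasklist_csv(text):
    """Count image names in the output of `tasklist /fo csv` (header row included)."""
    reader = csv.DictReader(io.StringIO(text))
    return Counter(row["Image Name"].lower() for row in reader)


def check_agent_processes(tasklist_csv, licensed_products):
    """Compare a process listing with the component table for one asset.

    licensed_products: set of product labels the asset is licensed for.
    Returns a dict summarising present, missing and unexpected components.
    """
    counts = parse_tasklist_csv(tasklist_csv)
    licensed = set(licensed_products)
    present, missing_core, not_licensed = [], [], []

    for name, (component, products) in _BY_NAME.items():
        running = counts.get(name, 0) > 0
        required_everywhere = "All" in products
        if running:
            present.append(component)
            # A component whose products do not overlap the licence is unexpected.
            if not required_everywhere and not (products & licensed):
                not_licensed.append(name)
        elif required_everywhere:
            missing_core.append(component)

    ir_agent_count = counts.get("ir_agent.exe", 0)
    return {
        "present": sorted(set(present)),
        "missing_core": missing_core,
        "not_licensed": sorted(not_licensed),
        "ir_agent_count": ir_agent_count,
        "ir_agent_exceeded": ir_agent_count > MAX_IR_AGENT_PROCESSES,
    }


# Constructed sample listing in `tasklist /fo csv` format (not a real capture).
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"ir_agent.exe","1234","Services","0","10,240 K"
"ir_agent.exe","1250","Services","0","8,112 K"
"rapid7_agent_core.exe","1300","Services","0","20,416 K"
"rapid7_endpoint_broker.exe","1310","Services","0","12,008 K"
"rapid7_events_monitor.exe","1320","Services","0","30,500 K"
"osqueryi.exe","1400","Services","0","15,204 K"
"explorer.exe","2000","Console","1","50,312 K"
"""

if __name__ == "__main__":
    # Asset licensed for SIEM (InsightIDR) only: osqueryi.exe (an MDR component) is flagged.
    report = check_agent_processes(SAMPLE_TASKLIST, {"InsightIDR"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real asset, feed the script the output of `tasklist /fo csv` and the products the asset is actually licensed for; an agent-named process that the license does not explain, or a core component that is absent, is worth a closer look rather than an automatic verdict, since the page itself notes that the set of processes varies with license and with what the agent is doing at the time.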
Data Collection
The Rapid7 Agent (Insight Agent) will start collecting data immediately after installation. From that point forward, collection intervals vary by product on a per-asset basis:
| | Vulnerability Management (InsightVM) | SIEM (InsightIDR) |
|---|---|---|
| Collection interval | Every 6 hours | Every 2 minutes |
| Console sync interval with Insight platform | Every hour** | N/A |

* The Rapid7 Agent (Insight Agent) also collects data for Log Management (InsightOps) in certain non-interval situations: log following is triggered whenever the log is actively being written.
** This console sync interval is adjustable up to 12 hours.
You can configure your Security Console to synchronize with the Insight platform at a different rate than is shown in this table. See the Modify Security Console Sync Interval page for instructions.
Communication methods
The Rapid7 Agent (Insight Agent) authenticates using TLS 1.2 client authentication. When you deploy the Rapid7 Agent (Insight Agent), the deployment includes a private SSL key representing your organization. This key is used to authenticate and authorize your agent with the Insight platform.
NOTE
For Log Management (InsightOps) log data, an API token is used to authenticate the Rapid7 Agent (Insight Agent) instead of TLS client authentication. Log data is encrypted in transit via TLS.
The agent can communicate directly with the Insight platform, or proxy its communication through Insight collectors on your network. The agent finds the best route to the Insight platform automatically; in advanced use cases the route can be configured.
Data Breakdown
Data collected by the Rapid7 Agent (Insight Agent) varies by product:
| | Vulnerability Management (InsightVM) | SIEM (InsightIDR) |
|---|---|---|
| Process start | X | |
| Select security log event codes | X | |
| Select system event codes | X | |
| Honey credentials | X* | |
| Protocol poisoning traps | X* | |
| File audit logs | X** | |
| Basic asset identification information | X | X |
| Registry information | X* | X* *** |
| File version and package information | X | |
| Log file contents | | |
| Resource utilization metrics | | |
| Event log | | |
| Installed services | X*** | |
Legend

* Windows only.
** Applies to edits, moves, and deletions of Windows file shares, and to create, write, and delete activities on Linux machines.
*** Endpoint job.
**** The Log Management (InsightOps) component of the Rapid7 Agent (Insight Agent) does not currently support the collection of event logs from assets acting as domain controllers. See the Windows section of the Log Management (InsightOps) - Configure the Rapid7 Agent (Insight Agent) to Send Logs page for alternative methods for this use case.
File Integrity Monitoring
If you are a SIEM (InsightIDR) customer, you can track file event logs, such as when a file is edited, moved, or deleted, by configuring File Integrity Monitoring (FIM). Learn more about FIM.