How the Insight Agent Works
The Insight Agent is a single agent that runs as a set of components and processes to gather relevant security information about your endpoints. Depending on your Rapid7 license, you may see some or all of the following processes running on the endpoint.
Component | Process name | Rapid7 product | Description |
---|---|---|---|
Bootstrap | ir_agent.exe | All | Bootstrap is a component manager that installs and upgrades components like the Insight Agent to keep Rapid7 software up to date on your assets. |
Rapid7 Insight Agent | ir_agent.exe | All | The Insight Agent runs various processes to gather vulnerability, policy, and incident response data depending on your license. Each process performs a different role, such as event log monitoring, registry export, quarantine, among others. Because of this, you may occasionally see up to 6 processes running at once. |
Agent Core | rapid7_agent_core.exe | All | The Agent Core manages the communications between the endpoint and the Insight Platform. |
Endpoint Broker | rapid7_endpoint_broker.exe | All | The Endpoint Broker relays messages between the Rapid7 Insight Platform and various components that run on the endpoint. For example, Managed Detection and Response (MDR) Monthly Hunts are enabled by queries run by the Endpoint Broker. |
Events Monitor | rapid7_events_monitor.exe | InsightIDR and MDR | Windows only. Events Monitor collects and enriches operating system events and sends them to the Rapid7 Insight Platform. See the Sysmon Installer and Events Monitor overview article for more information on how these components work. |
Sysmon Installer | rapid7_sysmon_installer.exe | InsightIDR and MDR | Windows only. Sysmon Installer installs and upgrades Sysmon to keep it up to date for use by the Events Monitor. See the Sysmon Installer and Events Monitor overview article for more information on how these components work. |
osquery | osqueryi.exe | MDR | MDR Monthly Hunts utilize osquery to search for and document specific malicious behavior. |
Velociraptor | rapid7_velociraptor.exe | InsightIDR | Available for InsightIDR Ultimate customers only. This component works with Agent Core to deliver Velociraptor integrated with the Insight Platform. Read Velociraptor Integration for more information about how these components work together. |
Rapid7 Endpoint Prevention | MVArmorService32.exe MVArmorService64.exe | As part of the Managed Threat Complete (MTC) Ultimate package or as an add-on to other MTC and MDR subscriptions | Implements the Next-Generation Antivirus or Ransomware Prevention add-on to your assets. |
Data Collection
The Insight Agent will start collecting data immediately after installation. From that point forward, collection intervals vary by product on a per-asset basis:
InsightVM | InsightIDR | InsightOps | |
---|---|---|---|
Collection interval | Every 6 hours | Every 2 minutes | Every 30 seconds* |
Console sync interval with Insight platform | Every hour** | N/A | N/A |
* The Insight Agent collects data for InsightOps in certain non-interval situations:
Log following is triggered when the log is actively being written.
This console sync interval is adjustable up to 12 hours
You can configure your Security Console to synchronize with the Insight platform at a different rate than is shown in this table. See the Modify Security Console Sync Interval page for instructions.
Communication methods
The Insight Agent authenticates using TLS 1.2 client authentication. When you deploy the Insight Agent, the deployment includes a private SSL key representing your organization. This key is used to authenticate and authorize your agent with the Insight platform.
NOTE
For InsightOps log data, an API token is used to authenticate the Insight Agent instead of TLS client authentication. Log data is encrypted in transit via TLS.
The agent can communicate directly to the Insight platform, or proxy communication through Insight collectors on your network. Finding the best route to the Insight platform occurs automatically or can be configured in advanced use cases.
Data Breakdown
Data collected by the Insight Agent varies by product:
InsightVM | InsightIDR | InsightOps | |
---|---|---|---|
Process start | X | ||
Select security log event codes | X | ||
Select system event codes | X | ||
Honey credentials | X* | ||
Protocol poisoning traps | X* | ||
File audit logs | X** | ||
Basic asset identification information | X | X | X |
Registry information | X* | X* *** | X* |
File version and package information | X | X | |
Log file contents | X | ||
Resource utilization metrics | X | ||
Event log | X* **** | ||
Installed services | X*** | X |
Legend
*
- Windows only.**
- Applies to edits, moves, and deletions of Windows file shares and create, write, and delete activities on Linux machines.***
- Endpoint job.****
- The InsightOps component of the Insight Agent does not currently support the collection of event logs from assets acting as domain controllers. See the Windows section of the InsightOps - Configure the Insight Agent to Send Logs page for alternative methods for this use case.
File Integrity Monitoring
If you are an InsightIDR customer, you can track file event logs, such as when a file is edited, moved, or deleted if you configure File Integrity Monitoring (FIM). Learn more about FIM.