How the Insight Agent Works
The Insight Agent is a single agent that runs as a set of components and processes to gather relevant security information about your endpoints. Depending on your Rapid7 license, you may see some or all of the following processes running on the endpoint.
|Component||Process Name||Rapid7 Product||Description|
|Bootstrap||ir_agent.exe||All||Bootstrap is a component manager that installs and upgrades components like the Insight Agent to keep Rapid7 software up to date on your assets.|
|Rapid7 Insight Agent||ir_agent.exe||All||The Insight Agent runs various processes to gather vulnerability and/or incident response data depending on your license. Each process performs a different role such as event log monitoring, registry export, quarantine, etc. Because of this, you may occasionally see up to 6 processes running at once.|
|Endpoint Broker||rapid7_endpoint_broker.exe||All||The Endpoint Broker relays messages between the Rapid7 Platform and various components that run on the endpoint. For example, MDR Monthly Hunts are enabled by queries run via the Endpoint Broker.|
|Events Monitor||rapid7_events_monitor.exe||InsightIDR and MDR||Windows only. Events Monitor collects & enriches operating system events and sends them to the Rapid7 Insight platform.|
|Sysmon Installer||rapid7_sysmon_installer.exe||InsightIDR and MDR||Windows only. Sysmon Installer installs and upgrades Sysmon to keep it up to date and be used by the Events Monitor.|
|osquery||osqueryi.exe||MDR only||MDR Monthly Hunts utilize osquery to search for and document specific malicious behavior.|
The Insight Agent will start collecting data immediately after installation. From that point forward, collection intervals vary by product on a per-asset basis:
Every 6 hours
Every 2 minutes
Every 30 seconds*
Console sync interval with Insight platform
* The Insight Agent collects data for InsightOps in certain non-interval situations:
Log following is triggered when the log is actively being written.
This console sync interval is adjustable up to 12 hours
You can configure your Security Console to synchronize with the Insight platform at a different rate than is shown in this table. See the Modify Security Console Sync Interval page for instructions.
The Insight Agent authenticates using TLS 1.2 client authentication. When you deploy the Insight Agent, the deployment includes a private SSL key representing your organization. This key is used to authenticate and authorize your agent with the Insight platform.
For InsightOps log data, an API token is used to authenticate the Insight Agent instead of TLS client authentication. Log data is encrypted in transit via TLS.
The agent can communicate directly to the Insight platform, or proxy communication through Insight collectors on your network. Finding the best route to the Insight platform occurs automatically or can be configured in advanced use cases.
Data collected by the Insight Agent varies by product:
Select security log event codes
Select system event codes
Protocol poisoning traps
File audit logs
Basic asset identification information
File version and package information
Log file contents
Resource utilization metrics
*- Windows only.
**- Applies to edits, moves, and deletions of Windows file shares and create, write, and delete activities on Linux machines.
***- Endpoint job.
****- The InsightOps component of the Insight Agent does not currently support the collection of event logs from assets acting as domain controllers. See the Windows section of the InsightOps - Configure the Insight Agent to Send Logs page for alternative methods for this use case.
File Integrity Monitoring
If you are an InsightIDR customer, you can track file event logs, such as when a file is edited, moved, or deleted if you configure File Integrity Monitoring (FIM). Learn more about FIM.