Data Collected

The Insight Agent will start collecting data immediately after installation. From that point forward, collection intervals vary by product on a per-asset basis:

InsightVM

InsightIDR

InsightOps

Collection interval

Every 6 hours

Every 2 minutes

Every 30 seconds*

Console sync interval with Insight platform

Every hour**

N/A

N/A

* The Insight Agent collects data for InsightOps in certain non-interval situations:

Log following is triggered when the log is actively being written.

This console sync interval is adjustable up to 12 hours

You can configure your Security Console to synchronize with the Insight platform at a different rate than is shown in this table. See the Modify Security Console Sync Interval page for instructions.

Communication methods

The Insight Agent authenticates using TLS 1.2 client authentication. When you deploy the Insight Agent, the deployment includes a private SSL key representing your organization. This key is used to authenticate and authorize your agent with the Insight platform.

NOTE

For InsightOps log data, an API token is used to authenticate the Insight Agent instead of TLS client authentication. Log data is encrypted in transit via TLS.

The agent can communicate directly to the Insight platform, or proxy communication through Insight collectors on your network. Finding the best route to the Insight platform occurs automatically or can be configured in advanced use cases.

Data Breakdown

Data collected by the Insight Agent varies by product:

InsightVM

InsightIDR

InsightOps

Process start/stop

X

Select security log event codes

X

Select system event codes

X

Honey credentials

X*

Protocol poisoning traps

X*

File audit logs

X**

Basic asset identification information

X

X

X

Registry information

X*

X* ***

X*

File version and package information

X

X

Log file contents

X

Resource utilization metrics

X

Event log

X* ****

Installed services

X***

X

Legend

  • * - Windows only.
  • ** - Applies to edits, moves, and deletions of Windows file shares and create, write, and delete activities on Linux machines.
  • *** - Endpoint job.
  • **** - The InsightOps component of the Insight Agent does not currently support the collection of event logs from assets acting as domain controllers. See the Windows section of the InsightOps - Configure the Insight Agent to Send Logs page for alternative methods for this use case.

File Integrity Monitoring

If you are an InsightIDR customer, you can track file event logs, such as when a file is edited, moved, or deleted if you configure File Integrity Monitoring (FIM). Learn more about FIM.