Endpoint Prevention glossary

Endpoint Prevention is available to Managed Detection and Response and Managed Threat Complete customers who also have the Next-Generation Antivirus or Ransomware Prevention add-ons.

The key terms defined here will help you understand how Endpoint Prevention works.

agent

This is the generalized, informal term for the Insight Agent, Rapid7's data collection, monitoring, and response software that you install on your assets. The data the Insight Agent routinely and silently collects is sent to the Insight Platform for analysis and powers several of your Insight products, including InsightIDR and InsightVM.

The Insight Agent itself functions as a package of several independent components which can vary depending on the operating systems you have in your environment, your security goals, and the Rapid7 products you subscribe to. The Endpoint Prevention feature is the latest of these components and is designed for use with InsightIDR.

agent action

When one of Endpoint Prevention's engines detects a threat, your configuration determines what action the Insight Agent will take on that asset. Agents can block, disinfect, or quarantine threats, or simply alert on them (known as "Detection Only").

Some agent actions are specific to a particular prevention engine and aren't available for others. See the prevention policies article for details.

asset

In Rapid7 terms, an "asset" is any device on your network, whether physical or virtual, that your business owns and has a security interest in. On-premises desktop workstations, take-home employee laptops, servers, and virtual machines are all examples of assets.

Assets with an installed Insight Agent can benefit from the threat detection, antivirus, and response capabilities of Endpoint Prevention.

exclusion

If you want Endpoint Prevention to ignore certain asset behavior that would otherwise trigger an agent action, you can configure and apply exclusions to meet that use case. You can exclude behaviors that you consider benign and not worth monitoring, that are actually legitimate activity from other software you control, or that are simply not relevant to your security concerns.

See the exclusions article for more information and configuration instructions.

prevention engine

Endpoint Prevention's ability to detect and respond to threats comes from several prevention engines. Each engine is functionally a category of logical rules or known-bad signatures designed to detect specific types of behavior. When such behavior is detected, the engine responds with an agent action and creates an alert tagged with a pre-arranged priority.

You can read about each engine in the prevention policies article.

prevention group

All agents in your Endpoint Prevention program are organized in units called prevention groups. Each group, whether you use the single default group or supplement it with additional custom groups, has exclusive control of its member agents. A prevention group is the object to which you attach a prevention policy, configure agent membership, and apply exclusions.

See the prevention groups article for more information and configuration instructions.

prevention policy

The configuration of each prevention engine and the selection of the engines you decide to use overall constitute a prevention policy that you attach to a prevention group. Rapid7 maintains a default policy that provides baseline protection from threats, but you are free to create custom policies that better suit your Endpoint Prevention goals.

See the prevention policies article for more information and configuration instructions.

prevention rule

The logic that a prevention engine uses to detect threats is made up of prevention rules. Each of these rules is available for viewing within InsightIDR's Detection Management experience.

rule action

Separate from an agent action, a rule action instructs InsightIDR on how to respond when the conditions of a prevention rule are triggered. InsightIDR can create an investigation when the rule triggers, generate an alert, or do nothing.

rule priority

When a prevention engine responds to a detected threat with an agent action, it also tags the detection with a priority level you configure in your prevention policy. This designation is called rule priority. In the context of InsightIDR, rule priority informs your security practitioners of the urgency with which they should respond to the investigations or alerts generated when the rule triggers.