SIEM (InsightIDR) Troubleshooting

“realtime” job fails for Linux assets

For SIEM (InsightIDR) users, Linux assets running the Rapid7 Agent (Insight Agent) must have the auditd service disabled for the realtime job to run. If the realtime job fails, check whether auditd is running on the affected Linux assets and disable it.

Blocked Outgoing Broadcasts on UDP 137 (NetBIOS)

You may see blocked outgoing broadcasts on UDP 137 associated with the Rapid7 Agent (Insight Agent).

This is because the Rapid7 Agent (Insight Agent) sends out an anonymously crafted NBT (NetBIOS Name Service) UDP broadcast packet, in the hope that an attacker (usually running Responder) will answer by masquerading as the randomly generated “resource” the Rapid7 Agent (Insight Agent) asked for.

If the Rapid7 Agent (Insight Agent) sees a response to that crafted packet, it raises an agent event, which in turn fires an alert in SIEM (InsightIDR).
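The canary technique described above, as an added example that is not the agent's own code and is not part of the original page: a standalone Python script that first-level encodes a random NetBIOS name (RFC 1001), broadcasts an NBNS name query for it on UDP 137, and treats any positive answer as a sign of a name-service poisoner, since no legitimate host owns a name that was just made up. Function names (`encode_netbios_name`, `build_nbns_query`, `parse_nbns_response`, `probe_for_poisoner`) and the sample reply are this example's own constructs; the agent's internal implementation is not published here. The network probe only runs when the file is executed directly.

```python
import os
import socket
import struct

NBNS_PORT = 137
NB_TYPE = 0x0020    # NB resource record type
IN_CLASS = 0x0001
QUERY_FLAGS = 0x0110  # opcode QUERY, RD=1, B (broadcast)=1


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 chars, append the
    suffix byte, split every byte into two nibbles and map each to 'A'..'P'.
    Returns the wire label (length byte, 32 chars, terminating 0x00)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"


def build_nbns_query(name: str, txid: int) -> bytes:
    """NBNS NAME QUERY REQUEST: 12-byte header plus one NB/IN question."""
    header = struct.pack("!HHHHHH", txid, QUERY_FLAGS, 1, 0, 0, 0)
    question = encode_netbios_name(name) + struct.pack("!HH", NB_TYPE, IN_CLASS)
    return header + question


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a label sequence or a 2-byte compression pointer."""
    if data[offset] & 0xC0 == 0xC0:
        return offset + 2
    return data.index(b"\x00", offset) + 1


def parse_nbns_response(data: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses claiming the name in a positive NBNS
    answer matching expected_txid, or [] if the datagram is not one."""
    if len(data) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000 or an == 0:
        return []
    offset = 12
    for _ in range(qd):                      # skip echoed question(s)
        offset = _skip_name(data, offset) + 4
    ips = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype != NB_TYPE or rclass != IN_CLASS:
            continue
        # RDATA is a list of (NB_FLAGS: 2 bytes, IPv4: 4 bytes) entries
        for i in range(0, len(rdata) - 5, 6):
            ips.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return ips


def build_sample_reply(txid: int, name: str, ip: str) -> bytes:
    """Constructed positive reply (flags 0x8500: response, AA, RD) of the
    shape a poisoner sends; used here only to exercise the parser offline."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = encode_netbios_name(name) + struct.pack("!HHIH", NB_TYPE, IN_CLASS, 300000, 6)
    return header + rr + b"\x00\x00" + socket.inet_aton(ip)


# Constructed sample: txid 0x1234, someone claiming the made-up name "CANARY"
SAMPLE_POISONED_REPLY = build_sample_reply(0x1234, "CANARY", "10.0.0.66")


def probe_for_poisoner(timeout: float = 2.0) -> list:
    """Broadcast a query for a random name and collect any (name, sender,
    claimed_ip) tuples. A non-empty result is the alert condition."""
    name = "".join(chr(65 + b % 26) for b in os.urandom(12))
    txid = struct.unpack("!H", os.urandom(2))[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_nbns_query(name, txid), ("255.255.255.255", NBNS_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            for ip in parse_nbns_response(data, txid):
                hits.append((name, src, ip))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for name, src, ip in probe_for_poisoner():
        print(f"ALERT: {src} answered for non-existent name {name} with {ip}")
```

Because the queried name is random and does not exist, the parser deliberately treats any positive answer as a hit rather than trying to distinguish "wrong" from "right" responders; the same logic explains why the agent's broadcasts show up in egress firewall logs, and why blocking them silently disables this detection.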