InsightIDR Troubleshooting

"realtime" job fails for Linux assets

For InsightIDR users, Linux assets with the Insight Agent must have the auditd service disabled for the realtime job to run. If the realtime job fails, check for and disable the auditd service on affected Linux assets.

Blocked Outgoing Broadcasts on UDP 137 (NetBIOS)

You may see that the Rapid7 Insight Agent blocks outgoing broadcasts on UDP 137.

This is because the Insight Agent sends out an anonymously crafted NBT UDP broadcast packet in the hope that an attacker (usually running Responder) will respond by masquerading as the "resource" that the Insight Agent randomly generated.

If the Insight Agent sees a response to that crafted packet, it triggers an event that fires off an alert in InsightIDR.
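The check described above can be sketched as follows. This is an added illustration, not Rapid7's code: the function names are hypothetical, the packet layout follows RFC 1002, and the reply in the demo is constructed. It builds the broadcast query for a made-up name and reports the address of any host that claims that name.

```python
import os
import struct

NB, IN = 0x0020, 0x0001  # question type NB, class IN (RFC 1002)

def encode_name(name, suffix=0x00):
    """First-level encoding: 15 space-padded bytes + suffix, one letter per nibble."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    half = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + half + b"\x00"

def decode_name(field):
    """Inverse of encode_name; None if the 34-byte field is malformed."""
    body = field[1:33]
    if len(field) != 34 or field[0] != 0x20 or any(not 0x41 <= c <= 0x50 for c in body):
        return None
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("latin-1").rstrip()

def random_name():
    """Unpredictable 15-character name that no real host has registered."""
    return "H" + os.urandom(7).hex().upper()

def build_query(name, txid):
    """Broadcast name query: flags 0x0110 = recursion desired + broadcast."""
    header = struct.pack(">6H", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">2H", NB, IN)

def claimed_address(pkt, name, txid):
    """IP a responder claims for `name`, or None if pkt is not a positive answer to our query."""
    if len(pkt) < 62:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">6H", pkt[:12])
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    positive = flags & 0x8000 and not flags & 0x000F and an >= 1
    if not positive or rid != txid or rtype != NB or rdlen < 6:
        return None
    if decode_name(pkt[12:46]) != name.upper():
        return None
    return ".".join(str(b) for b in pkt[58:62])  # any answer for a made-up name is suspect

if __name__ == "__main__":
    name, txid = random_name(), 0x1337
    # Constructed reply of the kind a poisoner would send; 192.0.2.66 is a documentation address.
    reply = (struct.pack(">6H", txid, 0x8500, 0, 1, 0, 0) + encode_name(name)
             + struct.pack(">HHIH", NB, IN, 165, 6) + b"\x00\x00" + bytes([192, 0, 2, 66]))
    print(len(build_query(name, txid)), "byte query for", name)
    print("alert: name claimed by", claimed_address(reply, name, txid))
```

Because the name is random and never registered, no legitimate host has a reason to answer it, so a positive reply is a strong signal on its own.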