SIEM (InsightIDR) Integration

The integration with Rapid7’s SIEM (InsightIDR) provides Cloud Security (InsightCloudSec) with the ability to export cloud event data to SIEM (InsightIDR) for historical logging, analysis, and further investigation.

To learn more about working specifically with SIEM (InsightIDR), including setup of SIEM (InsightIDR), check out the SIEM (InsightIDR) integration documentation .

For general information about Integrations (editing and deleting), refer to the Integrations Overview page.
If you need help with this integration, contact us through the Customer Support Portal .

Configuration in SIEM (InsightIDR)

As part of the Cloud Security (InsightCloudSec) integration, there are a few configuration steps you must complete in SIEM (InsightIDR) before you can send data.

These steps assume you have deployed and configured a Collector following the steps found here and that you have registered your Collector with your instance of SIEM (InsightIDR) based on those instructions.

ℹ️

Public Collector IP

The Collector must have a public IP address to properly enable the integration in Cloud Security (InsightCloudSec).

Once you have your Collector in SIEM (InsightIDR), you will need to create a new data source.
- This data source should be of type Custom Logs as seen below.
- This allows the integration to send structured logs to IDR via the Collector.
- You will need to configure a public Collector to listen on a network port and then select UDP as the profile, as shown below, and take note of the port you select. You will need the port information when you configure the integration inside Cloud Security (InsightCloudSec).
Click Save when you have completed the Add Event Source details.

Configuration in Cloud Security (InsightCloudSec)

Refer to the steps below to set up the integration within Cloud Security (InsightCloudSec)

Navigate to Settings > Integrations and locate the SIEM (InsightIDR) tile.
Click Edit on the SIEM (InsightIDR) tile.
Provide the public Collector IP and the UDP port the Collector is listening on. You will need to ensure that all firewall, security groups, etc., rules are in place within the cloud/network location where the Collector is hosted. This allows communication between the Cloud Security (InsightCloudSec) instance and the Collector.
Optionally, select the Send Product API Activity checkbox to enable Cloud Security (InsightCloudSec) to send API activity to your SIEM (InsightIDR) instance, e.g., Compliance Report generation, custom Insight creation, etc.
Click Save to submit and save the integration settings.

Creating a Bot Using Your SIEM (InsightIDR) Integration

Cloud Securityloud Security (InsightCloudSec) includes Bot actions that include an action that exports a pre-formatted data block that includes Bot Name, filter information, and resource information.

For detailed step by step instructions check out Creating Bots.
You can also check out Working with Bots (Best Practices & Examples) if you want to review some examples.

From within the Bots form, during Step 4 you will be allowed to select Actions. Search for IDR to locate the Bot action titled “SIEM (InsightIDR) Event”. Using this Bot action allows the default SIEM (InsightIDR) parser to handle data from Cloud Security (InsightCloudSec) without additional SIEM (InsightIDR) configuration.

At the time of writing the Actions specific to SIEM (InsightIDR) include:

Insight IDR Custom Event: Log a custom event into an SIEM (InsightIDR) collector
Insight IDR Event: Log a pre-canned event into an SIEM (InsightIDR) Collector (mentioned above)

ℹ️

Product name to be replaced

You may observe that some components, screen captures, or examples use our former product name, DivvyCloud. This doesn’t affect the configuration or the product’s functionality, and we will notify you as we replace these component names.

An example of the Insight IDR Event Bot action output is shown below.

Configuration of Cloud Security (InsightCloudSec) Data in SIEM (InsightIDR)

Once you have your Collector and event sources configured, you should be able to trigger the Bot(s) to see logs flowing into the Collector.

From your SIEM (InsightIDR) installation, click into the Collectors and then choose View raw log data. For more information on configuration in SIEM (InsightIDR), refer to the SIEM (InsightIDR) documentation .

Log Analysis

After verifying the logs are flowing into SIEM (InsightIDR), you can start to build out the dashboard using elements of the log files as search parameters.