Send InsightConnect Events to InsightIDR

The Investigation feature in InsightIDR allows you to gather context around incidents and collaborate effectively to remediate and close them. When you use this feature, you can trigger automated workflows in InsightConnect to help move faster through the incident lifecycle. These workflows can produce events or logs that you can send back into InsightIDR to provide more security data.

InsightConnect plugs into hundreds of popular security tools that help to detect anomalous activity and alert security teams. The user may do additional enrichment on these alerts, and then feed them into InsightIDR to handle them in InsightIDR’s Investigations feature. The user can create custom alerts to alert on the InsightConnect data coming in.

By adding your InsightConnect logs to InsightIDR, you can create customizable dashboards using InsightOps.

Here’s an overview of how to send your InsightConnect events to InsightIDR:

  1. Set Up the InsightConnect event source.
  2. Add a Syslog Forwarder step in InsightConnect.
  3. View your InsightConnect logs in InsightIDR.

Set Up the InsightConnect Event Source

To create a new event source in InsightIDR:

  1. Click Settings in the left navigation bar.
  2. Click Setup Event Source > Add Event Source.
  3. Click the Custom Logs event source under Raw Data.
  4. Add a name for the event source, like InsightConnect.
  5. Choose the timezone for your Orchestrator.
  6. Choose a collector to associate with the event source.
    1. Take note of the collector you choose so you can find its IP address in Step 10 of this procedure.
  7. Select Listen for Syslog as your Collection Method.
  8. In the Port field, enter a port number that is not overloaded. For example, you could use port 65218.
    1. Take note of this port number for later configuration in InsightConnect.
  9. In the Protocol field, select either UDP or TCP. Select TCP if you want to send encrypted data.
  10. Navigate to the Collectors tab under Settings. Under the collector that you chose in step 6, take note of its IP address for later configuration in InsightConnect.

Add a Syslog Forwarder Step in InsightConnect

To send logs from an InsightConnect workflow to InsightIDR, you add a Syslog Forwarder step to the workflow. To add a Syslog Forwarder step to a workflow:

  1. Log in to your InsightConnect instance.
  2. In the left navigation bar, expand Workflows, and navigate to the Workflow that want to add a Syslog Forwarder step to.
  3. Click the + icon to add a step.
  4. Select Action Step.
    1. If you already downloaded the Syslog Forwarder, skip to step 8.
    2. If you have not downloaded the Syslog Forwarder, click the + Add Plugin button, and go to Step 5.
  5. Search for Syslog Forwarder.
  6. Select Syslog Forwarder by Rapid7 and press Next.
  7. Click Import and the plugin will install.
  8. Select Syslog Forwarder from the From Plugins menu and press Continue.
  9. Select Forward Message and press Continue.
  10. Click +Add a New Connection.
  11. In the Connection Name field, add a name for the connection.
  12. In the Where will this connection live? field select the relevant orchestrator.
  13. In the Host field, enter the collector IP address that you took note of in Step 10 of the Set Up the InsightConnect event source section.
  14. In the Port field, enter the Syslog Listener port number that you set up in Step 8 of the Set Up the InsightConnect event source section.
  15. In the Transport field, select UDP or TCP based on the protocol that you selected in Step 9 of the Set Up the InsightConnect event source section.
  16. Put the message you would like to send in the logs in the Message field. You can write the message in JSON, but it will be formatted as a string once ingested by Syslog.
  17. Set the Facility field to Local0. For more information, see here: https://success.trendmicro.com/solution/TP000086250-What-are-Syslog-Facilities-and-Levels
  18. Fill in the Level, Host, and MessageID fields. The values for these fields will vary depending on how you use Syslog. See the screenshot below for an example, and click here for more information: https://success.trendmicro.com/solution/TP000086250-What-are-Syslog-Facilities-and-Levels

View Your InsightConnect Logs in InsightIDR

You can view your InsightConnect logs in InsightIDR using two methods.

The first method is:

  1. Navigate to Settings.
  2. Select Event Sources.
  3. Find the InsightConnect event source.
  4. Click View Raw Log.

The second method is:

  1. Click Log Search in the left navigation bar.
  2. Select only the Raw Data logset.
  3. Select InsightConnect and deselect all other logs.