InsightCloudSec

InsightCloudSec (previously DivvyCloud) provides real-time analysis and automated remediation for cloud and container technologies, protecting them from misconfiguration, policy violations, threats, and IAM challenges. If you have a valid InsightCloudSec license, you can send cloud events to InsightIDR for analysis, investigations, reporting, and more.

To send InsightCloudSec data to InsightIDR:

  1. Deploy and configure a collector.
  2. Set up an event source in InsightIDR.
  3. Configure InsightCloudSec.
  4. Verify the Configuration.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Rapid7 InsightCloudSec in the event sources search bar.
    • In the Product Type filter, select Rapid7.
  3. Select the Rapid7 InsightCloudSec event source tile.
  4. Choose your Collector.
  5. In the Name Event Source field, name your event source.
  6. Specify a port. You will need to enter this port information in InsightCloudSec.
  7. Click Save.

Configure InsightCloudSec

To send data to InsightIDR, you must provide InsightCloudSec with the Collector IP and the port you specified when configuring the event source in InsightIDR, and then trigger the pre-configured InsightIDR Bot action.

Set up an Integration

  1. From the InsightCloudSec left menu, select Administration > Integrations.
  2. On the Integrations page, locate the InsightIDR tile, and click Edit.
  3. In the Connector IP field, enter the Collector IP.
  4. In the Port field, enter the UDP port the Collector is listening on.
    • You must ensure that all firewall and security group rules are in place within the cloud/network location where the Collector is hosted. This allows communication between the InsightCloudSec instance and the Collector.
  5. To submit and save the integration settings, click Save.

Trigger the Pre-Configured InsightIDR Bot

InsightCloudSec includes a default Bot action that exports a pre-formatted data block containing the bot name, filter information, and resource information. Once you have configured your Collector and the event source, trigger the bot to send logs to InsightIDR:

  1. Search for "IDR" to locate the InsightIDR Event bot action. This action allows InsightIDR to ingest InsightCloudSec data without any additional InsightIDR configuration.
  2. To test the bot, select the On Demand Scan option. This manually triggers the bot and sends data to InsightIDR based on pre-defined criteria. The data provides details on the resource that triggered the bot, including all configuration data for that resource.
  3. For additional information, see the InsightCloudSec BotFactory documentation. To read more about the InsightIDR and InsightCloudSec integration, see https://docs.rapid7.com/insightcloudsec/insight-idr-integration/.

Verify the Configuration

Complete the following steps to view your logs and ensure events are making it to the Collector:

  1. From the left menu, click Log Search and select Raw Logs.
  2. Next, perform a Log Search to make sure your events are coming through. Cross-reference the log entries with recent bot triggers in InsightCloudSec. If the InsightIDR Event bot has not fired in the last 24 hours (for example, because no On Demand Scan has been run and no resource has matched its filter), there will be no logs to view.

Logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but still see nothing in Log Search after that interval has passed, your logs do not match the format and type expected for this event source.

Sample Logs

This is an example of the InsightIDR bot action output:

InsightCloudSec Sample Log Data