Advanced Event Source Settings
Multi-Domain Environments
If you have multiple domains in your environment, specify a default domain for the event source. This setting tells InsightIDR which domain to attribute users to when the event log does not carry the domain itself, which is common for sources that log only a bare account name.
Rapid7 Encryption Certificate
When you send event source data by syslog over TCP, you can also encrypt that data with TLS. While configuring the event source, choose TCP under the collection method and click "Download Certificate". The downloaded file is named Rapid7CA.pem and lets InsightIDR and the event source trust each other during log forwarding.
Rapid7 recommends importing the certificate on the same machine as the vendor product or application that you are connecting to InsightIDR as an event source. Use that product's administrative tool, or the vendor's own instructions, to import the certificate into its trust store.
The file contains two public certificates and no private key: the certificate issued to your organization, and the Rapid7 CA certificate that issued it. Because it carries only public material it is safe to distribute to every sending host, but it must be installed as a trust anchor (not as an identity certificate) on the sender.
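As an added illustration, not a configuration taken from this page or shipped by Rapid7, the following rsyslog fragment forwards a Linux host's syslog to a Collector over TLS using the downloaded Rapid7CA.pem as the trust anchor. The Collector hostname (collector.example.internal), the port (6514) and the file path are assumptions; use the address and the port you configured on the event source's TCP listener.

```conf
# /etc/rsyslog.d/90-insightidr.conf  (added example, not Rapid7's own configuration)

# Trust anchor downloaded from the event source page via "Download Certificate".
# It holds public certificates only; the sender uses it to verify the Collector.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/Rapid7CA.pem"
)

# Forward everything to the Collector over TLS. StreamDriverMode="1" means
# TLS only (never fall back to plaintext); StreamDriverAuthMode="x509/certvalid"
# rejects any peer whose certificate does not chain to Rapid7CA.pem.
# The disk-assisted queue keeps events if the Collector is briefly unreachable.
action(
  type="omfwd"
  protocol="tcp"
  target="collector.example.internal"
  port="6514"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/certvalid"
  queue.type="LinkedList"
  queue.filename="insightidr_fwd"
  action.resumeRetryCount="-1"
)
```

`x509/certvalid` checks only that the Collector's certificate chains to the CA file. To pin the peer name as well, switch to `StreamDriverAuthMode="x509/name"` and add `StreamDriverPermittedPeers="collector.example.internal"` (the name must match the certificate the Collector presents). After a restart, `rsyslogd -N1` validates the syntax and a failed handshake shows up in rsyslog's own log as a gtls error rather than as silently missing events.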
Inactivity Timeout Threshold
This setting applies only to DHCP and VPN event sources. The Inactivity Timeout Threshold specifies, in minutes, how long an event source can go without sending data before InsightIDR puts it into an error state.
Active Failover Partner
If you have two DHCP servers configured in an active/passive relationship, you can specify the active partner.
Unparsed Logs
Learn about how unparsed logs affect your event source.
Attribution Source
In InsightIDR, attribution refers to the attempts the system makes to identify which assets, accounts, and users are involved in the collected log activity. For example, when an event log states that the activity was performed by the account jdoe, InsightIDR uses previously collected information from other event sources to determine whether that account is associated with the user Jane Doe or John Doe.
The InsightIDR attribution engine uses data collected by event sources, endpoint agents, and network sensors to model the relationship between IP addresses and assets over time. This model is used to attribute events that contain a source IP address (but not a source hostname or fully qualified domain name) to an asset.
The term source address in InsightIDR refers to the information in an event log that identifies an asset. This might be an IP address, such as 10.101.102.103, or a hostname, such as janeslaptop or janeslaptop.bos.razor.com.
If the InsightIDR attribution engine is successful in determining the asset, it then uses the authentication history of that asset to identify the primary user of that asset. If there is a known primary user of that asset, that log entry is attributed to both the asset and the user.
If the InsightIDR attribution engine cannot determine the asset or the user, but the log entry itself contains the correct values, change the attribution source setting so that those fields are used. For example, if the username field of the log entry contains a value other than the one InsightIDR identified, such as Jeremy Doe (jdoe@razor.com), choose one of the attribution source settings that lets the event log supply the correct value. This setting applies to both asset and user attribution.
Select an Attribution Source
These options attribute a user to the log activity in slightly different ways:
- Use IDR engine if possible; if not, use event log - The user or asset the InsightIDR attribution engine identified is deemed responsible for the log activity. If the attribution engine is not able to identify a user, then the user or asset found in the log entry is deemed responsible.
- Use event log if possible; if not, use IDR engine - The user or asset identified in the log entry is deemed responsible for the log activity. If the log entry does not contain a known user, use the InsightIDR attribution engine to identify the user or asset.
- Use IDR engine only - The user or asset the InsightIDR attribution engine identified is deemed responsible for the log activity. Any user information that is found in the log entry will be ignored.
- Use event log only - Only the user information that is found in the log entry will be used to determine the user or asset. Even if the log entry does not contain a known user, the InsightIDR attribution engine will not be consulted.
These descriptions relate to choosing an automated process to determine the user, but some event source products also provide information about the asset that performed the activity. The same setting will be used to determine which source is preferred for attributing the asset when that value is present in the original event log. For more information on how user attribution works, see User Attribution.
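To make the four settings concrete, here is an added Python model of how they combine the engine's answer with the event log's own fields. It is illustrative code written for this page, not InsightIDR's implementation. The IP-to-asset observations, primary-user table and events are constructed, the engine is reduced to "most recent asset seen on that IP at or before the event time, then that asset's primary user", an FQDN is assumed to map to an asset by its first label, and the log is assumed to carry the user in a `username` field and the asset in a `hostname` field.

```python
"""Model of InsightIDR's four attribution-source settings (added example, not Rapid7 code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Attribution:
    user: Optional[str]
    asset: Optional[str]


# Constructed sample data standing in for what the engine learns from DHCP/VPN
# logs, agents and sensors: which asset held an IP, and when it was observed.
IP_OBSERVATIONS: List[Tuple[str, str, int]] = [
    ("10.101.102.103", "janeslaptop", 1000),
    ("10.101.102.103", "bobsdesktop", 2000),  # lease re-assigned later
]
# Constructed: primary user of each asset, as derived from authentication history.
PRIMARY_USER: Dict[str, str] = {"janeslaptop": "jane.doe", "bobsdesktop": "bob.smith"}

# Constructed events. Event 2 is the case from the text: the IP has since moved
# to another asset, but the log itself names the account. Event 3 is an IP the
# engine has never seen, with the product supplying both user and host.
EVENTS: List[Dict] = [
    {"time": 1500, "source_address": "10.101.102.103"},
    {"time": 2500, "source_address": "10.101.102.103", "username": "jdoe@razor.com"},
    {"time": 3000, "source_address": "10.9.9.9", "username": "svc_backup", "hostname": "backup01"},
]


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def engine_attribute(source_address: str, at: int) -> Attribution:
    """Stand-in for the IDR engine: source address -> asset -> primary user."""
    if is_ip(source_address):
        # Most recent observation at or before the event time wins; an IP the
        # engine has never seen yields no asset.
        seen = [(t, a) for ip, a, t in IP_OBSERVATIONS if ip == source_address and t <= at]
        asset = max(seen)[1] if seen else None
    else:
        # Hostname or FQDN: assumed to identify the asset by its first label.
        asset = source_address.split(".")[0].lower()
    user = PRIMARY_USER.get(asset) if asset else None
    return Attribution(user=user, asset=asset)


def log_attribute(event: Dict) -> Attribution:
    """Whatever the event itself says (field names are assumptions)."""
    return Attribution(user=event.get("username"), asset=event.get("hostname"))


def attribute(mode: str, event: Dict) -> Attribution:
    """Apply one of the four attribution-source settings to an event."""
    engine = engine_attribute(event["source_address"], event["time"])
    log = log_attribute(event)

    def prefer(first: Attribution, second: Attribution) -> Attribution:
        # Field-wise fallback: user and asset each fall back independently.
        return Attribution(user=first.user or second.user, asset=first.asset or second.asset)

    if mode == "engine_only":
        return engine                 # log fields ignored even if the engine found nothing
    if mode == "log_only":
        return log                    # may be fully unattributed; engine never consulted
    if mode == "engine_then_log":
        return prefer(engine, log)
    if mode == "log_then_engine":
        return prefer(log, engine)
    raise ValueError(f"unknown attribution source: {mode}")


if __name__ == "__main__":
    for mode in ("engine_then_log", "log_then_engine", "engine_only", "log_only"):
        for i, ev in enumerate(EVENTS, 1):
            print(f"{mode:16} event {i}: {attribute(mode, ev)}")
```

The second event is the one to look at: under "Use IDR engine if possible" the activity lands on bob.smith, because the IP-to-asset model says the address now belongs to bobsdesktop; under "Use event log if possible" it lands on the account the log names, while the asset still comes from the engine because the log carried no hostname. "Use event log only" leaves the first event completely unattributed, which is the trade-off to weigh before choosing it for a source that only sometimes logs a user.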