DivvyCloud by Rapid7 provides real-time analysis and automated remediation for cloud and container technologies, protecting them from misconfiguration, policy violations, threats, and IAM challenges. If you have a valid DivvyCloud license, you can send cloud events to InsightIDR for analysis, investigations, reporting, and more.
To send DivvyCloud data to InsightIDR:
- Deploy and configure a collector.
- Set up an event source in InsightIDR.
- Configure DivvyCloud.
- Verify the Configuration.
Set up an Event Source in InsightIDR
- From the InsightIDR left menu, select Data Collection.
- Click the Setup Event Source dropdown and choose Add Event Source.
- From the Rapid7 section, click the DivvyCloud icon. The Add Event Source panel appears.
- Choose your Collector.
- In the Name Event Source field, name your event source.
- Specify a port. You will need to enter this port information in DivvyCloud.
- Click Save.
To send data to InsightIDR, you must provide DivvyCloud with the Collector IP and the port you specified when configuring the event source in InsightIDR, and then trigger the pre-configured InsightIDR Bot action.
Set up an Integration
- From the DivvyCloud left menu, select Administration > Integrations.
- On the Integrations page, locate the InsightIDR tile, and click Edit.
- In the Connector IP field, enter the Collector IP.
- In the Port field, enter the UDP port the Collector is listening on.
- You must ensure that all firewall and security group rules are in place within the cloud/network location where the Collector is hosted. This allows communication between the DivvyCloud instance and the Collector.
- To submit and save the integration settings, click Save.
Trigger the Pre-Configured InsightIDR Bot
DivvyCloud includes a default Bot action that exports a pre-formatted data block that includes the bot name, filter information, and resource information. Once you configure your Collector and a Custom Log event source, trigger the bot to send logs to InsightIDR:
- Search for "IDR" to locate the InsightIDR Event bot action. This action allows InsightIDR to ingest DivvyCloud data without any additional InsightIDR configuration.
- To test the bot, select the On Demand Scan option. This manually triggers the bot and sends data to InsightIDR based on pre-defined criteria. The data provides details on the resource that triggered the bot, including all configuration data for that resource.
- For additional information, see the DivvyCloud BotFactory documentation. To read more about the InsightIDR and DivvyCloud integration, see https://docs.divvycloud.com/docs/insight-idr-integration.
Verify the Configuration
Complete the following steps to view your logs and ensure events are making it to the Collector:
- From the left menu, click Log Search and select Raw Logs.
- Next, perform a Log Search to make sure your events are coming through. Be sure to cross-reference your logs with existing malops. If there have not been any new malops in the last 24 hours, there will be no logs to view.
Logs take a minimum of 7 minutes to appear in Log Search
Logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source. .
This is an example of the InsightIDR bot action output: