Endpoint Monitor

The Endpoint Monitor, or Scan Mode, can run an agentless scan that gathers data from endpoints once an hour alongside the Collector.

The Endpoint Monitor collects the required data from assets that do not have the Insight Agent installed and immediately shuts down when the scan is complete. You can use the Endpoint Monitor as an alternative to using the Insight Agent.

Please note the following about the Endpoint Monitor:

  • Rapid7 recommends using the Insight Agent over the Endpoint Monitor because the Insight Agent collects real-time data, is capable of more detections, and allows you to use the Scheduled Forensics feature. See the Insight Agent documentation for Insight Agent deployment instructions.
  • If you are a Managed Detection and Response (MDR) customer, you cannot use the Endpoint Monitor. You must install the Insight Agent on at least 80% of your endpoints. Please note that Rapid7 recommends that MDR customers install the Insight Agent on every endpoint possible, and not just 80% of the endpoints. However, the Insight Agent is required to be installed on at least 80% of the endpoints for Full Service monitoring.
  • The Endpoint Monitor only works on Windows assets.

Before You Begin

Before you set up the Endpoint Monitor, review the following sections:

Then you can configure the Endpoint Monitor.

Requirements

Permission requirements include:

  • The Endpoint Monitor requires admin credentials. Prepare a Service Account with admin credentials in order to authenticate to the target endpoints for data collection.
  • A user profile must be created on the designated endpoint(s) for the account being used to run the endpoint scan. The user must log onto the designated endpoint before the Endpoint Scan process takes place.
  • In order to deploy multiple Endpoint Scans of the same OS type across a network, you must configure a host Collector for each domain with its own credentials.

Networking requirements include:

  • The Endpoint Monitor must be able to establish a WMI (Windows Management Instrumentation) connection with the endpoints.
  • Endpoints must be able to initiate a connection back to the Collector on a port in the 20,000–30,000 range.
  • If you have a firewall or web proxy that restricts outgoing connections, you must grant permission for the Collector to connect to the backend servers. See Firewall Rules for specific information.

Review the Network Requirements to make sure the Endpoint Monitor functions properly on your network. Note that when scanning the defined IP ranges, the Endpoint Monitor cannot see systems that leave the network.

Install the Insight Agent for critical servers and remote endpoints

For critical servers and endpoints belonging to remote employees, you should install the Insight Agent to enable real-time streaming of events and assets off of the network.

Bandwidth Impact

Once you enter an IP address or IP address range, the Collector starts a scan within minutes. Because a typical Collector scan takes 30–60 minutes, the Endpoint Monitor scans an asset only once every hour, or once every 2 hours for a class C (/24) subnet.

For most environments, there is minimal or negligible bandwidth impact because the scanner enforces a 30-minute cooldown period between each scan.

IPs / CPU          Time between scans of each endpoint
1–16,000           1 hour for each scan
16,000–32,000      2.5 hours for each scan
32,000–64,000      5–8 hours for each scan

A single Collector can handle about 16,000 endpoints scanned for each CPU that it has available. You may split up the endpoint IP ranges over multiple Endpoint Monitor scans. However, to avoid overlapping endpoint ranges, do not define an IP address or IP range on multiple Collectors.

Be cautious with /8 and /16 subnets or you may configure the Endpoint Monitor to scan too many assets.

Low-Bandwidth Environments

For extremely low-bandwidth environments, the Endpoint Monitor uses the following resources during a scan:

  • Approximately 300 KB per asset per scan to gather endpoint information
  • An additional 10 MB per scan to transfer the collected data to the Collector

Configure the Endpoint Monitor and Endpoint Range

To configure the Endpoint Monitor and add endpoint ranges:

  1. From your InsightIDR home page, select Assets & Endpoints.
  2. In the upper right corner of the page, click Set Up Scan Agents.

You'll see the Scan Agent Ranges page, which shows both configured asset ranges and assets with ranges that have not been configured yet.

  3. Click Add Endpoint Range from the upper right corner of the page. A peek panel will appear from the right side.
  4. Enter the IP address range you want to monitor.

Ranges cannot be larger than CIDR /16

The Endpoint Monitor ranges cannot be larger than CIDR /16, which is a maximum of 65,536 hosts. If possible, use the smallest range needed to cover your specific endpoint range. For individual assets, include /32 CIDR notation.

  5. Select the Collector you want to use from the Collector name dropdown menu.
  6. Select the Credential from the Credential name dropdown menu.
  7. Optionally, enter an IP range name in the IP range name field.
  8. Click the Create New Range button.

Data will populate in the Scan Agent Ranges section of Endpoint Monitoring.
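As an added example (not part of the Rapid7 documentation or product), the following Python checks a planned set of ranges against the rules above before you enter them on the Scan Agent Ranges page: no range larger than /16, no IP or range defined on more than one Collector, and the expected time between scans from the Bandwidth Impact table given each Collector's CPU count. The collector names, ranges and CPU counts are constructed.

```python
import ipaddress
from collections import defaultdict

# Added example (not Rapid7 code): sanity-check planned Endpoint Monitor ranges
# against the rules in this document before entering them on the Scan Agent Ranges page.
MAX_RANGE_HOSTS = 65536  # ranges cannot be larger than CIDR /16
# From the Bandwidth Impact table: (max IPs per Collector CPU, time between scans).
SCAN_INTERVAL_TABLE = [(16000, "1 hour"), (32000, "2.5 hours"), (64000, "5–8 hours")]

def scan_interval(ips_per_cpu):
    # Look up the documented interval; beyond 64,000 IPs per CPU the table gives no figure.
    for limit, interval in SCAN_INTERVAL_TABLE:
        if ips_per_cpu <= limit:
            return interval
    return "beyond the documented table: add CPUs or split the range"

def check_ranges(ranges, cpus):
    """ranges: [(collector, cidr)], cpus: {collector: cpu_count}. Returns (problems, load)."""
    problems, seen, ips = [], [], defaultdict(int)
    for collector, cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)  # a bare IP becomes /32
        if net.num_addresses > MAX_RANGE_HOSTS:
            problems.append(f"{collector}: {cidr} exceeds /16 ({net.num_addresses} hosts)")
            continue  # the UI would reject it, so do not count it toward load
        for other_collector, other in seen:
            if net.overlaps(other):
                problems.append(f"{cidr} on {collector} overlaps {other} on {other_collector}")
        seen.append((collector, net))
        ips[collector] += net.num_addresses
    # Per-Collector load: total IPs divided by the CPUs that Collector has available.
    load = {c: scan_interval(ips[c] / cpus[c]) for c in ips}
    return problems, load

# Constructed plan (collector names, addresses and CPU counts are made up).
PLAN = [("collector-a", "10.10.0.0/17"), ("collector-a", "10.20.5.0/24"),
        ("collector-b", "10.10.64.0/24"), ("collector-b", "192.168.0.0/20"),
        ("collector-b", "172.16.0.0/8")]
CPUS = {"collector-a": 2, "collector-b": 1}

if __name__ == "__main__":
    found, per_collector = check_ranges(PLAN, CPUS)
    print("\n".join(found) or "no problems")
    print(per_collector)
```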

Asset Data Collection

The Endpoint Monitor collects the following data from your assets and endpoints:

  • Local user activity
  • Windows logon activity
  • Event log tampering
  • Process hash identification
  • Process commonality analysis
  • Process malware analysis

However, the Endpoint Monitor does NOT collect the following data:

  • Forensic Jobs
  • Real-time/continuous collection
  • Exploit mitigated
  • Honey file accessed
  • Local honey credential privilege escalation attempt
  • Protocol poisoning detected
  • Remote file execution detected

Troubleshooting

If you experience issues when using the Endpoint Monitor, review the following solutions to solve the problem:

Endpoints not returning logs during an Endpoint Monitor Scan

If you do not see endpoints returning logs in their scans or from the Insight Agents, complete the following steps:

  1. Confirm that the expected ports are open and available. See Network Requirements for specific information.
  2. If the external firewall and web proxies are configured correctly, check a sample endpoint for agent log files in either of the following folders:
    • C:\Windows\Temp\
    • C:\Users\IDR_service_account\AppData\Local\Temp\
  3. Find the Rapid7 folder and look for the following three files:
    • agent.log
    • config.json
    • powershell.log
  4. Compress the files and send them to Rapid7 Support for review.

Read Scan Log Results

At the end of each scan, the Endpoint Monitor will report the results of the scan in the collector.log.

If you experience issues with the Endpoint Monitor, review collector.log for lines like the following two. The INFO line gives the totals across all configured ranges; the WARN line names the first asset that failed, how many others failed in the same way, and the error code returned:

2015-08-24 17:03:04.943 INFO win-endpoint-monitor-scheduled-scan-00 com.rapid7.domain.collector.endpointmonitor.AbstractEndpointMonitorDataSource:203 - bulk scan total statistics for all ranges: BulkAssetScanStatistics{totals=ScanStatistics{success=192, domainController=2, unavailable=70570, error=324, badCredential=13, timedOut=187, ipsScanned=71086}, totalScanTime=13435777}
2015-08-24 17:03:04.943 WARN win-endpoint-monitor-scheduled-scan-00 com.rapid7.domain.collector.endpointmonitor.AbstractEndpointMonitorDataSource:224 - Failed to scan 10.0.000.00 and 123 other asset(s): com.rapid7.net.wmi.exception.WMIException: Message not found for errorCode: 0x80041003

Error Codes

Use the following table to determine what an error means in your scan log:

Error code       Definition
unavailable      There is no asset listening on the IP that was attempted. There may be a firewall blocking the connection, part of the network may be unreachable, or there are simply no assets running on that IP address.
error            An error code was received from the endpoint during attempted communication.
badcredential    There was an attempt to connect to the endpoint but the attempt was denied.
timedout         A connection was established but no response was received.
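Putting the log excerpt and the error code table together, here is an added Python example (not Rapid7's code) that parses the two collector.log line types shown under Read Scan Log Results, annotates each counter with the table's definition, and maps the 0x80041003 WMI error to the fix described under Error 0x80041003. The sample log lines are constructed from the excerpt above with a made-up IP address.

```python
import re
# Added example (not Rapid7 code): parse the two collector.log line types from Read Scan
# Log Results and explain them via the Error Codes table (log spelling: badCredential, timedOut).
ERROR_CODE_MEANING = {
    "unavailable": "no asset listening on that IP (firewall, unreachable segment, or nothing there)",
    "error": "an error code was received from the endpoint during communication",
    "badCredential": "connection attempted but denied; check the Service Account",
    "timedOut": "connection established but no response received",
}
WMI_HINTS = {"0x80041003": "remote WMI queries not allowed; grant Execute Methods, Enable Account and Remote Enable on ROOT\\CIMV2"}
STATS_RE = re.compile(r"totals=ScanStatistics\{([^}]*)\}, totalScanTime=(\d+)")
FAILED_RE = re.compile(r"Failed to scan (\S+) and (\d+) other asset\(s\): (\S+): (.*)$")
# Constructed sample modelled on the excerpt above (the 10.0.0.1 address is made up).
SAMPLE_LOG = """\
2015-08-24 17:03:04.943 INFO win-endpoint-monitor-scheduled-scan-00 com.rapid7.domain.collector.endpointmonitor.AbstractEndpointMonitorDataSource:203 - bulk scan total statistics for all ranges: BulkAssetScanStatistics{totals=ScanStatistics{success=192, domainController=2, unavailable=70570, error=324, badCredential=13, timedOut=187, ipsScanned=71086}, totalScanTime=13435777}
2015-08-24 17:03:04.943 WARN win-endpoint-monitor-scheduled-scan-00 com.rapid7.domain.collector.endpointmonitor.AbstractEndpointMonitorDataSource:224 - Failed to scan 10.0.0.1 and 123 other asset(s): com.rapid7.net.wmi.exception.WMIException: Message not found for errorCode: 0x80041003
"""

def parse_scan_stats(line):
    # Counters inside ScanStatistics{...} plus the trailing totalScanTime.
    if not (m := STATS_RE.search(line)):
        return None
    stats = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group(1))}
    stats["totalScanTime"] = int(m.group(2))
    return stats

def parse_failed_scan(line):
    # First failed IP, how many more failed the same way, and the WMI errorCode if present.
    if not (m := FAILED_RE.search(line)):
        return None
    code = re.search(r"errorCode: (0x[0-9A-Fa-f]+)", m.group(4))
    return {"first_ip": m.group(1), "others": int(m.group(2)),
            "exception": m.group(3), "error_code": code.group(1) if code else None}

def summarize(log_text):
    # Walk the excerpt once, then turn counters and failures into actionable findings.
    stats, failures, findings = {}, [], []
    for line in log_text.splitlines():
        if (s := parse_scan_stats(line)):
            stats = s
        elif (f := parse_failed_scan(line)):
            failures.append(f)
    scanned = stats.get("ipsScanned", 0) or 1
    for code, meaning in ERROR_CODE_MEANING.items():
        if stats.get(code):
            findings.append(f"{code}={stats[code]} ({100 * stats[code] / scanned:.1f}% of scanned IPs): {meaning}")
    for f in failures:
        hint = WMI_HINTS.get(f["error_code"], "no documented fix for this code; send the logs to Rapid7 Support")
        findings.append(f"{f['first_ip']} and {f['others']} others, {f['error_code']}: {hint}")
    return {"stats": stats, "failures": failures, "findings": findings}
```

A very high unavailable percentage, as in the sample, usually points at a range that is far larger than the live hosts it contains, which is the case the /16 limit and the /8 caution above are meant to catch.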

Error Messages on the Endpoint Monitor Page

Many errors on the Endpoint Monitoring page are due to network interruptions that self-resolve. However, take note of the following errors:

  • If you notice that an entire IP range is showing errors, there may be a networking issue.
  • If a particular endpoint consistently shows the same error, you may have misconfigured that device or it is otherwise inaccessible.

Error 0x80041003

An endpoint returning error 0x80041003 means that the endpoint does not allow remote WMI queries. To fix this error:

  1. On the endpoint, either run wmimgmt, or go to Administrative Tools > Computer Management. The WMI Control Panel appears.
  2. In the left panel, right-click WMI Control (Local) and select Properties.
  3. Select the Security tab.
  4. Expand the Root folder and select the CIMV2 option.
  5. Click Security to display the ROOT\CIMV2 security and add the credential you configured in the Endpoint Monitor.
  6. Be sure to grant the following permissions to the newly added credential:
    • Execute Methods
    • Enable Account
    • Remote Enable