Enhanced Endpoint Telemetry

When a process starts on an endpoint that is monitored by the Insight Agent, the agent collects this data and sends it to InsightIDR in the form of detailed logs. These logs include valuable information such as asset name, hostname, process start time, and more.

The Enhanced Endpoint Telemetry add-on module

Enhanced Endpoint Telemetry is available as an add-on to your InsightIDR license. When you purchase the EET add-on module, you receive full access to the archive of process start data that is captured by the Insight Agent. For pricing information, contact your Rapid7 Account Representative.

Benefits of Enhanced Endpoint Telemetry

While InsightIDR provides out-of-the-box detections for suspicious and malicious events, the information captured by the Insight Agent contains rich metadata that is useful for creating custom detections, accelerating alert investigations, and facilitating complete incident response.

You can use enhanced endpoint telemetry to improve the security of your organization in a variety of ways:

  • Create custom alerts for tactics that uniquely target your organization, such as a PowerShell command executed by your custom web application.
  • Investigate suspicious activity in context to understand the likelihood of a real threat. For example, you can query your process start data and display all commands that were executed before and after an alert was captured.
  • Understand the true scope of an event and respond with greater precision. You can query all endpoint data to determine if a suspicious event was isolated to a specific user or asset, or if multiple users and assets were affected.
  • Identify when users are playing games or running other unapproved software on an endpoint.

Requirements

To access EET data, you need:

  • A license for the Enhanced Endpoint Telemetry add-on module. For pricing and purchasing options, contact your Rapid7 representative.
  • The latest version of the Insight Agent installed on your endpoints.

Data retention

EET data is available for 30 days in hot storage and 90 days in cold storage. For details about log storage and retention in InsightIDR, view this solution brief.

To view your EET data, click Log Search in the InsightIDR left menu, select the Endpoint Activity log set, and adjust the date range on the date picker as needed.

[Screenshot: InsightIDR Endpoint Activity log set]

Query your Process Start Data

In this section, we'll go over ways to unlock the value embedded in your Process Start data.

For sample queries, see the Sample Queries section below.

Create custom queries

Custom queries allow you to capture and alert on activity that is uniquely relevant to your organization. To query endpoint activity data, go to the InsightIDR left menu and click Log Search. Select the Endpoint Activity log set, and create a query using the query bar. To get started, you can use the sample queries below.

Tips for querying your data:

  • Select the Case insensitive and partial mapping checkbox in Log Search
  • Select the Endpoint Activity logset filter
  • Replace values in bold from the queries below with real data from your logs
  • Update the date range selected in the date picker as needed

Enable case insensitive and partial mapping in log search

We strongly recommend that you select the Case insensitive and partial mapping checkbox before running a search to ensure the best possible results.

Save a query

After creating a query, click the Save button to the right of the query bar.

[Screenshot: InsightIDR Save a query]

View saved queries

To view your saved queries, select the Queries dropdown to the left of the query bar.

[Screenshot: InsightIDR View saved queries]

Sample Queries

The queries contain placeholder variables (indicated by bold text) that should be replaced with real values from your logs.

Tips for querying your endpoint activity data:

  • Select the Case insensitive and partial mapping checkbox in Log Search
  • Select the Endpoint Activity logset filter
  • Use Advanced mode
  • Replace values in bold from the queries below with real data from your logs
  • Update the date range selected in the date picker as needed

Query historical user and asset data

When a suspicious event is detected on the endpoint, you can create a query to view all activity that occurred on the host prior to the event. The following section provides two queries that you can use to display users and assets associated with a process start event.

Find unique assets associated with a process

where('hostname'="%HOSTNAME%") groupby(process.cmd_line, process.exe_path) calculate(count)

Find unique assets and users associated with a process

where('hostname'="%HOSTNAME%" and 'process.username'="%USER_NAME%") groupby(process.cmd_line, process.exe_path) calculate(count)

Drill into a process that triggered an alert

When a suspicious process is identified, you can review additional information such as user, hash, and environment variables by including the Process ID and the hostname of the asset in your query.

where(process.pid="%PID%" and hostname="%HOSTNAME%", loose)

Group by process and host

The following query groups your data by process/command line to create patterns of text that make it easy to spot infrequently run commands. Anomalous command lines often indicate that suspicious activity has occurred.

Before running the sample query, be sure to select a date range and update the values in bold as outlined below:

  • Replace %PROCESS_NAME% with the name of the process you want to group by
  • Replace %HOSTNAME% with the hostname of the asset
  • Replace %LIMIT% with desired number of returned results, e.g. 20

where("process.name" = "%PROCESS_NAME%" AND "hostname" = "%HOSTNAME%") groupby(process.cmd_line) calculate(count) limit(%LIMIT%)

Find unsigned Windows processes

The query below can help you identify potentially malicious unsigned Windows processes.

where("process.exe_file.signing_status.status"!="SIGNED_VALID") groupby(process.name, hostname) calculate(count)

Investigate suspicious login activity

If an Insight Agent is installed on a destination asset, you can identify suspicious login activity using the following query. Replace values in bold with real data from your logs.

where('hostname'="%HOSTNAME%" and 'process.username'="%USER_NAME%")

Find malicious hashes

You can use the following query to identify all instances of a malicious file on a machine, regardless of whether or not the file is currently being accessed.

where( "process.exe_file.hashes.sha1" = "%HASH%") groupby(hostname) calculate(count)
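The sample queries above, expressed as offline checks over constructed process start events so you can see exactly which records each one returns (an added example, not Rapid7 code and not InsightIDR's query engine). The field names follow this page's metadata tables; the hostnames, PIDs, command lines and hashes are made up, and the string comparison mirrors the Case insensitive option recommended above.

```python
from collections import Counter

def ev(host, pid, name, cmd, status, sha1, user="alice"):
    # Build one constructed process start event using the page's field names.
    return {"hostname": host, "process": {"pid": pid, "name": name, "username": user,
            "cmd_line": cmd, "exe_file": {"signing_status": {"status": status},
            "hashes": {"sha1": sha1}}}}

# Constructed sample telemetry (not real logs); values are illustrative only.
EVENTS = [
    ev("WS-01", 412, "svchost.exe", "svchost.exe -k netsvcs", "SIGNED_VALID", "aa11", "SYSTEM"),
    ev("WS-01", 980, "powershell.exe", "powershell.exe -File deploy.ps1", "SIGNED_VALID", "bb22"),
    ev("WS-01", 981, "powershell.exe", "powershell.exe Get-Process", "SIGNED_VALID", "bb22"),
    ev("WS-01", 982, "powershell.exe", "powershell.exe Get-Process", "SIGNED_VALID", "bb22"),
    ev("WS-02", 550, "updater.exe", "updater.exe /silent", "UNSIGNED", "cc33"),
    ev("WS-03", 700, "updater.exe", "updater.exe /silent", "UNSIGNED", "cc33", "bob"),
]

def get(event, path):
    # Resolve a dotted Log Search field name such as "process.exe_file.hashes.sha1".
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def eq(value, wanted):
    # Case-insensitive match for strings, like the "Case insensitive" checkbox in Log Search.
    if isinstance(value, str) and isinstance(wanted, str):
        return value.casefold() == wanted.casefold()
    return value == wanted

def unsigned_windows_processes(events):
    # where("process.exe_file.signing_status.status"!="SIGNED_VALID") groupby(process.name, hostname)
    return Counter((get(e, "process.name"), get(e, "hostname")) for e in events
                   if get(e, "process.exe_file.signing_status.status") != "SIGNED_VALID")

def rare_command_lines(events, process_name, hostname, limit):
    # where("process.name"=... AND "hostname"=...) groupby(process.cmd_line) calculate(count) limit(n);
    # sorted ascending here (my choice) so the least frequent command lines surface first.
    counts = Counter(get(e, "process.cmd_line") for e in events
                     if eq(get(e, "process.name"), process_name) and eq(get(e, "hostname"), hostname))
    return sorted(counts.items(), key=lambda kv: kv[1])[:limit]

def hosts_with_hash(events, sha1):
    # where("process.exe_file.hashes.sha1"="%HASH%") groupby(hostname) calculate(count)
    return Counter(get(e, "hostname") for e in events if eq(get(e, "process.exe_file.hashes.sha1"), sha1))

def drill_into_process(events, pid, hostname):
    # where(process.pid="%PID%" and hostname="%HOSTNAME%", loose): the full record for one process start
    return [e for e in events if get(e, "process.pid") == pid and eq(get(e, "hostname"), hostname)]
```

Running `hosts_with_hash(EVENTS, "cc33")` shows the same unsigned binary present on two assets, which is the "scope of an event" question the Benefits section describes.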

Create alerts from custom queries

You can create an alert based on a custom query. To do so, enter your query in the Query Bar, and click the Search icon. Then, click Add Alert and select an alert type. For more information on creating alerts, see Create and Manage Custom Alerts.

[Screenshot: InsightIDR Add Alert]

Add process start event data to an investigation

All of your process start data is available for use in Investigations.

To add process start events to an investigation:

  1. Open the investigation you want to update.
  2. Select Explore Contextual Data > Search Logs. This will take you to Log Search.
  3. Select the Endpoint Activity log set.

[Screenshot: InsightIDR Endpoint Activity log set]

  4. Define your query. Refer to the examples above, or check out the Log Search documentation for guidance on writing queries.
  5. Select the checkboxes beside the log lines you want to add to the investigation, and click Send to Investigation.

[Screenshot: InsightIDR Send to Investigation]

  6. Add the applicable context to the log lines.
  7. Click Save. The log line will then appear in the Investigation timeline.

Enhanced Endpoint Telemetry Metadata

This section provides a detailed look at the endpoint activity data the Insight Agent sends to Log Search. You can create any number of queries to group and alert on this data. Note that the fields that appear in Log Search vary depending on the endpoint's operating system.

Process Start Event

The following table provides information about the process start event metadata collected by the Insight Agent. Some fields vary based on Operating System. If "All" is listed in the Operating System column, the field will be sent to Log Search regardless of operating system.

| Field | Description | Operating System |
|---|---|---|
| hostname | Hostname of the endpoint running the process | All |
| dns_domain | Domain of the endpoint running the process | All |
| os_type | Endpoint operating system | All |
| r7_hostid | Rapid7 Host ID | All |
| process | All data related to the captured process | All |
| parent_process | All data related to the process that spawned the started process | All |
| env_vars | This object shows the environment variables when the process and its parent were launched. The parent value is listed only if it differs from the process value. The process value can be used to find processes that made changes to environment variables prior to launching a child process. If the env_vars of a process is null and the parent process includes environment variables, we will populate this with the parent's environment variables. | Windows |
| duplicated_events | This represents the count of identical events that occurred in a process. This is populated only if we see similar process events. | Linux |

Process Details

The Insight Agent collects and sends the following information about both the process triggering the event and the parent process. Some fields vary based on the Operating System the process or executable file is running on. If "All" is listed in the Operating System column, the field is sent to Log Search regardless of operating system.

| Field | Description | Operating System |
|---|---|---|
| start_time | Time that this process started | All |
| name | Name of process | All |
| pid | System Process ID | All |
| ppid | Parent system process ID | Mac/Linux, parent only |
| r7_id | Agent-generated ID unique to a process start | All |
| exe_path | Path to the executable | All |
| img_path | Path to the executable. This may differ from exe_path if the executable is on a mounted remote file share. Only sent if it differs from exe_path. | Windows |
| cmd_line | Command line invocation used to start process, including arguments | All |
| username | Local user who started the process | All |
| account_domain | AD domain of the user who started the process | Windows |
| uid | User ID | Mac/Linux |
| group | Group name | Mac/Linux |
| gid | Group ID | Mac/Linux |
| euid_name | Effective user name | Mac/Linux |
| euid | Effective user ID | Mac/Linux |
| egid_name | Effective group name | Mac/Linux |
| egid | Effective group ID | Mac/Linux |
| ruid_name | Real user name | Mac |
| ruid | Real user ID | Mac |
| rgid_name | Real group name | Mac |
| rgid | Real group ID | Mac |
| fsuid | File system user ID | Linux |
| fsgid | File system group ID | Linux |
| suid | Saved user ID | Linux |
| sgid | Saved group ID | Linux |
| session | Login session ID that launched the process | All |
| addr | Remote address that the user is connecting from | Mac |
| port | Port the process used | Mac |
| exe_file | Information about the executable file | All |

Executable File

The following table outlines the metadata that the Insight Agent collects from the executable file.

| Field | Description | Operating System |
|---|---|---|
| exe_file.owner | Owner of the executable file | All |
| exe_file.uid | ID of the executable file owner | Mac/Linux |
| exe_file.group | Group of the executable file | Mac/Linux |
| exe_file.gid | Group ID of the executable file | Mac/Linux |
| exe_file.permissions | Permissions string of the executable file | Mac/Linux |
| exe_file.orig_filename | The original filename from the file metadata | Windows |
| exe_file.description | The description from the file metadata | Windows |
| exe_file.product_name | Product name of the executable as reported by the file metadata | Windows |
| exe_file.author | Company who produced the executable as reported by the file metadata | Windows |
| exe_file.version | Build version of the file from file metadata | Windows |
| exe_file.created | Executable file creation date | All |
| exe_file.last_modified | Executable file last modification date | All |
| exe_file.last_accessed | Executable file last accessed date | Mac/Linux |
| exe_file.size | Executable file size | All |
| exe_file.internal_name | Internal name of the executable file from the metadata | Windows |
| hashes | Collection of different hashes of the process | All |
| signing_status | Signature status | Windows |
| signing_chain | Signature chain | Windows |
| countersigning_chain | Countersignature chain | Windows |

Hashes

The Insight Agent collects and sends the following process hash information:

| Field | Description | Operating System |
|---|---|---|
| hashes.md5 | MD5 hash | All |
| hashes.sha256 | SHA256 hash | All |
| hashes.sha1 | SHA1 hash | All |