Core Event Sources

An event source is an application, appliance, server, service, or other IT asset that generates log events. The Collector captures the data generated by these event sources, compresses the data, encrypts it, and pushes it up to the Insight platform. The Insight platform will then normalize, attribute, analyze, and present that data for search.

The core event sources provide the most data in regards to user attribution. User attribution correlates endpoint activity to individual users, including what endpoint applications they use and when. Attribution gives you a more complete image of your security posture, as user accounts are the most common targets for sophisticated attacks.

The core event sources are LDAP, Active Directory, DHCP, DNS, VPN, and Firewall, each described below.

After you configure these, you can also prepare additional event sources.

LDAP

Adding a Lightweight Directory Access Protocol (LDAP) server allows InsightIDR to track the users, admins, and security groups contained in the domain and to link account activity with real users to identify privileged and service accounts.

LDAP automatically mirrors data across all LDAP servers if you enable the auto-mirror feature. Even if you have multiple LDAP servers, you only need to configure one LDAP event source.

To add the LDAP event source:

  1. Designate a Service Account with the correct permissions.
  2. Open Port 636 (LDAPS) between the Collector and the LDAP server.

For detailed setup instructions, see LDAP.

You can use the same service account for both LDAP and Active Directory.

Active Directory

Active Directory provides security logs from your domain controllers and authentication and administrative events for your domain users. Make sure that you add one Active Directory event source for each domain controller.

To add the Active Directory event source:

  • Open ports 135, 139, and 445 between the Collector and Active Directory.
  • Designate a Service Account with the correct permissions.

For detailed setup instructions, see Active Directory.
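Before configuring either event source, it is worth confirming from the Collector host that the ports listed above are actually reachable on the target server, since a blocked port is the most common reason a new event source never receives data. The following is an added example, not Rapid7 or InsightIDR code: a small Python pre-check that probes the page's ports (636 for LDAPS; 135, 139 and 445 for Active Directory) against a server name you supply. The hostname `dc01.example.internal` is a placeholder, not a value from the page.

```python
"""Connectivity pre-check for the LDAP and Active Directory event sources.

Added example, not Rapid7 code. Run it on the Collector host to verify that
the TCP ports this page lists are reachable on the LDAP / domain controller
before the event source is created.
"""
import socket
from typing import Dict, List

# Ports named on this page for each core event source.
REQUIRED_PORTS: Dict[str, List[int]] = {
    "LDAP": [636],                        # LDAPS
    "Active Directory": [135, 139, 445],  # RPC endpoint mapper, NetBIOS session, SMB
}


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unresolvable host all count as not reachable.
        return False


def check_event_source(source: str, host: str, timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every port required for `source` on `host`; map port -> reachable."""
    return {port: port_open(host, port, timeout) for port in REQUIRED_PORTS[source]}


def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that still have to be opened before the event source will work."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    import sys

    # Placeholder hostname (assumption); pass the real server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"
    for source in REQUIRED_PORTS:
        results = check_event_source(source, target)
        blocked = missing_ports(results)
        status = "OK" if not blocked else f"blocked: {blocked}"
        print(f"{source:<17} {target}: {status}")
```

Run it as `python check_ports.py dc01.example.internal`; any port reported as blocked needs a firewall rule between the Collector and the server before the event source will collect. If you reuse one service account for LDAP and Active Directory, as the page allows, the port requirements are still checked separately because the two sources use different protocols.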

DHCP

Dynamic Host Configuration Protocol (DHCP) event logs provide IP lease information to correlate each IP address with its assigned host at the time of the event.
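The attribution step described above only works if the lease history is read relative to the time of the event: the same IP address can belong to different hosts an hour apart, and an event that lands in the gap between a release and a new assignment has no valid holder at all. The following is an added example, not InsightIDR code, showing that time-bounded lookup in Python over constructed log lines. The CSV layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address) and the event IDs 10/11/12 for assign/renew/release are modelled on a DHCP server audit log but are an assumption here, not a format taken from the page.

```python
"""Correlate an event's source IP with the host that held the DHCP lease at
that moment. Added example, not InsightIDR code. The log format below is a
constructed, simplified audit-log layout (assumption), not a format the page
documents.
"""
import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from typing import List, Optional

# Event IDs used in the constructed sample: 10 = new lease, 11 = renew, 12 = release.
LEASE_GRANTED = {"10", "11"}
LEASE_RELEASED = {"12"}

# Constructed sample: 10.0.5.20 is leased to LAPTOP-ALICE, released at 14:30,
# then re-leased to LAPTOP-BOB a minute later. One row is deliberately out of
# chronological order to show that parsing sorts by time.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/14/24,08:02:11,Assign,10.0.5.20,LAPTOP-ALICE,00-11-22-33-44-55
11,03/14/24,12:02:11,Renew,10.0.5.20,LAPTOP-ALICE,00-11-22-33-44-55
12,03/14/24,14:30:00,Release,10.0.5.20,LAPTOP-ALICE,00-11-22-33-44-55
10,03/14/24,14:31:07,Assign,10.0.5.20,LAPTOP-BOB,66-77-88-99-AA-BB
10,03/14/24,09:15:00,Assign,10.0.5.21,PRINTER-3F,AA-BB-CC-DD-EE-FF
"""


@dataclass
class LeaseEvent:
    when: datetime
    ip: str
    host: Optional[str]  # None means the address was released at this time


def parse_lease_log(text: str) -> List[LeaseEvent]:
    """Parse assign/renew/release rows into a time-ordered list of lease events."""
    events: List[LeaseEvent] = []
    for row in csv.DictReader(StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%y %H:%M:%S")
        if row["ID"] in LEASE_GRANTED:
            events.append(LeaseEvent(when, row["IP Address"], row["Host Name"]))
        elif row["ID"] in LEASE_RELEASED:
            events.append(LeaseEvent(when, row["IP Address"], None))
        # Other IDs (server start/stop, conflicts) carry no lease-holder information.
    return sorted(events, key=lambda e: e.when)


def host_for(events: List[LeaseEvent], ip: str, at: datetime) -> Optional[str]:
    """Host that held `ip` at time `at`.

    The answer is the most recent lease event for that IP that is not later
    than `at`; because the list is time-ordered, the last match wins. Returns
    None when no lease existed yet or the address had been released.
    """
    holder: Optional[str] = None
    for e in events:
        if e.ip == ip and e.when <= at:
            holder = e.host
    return holder


if __name__ == "__main__":
    leases = parse_lease_log(SAMPLE_LOG)
    for ts in ("07:00:00", "10:00:00", "14:30:30", "15:00:00"):
        at = datetime.strptime(f"03/14/24 {ts}", "%m/%d/%y %H:%M:%S")
        print(f"10.0.5.20 at {ts}: {host_for(leases, '10.0.5.20', at)}")
```

The same IP resolves to LAPTOP-ALICE in the morning, to nothing during the release gap, and to LAPTOP-BOB afterwards. This is why the page stresses collecting lease logs rather than a static IP-to-host table: attributing the 15:00 event to whoever holds the address when an analyst looks it up days later would point at the wrong user.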

If your network lacks DHCP servers and is entirely composed of fixed-IP systems, InsightIDR can still support the environment with special setup instructions for the Collector. This method is intended to be a supplementary option for your environment.

  1. When setting up the core event sources on the Collector page, set the expected DHCP server count to "0".
  2. Reload the page in the browser. If you've added LDAP and Active Directory, you'll now be able to add additional event sources.
  3. InsightIDR will still use Active Directory logs and the Endpoint Monitor to tie each fixed IP to a specific asset, as long as those assets are Windows systems.

It is recommended that you also use Microsoft Active Directory, LDAP, and Domain Controllers in your environment with this setup.

To add the DHCP event source:

Choose one of the following methods:

  • Domain Admin Account: Use this method if you want to collect logs using a Domain Admin account.
  • NXLog: Use this method if you don’t want to use a Domain Admin account to collect logs.

DNS

Connecting DNS as an event source allows InsightIDR to track services, incidents, and threats found on your network. DNS logs gathered from a DNS event source provide more information about web traffic. DNS also provides greater visibility into destination URLs, which can be flagged in Account Visited Suspicious Link incidents.

To add the DNS event source:

For instructions on how to configure DNS appliances with InsightIDR, see the in-depth DNS documentation.

VPN

VPN logs provide visibility into users' remote network ingress activity and allow you to collect and verify information about user activity.

To add the VPN event source:

For setup instructions, view our VPN documentation.

Firewall

By introducing Firewall data, you allow InsightIDR to track visits to malicious domains or cloud services. More than simply collecting configuration logs and change logs, InsightIDR can automatically attribute connection events to the users and endpoints that are accessing such websites.

To add the Firewall event source:

Determine which Firewall event source(s) best suits your needs and follow the related configuration steps.

For setup instructions for each type of Firewall event source, see Firewall.

Prepare Additional Event Sources

Besides the user attribution event sources, you can ingest additional high-value logs into your InsightIDR platform. These additional events allow you to search and analyze data across your entire environment.

If possible, connect all of the following types of event sources:

See the InsightIDR Event Sources page for a complete list. To configure event sources, you can manually create them or use the InsightIDR Auto Configure feature.