Insight Agents with InsightIDR

InsightIDR offers powerful endpoint detection and response (EDR), Network Traffic Analysis, and built-in behavioral analytics, enabling you to detect and investigate threats on your endpoints without any integrations or additional configuration. The Insight Agent is critical to InsightIDR’s ability to provide real-time endpoint detection and response, which is necessary for identifying the early signs of an attack. It is a lightweight software you can install on supported assets, in Cloud or on-premises environments.

Deploy Insight Agents to access InsightIDR's out-of-the-box detections

When a customer purchases Managed Detection and Response (MDR), our team of SOC Analysts require at least 80% of supported assets to leverage the Insight Agent. For our InsightIDR customers, Rapid7 strongly recommends deploying the Insight Agent to access real-time endpoint scanning and out-of-the-box threat detections. Gain complete Security Operations Center (SOC) visibility by installing and deploying the Insight Agent to as many as possible on supported assets.

Benefits of Using the Insight Agent with InsightIDR

The Insight Agent provides several benefits to InsightIDR users, including the following:

  • Detect Early in the Attack Chain: According to a study by industry analysts at International Data Corporation (IDC), 70% of successful breaches start on the endpoint. Deploying the Insight Agent will give you visibility on supported asset for consistent monitoring, including authentications, running processes and specific account information.
  • Unlock endpoint-specific detection rules: Rapid7 has created hundreds of detection rules for attacker analytics that are reliant on start process data. Deploy the Insight Agent in order to access these detection rules and bolster your environment security.
  • View assets running from remote locations: You may have assets in your organization that operate outside of your company network for long periods of time and regularly connect to the internet in different locations. Use the Insight Agent to get complete visibility of these remote assets.
  • Contain compromised users and assets: The Insight Agent allows InsightIDR customers to quickly respond to endpoint threats by automatically containing compromised users and assets that show suspicious activity.
  • Utilize endpoint deception technology: The Insight Agent allows you to bait hackers with available Honey Credentials on supported assets.
  • File Integrity Monitoring (FIM): Using the Insight Agent allows you to audit changes to critical files and folders for compliance purposes. When enabling FIM, InsightIDR communicates with the Insight Agent to directly attribute users to file modification activity.
  • Download with ease: While many agents are notoriously known for occupying large amounts of hard drive space and consuming excessive CPU, the Insight Agent has a small footprint on your asset with a simple installation.
  • Leverage Velociraptor for Digital Forensics and Incident Response (DFIR): InsightIDR Ultimate customers have access to a version of the open source DFIR tool, Velociraptor, which is integrated with the Insight Platform as a component of the Insight Agent.

Monitored Event Codes

By default, the Endpoint Monitor and the Insight Agent monitor the following event codes. Every event code listed contributes to built-in detection rules in InsightIDR, but may not appear in Log Search.

Log Origin

Codes

System

7045

Security

1102, 4624, 4625, 4648, 4720

Security logs when running on a Domain Controller*

1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728, 4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769

Windows Defender Antivirus

1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1116, 1117, 1118, 1119, 1120, 1150, 1151, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2010, 2011, 2012, 2013, 2020, 2021, 2030, 2031, 2040, 2041, 2042, 3002, 3007, 5000, 5001, 5004, 5007, 5008, 5009, 5010, 5011, 5012, 5100, 5101

You must set the Insight Agent to collect Security Event Logs from the Domain Controller

To set the Insight Agent to collect Security Event Logs from the Domain Controller, navigate to Settings > Insight Agent, select the Domain Controller Events tab, and switch the toggle to YES. Once you've switched the toggle ON, if the Insight Agent is installed on a Domain Controller, the additional Security events will be collected. This is an optional alternative to using an Active Directory event source for each Domain Controller.

Prevent duplication with Active Directory

To collect the domain controller Security log events, use either the Active Directory event source or the Insight Agent. Using both may result in duplicate events being collected.

Legacy Detection Rule Contribution

The data provided by the Insight Agent and the Endpoint Monitor contributes to the following legacy User Behavior Analytics (UBA) detection rules:

  • Brute Force - Asset
  • Brute Force - Local Account
  • Detection Evasion - Event Log Deletion
  • Detection Evasion - Local Event Log Deletion
  • Endpoint Threat Intelligence Match
  • Exploit Mitigated
  • Flagged Hash On Asset
  • Flagged Process On Asset
  • Honey File Accessed
  • Kerberos Privilege Elevation Exploit
  • Lateral Movement - Local Administrator Impersonation
  • Lateral Movement - Local Credentials
  • Local Honey Credential Privilege Escalation Attempt
  • Malicious Hash On Asset
  • New Local User Account Created
  • Protocol Poisoning Detected
  • Remote File Execution Detected

Optimization and performance tuning

InsightIDR engineering teams utilize a variety of tuning measures to optimize for system performance and data storage limits. These measures may include removal of excessively noisy, irrelevant, or duplicated data that would otherwise clutter dashboards and log sets, as well as data compression to make the best use of your available storage space. When implementing these measures, InsightIDR engineering teams work closely with Rapid7 researchers and security experts to ensure we are collecting data that is the most effective for detecting and investigating malicious activity in your environment.

Learn More on the Insight Agent Help Pages

Insight Agents are an important part of the deployment process. For this reason, Rapid7 continually develops and maintains a dedicated documentation set for all Insight Agent related resources. Check out the Insight Agent Help pages to read more about the following topics:

  • Overview information, including the types of data that the Insight Agent collects and how the agent software updates.
  • Comprehensive requirements, including supported operating systems, network configuration, and application settings.
  • Complete download and install instructions for both Insight Agent installer types
  • Mass deployment guidelines.
  • Advanced configuration options.
  • Common troubleshooting solutions.