InsightIDR Event Sources
To send log events in InsightIDR, you can either forward them from a Security Information and Event Management system (SIEM) or you can collect the log events directly from an InsightIDR Event Source. It is also possible to combine these methods: you can forward some event types from the SIEM and then send the remaining ones directly. InsightIDR also supports generic event collection from a variety of sources and technologies and exporting events to another tool.
SIEM
You can use a SIEM tool or log aggregator to forward events from a source to InsightIDR. For all SIEM/log aggregation products, follow the vendor documentation to forward the log/event data to a collector using standard syslog for both the log format and the transport.
Before your InsightIDR deployment, if you will be forwarding logs from your SIEM, you should be prepared to perform the necessary steps on the SIEM. You can either complete the setup before the deployment or complete the setup with your Rapid7 Consultant during the deployment.
InsightIDR supports the following log aggregators:
InsightIDR also supports:
- McAfee Enterprise Security Manager (formerly known as NitroSecurity)
- FireEye Threat Analytics Platform (TAP)
InsightIDR Event Sources
Event Sources can send data to InsightIDR in two ways:
On-premises Rapid7 Collector - The benefits of using a Rapid7 Collector are normalization and data attribution. Review the Collector Overview for more information. Most Event Sources support the Rapid7 Collector. You can find the full list by navigating to Data Collection > Event Sources > Add Event Source and filtering by Collected By > Collectors.
Cloud (Rapid7 Cloud Platform) - The benefits of cloud Event Sources are:
- You can set up your Event Sources without the need for an on-premises collector. This saves you the time you would have spent installing the collector and the cost of maintaining the computer on which it's installed.
- Event logs are directly ingested into the Rapid7 Platform. This cuts down on network traffic and means that your data reaches InsightIDR much faster.
- Rapid7 can more easily provide support and maintenance if you need to troubleshoot an issue.
You can find the full list of cloud Event Sources by navigating to Data Collection > Event Sources > Add Event Source and filtering by Collected By > Rapid7 Cloud Platform.
Event sources parse logs in English only
The data that InsightIDR receives from an Event Source can be parsed only if it is in English. If the ingested data fields are not in English, the data will go to the Unparsed Data log set. Read more about unparsed data.
Event source types
The following collapsible sections list the Event Sources that are supported by InsightIDR organized by category:
Active Directory
InsightIDR also supports:
- Azure Active Directory
- Snare Active Directory via Dell SecureWorks LogVault
Advanced Malware
Cloud Service
- 1Password
- Auth0
- Amazon Security Lake
- AWS AppFabric
- AWS CloudTrail
- Box.com
- Centrify
- Cisco AMP
- Cloud Services Overview
- Cloudflare
- Duo Security
- Google Apps
- Google Cloud Platform
- Idaptive
- Microsoft Azure
- Mimecast
- Office 365 (plus GCC and GCC High)
- Okta.com
- OneLogin
- Palo Alto Networks Cortex Data Lake
- Ping Identity PingOne
- Proofpoint Targeted Attack Protection
- Salesforce.com
- Workday
- Zoom
Database
DHCP
- Alcatel-Lucent VitalQIP
- Bluecat DNS/DHCP
- Cisco IOS
- Cisco Meraki DHCP
- Dnsmasq DHCP
- Infoblox Trinzic
- ISC dhcpd
- Microsoft DHCP
- MikroTik
- Rapid7 Universal DHCP
- Sophos UTM
DNS
- Cisco Umbrella
- Dnsmasq DNS
- Infoblox Trinzic
- ISC Bind9
- Microsoft DNS
- PowerDNS
InsightIDR also supports:
- Bluecat
- MikroTik
Email & ActiveSync
Firewall
- Arista Next Generation Firewall
- Barracuda Firewall
- Cato Networks
- Check Point Firewall
- Cisco ASA Firewall/VPN
- Cisco Firepower Threat Defense
- Cisco IOS Firewall
- Cisco Meraki Firewall/VPN
- Clavister W20
- Forcepoint Firewall
- Fortinet Firewall
- Juniper Junos OS
- Juniper Networks ScreenOS
- McAfee Firewall
- Palo Alto Networks Firewall and VPN (plus Wildfire)
- pfSense Firewall
- SilverPeak SD WAN
- SonicWALL
- Sophos UTM
- Sophos XG Firewall
- Stonesoft Firewall
- Versa Networks
- WatchGuard XTM
IDS
- Cisco FirePower (Sourcefire IDS, Cisco FireSIGHT)
- Corero IPS
- Dell iSensor
- F5 Networks BIG-IP Local Traffic Manager
- McAfee IDS
- Metaflows IDS
- Security Onion
- Sentinel IPS
- Snort
- Trend Micro TippingPoint
InsightIDR also supports:
- Dell SonicWall
- Network Sensor
Ingress Authentication
Third Party Alerts
- AWS GuardDuty
- Carbon Black EDR
- Code42
- Crowdstrike Falcon
- CyberArk Vault
- Cybereason
- CylancePROTECT Cloud
- Darktrace
- Google Cloud Platform Security Command Center
- Microsoft Defender for Endpoint
- Microsoft Security
- Netskope
- Palo Alto Networks Cortex XDR
- Palo Alto Networks Traps ESM
- Salesforce Threat Detection
- SCADAFence
- Varonis DatAdvantage
- Vectra Networks
Virus Scanners
- BitDefender
- Carbon Black Cloud
- CylancePROTECT
- ESET Antivirus
- F-Secure
- Kaspersky Anti-Virus
- MalwareBytes Endpoint Protection
- McAfee ePO
- Palo Alto Networks Traps TSM
- Rapid7 Universal Antivirus
- SentinelOne EDR
- Sophos Central
- Sophos Enduser Protection
- Sophos Intercept X
- Symantec Endpoint Protection
- Trend Micro Apex One
- Trend Micro Control Manager
- Trend Micro Deep Security
- Trend Micro OfficeScan
VPN
- Barracuda Firewall & VPN
- Cisco ACS
- Cisco ASA
- Cisco ISE
- F5 Networks FirePass
- Microsoft IAS (RADIUS)
- Microsoft Network Policy Server
- Microsoft Remote Web Access
- MobilityGuard OneGate
- Citrix NetScaler VPN
- OpenVPN
- Juniper Pulse Connect Secure
- Rapid7 Universal VPN
- VMware Horizon
InsightIDR also supports:
- Fortinet FortiGate
- SonicWALL Firewall & VPN
Web Proxy
- Barracuda Web Security Gateway
- Blue Coat Proxy
- Cisco IronPort
- Livigent Content Filter
- McAfee Web Gateway
- Sophos Secure Web Gateway
- Squid
- WebSense Web Security Gateway
- Zscaler NSS
InsightIDR also supports:
- Fortinet FortiGate
- Intel Security (formerly McAfee) Web Reporter
- TrendMicro Control Manager
- Watchguard XTM
- Versa Networks
Web Server Access Logs
Miscellaneous event collection and exporting
Rapid7 supports event collection from miscellaneous sources as well as exporting events to other tools. The following collapsible sections contain more information about each type of supported event collection or export method.
Data Exporters
Browse our Data Exporter documentation:
Deception Technology
Browse our Deception Technology documentation:
Rapid7 Universal Event Sources
InsightIDR can now universally support selected data types from any product’s logs, so long as you convert the log output from your product to JSON that matches the Universal Event Format (UEF) contract.
Raw Data Event Sources
Raw Data event sources allow you to collect log events that do not fit InsightIDR's user behavior model or are otherwise unsupported at this time. They let you collect and ingest data from any event source in your network for log centralization, search, and data visualization.
Browse our Raw Logs event source documentation:
You can also use NXLog to transform logs from your application.