InsightIDR Event Sources
Cloud event sources are being phased in from December 2023
InsightIDR is adding cloud event collection capabilities to a select number of supported event sources. This is a phased release, so if your environment does not yet display the Run on Cloud option for the event sources listed, please be patient; your environment will update shortly.
To send log events to InsightIDR, you can either forward them from a Security Information and Event Management (SIEM) system or collect the log events directly from the event sources.
It is also possible to combine these methods: you can forward some event types from the SIEM and send the remaining ones directly.
Cloud Event Sources
For a select number of event sources, there are two ways to send data to InsightIDR: event collection through the cloud, or event collection through an on-premises Rapid7 Collector.
Currently, these event sources support cloud event collection:
- 1Password
- Carbon Black Cloud
- Cisco Umbrella
- Duo Security
- Mimecast
- Okta
- Proofpoint TAP
- Salesforce
- Workday
- SentinelOne
- Zoom Pro
The benefits of cloud event sources are:
- You can set up your event sources without the need for an on-premises collector. This saves you the time you would have spent installing the collector and the cost of maintaining the computer on which it's installed.
- Event logs are directly ingested into the Rapid7 Platform. This cuts down on network traffic and means that your data reaches InsightIDR much faster.
- Rapid7 can more easily provide support and maintenance if you need to troubleshoot an issue.
Event sources parse logs in English only
InsightIDR can parse the data it receives from an event source only if that data is in English. If the ingested data fields are not in English, the data is routed to the Unparsed Data log set. Read more about unparsed data.
InsightIDR Event Sources
Active Directory
Browse our Active Directory event source documentation:
InsightIDR also supports:
- Snare Active Directory via Dell SecureWorks LogVault
Advanced Malware
Browse our Advanced Malware event source documentation:
Cloud Services
Data Exporters
Browse our Data Exporter event source documentation:
InsightIDR also supports:
- FireEye Threat Analytics Platform (TAP)
Deception Technology
Browse our Deception Technology event source documentation:
DHCP
Browse our DHCP event source documentation:
InsightIDR also supports:
- Alcatel-Lucent VitalQIP
- Dnsmasq DHCP
- MikroTik
- Sophos UTM
- Bluecat
DNS
Browse our DNS event source documentation:
InsightIDR also supports:
- Bluecat
- Infoblox DNS
- MikroTik
- PowerDNS
- Dnsmasq DNS
E-mail & ActiveSync
Browse our E-mail & ActiveSync event source documentation:
- OWA/ActiveSync (Ingress monitoring, mobile device attribution)
Firewall
Browse our Firewall event source documentation:
- Firewall Overview
- Barracuda Firewall
- Cisco ASA Firewall + VPN
- Cisco FirePower Threat Defense
- Cisco Meraki
- Check Point
- Fortinet Firewall
- Palo Alto Firewall, VPN and Wildfire
- pfSense Firewall
- SonicWALL
- WatchGuard XTM
- Versa Networks
InsightIDR also supports:
- Cisco IOS Firewall
- Juniper Netscreen
- Juniper Junos OS
- McAfee Firewall
- Sophos Firewall
- Stonesoft Firewall
IDS/IPS
Browse our IDS/IPS event source documentation:
- Cisco FirePower (Sourcefire IDS)
- F5 Networks BIG-IP Local Traffic Manager
- McAfee IDS
- Security Onion
- Sentinel IPS
- Snort
InsightIDR also supports:
- Corero IPS
- Dell iSensor
- Dell SonicWall
- HP TippingPoint
- Juniper Junos
- Metaflows IDS
Ingress Authentication
Browse our Ingress Authentication event source documentation:
LDAP
Browse our LDAP event source documentation:
SIEMs/Log Aggregators
Browse our SIEMs/Log Aggregators event source documentation:
InsightIDR also supports:
- McAfee Enterprise Security Manager (formerly known as NitroSecurity)
Virus Scanners
Browse our Virus Scanner event source documentation:
- CylancePROTECT
- Carbon Black Cloud
- ESET Antivirus
- Kaspersky Anti-Virus
- MalwareBytes Endpoint Protection
- McAfee ePO
- SentinelOne EDR
- Sophos Central
- Sophos Intercept X
- Sophos Enduser Protection
- Symantec Endpoint Protection
- Trend Micro Apex One
- Trend Micro Deep Security
- Trend Micro OfficeScan
InsightIDR also supports:
- F-Secure
- Rapid7 Universal Antivirus
- Trend Micro Control Manager
VPN
Browse our VPN event source documentation:
- Barracuda Firewall & VPN
- Cisco ASA Firewall & VPN
- Citrix NetScaler VPN
- Juniper Pulse Connect Secure
- Microsoft Remote Web Access
- OpenVPN
- WatchGuard XTM
- Microsoft IAS (RADIUS)
InsightIDR also supports:
- Cisco ACS NAS
- Fortinet FortiGate
- F5 Networks FirePass
- Microsoft Network Policy Server
- MobilityGuard OneGate
- SonicWALL Firewall & VPN
- VMware Horizon
Web Proxy
Browse our Web Proxy event source documentation:
- Barracuda Web Security Gateway
- Blue Coat Proxy
- McAfee Web Gateway
- Sophos Secure Web Gateway
- WebSense Web Security Gateway
- Web Proxy Overview
- zScaler NSS
InsightIDR also supports:
- Cisco IronPort
- Fortinet FortiGate
- Intel Security (formerly McAfee) Web Reporter
- Livigent Content Filter
- McAfee Web Reporter Web Proxy
- Squid
- Trend Micro Control Manager
- WatchGuard XTM
- Versa Networks
Rapid7 Universal Event Sources
InsightIDR can now universally support selected data types from any product's logs, as long as you convert the product's log output to JSON that matches the Universal Event Format (UEF) contract.
Raw Data Event Sources
Raw Data event sources let you collect log events that do not fit InsightIDR's user behavior model or are otherwise unsupported at this time. They let you collect and ingest data from any event source in your network for log centralization, search, and data visualization.
Browse our Raw Logs event source documentation:
You can also use NXLog to transform logs from your application before sending them.
Third Party Alerts
Browse our Third Party Alert event source documentation:
- AWS GuardDuty
- Carbon Black EDR
- Crowdstrike Falcon
- CyberArk Vault
- Cybereason
- CylancePROTECT Cloud
- Darktrace
- Microsoft Defender ATP
- Netskope
- Palo Alto Networks Traps ESM
- Palo Alto Networks Cortex XDR Incidents
- Salesforce Threat Detection
- SCADAFence
- Varonis DatAdvantage
- Vectra Networks
InsightIDR also supports:
Web Server Access Logs
Browse our Web Server Access event source documentation: