Platform
- TECHNOLOGY
  The Rapid7 Command Platform
  AI-Powered Cybersecurity Platform
  Explore
Products
- NEW!
  Exposure Command
  Take Command of Your Attack Surface
  Request Demo
- DETECTION & RESPONSE
- Next-Gen SIEM
  INSIGHTIDR
- Threat Intelligence
  THREAT COMMAND
Services
- MXDR
  Managed Threat Complete
  24x7 MXDR to secure your extended ecosystem
  Request Demo
- DETECTION & RESPONSE
- Managed XDR
  MANAGED THREAT COMPLETE
- Incident Response Services
  EXPERIENCING A BREACH?
Resources
- NEW
  The 2024 Attack Intelligence Report
  Read the latest research by Rapid7 Labs
  READ NOW
Company
Partners
Sign In

InsightIDR

Platform
- TECHNOLOGY
  The Rapid7 Command Platform
  AI-Powered Cybersecurity Platform
  Explore
Products
- NEW!
  Exposure Command
  Take Command of Your Attack Surface
  Request Demo
- DETECTION & RESPONSE
- Next-Gen SIEM
  INSIGHTIDR
- Threat Intelligence
  THREAT COMMAND
Services
- MXDR
  Managed Threat Complete
  24x7 MXDR to secure your extended ecosystem
  Request Demo
- DETECTION & RESPONSE
- Managed XDR
  MANAGED THREAT COMPLETE
- Incident Response Services
  EXPERIENCING A BREACH?
Resources
- NEW
  The 2024 Attack Intelligence Report
  Read the latest research by Rapid7 Labs
  READ NOW
Company
Partners

Sign In

Documentation
InsightIDR
Release Notes

Getting Started with InsightIDR

InsightIDR Overview
Essential | Quick Start Guide
Advanced | Quick Start Guide
Ultimate | Quick Start Guide

Setup and Deployment

System Requirements
- Setting Up a Service Account
Network and Environment Audit
Ports Used by InsightIDR
Collector Overview
Insight Agent
FIM Recommendations
Other Deployment Options

Automation

Get Started with Automation
Get Started with Automation for Legacy Detection Rules and Basic Detection Rules
- Triggers for Legacy Detection Rules and Basic Detection Rules
Insight Orchestrator Overview
- Configure Connections For Automation
- Automation Workflow Templates
Automation Workflows
Automated Enrichment Workflows
- Enrich Alert Data with Open Source Plugins
Get Started with On Demand Response Actions
Automation Troubleshooting
Send InsightConnect Events to InsightIDR

How To

Manage Credentials
Search Your Logs
Transform Logs to Universal Event Format
Delete and Reinstall a Collector
Deploy Deception Technology
Investigate an Asset or User
Manage Event Sources
- Edit Event Sources
- Copy Event Sources to a New Collector
Export Data
Access AWS Resources with EC2 IAM Roles
Monitor Your Security Operations Activities

Concepts and Usage

Rapid7 Resource Names
Detection Rules
Notable Events
Alerts
- Take Action on an Alert
- Anatomy of an Alert
Investigations
Investigate Threat Command Alerts
Velociraptor
Assets on Your Domain
Dashboards and Reports
- R7 Managed: Endpoint Visibility Validation Dashboard
Deception Technology
File Access Activity Monitoring
File Integrity Monitoring
- File Integrity Monitoring for Linux
- Search Logs for FIM Events
Log Search
Network Rules
Network Traffic Analysis
Threats
- Utilize Existing Threats
- Add and Manage Threats
Users and Accounts
Quick Actions
Data Storage and Retention FAQs

Detection Library

Overview
Rules by Rule Set
Rules by Endpoint
Legacy Detection Rules

InsightIDR REST APIs

InsightIDR REST APIs

Event Source Configuration

InsightIDR Event Sources
Data Collection Methods
Advanced Event Source Settings
Monitor Event Source Health
Event Source Troubleshooting
Auto Configure
Rapid7 Products
Active Directory
- Microsoft Active Directory Security Logs
- Troubleshooting Active Directory
Advanced Malware
- FireEye NX
Cloud Services
Data Exporter
Database
- Microsoft SQL Database Audit Logs
DHCP
DNS
Email and ActiveSync
- Microsoft ActiveSync and Outlook Web Access
Firewall
IDS
Ingress Authentication
- Zscaler LSS
LDAP
- LDAP Troubleshooting
- AWS Managed Microsoft AD
Universal Event Sources
Raw Data
Log Aggregators
Third Party Alerts
Virus Scan
VPN
Web Proxy
Web Server Access
- Microsoft IIS

Administration

Monthly Data Usage
Browser Settings
Email Notifications
User Management
Single Sign-On

Release Notes

InsightIDR release notes

Support

Contact the Rapid7 Support team
Share an idea with Rapid7

On This Page

Requirements for Log Aggregators
Supported Log Aggregators
Event Sources that support Log Aggregators

Getting Started with InsightIDR

InsightIDR Overview
Essential | Quick Start Guide
Advanced | Quick Start Guide
Ultimate | Quick Start Guide

Setup and Deployment

System Requirements
- Setting Up a Service Account
Network and Environment Audit
Ports Used by InsightIDR
Collector Overview
Insight Agent
FIM Recommendations
Other Deployment Options

Automation

Get Started with Automation
Get Started with Automation for Legacy Detection Rules and Basic Detection Rules
- Triggers for Legacy Detection Rules and Basic Detection Rules
Insight Orchestrator Overview
- Configure Connections For Automation
- Automation Workflow Templates
Automation Workflows
Automated Enrichment Workflows
- Enrich Alert Data with Open Source Plugins
Get Started with On Demand Response Actions
Automation Troubleshooting
Send InsightConnect Events to InsightIDR

How To

Manage Credentials
Search Your Logs
Transform Logs to Universal Event Format
Delete and Reinstall a Collector
Deploy Deception Technology
Investigate an Asset or User
Manage Event Sources
- Edit Event Sources
- Copy Event Sources to a New Collector
Export Data
Access AWS Resources with EC2 IAM Roles
Monitor Your Security Operations Activities

Concepts and Usage

Rapid7 Resource Names
Detection Rules
Notable Events
Alerts
- Take Action on an Alert
- Anatomy of an Alert
Investigations
Investigate Threat Command Alerts
Velociraptor
Assets on Your Domain
Dashboards and Reports
- R7 Managed: Endpoint Visibility Validation Dashboard
Deception Technology
File Access Activity Monitoring
File Integrity Monitoring
- File Integrity Monitoring for Linux
- Search Logs for FIM Events
Log Search
Network Rules
Network Traffic Analysis
Threats
- Utilize Existing Threats
- Add and Manage Threats
Users and Accounts
Quick Actions
Data Storage and Retention FAQs

Detection Library

Overview
Rules by Rule Set
Rules by Endpoint
Legacy Detection Rules

InsightIDR REST APIs

InsightIDR REST APIs

Event Source Configuration

InsightIDR Event Sources
Data Collection Methods
Advanced Event Source Settings
Monitor Event Source Health
Event Source Troubleshooting
Auto Configure
Rapid7 Products
Active Directory
- Microsoft Active Directory Security Logs
- Troubleshooting Active Directory
Advanced Malware
- FireEye NX
Cloud Services
Data Exporter
Database
- Microsoft SQL Database Audit Logs
DHCP
DNS
Email and ActiveSync
- Microsoft ActiveSync and Outlook Web Access
Firewall
IDS
Ingress Authentication
- Zscaler LSS
LDAP
- LDAP Troubleshooting
- AWS Managed Microsoft AD
Universal Event Sources
Raw Data
Log Aggregators
Third Party Alerts
Virus Scan
VPN
Web Proxy
Web Server Access
- Microsoft IIS

Administration

Monthly Data Usage
Browser Settings
Email Notifications
User Management
Single Sign-On

Release Notes

InsightIDR release notes

Support

Contact the Rapid7 Support team
Share an idea with Rapid7

Log Aggregators

A log aggregator is not an event source itself, but a place from which event source data can be pulled from the original source. Think of a SIEM like a "middle man" between InsightIDR and the original event source. If you already have logs going into a log aggregator on a network (e.g. SIEM or Splunk), you can use the aggregator to forward logs to InsightIDR.

Requirements for Log Aggregators

InsightIDR requires the following:

The logs must be split up into separate streams into the collector so that each parser will only have logs going to it that it knows how to parse.
- For example, AD logs can be sent to UDP port 6000 while firewall logs can be sent to port 6001, IDS logs to port 6002, etc.
Logs must be sent to the collector before they are processed by the SIEM so they look the same to the collector as if they came from the original network appliance.

Supported Log Aggregators

InsightIDR supports the following log aggregators:

HP ArcSight
LogRhythm
IBM QRadar
Splunk

InsightIDR also supports:

McAfee Enterprise Security Manager (formally known as Nitrosecurity)
FireEye Threat Analytics Platform (TAP)

Event Sources that support Log Aggregators

You can configure the following event sources to use log aggregators as their collection method:

Active Directory

Microsoft Active Directory Security Logs

Advanced Malware

FireEye NX

DHCP

Cisco Meraki
Infoblox Trinzic
ISC dhcpd
Microsoft DHCP
Sophos UTM
Alcatel-Lucent VitalQIP
MikroTik
Dnsmasq DHCP

DNS

Infoblox Trinzic
ISC Bind9
Microsoft DNS
Dnsmasq DNS
PowerDNS

Firewall

Check Point
Barracuda Firewall
Cisco ASA Firewall + VPN
Cisco FirePower Threat Defense
Cisco Meraki
ForcePoint Firewall
Fortinet Firewall
Palo Alto Networks Firewall and VPN (plus Wildfire)
pfSense Firewall
SonicWALL
WatchGuard XTM
Juniper Netscreen
Sophos Firewall
Cisco IOS Firewall
Clavister W20
Juniper Junos OS
McAfee Firewall
Stonesoft Firewall

IDS

Cisco FirePower (Sourcefire IDS)
F5 Networks BIG-IP Local Traffic Manager
Security Onion
Sentinel IPS
Cisco FireSIGHT
Sourcefire 3D
Corero IPS
Dell iSensor
Trend Micro TippingPoint

Ingress Authentication

Zscaler LSS

Virus Scanners

BitDefender
CylancePROTECT
ESET Antivirus
Kaspersky Anti-Virus
McAfee ePO
MalwareBytes Endpoint Protection
SentinelOne EDR
Sophos Central
Sophos Intercept X
Symantec Endpoint Protection
Trend Micro Apex One
Trend Micro Deep Security
Trend Micro OfficeScan
Rapid7 Universal Antivirus
F-Secure
Trend Micro Control Manager

VPN

Cisco ASA Firewall & VPN
Barracuda Firewall & VPN
Cisco ISE
Microsoft IAS (RADIUS)
Microsoft Remote Web Access
Citrix NetScaler VPN
OpenVPN
Juniper Pulse Connect Secure
Cisco ACS NAS
F5 Networks FirePass
Microsoft Network Policy Server
MobilityGuard OneGate
VMware Horizon

Web Proxy

Barracuda Web Security Gateway
Sophos Secure Web Gateway
WebSense Web Security Gateway
zScaler NSS
Cisco IronPort
Livigent Content Filter
McAfee Web Reporter Web Proxy
Squid

Rapid7 Universal Event Sources

Rapid7 Universal Antivirus
Rapid7 Generic Windows Event Log
Rapid7 Custom Logs

Raw Data Event Sources

Rapid7 Generic Syslog
Rapid7 Generic Windows Event Log
Rapid7 Custom Logs

Web Server Access Logs

Microsoft IIS

Did this page help you?

Event Source Configuration

Event Source Configuration

On This Page

Requirements for Log Aggregators
Supported Log Aggregators
Event Sources that support Log Aggregators

CUSTOMER SUPPORT

+1-866-390-8113 (Toll Free)

SALES SUPPORT

+1-866-772-7437 (Toll Free)

Need to report an Escalation or a Breach?

SOLUTIONS

The Command Platform Exposure Command Managed Threat Complete

SUPPORT & RESOURCES

Product Support Resource Library Our Customers Events & Webcasts Training & Certification Cybersecurity Fundamentals Vulnerability & Exploit Database

ABOUT US

Company Diversity, Equity, and Inclusion Leadership News & Press Releases Public Policy Open Source Investors

CONNECT WITH US

Contact Blog Support Login Careers

Rapid7 Official Cybersecurity Partner of the Boston Bruins

© Rapid7

|

|

|

Trust