Network and Environment Audit
Before you begin using InsightIDR, gather as much information as possible about your environment so that deployment goes smoothly. See Collector Requirements for detailed information on the Collector host.
Identify and make note of the following:
- Domain Administrator account(s)
- Foundational Event Sources
- Server Host(s)
- Servers where log data originates, especially for Foundational Event Sources
- Domain Controllers
- Network and security tools and services that will provide valuable data for InsightIDR to analyze, such as your Firewall, VPN, or DNS tools
- Other systems and configurations you use in your environment, such as your other supported Event Sources
- Admin accounts for every event source
- Credentials for those event sources, which InsightIDR will use to connect to them
- Administrator services
Additionally, prepare or plan the following:
- Service Accounts for all event sources
- Insight Agent deployment to at least 80% of assets, with network connectivity from each Insight Agent to the InsightIDR Collector and from each Insight Agent to the Rapid7 infrastructure
When finished collecting these details, you will have a plan for collecting existing data to help InsightIDR understand the following:
- User details
- Asset details
- IP address history
Data Collection Methods
Once you identify all the event sources you can connect to InsightIDR, decide how each one's data will be collected. The "Collection Method" option in the event source configuration specifies whether the source pushes data to your Collector or the Collector pulls data from the source.
See Data Collection Methods for more information.
Next, collect data about your network topology, that is, how your network is laid out and connected. Providing this information lets the Insight Platform attribute the data it ingests to the correct assets and users.
Identify information regarding the network configuration, such as the following:
- Any internally assigned VPN IP addresses
- Any public IP address range that you use for internal addressing
- The IP address ranges with static IPs
- The subnets that correspond to asset groupings (for example, server VLAN) of any kind
- The subnet and network location of your users
Once you collect this data and connect your network to InsightIDR, it automatically correlates IP addresses to assets using DHCP lease events, and assets to active user sessions using domain and local authentication events.
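The following is an added example, not Rapid7 code and not InsightIDR's actual attribution logic. It models the topology facts the audit above asks for (VPN pools, a public range used internally, static ranges, subnet-to-group mappings), checks them for inconsistencies, and then walks through the IP-to-asset-to-user chain that the DHCP and authentication events make possible. The topology values, host names and log lines are all constructed for the example; the log format is invented and is not the format of any real DHCP or Windows event.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- Topology inventory (constructed values; the shape is the point) ---------
TOPOLOGY = {
    "vpn_pools": ["10.200.0.0/22"],          # internally assigned VPN client IPs
    "public_internal": ["198.51.100.0/24"],  # public range used for internal hosts
    "static_ranges": ["10.10.0.0/24"],       # statically addressed servers
    "asset_groups": {                        # subnet -> the grouping it represents
        "10.10.0.0/24": "server VLAN",
        "10.20.0.0/23": "user LAN, HQ floor 2",
        "10.200.0.0/22": "VPN clients",
    },
}
# Static hosts never produce DHCP lease events, so the audit must record them.
STATIC_ASSETS = {"10.10.0.5": "DC01", "10.10.0.6": "DHCP01"}

def _nets(cidrs, label, problems):
    """Parse CIDRs, recording unparsable ones instead of raising."""
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ip_network(cidr))
        except ValueError:
            problems.append(f"{label}: bad CIDR {cidr!r}")
    return nets

def validate_topology(topo):
    """Return human-readable problems: bad CIDRs, asset groups whose subnets
    overlap (ambiguous grouping), and VPN pools colliding with static ranges."""
    problems = []
    groups = _nets(topo["asset_groups"], "asset_groups", problems)
    for i, a in enumerate(groups):
        for b in groups[i + 1:]:
            if a.overlaps(b):
                problems.append(f"asset groups overlap: {a} and {b}")
    for vpn in _nets(topo["vpn_pools"], "vpn_pools", problems):
        for static in _nets(topo["static_ranges"], "static_ranges", problems):
            if vpn.overlaps(static):
                problems.append(f"VPN pool {vpn} overlaps static range {static}")
    return problems

def classify_ip(ip, topo=TOPOLOGY):
    """Map one address onto the topology facts recorded during the audit."""
    addr = ip_address(ip)
    def in_any(key):
        return any(addr in ip_network(c) for c in topo[key])
    group = next((name for cidr, name in topo["asset_groups"].items()
                  if addr in ip_network(cidr)), None)
    return {"group": group, "vpn": in_any("vpn_pools"),
            "static": in_any("static_ranges"),
            "public_used_internally": in_any("public_internal")}

# --- Constructed sample events in an invented format (not real logs) ---------
DHCP_LOG = """\
2024-05-06T08:55:10Z DHCP lease 10.20.1.45 assigned to LAPTOP-AKH
2024-05-06T09:00:00Z DHCP lease 10.200.1.7 assigned to LAPTOP-VPN1
2024-05-06T09:40:02Z DHCP lease 10.20.1.45 assigned to LAPTOP-RMT
"""
AUTH_LOG = """\
2024-05-06T08:57:30Z AUTH domain logon CORP\\akhan on LAPTOP-AKH success
2024-05-06T09:05:00Z AUTH domain logon CORP\\jdoe on LAPTOP-VPN1 success
2024-05-06T09:41:15Z AUTH local logon rmiller on LAPTOP-RMT success
2024-05-06T09:42:00Z AUTH local logon guest on LAPTOP-RMT failure
"""
TS = "%Y-%m-%dT%H:%M:%SZ"
LEASE_RE = re.compile(r"^(\S+) DHCP lease (\S+) assigned to (\S+)$")
AUTH_RE = re.compile(r"^(\S+) AUTH (domain|local) logon (\S+) on (\S+) (success|failure)$")

def parse_events(text, pattern):
    """Return tuples (timestamp, *captured fields) for every matching line."""
    out = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS),) + m.groups()[1:])
    return out

def who_was_on(ip, when, dhcp=DHCP_LOG, auth=AUTH_LOG):
    """Attribute an IP at a point in time: IP -> asset via the latest DHCP lease
    (or the static inventory), then asset -> user via the latest successful
    logon. Failed logons never bind a user to an asset."""
    at = datetime.strptime(when, TS)
    leases = [e for e in parse_events(dhcp, LEASE_RE) if e[1] == ip and e[0] <= at]
    asset = max(leases, key=lambda e: e[0])[2] if leases else STATIC_ASSETS.get(ip)
    user = None
    if asset:
        logons = [e for e in parse_events(auth, AUTH_RE)
                  if e[3] == asset and e[4] == "success" and e[0] <= at]
        if logons:
            latest = max(logons, key=lambda e: e[0])
            user = f"{latest[2]} ({latest[1]})"  # e.g. "CORP\\akhan (domain)"
    return {"ip": ip, "asset": asset, "user": user, **classify_ip(ip)}

if __name__ == "__main__":
    print("topology problems:", validate_topology(TOPOLOGY))
    for ip, when in [("10.20.1.45", "2024-05-06T09:10:00Z"),
                     ("10.20.1.45", "2024-05-06T09:45:00Z"),
                     ("10.200.1.7", "2024-05-06T09:10:00Z"),
                     ("10.10.0.5", "2024-05-06T09:10:00Z")]:
        print(who_was_on(ip, when))
```

Two points the example makes concrete: the same address (10.20.1.45) resolves to different assets and users depending on the time asked about, which is why lease history matters; and a static server address yields an asset only because the audit supplied it, since no lease event will ever do so. Missing a static range or a VPN pool from the topology list leaves exactly these gaps in attribution.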