Network and Environment Audit
Before you begin using InsightIDR, gather as much information as possible about your environment so you can more easily deploy.
Therefore, you'll want to collect specific information about the following:
Is your Rapid7 product subscription provisioned for the United States? Check your region code first!
As of April 12th, 2021, all new customers subscribing to Rapid7 Insight products that elect to store their data in the United States will be provisioned for one of three data centers. Since these data centers have unique endpoints, any firewall rules you configure must correspond to the data center your organization is assigned to. Follow these steps to determine which United States data center your organization is part of:
- Go to insight.rapid7.com and sign in with your Insight account email address and password.
- Navigate to the Platform Home page.
  - If you are not taken to this page by default, expand the product dropdown in the upper left and click My Account.
- Look for the Data Storage Region tag in the upper right corner of the page below your account name. Your United States region tag will show one of the following data centers:
  - United States - 1
  - United States - 2
  - United States - 3
See Collector Requirements for detailed information.
Please identify and make note of the following:
- Domain Administrator account(s)
- Core Event Sources
- Server Host(s)
- Servers where log data originates, especially for Core Event Sources
- Domain Controllers
- Network and security tools and services that will provide valuable data for InsightIDR to analyze, such as your Firewall, VPN, or DNS tools
- Other systems and configurations you use in your environment, such as your other supported Event Sources
- Admin accounts for all event sources
- Credentials to those event sources
- Administrator services
Additionally, prepare or plan the following:
- Service Accounts for all event sources
- Insight Agent deployment for at least 80% of assets. Ensure network connectivity both between the Insight Agent and the InsightIDR Collector, and between the Insight Agent and Rapid7 infrastructure
When finished collecting these details, you will have a plan for collecting existing data to help InsightIDR understand the following:
- User details
- Asset details
- IP address history
Data Collection Methods
Once you identify all the potential event sources you are able to connect to InsightIDR, you need to identify how to collect the data. The “Collection Method” option in event source configuration specifies how the data will be either pushed to or pulled by your Collector.
See Data Collection Methods for more information.
Next, collect data about your network topology, or the way your network is connected. Once you gather this information and provide it to InsightIDR, the Insight Platform ingests all available information and properly attributes data.
Identify information regarding the network configuration, such as the following:
- Any internally assigned VPN IP addresses
- If using a public IP address range for internal IP addresses, the public IP address range
- The IP address ranges with static IPs
- The subnets that correspond to asset groupings (for example, server VLAN) of any kind
- The subnet and network location of your users
Once you collect this data and connect your network to InsightIDR, it will automatically correlate IP addresses with assets and with active user sessions, using DHCP lease events and domain and local authentication events, respectively.