Network and Environment Audit

Before you begin using InsightIDR, gather as much information as possible about your environment so that deployment goes more smoothly.

Specifically, you'll want to collect information about the following:

Collector Preparation

See Collector Requirements for detailed information.

Network Inventory

Please identify and make note of the following:

  • Domain Administrator account(s)
  • Foundational Event Sources
  • Server Host(s)
  • Servers where log data originates from, especially for Foundational Event Sources
  • Domain Controllers
  • Network and security tools and services that will provide valuable data for InsightIDR to analyze, such as your Firewall, VPN, or DNS tools
  • Other systems and configurations you use in your environment, such as your other supported Event Sources
  • Admin accounts for all event sources
  • Credentials to those event sources
  • Administrator services

Additionally, prepare or plan the following:

  • Service Accounts for all event sources
  • Insight Agent deployment for at least 80% of assets, ensuring network connectivity both between the Insight Agent and the InsightIDR Collector and between the Insight Agent and Rapid7 infrastructure

When finished collecting these details, you will have a plan for collecting existing data to help InsightIDR understand the following:

  • User details
  • Asset details
  • IP address history
  • Locations
  • Services
  • Policies
  • Threats

Data Collection Methods

Once you identify all the potential event sources you are able to connect to InsightIDR, you need to identify how to collect the data. The “Collection Method” option in event source configuration specifies how the data will be either pushed to or pulled by your Collector.

See Data Collection Methods for more information.

Network Information

Next, collect data about your network topology, or the way your network is connected. Once you gather this information and provide it to InsightIDR, the Insight Platform ingests all available information and properly attributes data.

Identify information regarding the network configuration, such as the following:

  • Any internally assigned VPN IP addresses
  • If using a public IP address range for internal IP addresses, the public IP address range
  • The IP address ranges with static IPs
  • The subnets that correspond to asset groupings (for example, server VLAN) of any kind
  • The subnet and network location of your users

Once you collect this data and connect your network to InsightIDR, it automatically correlates IP addresses with assets (using DHCP lease events) and assets with active user sessions (using domain and local authentication events).
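As an added illustration of the attribution just described (example code written for this page, not part of InsightIDR or Rapid7's implementation), the following resolves an IP address to an asset using constructed DHCP lease events, then to a user using constructed authentication events, and flags whether the address falls in the VPN range from the inventory above. The VPN range, static-IP hosts, lease lifetime and session lifetime are all assumed sample values.

```python
from datetime import datetime, timedelta
import ipaddress

# Assumed lifetimes (sample values, not InsightIDR settings).
LEASE_TTL = timedelta(hours=8)       # how long a DHCP lease is trusted
SESSION_TTL = timedelta(hours=10)    # how long a logon is treated as active

# Network inventory gathered in the audit above (constructed sample values).
VPN_RANGE = ipaddress.ip_network("10.200.0.0/16")
STATIC_ASSETS = {"10.0.5.10": "db01"}  # static-IP hosts on the server VLAN

# Constructed DHCP lease events: (lease start, IP address, hostname).
DHCP_LEASES = [
    ("2024-05-01T08:00:00", "10.0.1.20", "wks-alice"),
    ("2024-05-01T12:00:00", "10.0.1.20", "wks-bob"),  # same IP reassigned later
    ("2024-05-01T09:00:00", "10.200.3.7", "lt-carol"),
]
# Constructed domain/local authentication events: (logon time, hostname, user).
AUTH_EVENTS = [
    ("2024-05-01T08:05:00", "wks-alice", "alice"),
    ("2024-05-01T12:10:00", "wks-bob", "bob"),
    ("2024-05-01T09:02:00", "lt-carol", "carol"),
]

def _latest(events, key, at, ttl):
    """Value of the most recent event for `key` that started at or before `at`
    and is still inside its lifetime; None if there is no such event."""
    best = None
    for ts_iso, ev_key, value in events:
        ts = datetime.fromisoformat(ts_iso)
        if ev_key == key and ts <= at < ts + ttl and (best is None or ts > best[0]):
            best = (ts, value)
    return best[1] if best else None

def asset_for_ip(ip, at):
    """Static inventory wins; otherwise the newest DHCP lease valid at `at`."""
    return STATIC_ASSETS.get(ip) or _latest(DHCP_LEASES, ip, at, LEASE_TTL)

def user_for_asset(host, at):
    """Newest logon to `host` whose session is still active at `at`."""
    return _latest(AUTH_EVENTS, host, at, SESSION_TTL)

def attribute(ip, at_iso):
    """Resolve an IP at a point in time to (asset, user, network kind)."""
    at = datetime.fromisoformat(at_iso)
    kind = "vpn" if ipaddress.ip_address(ip) in VPN_RANGE else "lan"
    asset = asset_for_ip(ip, at)
    user = user_for_asset(asset, at) if asset else None
    return asset, user, kind
```

Note that the same IP resolves to different assets and users depending on the time asked about, which is why lease history and subnet inventory both matter to the audit.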