Other Deployment Options
While gathering information about your environment before and during deployment, SIEM (InsightIDR) provides support for organizations that use the following:
Azure Deployment
If you use Microsoft Azure in your environment, see the following pages for instructions on how to connect SIEM (InsightIDR) to your Azure infrastructure and collect the following corresponding data sources:
- LDAP user and account data
- Active Directory authentication and admin activity
- DHCP Hostname to IP mapping
SIEM (InsightIDR) fully supports Windows assets running in a hybrid cloud, an on-premises domain, or a cloud-only domain model. However, SIEM (InsightIDR) only partially supports Linux deployments in these scenarios.
Deploy in Multi-Domain Environments
If you have multiple domains in your environment, it is important that you specify a default domain for all event sources. This setting ensures that SIEM (InsightIDR) knows which domain should be used to attribute users to, particularly when that data is not provided in the event log. A default domain can be set for all event sources when configuring user attribution settings. To use a different default domain for a specific event source, you can customize it directly in the event source’s configuration settings.
For instance, if your company has DomainA and DomainB, but both domains have a user called John Smith, a default domain specifies which user the activity originated from. In this example, the default domain is DomainA. If SIEM (InsightIDR) receives data from John Smith that does not specify the domain, SIEM (InsightIDR) attributes data to John Smith from DomainA.
If you do not configure a default domain, SIEM (InsightIDR) may incorrectly attribute user information.
Applicable Event Sources
You can configure default domains for the following event source categories: