InsightIDR Quick Start Guide
InsightIDR is a SIEM security tool that consolidates data from your environment, gathered by the Collector and foundational event sources, and attributes it to individual users and assets. You can review your data from a single place and identify gaps, overlap, and weak spots. You can also set up intruder traps, network rules, alerts, and compliance policies to meet industry standards. Ultimately, these actions enhance a security team's ability to prevent attacks.
Rapid7 supports InsightIDR in the following browsers:
- Mozilla Firefox (latest stable release)
- Google Chrome (latest stable release)
Getting Started Checklist
To maximize your time, we’ve created a checklist of important capabilities for you to explore. Click the links below for step-by-step directions to help you get up and running.
- Prepare Your Environment for Deployment
- Deploy a Collector
- Set Up Foundational Event Sources
- Review Your Data
- Enhance Effectiveness
- Automate Your Security Tasks
Prepare Your Environment for Deployment
The first thing Rapid7 recommends is taking an inventory of your network. InsightIDR is most effective when collecting and analyzing as much data as possible. Therefore, you should carefully collect information before you deploy or configure event sources.
Step 1. Identify Foundational Event Sources
Identify the network and security tools and services that will provide valuable data for InsightIDR to analyze.
To understand the relationships in your network, InsightIDR maps each active IP address in your network to an asset and the responsible user. This process, called User Attribution, attributes events from your foundational event sources to the associated parties.
The foundational event sources are:
- LDAP (Lightweight Directory Access Protocol)
- AD (Active Directory)
- DHCP (Dynamic Host Configuration Protocol)
- Insight Agent
See Foundational Event Sources for more information.
Step 2. Plan Collector Placement
Identify one or more suitable hosts for the Collector based on network topology and the critical event sources identified in step one.
Identify all the servers from which event source data originates. Many networks consolidate security and network administration tools and services in a data center or corporate office. This central location is an ideal place to deploy a Collector on a dedicated host.
See Collector Requirements for more information.
Step 3. Provision and Configure the Collector
After you have verified that your host meets the system requirements, add outbound allowlist rules and disable the local firewall so the Collector can listen on common and uncommon ports.
Next, document the systems, service accounts, configurations, and administrators necessary to configure each event source, including the foundational event sources.
Deploy a Collector
When your host is ready, you must download, install, and activate the Collector.
- You can download the Collector file from the Data Collection page of InsightIDR.
- When you run the executable file, make sure to copy the Activation Key.
- Activate the Collector in the InsightIDR interface.
See Collector Installation and Deployment for more information.
Set Up Foundational Event Sources
An event source is an application, appliance, server, service, or other IT asset that generates log events. The Collector captures the generated data and then compresses, encrypts, and pushes it to the Insight platform. The Insight platform normalizes, attributes, analyzes, and presents the data for log search.
See InsightIDR Event Sources for a complete list of event sources available for parsing in InsightIDR.
How to Configure an Event Source
There are two ways to configure event sources: automatically or manually. Either way, make sure to set up credentials for an event source before you attempt to connect to it.
Auto-Configure uses domain admin credentials to scan server hosts in your environment and discover all available event sources. See Auto Configure event sources for more information.
The LDAP event source allows InsightIDR to query the LDAP tree to identify your users, accounts, and administrators. See LDAP for more information.
The Active Directory event source provides authentication and administrative events for your domain users. See Active Directory for more information.
The DHCP event source provides IP lease information that correlates IP addresses from log data with the host at the time of the event. See DHCP for more information.
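The lease-to-host correlation described above, shown as an added example (not InsightIDR's own code): given DHCP lease records and raw events that carry only a source IP, look up which host held that address at the time of each event. The lease and event records are constructed for the example; the edge cases covered are an address re-leased to a second host later the same day and an event that falls in the gap between leases.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed DHCP lease records, in the shape a DHCP server log would be
# normalized to. These values are made up for this example.
@dataclass
class Lease:
    ip: str
    hostname: str
    mac: str
    start: datetime
    end: datetime

LEASES: List[Lease] = [
    Lease("10.0.0.25", "LAPTOP-ALICE", "aa:bb:cc:00:00:01",
          datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 16, 0)),
    # The same address is handed out again to a different host later that day.
    Lease("10.0.0.25", "LAPTOP-BOB", "aa:bb:cc:00:00:02",
          datetime(2024, 3, 1, 17, 0), datetime(2024, 3, 2, 1, 0)),
    Lease("10.0.0.40", "SRV-FILE01", "aa:bb:cc:00:00:03",
          datetime(2024, 2, 28, 0, 0), datetime(2024, 3, 5, 0, 0)),
]

def host_for_ip(ip: str, at: datetime, leases: List[Lease]) -> Optional[str]:
    """Return the hostname that held `ip` at time `at`, or None if no lease covers it.

    Uses the lease whose [start, end) window contains `at`. If several overlap
    (for example a renewal logged before the old lease ended), the latest start wins.
    """
    candidates = [l for l in leases if l.ip == ip and l.start <= at < l.end]
    if not candidates:
        return None
    return max(candidates, key=lambda l: l.start).hostname

def attribute_events(events: List[Dict], leases: List[Lease]) -> List[Dict]:
    """Attach an asset name to each raw event that only carries a source IP."""
    attributed = []
    for ev in events:
        host = host_for_ip(ev["src_ip"], ev["time"], leases)
        attributed.append({**ev, "asset": host or "UNATTRIBUTED"})
    return attributed

# Constructed firewall-style connection events that know only the source IP.
EVENTS: List[Dict] = [
    {"time": datetime(2024, 3, 1, 9, 30), "src_ip": "10.0.0.25", "dst": "203.0.113.7"},
    {"time": datetime(2024, 3, 1, 18, 0), "src_ip": "10.0.0.25", "dst": "203.0.113.7"},
    {"time": datetime(2024, 3, 1, 16, 30), "src_ip": "10.0.0.25", "dst": "203.0.113.9"},
    {"time": datetime(2024, 3, 3, 12, 0), "src_ip": "10.0.0.40", "dst": "198.51.100.2"},
]

if __name__ == "__main__":
    for row in attribute_events(EVENTS, LEASES):
        print(row["time"], row["src_ip"], "->", row["asset"])
```

The third event lands between the two leases for 10.0.0.25 and stays unattributed rather than being guessed; that gap is exactly why complete DHCP coverage matters for attribution.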
The Insight Agent collects endpoint logs from servers, workstations, laptops, desktops, and VDI infrastructure in order to correlate data. Collecting data from assets provides visibility into local account activity and analysis of the processes running on endpoints. It also gives InsightIDR the ability to alert on log event changes.
See The Insight Agent help pages for detailed information on setting this up.
Review Your Data
After you've set up your foundational event sources, InsightIDR will immediately begin normalizing and analyzing your data. You will see various pages, dashboards, widgets, and key performance indicators (KPIs) appear in the tool automatically.
Review the data InsightIDR is now cataloguing to confirm it's correct.
See all available raw data in the form of logs. Write queries for more targeted, granular information. See Log Collection and Storage for more information.
Parsing and Normalizing Data
InsightIDR automatically parses any logs it is able to, and then normalizes them into JSON. Along with raw data about your assets and users, you can query this data for more granular information.
Users & Assets page
InsightIDR automatically builds a dedicated page for every user, asset, and process observed in your environment. See Users and Accounts on Your Domain for more information.
See all the information about admin users, what groups the admin belongs to, whether or not they are local administrators, and more.
Non-Expiring User Accounts
This page will show a list of all users who own accounts with non-expiring passwords. Non-expiring user accounts help attackers maintain presence in compromised networks, enabling "low-and-slow" attacks that go unnoticed. Rapid7 recommends setting password expiration policies for all users as a best practice.
See Non-Expiring Accounts for more information.
InsightIDR automatically tags service accounts by identifying non-expiring accounts with non-human names. Rapid7 recommends reviewing these, especially any active Service Accounts.
Learn how to set up a Service Account to collect information about log events and endpoint scans.
Otherwise, see Non-Expiring and Service Accounts to learn about how InsightIDR recognizes service accounts.
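The non-expiring account review and the service-account tagging heuristic described above, as an added example that is not part of InsightIDR: it reads AD-style account records, flags enabled accounts whose password never expires, and separates the ones with non-human names (likely service accounts) from the ones that look like people. The records and the name patterns are assumptions constructed for this example; the userAccountControl bit values are the standard Active Directory ones.

```python
import re
from typing import Dict, List

# Standard Active Directory userAccountControl bits.
DONT_EXPIRE_PASSWORD = 0x10000  # password never expires
ACCOUNT_DISABLE = 0x2           # account is disabled
NORMAL_ACCOUNT = 0x200

# Heuristic for "non-human" names: common service-account prefixes, suffixes, or a
# trailing '$' as used by machine accounts. This pattern is an assumption for the example.
SERVICE_NAME_PATTERN = re.compile(
    r"^(svc|sa|srv|app|bot)[_-]|[_-](svc|service|bot)$|\$$", re.IGNORECASE)

# Constructed records in the shape of an LDAP/AD user export (made up for this example).
ACCOUNTS: List[Dict] = [
    {"sAMAccountName": "alice.w", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "bob.k", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "svc-backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "app_scanner",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNT_DISABLE},
    {"sAMAccountName": "carol.m", "userAccountControl": NORMAL_ACCOUNT | ACCOUNT_DISABLE},
]

def password_never_expires(acct: Dict) -> bool:
    return bool(acct["userAccountControl"] & DONT_EXPIRE_PASSWORD)

def is_enabled(acct: Dict) -> bool:
    return not (acct["userAccountControl"] & ACCOUNT_DISABLE)

def looks_like_service_account(name: str) -> bool:
    return SERVICE_NAME_PATTERN.search(name) is not None

def classify(accounts: List[Dict]) -> Dict[str, List[str]]:
    """Split accounts into the groups a reviewer wants to act on:
    enabled human accounts with non-expiring passwords (apply an expiration policy),
    enabled service accounts (review and tag as such), and everything else."""
    report: Dict[str, List[str]] = {"human_non_expiring": [], "active_service": [], "other": []}
    for acct in accounts:
        name = acct["sAMAccountName"]
        if password_never_expires(acct) and is_enabled(acct):
            bucket = "active_service" if looks_like_service_account(name) else "human_non_expiring"
        else:
            bucket = "other"
        report[bucket].append(name)
    return report

if __name__ == "__main__":
    for group, names in classify(ACCOUNTS).items():
        print(f"{group}: {', '.join(names) or '-'}")
```

A name that matches the pattern but belongs to a person (or the reverse) is exactly the mislabel the next section warns about, which is why the output is a review list rather than an automatic tag.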
Tag User and Service Accounts Accurately
If InsightIDR mislabels employees as service accounts (or vice-versa), be sure to tag them appropriately! The behavioral algorithms and alerts are quite different for service and domain accounts. See Users and Accounts for more information.
InsightIDR has a list of built-in detections. These detections are pre-sorted into one of two categories: Notable Behaviors and Alerts.
Notable Behaviors are typically single, anomalous events for the associated user. Alerts are typically patterns in data or individual events commonly associated with attacker behavior.
See Alerts for information on how to manage, change, and disable alerts.
While an initial configuration is fundamental, you should set up additional configurations that will help the solution make sense of your data. These configurations are in user account settings. See Network Rules, Restricted Asset, and Watchlist Users for more information.
Enhance Effectiveness
Connect additional value-add event sources, deploy deception technology, and enable alerts based on threat intelligence.
Powered by foundational event sources, InsightIDR's user attribution services can attribute a user or asset's log events from firewall, VPN, and/or DNS event sources. These event sources provide context on remote ingress to the network, connection information, cloud service utilization, and alerts based on threat intelligence.
Adding firewall data allows InsightIDR to track cloud service utilization and browsing on malicious domains. Note that rather than just collecting configuration and change logs, InsightIDR looks for connection events to attribute events to users and assets generating the traffic.
Learn how to configure Firewall event sources.
VPN logs provide visibility into users' remote network ingress activity. Learn how to configure VPN event sources.
DNS logs provide more information about web traffic than firewall logs. DNS also provides greater visibility into destination URLs, which appear in Account Visited Suspicious Link incidents.
Learn how to configure DNS event sources.
Restricted Asset and Network Policies
Define which assets in your environment are the most important, so you can see which users access those machines. Restricted Assets will notify you for each new authentication event, allowing you to restrict access to the system. You may also define Network Policies, which use Active Directory group membership to identify which users should or should not access certain network zones.
Both of these alerts help identify suspicious and potentially risky access to critical infrastructure.
In addition to the detections based on user behavior and endpoints, InsightIDR provides various alerts tied to Threat Intelligence. When you subscribe to a threat feed, InsightIDR enables the corresponding alerts. Each threat feed contains indicators reported as malicious, such as IP addresses, domains, hashes, or URLs. Whenever one of these indicators interacts with or appears on your network, InsightIDR fires an alert.
Cloud Service Data
InsightIDR integrates with cloud services by accessing their APIs, pulling events, and correlating activity with your domain users. Because the cloud service provides the data, InsightIDR will collect and display cloud service access from both on and off your network.
Learn how to configure Cloud Services.
Once everything else is in place, configure intruder traps: fake assets, users, and files that trigger an alert when touched. If an intruder attempts to access or use an intruder trap, InsightIDR will trigger various alarms to notify you of the attacker behavior. Because these entities serve no real business purpose, do not allow your users to access them.
Learn how to Deploy Deception Technology in your environment.
Automate Your Security Tasks
Automation allows you to reduce the number of manual security tasks that you have to perform. To help you efficiently streamline your security processes, Get Started with Automation.