Rapid7 Universal Antivirus

If Rapid7 does not support the logging format of your antivirus solution, you can still send data into InsightIDR so long as you transform your logs to meet this universal event format (UEF) contract.

Need help transforming your logs?

Read instructions on transforming your logs in this Rapid7 blog post or on the Transform Logs to UEF help page.

Required Fields

Ensure that your antivirus logs contain the following fields so that you can construct a valid UEF Virus Alert object. Objects that violate the UEF will not be ingested by InsightIDR and will be unavailable for log search.

Field	Required?	Validation	Description
event_type	Yes	This field must be VIRUS_ALERT in order to indicate the type of Universal Event.	The event type of this Universal Event.
version	Yes	InsightIDR currently supports version v1.	The version of the VIRUS_ALERT event_type. New versions may be added in the future with documented fields added, removed, or modified.
time	Yes	Must be a valid ISO 8601 extended timestamp with millisecond precision, such as the following: `yyyy-MM-ddTHH:mm:SS.SSSZ`	The ISO 8601 extended timestamp.
source_address	Yes	This must be an IP address or an hostname. If an IP address, it must be an IPv4 address or IPv4 mapped IPv6 address. Use a fully qualified domain name if possible, otherwise short hostnames are accepted.	IP address or hostname.
alert_title	Yes	The value must be nonempty, such as `File Quarantined`	A descriptive title of the virus alert.
account	No	This should be a non- empty string, such as `jdoe`	The account associated with the virus alert. If the account matches any known accounts associated with a user, InsightIDR will attribute the virus alert to that user.
account_domain	No	The value must either be null or nonempty, such as `CORP`	The Active Directory domain of the account.
file_path	No	The value must either be null or nonempty, such as `C:\Users\jdoe\virus.exe`	The filepath of a file associated with the virus alert.
custom_data	No	Must be a JSON object.	Use this field to send any additional information. This data will be available for log search and LEQL queries.

Example Format

You must send events to the InsightIDR collector in UTF-8 format, with each log entry representing a single event, and a newline delimiting each event.

For example: {"version": "v1", "event_type": "VIRUS_ALERT", "time": "2018-06-07T18:18:31.123Z", "source_address": "nyc-2306.corp.company.com", "alert_title": "File Quarantined", "account": "jdoe", "account_domain": "CORP", "file_path": "C:\Users\jdoe\virus.exe"}

Each event sent to InsightIDR must not contain newline characters; InsightIDR only permits newlines that delimit separate Universal Events.

Here are some examples of a Universal Virus Alert Event with readable formatting:


 
1

2
{
3
  "version": "v1",
4
  "event_type": "VIRUS_ALERT",
5
  "time": "2018-06-07T18:18:31.123Z",
6
  "source_address": "nyc-2306.corp.company.com",
7
  "alert_title": "File Quarantined"
8
}
9

10

Or:


 
1
{
2
  "version": "v1",
3
  "event_type": "VIRUS_ALERT",
4
  "time": "2018-06-07T18:18:31.123Z",
5
  "source_address": "nyc-2306.corp.company.com",
6
  "alert_title": "File Quarantined",
7
  "account": "jdoe",
8
  "account_domain": "CORP",
9
  "file_path": "C:\Users\jdoe\virus.exe",
10
  "custom_data": {
11
     "arbitrary_field": "arbitrary_value",
12
     "arbitrary_number": 123
13
  }
14
}
15

Did this page help you?

Event Source Configuration

Rapid7 Universal DHCP

Event Source Configuration

Rapid7 Universal Ingress Authentication