Rapid7 Universal Antivirus

If Rapid7 does not support the logging format of your antivirus solution, you can still send data into InsightIDR so long as you transform your logs to meet this universal event format (UEF) contract.

Need help transforming your logs?

Read instructions on transforming your logs in this Rapid7 blog post or on the Transform Logs to UEF help page.

Required Fields

Ensure that your antivirus logs contain the following fields so that you can construct a valid UEF Virus Alert object. Objects that violate the UEF will not be ingested by InsightIDR and will be unavailable for log search.

Field

Required?

Validation

Description

event_type

Yes

This field must be VIRUS_ALERT in order to indicate the type of Universal Event.

The event type of this Universal Event.

version

Yes

InsightIDR currently supports version v1.

The version of the VIRUS_ALERT event_type. New versions may be added in the future with documented fields added, removed, or modified.

time

Yes

Must be a valid ISO 8601 extended timestamp with millisecond precision, such as the following:
yyyy-MM-ddTHH:mm:SS.SSSZ

The ISO 8601 extended timestamp.

source_address

Yes

This must be an IP address or an hostname. If an IP address, it must be an IPv4 address or IPv4 mapped IPv6 address. Use a fully qualified domain name if possible, otherwise short hostnames are accepted.

IP address or hostname.

alert_title

Yes

The value must be nonempty, such as File Quarantined

A descriptive title of the virus alert.

account

No

This should be a non- empty string, such as jdoe

The account associated with the virus alert. If the account matches any known accounts associated with a user, InsightIDR will attribute the virus alert to that user.

account_domain

No

The value must either be null or nonempty, such as CORP

The Active Directory domain of the account.

file_path

No

The value must either be null or nonempty, such as C:\Users\jdoe\virus.exe

The filepath of a file associated with the virus alert.

custom_data

No

Must be a JSON object.

Use this field to send any additional information. This data will be available for log search and LEQL queries.

Example Format

You must send events to the InsightIDR collector in UTF-8 format, with each log line representing a single event, and a newline delimiting each event.

For example: {"version": "v1", "event_type": "VIRUS_ALERT", "time": "2018-06-07T18:18:31.123Z", "source_address": "nyc-2306.corp.company.com", "alert_title": "File Quarantined", "account": "jdoe", "account_domain": "CORP", "file_path": "C:\Users\jdoe\virus.exe"}

Each event sent to InsightIDR must not contain newline characters; InsightIDR only permits newlines that delimit separate Universal Events.

Here are some examples of a Universal Virus Alert Event with readable formatting:

1
2
{
3
"version": "v1",
4
"event_type": "VIRUS_ALERT",
5
"time": "2018-06-07T18:18:31.123Z",
6
"source_address": "nyc-2306.corp.company.com",
7
"alert_title": "File Quarantined"
8
}
9
10

Or:

1
{
2
"version": "v1",
3
"event_type": "VIRUS_ALERT",
4
"time": "2018-06-07T18:18:31.123Z",
5
"source_address": "nyc-2306.corp.company.com",
6
"alert_title": "File Quarantined",
7
"account": "jdoe",
8
"account_domain": "CORP",
9
"file_path": "C:\Users\jdoe\virus.exe",
10
"custom_data": {
11
"arbitrary_field": "arbitrary_value",
12
"arbitrary_number": 123
13
}
14
}
15