System Requirements
Before you can start using SIEM (InsightIDR), make sure that you’ve met the following requirements in your environment:
- Collector Requirements
- Rapid7 Agent (Insight Agent) Requirements
- Honeypot Requirements
- Core Event Source Requirements
- Service Account Permission Requirements
- Rapid7 Network Sensor (Insight Network Sensor) Requirements
Collector Requirements
See Collector Requirements for specific details.
Rapid7 Agent (Insight Agent) Requirements
When you install the Rapid7 Agent (Insight Agent) on your endpoints and assets, make sure that the agent can communicate back to the Collector through TCP on the following Collector ports:
- 5508
- 6608
- 8037
If you are using the Collector for Endpoint Scanning, please also ensure the following ports are open:
- 5508
- 6608
- 20000 – 30000
See the Rapid7 Agent (Insight Agent) documentation for more information.
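A preflight check for the agent-to-Collector TCP ports listed above, run from an endpoint before rolling out the agent. This is an added example, not Rapid7 tooling; the function names and the command-line usage are assumptions made for illustration.

```python
"""Preflight: can this endpoint reach the Collector on the agent ports?"""
import socket
import sys

# Agent-to-Collector TCP ports from the requirements above.
AGENT_PORTS = [5508, 6608, 8037]


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Host answered with a reset: reachable, but nothing is listening
        # on the port (or a firewall is actively rejecting).
        return "refused"
    except socket.timeout:
        # No answer at all: typically a firewall silently dropping packets.
        return "timeout"
    except OSError as exc:
        # DNS failure, no route, and similar (hypothetical status format).
        return f"error:{exc.__class__.__name__}"


def check_collector(host, ports=AGENT_PORTS, timeout=3.0):
    """Probe each port on the Collector and return {port: status}."""
    return {port: probe(host, port, timeout) for port in ports}


def blocked(results):
    """Return the sorted list of ports whose status is not 'open'."""
    return sorted(p for p, status in results.items() if status != "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py <collector-hostname>")
    collector = sys.argv[1]
    results = check_collector(collector)
    for port, status in sorted(results.items()):
        print(f"{collector}:{port}/tcp {status}")
    # Non-zero exit lets deployment tooling stop before installing the agent.
    sys.exit(1 if blocked(results) else 0)
```

A `timeout` result usually points at a dropping firewall rule between the endpoint and the Collector, while `refused` means the path is open but the Collector service is not listening on that port.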
Rapid7 Agent (Insight Agent) OS Requirements
See the Rapid7 Agent (Insight Agent) requirements for what operating systems can support the Rapid7 Agent (Insight Agent).
Honeypot Requirements
The honeypot is a VMware-formatted OVA that runs with 1 GB RAM and 10 GB of disk space. It requires a fully qualified domain name (FQDN).
A honeypot uses the following resources:
- 1 CPU
- 1 GB RAM
- 10 GB hard disk space
Honeypot deployment and communication with the Insight platform are very similar to those of a Collector. If you haven’t already, you must allowlist the following URLs in firewalls and web proxies according to your region:
Region | Data endpoint | Storage (S3 endpoint) |
---|---|---|
United States - 1 | data.insight.rapid7.com | s3.amazonaws.com |
United States - 2 | us2.data.insight.rapid7.com | s3.us-east-2.amazonaws.com |
United States - 3 | us3.data.insight.rapid7.com | s3.us-west-2.amazonaws.com |
Canada | ca.data.insight.rapid7.com | s3.ca-central-1.amazonaws.com |
Europe | eu.data.insight.rapid7.com | s3.eu-central-1.amazonaws.com |
Japan | ap.data.insight.rapid7.com | s3-ap-northeast-1.amazonaws.com |
Australia | au.data.insight.rapid7.com | s3-ap-southeast-2.amazonaws.com |
See Honeypots for more deployment information.
Core Event Source Requirements
See the Core Event Sources page for detailed information.
Service Account Permission Requirements
SIEM (InsightIDR) requires that you configure at least one account in each Windows domain that has permissions to collect event logs in the domain. Depending on your environment, this account will be used to collect:
- Domain Controller Security Logs with the Active Directory event source.
- User and group information from the Windows domain using the LDAP event source.
- Microsoft DHCP logs using the Microsoft DHCP event source.
- Microsoft DNS logs using the Microsoft DNS event source.
- Microsoft OWA/ActiveSync logs using the Microsoft Outlook Web Access/ActiveSync event source.
You may create one account and use it for the collection of all of the event sources. However, you can also create separate service accounts for each different type of log collection.
See Service Accounts for more information.
Rapid7 Network Sensor (Insight Network Sensor) Requirements
See the Rapid7 Network Sensor (Insight Network Sensor) Requirements page for detailed information on host system and network requirements.