Before you can start using InsightIDR, make sure that you’ve met the following requirements in your environment:
- Collector Requirements
- Insight Agent Requirements
- Honeypot Requirements
- Foundational Event Source Requirements
- Service Account Permission Requirements
See Collector Requirements for specific details.
Insight Agent Requirements
When you install the Insight Agent on your endpoints and assets, make sure that the agent can communicate back to the Collector through TCP on the following Collector ports:
If you are using the Collector for Endpoint Monitoring, please also ensure the following ports are open:
- 20000 – 30000
See the Insight Agent for more information.
Insight Agent OS Requirements
See the Insight Agent requirements for what operating systems can support the Insight Agent.
The honeypot is a VMware formatted OVA running 1GB RAM and 10GB disk space. It requires a fully qualified domain name (FQDN).
A honeypot uses the following resources:
- 1 CPU
- 1GB RAM
- 10 GB hard disk space
Honeypot deployment and communication with the Insight platform is very similar to a Collector. If you haven't already, you must allowlist the following URLs in firewalls and web proxies according to your region:
|Region||Data endpoint||Storage (S3 endpoint)|
|United States - 1|
|United States - 2|
|United States - 3|
See Honeypots for more deployment information.
Foundational Event Source Requirements
Please refer to the Foundational Event Sources page for detailed information.
Service Accounts Permission Requirements
InsightIDR requires that you configure at least one account in each Windows domain that has permissions to collect event logs in the domain. Depending on your environment, this account will be used to collect:
- Domain Controller Security Logs with the Active Directory event source.
- User and group information from the Windows domain using the LDAP event source.
- Microsoft DHCP logs using the Microsoft DHCP event source.
- Microsoft DNS logs using the Microsoft DNS event source.
- Microsoft OWA/ActiveSync logs using the Microsoft Outlook Web Access/ActiveSync event source.
You may create one account and use it for the collection of all of the event sources. However, you can also create separate service accounts for each different type of log collection.
See Service Accounts for more information.