Virus Scan
The data ingested from Virus Scan event sources are used for analytics. Adding virus scan integration allows you to track which users and assets are infected frequently. Additionally, SIEM (InsightIDR) uses this data to produce some notable behaviors and alerts.
Most of the Virus Scan event sources use the two common collection methods, Listen on Network Port and Log Aggregator. See each individual event source for further details.
Antivirus Event Sources
Collecting antivirus events allows for more contextual information to be added to an asset. The only type of AV event that is parsed in SIEM (InsightIDR) is when a virus is detected by the AV software. Collecting the AV events let you view viruses found on an asset when looking at the asset in Insight.
Rapid7 can integrate with the following antivirus tools to generate alerts in SIEM (InsightIDR) and the Insight Platform:
- BitDefender
- Carbon Black Cloud
- CylancePROTECT
- ESET Antivirus
- F-Secure
- Kaspersky Anti-Virus
- MalwareBytes Endpoint Protection
- McAfee ePO
- Palo Alto Networks Traps TSM
- Rapid7 Universal Antivirus
- SentinelOne EDR
- Sophos Central
- Sophos Enduser Protection
- Sophos Intercept X
- Symantec Endpoint Protection
- Trend Micro Apex One
- Trend Micro Control Manager
- Trend Micro Deep Security
- Trend Micro OfficeScan
For other antivirus products, use the vendor documentation to configure the antivirus server to send syslog to the collector on a unique UDP or TCP port (above 1024).
Not seeing log data?
SIEM (InsightIDR) only parses an event from your Virus Scan event source when a virus is found.