Virus Scan

The data ingested from Virus Scan event sources is used for analytics. Adding a virus scan integration allows you to track which users and assets are infected frequently. Additionally, SIEM (InsightIDR) uses this data to produce some notable behaviors and alerts.

Most Virus Scan event sources use one of the two common collection methods, Listen on Network Port or Log Aggregator. See each individual event source for further details.

Antivirus Event Sources

Collecting antivirus events adds contextual information to an asset. The only type of AV event that SIEM (InsightIDR) parses is a detection, that is, an event reporting that the AV software found a virus. Collecting AV events lets you view the viruses found on an asset when looking at that asset in Insight.

Rapid7 can integrate with the following antivirus tools to generate alerts in SIEM (InsightIDR) and the Insight Platform:

For other antivirus products, use the vendor documentation to configure the antivirus server to send syslog to the collector on a unique UDP or TCP port (above 1024).

Note: Not seeing log data?

SIEM (InsightIDR) only parses an event from your Virus Scan event source when a virus is found.
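The forwarding path described above (an AV server sending syslog to the collector on a dedicated port above 1024) can be checked end to end before looking for parsed events. The script below is an added example for this page, not Rapid7's code or documentation: it enforces the two port constraints the page gives (above 1024 and unique per event source), frames a constructed "virus detected" line as RFC 3164 syslog, sends it over UDP or TCP, and confirms what the listening side received. The collector is simulated by a loopback socket so the example runs offline; the collector address, the syslog framing and the sample AV event are assumptions, and the sample event is constructed rather than a real vendor log line.

```python
"""Added example for this page, not Rapid7 code: verify that a Virus Scan
event source's syslog forwarding path reaches the collector port.

Assumptions not taken from the page: the collector is simulated by a local
socket on 127.0.0.1 (so this runs offline), the sample AV event below is
constructed, and RFC 3164 framing is used for the syslog line."""
import socket
import threading

COLLECTOR_HOST = "127.0.0.1"  # assumption: collector simulated on loopback
RESERVED_PORT_MAX = 1024      # the page: use a unique port above 1024

# Constructed sample detection event; real vendor formats differ.
SAMPLE_AV_EVENT = (
    "av-server01 avd[2231]: Threat detected name=EICAR-Test-File "
    "path=C:\\Users\\jdoe\\Downloads\\eicar.com user=jdoe action=quarantined"
)


def validate_port(port: int, ports_in_use: frozenset[int] = frozenset()) -> int:
    """Enforce the page's two constraints on a collector port: above 1024
    and not already assigned to another event source on the collector."""
    if not RESERVED_PORT_MAX < port <= 65535:
        raise ValueError(f"port {port} must be above {RESERVED_PORT_MAX} and at most 65535")
    if port in ports_in_use:
        raise ValueError(f"port {port} is already used by another event source")
    return port


def build_syslog_line(body: str, pri: int = 14, timestamp: str = "Jan 10 12:00:00") -> bytes:
    """RFC 3164 framing: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
    PRI 14 = facility user (1) * 8 + severity informational (6)."""
    return f"<{pri}>{timestamp} {body}".encode()


def _collector(proto: str, srv: socket.socket, received: list) -> None:
    """Stand-in for the collector's 'Listen on Network Port' method: take one
    datagram (UDP) or one connection's bytes until the sender closes (TCP)."""
    try:
        if proto == "udp":
            data, _ = srv.recvfrom(65535)
        else:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(3.0)
                chunks = []
                while chunk := conn.recv(4096):
                    chunks.append(chunk)
                data = b"".join(chunks)
        received.append(data)
    except OSError:
        pass  # timeout or reset: nothing received, caller reports b""
    finally:
        srv.close()


def check_forwarding(line: bytes, proto: str = "udp",
                     ports_in_use: frozenset[int] = frozenset()) -> tuple[int, bytes]:
    """Open a collector-style listener on a free port, validate that port against
    the page's rules, forward `line` to it as the AV server would, and return
    (port, bytes the collector received). TCP syslog lines are newline-terminated."""
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be 'udp' or 'tcp'")
    sock_type = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    srv = socket.socket(socket.AF_INET, sock_type)
    srv.settimeout(3.0)
    srv.bind((COLLECTOR_HOST, 0))  # 0: let the OS pick a free ephemeral (>1024) port
    try:
        port = validate_port(srv.getsockname()[1], ports_in_use)
    except ValueError:
        srv.close()
        raise
    if proto == "tcp":
        srv.listen(1)
    received: list = []
    worker = threading.Thread(target=_collector, args=(proto, srv, received))
    worker.start()
    with socket.socket(socket.AF_INET, sock_type) as client:  # the "AV server" side
        client.settimeout(3.0)
        if proto == "udp":
            client.sendto(line, (COLLECTOR_HOST, port))
        else:
            client.connect((COLLECTOR_HOST, port))
            client.sendall(line + b"\n")
    worker.join()
    return port, (received[0] if received else b"")


if __name__ == "__main__":
    line = build_syslog_line(SAMPLE_AV_EVENT)
    for proto in ("udp", "tcp"):
        port, got = check_forwarding(line, proto)
        status = "received" if got else "NOT received"
        print(f"{proto.upper()} port {port}: {status} {len(got)} bytes")
```

A received line proves only that the network path and port assignment work. Because SIEM (InsightIDR) parses a Virus Scan event only when it reports a found virus, a test message that does not describe a detection will not appear in InsightIDR even when the collector receives it, so use a line shaped like your product's real detection event when checking the parsed result.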