Visibility Monitoring

This is a collection of rules used to monitor for potential impacts to Rapid7’s visibility into the customer’s environment.

Endpoint Visibility - Linux Auditd Compatibility Mode Is Not Enabled

Description

This detection identifies when one or more of the Linux hosts in your environment has an auditd Compatibility Mode misconfiguration. Hosts that report this issue will not be able to send process start logs to the Insight Platform, which inhibits InsightIDR’s ability to detect malicious activity on the endpoint.

Recommendation

If you install the Insight Agent on Linux assets for use with InsightIDR, the auditd library must be present, but the service must be disabled. InsightIDR must have exclusive use of the auditd service to successfully run the agent.job.linux.ui_realtime job.

If your organization requires that auditd be enabled at all times, you must configure auditd Compatibility Mode to ensure that both the Insight Agent and auditd services can run together.

To identify the list of machines that are currently misconfigured:

  1. Navigate to Log Search from the InsightIDR left menu.
  2. Run this query on the Job Status log (located in the Endpoint Health log set) with a time range of “Today” to see the latest reports:

     where(job = "agent.jobs.linux.ui_realtime" AND status = "job.status.failed" AND message ISTARTS-WITH "Auditd is enabled") groupby(hostname) limit(10000)

  3. For each Linux host that is returned, ensure the auditd library is installed but the service is disabled. If your organization requires that auditd remain enabled at all times, follow the instructions to configure auditd Compatibility Mode: https://docs.rapid7.com/insight-agent/auditd-compatibility-mode-for-linux-assets/.

To validate that a Linux host is configured correctly, run a search on the process start events log to confirm that logs are arriving from the host: where("hostname" = "my-hostname"). Logs take a minimum of 7 minutes to appear in Log Search.
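The check above can be scripted on the host itself. The following POSIX shell script is an added example, not Rapid7's own code or tooling: it classifies a host's auditd state against the requirement described in this section (library present, service not running unless Compatibility Mode is configured). It assumes a systemd host where the auditd service unit is named "auditd" and the library's presence can be inferred from the auditctl binary; whether Compatibility Mode has been configured is passed in by the operator, because this page does not name a file or marker that records it.

```shell
#!/bin/sh
# Added example (not Rapid7's code): classify a Linux host's auditd state
# against the Insight Agent requirement: the auditd library must be present,
# but the auditd service must not be running unless Compatibility Mode is on.
#
# Assumptions (not from the page): systemd host, service unit named "auditd",
# library presence inferred from the auditctl binary being on PATH.

# Pure classifier, so the logic can be exercised without a live system.
#   $1 = "present" or "missing"      (auditd library/package)
#   $2 = output of `systemctl is-active auditd`: active|inactive|failed|unknown
#   $3 = "yes" if auditd Compatibility Mode has been configured, else "no"
# Prints one of: OK, OK_COMPAT_MODE, MISSING_LIBRARY, AUDITD_CONFLICT
auditd_verdict() {
    lib="$1"; svc="$2"; compat="$3"
    if [ "$lib" != "present" ]; then
        echo "MISSING_LIBRARY"         # the agent needs the library even when the service is off
        return 1
    fi
    case "$svc" in
        active|activating)
            if [ "$compat" = "yes" ]; then
                echo "OK_COMPAT_MODE"  # agent and auditd can run together
                return 0
            fi
            echo "AUDITD_CONFLICT"     # the state behind the "Auditd is enabled" job failure
            return 1 ;;
        *)
            echo "OK"                  # library present, service not running
            return 0 ;;
    esac
}

# Gather the live state of this host and feed it to the classifier.
# $1 = "yes" if Compatibility Mode was configured on this host (default "no").
check_this_host() {
    compat="${1:-no}"
    if command -v auditctl >/dev/null 2>&1; then lib=present; else lib=missing; fi
    # `systemctl is-active` exits non-zero for inactive units but still prints the state,
    # so keep its output and only fall back to "unknown" when nothing was printed.
    svc=$(systemctl is-active auditd 2>/dev/null || true)
    [ -n "$svc" ] || svc=unknown
    auditd_verdict "$lib" "$svc" "$compat"
}

# Usage on a host:  check_this_host no      (or: check_this_host yes)
```

A result of AUDITD_CONFLICT corresponds to the hosts the Log Search query in this section returns; OK or OK_COMPAT_MODE hosts should start showing process start events within the 7-minute window noted above.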

Visibility Monitoring - Rapid7 Endpoint Component Quarantined By AntiVirus

Description

This detection identifies antivirus software detecting Rapid7 Insight Agent directories or components as a threat. If the antivirus software quarantines or deletes components of Rapid7 Insight Agent, this may lead to loss of visibility and coverage across endpoints.

Recommendation

Review the alert in question. If necessary, contact the antivirus vendor for instructions on how to add the Rapid7 Insight Agent to an allow list.

Visibility Monitoring - Request To Rapid7.com Blocked By Web Proxy

Description

This detection identifies blocked requests to 'insight.rapid7.com' or 'endpoint.ingress.rapid7.com'. Endpoints running the Insight Agent need access to one of these domains to deliver information to the InsightIDR platform for monitoring purposes. Endpoints need access through one of three available methods: direct network connection, access to an InsightIDR Collector, or a proxy that has network access to these domains.

Recommendation

If you are running the Insight Agent in an environment that needs to restrict outbound agent access to InsightIDR, this alert can tell you which web proxies are configured as expected. If you operate in this type of environment, you may want to turn off the alert. Contact your Customer Advisor about best practices and potential tuning requests for this alert.

If you are not restricting how the Insight Agent connects to InsightIDR, this alert means your environment may be misconfigured. Review the configuration of the web proxies involved and ensure they are not blocking 'rapid7.com'.

For more information on the networking requirements, view the documentation: https://docs.rapid7.com/insight-agent/requirements/#insight-platform-connectivity-requirements
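To see which hosts the rule's logic would surface, the following POSIX shell snippet is an added example (not Rapid7's detection code) that applies the same condition, a blocked request to either of the two ingress domains named above, to proxy log lines. The log format is constructed for the example (timestamp, client host, action, destination host, status); real proxies use their own formats, so the awk field positions and the set of "block" action names are assumptions to adapt.

```shell
#!/bin/sh
# Added example (not Rapid7's code): report hosts whose requests to the
# Insight Agent ingress domains were blocked by a web proxy.
# Constructed log format (not any vendor's):
#   <timestamp> <client_host> <action> <destination_host> <status>
# Field positions and the action names treated as "blocked" are assumptions.

# Reads log lines on stdin; prints "client_host destination" once per pair
# for every blocked request to the two domains named on the page.
blocked_rapid7_requests() {
    awk '
        $3 ~ /^(BLOCK|DENIED|TCP_DENIED)$/ &&
        ($4 == "insight.rapid7.com" || $4 == "endpoint.ingress.rapid7.com") {
            key = $2 " " $4
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample log (not captured from a real proxy).
SAMPLE_LOG='2024-01-01T10:00:01Z ws-001 ALLOW insight.rapid7.com 200
2024-01-01T10:00:02Z ws-002 BLOCK insight.rapid7.com 403
2024-01-01T10:00:03Z ws-003 BLOCK example.org 403
2024-01-01T10:00:04Z ws-002 BLOCK endpoint.ingress.rapid7.com 403
2024-01-01T10:00:05Z ws-004 TCP_DENIED endpoint.ingress.rapid7.com 403
2024-01-01T10:00:06Z ws-002 BLOCK insight.rapid7.com 403'

# Number of distinct client hosts that lost agent connectivity in the sample.
count_blocked_hosts() {
    printf '%s\n' "$SAMPLE_LOG" | blocked_rapid7_requests | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Usage:  printf '%s\n' "$SAMPLE_LOG" | blocked_rapid7_requests
```

Hosts listed by the function that are not expected to be restricted point at a proxy policy to review, which is the misconfiguration case described in the recommendation; in an environment that deliberately restricts agent egress, the same list confirms the proxies are enforcing the intended policy.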