
InsightIDR

Quick Start Guide

Contents
Revision history
Getting started with InsightIDR
Protecting your data with InsightIDR
Protecting your users with InsightIDR
Getting help
Gaining visibility into user activity
Planning your Collector deployment
Identifying Event Sources ... 12
User Attribution Event Sources ... 13
Configuring LDAP ... 14
Configuring Active Directory (AD) ... 18
Listen for Syslog ... 21
Log Aggregator ... 22
WMI ... 24
Configuring DHCP ... 25
Data Collection methods ... 28
Configuring Event Sources ... 30
Copying Event Sources to a Collector ... 34
Deleting a Collector ... 37
Data Collection ... 40
Data Collection Metrics ... 40
Setting an Intruder Trap ... 43
Honey Pots ... 44
Honey Users ... 45
Best Practices ... 47
Managing Honey Pots ... 47
Setup Data Exporter ... 48
Managing Exporters ... 49
Settings ... 51
Incident settings ... 52
User settings ... 53
Event Sources settings ... 55
Credential settings ... 56
Application settings ... 58
Incident modifications ... 59
Asset settings ... 60
Honey Users ... 60
Export Data ... 61
Static IP ranges ... 62
Unmanaged IP ranges ... 63
Network Zones ... 64
Network Policies ... 66
Tagged Domains ... 68
Unknown IP addresses ... 70
Running agents ... 70
General troubleshooting tips ... 71
Supported Event Sources ... 73
Event Source Categories ... 73
Supported Event Sources ... 74
Troubleshooting Endpoint Monitoring ... 79

Revision history
Date             Revision
May 10, 2016     Created
August 29, 2016  Published to Community

Getting started with InsightIDR


Protecting your data with InsightIDR
InsightIDR monitors authentication activity and provides customizable incidents to monitor
access to sensitive systems and environments deemed important from a security or business
perspective. Rules can be tailored to white- or blacklist users or user groups and to monitor
access to individual assets or entire network ranges. This helps businesses identify unauthorized
access from external and/or internal threats. Furthermore, these controls help enforce both
internal and external policy compliance.

Protecting your users with InsightIDR


InsightIDR is a security tool that begins and ends with the user in mind. It focuses on user
accounts that are the most common targets for sophisticated attacks, while most tools focus on
assets, executables, or packet signatures. InsightIDR automatically analyzes and correlates user
accounts with assets, network activity, and data from other security tools in your environment,
looking for irregular behavior and known indicators of compromise. Activity that may be indicative
of a breach generates an incident, which contains not only user data, but also the aforementioned
asset data so that, in the event of a breach, security teams have a more complete picture of not
just what was involved, but who was responsible, when the event happened, and where the
intruder is headed next.

Getting help
The InsightIDR technical support team is available to help you with any questions you may have.
For assistance, visit the Rapid7 Support page, www.rapid7.com/support, or send an e-mail
request to support@rapid7.com.

Rapid7 support page

For additional information, go to Security Street, the Rapid7 online community Web site, where
you will find InsightIDR users and others who are interested in data security. The site also hosts
documentation, blogs, and user comments related to InsightIDR and other security products.

InsightIDR community

Gaining visibility into user activity


InsightIDR allows you to gain control of the vast amount of user activity data available from
devices that manage your network. Track the network resources your users are working on, the
devices they are using, and even the cloud services they are visiting. If you have concerns about
a web site, Web service, or mobile device, you can tell at a glance which accounts are using it.
The quality of information available in InsightIDR is determined by the configuration of your data
sources (see Planning your Collector deployment on page 9 and see User Attribution Event
Sources on page 13).

InsightIDR overview

Collectors aggregate and transmit data from Event Sources to InsightIDR which runs analytics
and populates views in the Web application. Event sources provide log data from devices that
access your corporate network from anywhere in the world.
In order to obtain access to this log data, the InsightIDR Collector requires domain administrator
credentials that have permission to read the Active Directory and Windows Endpoint log files.
The InsightIDR Collector is hosted on-premise in the customer's environment, and credentials
are never readable anywhere outside the Collector on the corporate network. The log files are
passed through a filter before the data is transmitted to ensure that only the most necessary
information is uploaded to the hardened InsightIDR backend for analysis.

To prepare your network to work with InsightIDR, identify a server or virtual machine where you
will deploy your Collector, and then identify the Event Sources that will provide user activity data
from your network.

Planning your Collector deployment


The Collector is a machine on your network running Rapid7 software that either polls data or
receives data that is pushed from Event Sources and makes it available for InsightIDR analysis.
An Event Source represents a single device that sends logs to the Collector. For example, if you
have three firewalls, you will have one Event Source for each firewall in the Collector. The
Collector is the on-premise component of InsightIDR.
The Collector is responsible for gathering endpoint data. Note that it is often more efficient
to deploy multiple Collectors throughout an environment rather than punch extra holes in firewall
rules or overload a single Collector. Treat your Collectors as you would any other highly valuable
asset: the credentials for the various Event Sources you configure are stored on this device.
A Collector can be installed on a network server or virtual machine that meets the following
requirements:
- Operating system: Linux 64-bit or Windows 64-bit
- Minimum hardware: 4 GB RAM and 60 GB disk space; 2 CPUs recommended
- CPU: 1 CPU per 16,000 endpoints scanned by the Endpoint Scan
- Minimum network bandwidth: 100 Mbps (recommended), 1000 Mbps (strongly recommended)

There can only be one Collector installed per machine on your network. Rapid7 strongly
recommends that the machine (physical or virtual) is dedicated to running the Collector.

Collectors, foundational sources, and additional sources

Begin by configuring multiple Event Sources on a single Collector. Later, you can add Collectors
as needed. For example, you may need to distribute the bandwidth across your network if you
have very high logging levels or if your network is geographically dispersed.
To plan your Collector deployment, have the following information available for each server or
virtual machine where you will install the Collector:
- display name
- network location
- server host name and IP address

You must have administrator rights to install a service on the server.

The following process pairs the Collector installed in your network to Amazon Web Services
(AWS), where the InsightIDR servers are hosted. Note that no credentials are stored in AWS,
and raw logs are stripped by the Collector in your environment so that no sensitive data (e.g., PII,
medical records, etc.) is stored by Rapid7.


1. Configure firewall/web proxy rules to allow the Collector to reach
https://data.insight.rapid7.com and https://s3.amazonaws.com. If you have a firewall or
web proxy that restricts outgoing connections, you need to grant permission for the Collector
to be able to connect to the backend servers. Customers deployed in our Frankfurt, Germany
instance need to be able to reach https://eu.data.insight.rapid7.com and
https://s3.eu-central-1.amazonaws.com.
2. All Collectors must be able to reach out to port 443 to: https://endpoint.ingress.rapid7.com
(US) or https://eu.endpoint.ingress.rapid7.com (EMEA).
3. Disable the local firewall on the Collector host (if possible); otherwise, allow inbound
connections on the Collector ports listed in step 10.
4. From your desktop, navigate to https://insight.rapid7.com and log in with your InsightIDR
credentials (if you do not have credentials, contact a Rapid7 Sales Representative).
5. Download the Collector installer from https://insight.rapid7.com.
6. Copy it to the machine that will run the Collector.
7. Follow the installation wizard.
8. Click Activate Collector, name the Collector, paste the Agent Key, and click Activate.
9. All Collectors must be configured with a fully qualified domain name (e.g.
idrcollector23.myorg.com).
10. All endpoints need to be able to communicate back to the Collector via Collector ports:
- 5508
- 6608
- range 20,000 - 30,000
11. Overlapping endpoint monitoring ranges are not allowed. IP addresses or IP ranges defined
on Collector A must not be duplicated on Collector B. If such an overlap exists, correct it
before the migration; otherwise those ranges have to be updated manually after the migration.
12. Each Collector can only support one set of endpoint monitoring credentials. A separate
Collector instance has to be set up for each set of endpoint monitoring credentials.
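The following script is an added example, not part of the Rapid7 guide: it performs the pre-flight checks for steps 1, 2, 3, 9 and 10 on a Windows Collector host. It tests egress to the backend hostnames listed above over port 443 and, instead of disabling the host firewall, opens only the three Collector ports. It assumes the US-region hostnames (switch to EU for Frankfurt), that the Collector ports are TCP (the guide does not state the protocol), and an elevated Windows PowerShell session.

```powershell
# Added example (not from the Rapid7 guide): Collector host pre-flight checks.
# Assumptions: US-region endpoints; TCP for the Collector ports; run elevated.

$Region = 'US'   # set to 'EU' for the Frankfurt instance
$Egress = @{
    US = @('data.insight.rapid7.com', 's3.amazonaws.com', 'endpoint.ingress.rapid7.com')
    EU = @('eu.data.insight.rapid7.com', 's3.eu-central-1.amazonaws.com', 'eu.endpoint.ingress.rapid7.com')
}

# Steps 1-2. Outbound: every backend host must answer on 443 from this machine.
$failed = @()
foreach ($h in $Egress[$Region]) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) {
        Write-Host ("OK   {0}:443 via {1}" -f $h, $r.SourceAddress.IPAddress)
    } else {
        Write-Warning ("FAIL {0}:443 - check proxy/firewall egress rules" -f $h)
        $failed += $h
    }
}
if ($failed) { Write-Warning "Collector will not pair until egress is fixed for: $($failed -join ', ')" }

# Steps 3 and 10. Inbound: allow only the Collector ports rather than turning the
# firewall off. Endpoints must reach these ports; nothing else is opened.
$inbound = @(
    @{ Name = 'InsightIDR Collector 5508';        Port = '5508' },
    @{ Name = 'InsightIDR Collector 6608';        Port = '6608' },
    @{ Name = 'InsightIDR Collector 20000-30000'; Port = '20000-30000' }
)
foreach ($rule in $inbound) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
            -LocalPort $rule.Port -Action Allow -Profile Domain,Private | Out-Null
        Write-Host "Created inbound rule: $($rule.Name)"
    }
}

# Step 9. The Collector must be registered under a FQDN; confirm this host has one.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($fqdn -notmatch '\.') {
    Write-Warning "Host name '$fqdn' is not fully qualified; join a domain or set a DNS suffix."
} else {
    Write-Host "FQDN: $fqdn"
}
```

Run it before the installer; a FAIL line on any backend host means the proxy or egress firewall still needs a rule, and the inbound rules are scoped to the Domain and Private profiles so the ports are not exposed on a Public-profile interface.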


Identifying Event Sources


Collectors communicate with your network servers and gather data from your server logs to
produce a dashboard of user activity data for your security analysts.
To ensure complete coverage, take an inventory of your network servers and data logs that you
will configure as Event Sources.
View                Event Sources
User details        Microsoft Active Directory, LDAP server logs, Rapid7 Metasploit, virus scanner,
                    VPN, and Endpoint Monitor
Asset details       Microsoft Active Directory security logs, DHCP server logs, Nexpose,
                    and Endpoint Monitor
IP address history  Microsoft Active Directory security logs, DHCP server logs
Locations           VPN server logs, cloud services (e.g. AWS, Box.com), and Microsoft ActiveSync
Services            DNS server logs, firewall, Web proxy, cloud services (Box.com, Okta,
                    Salesforce), and the Microsoft ActiveSync servers
Incidents           Microsoft Active Directory security logs, DHCP server logs, Endpoint Monitor,
                    VPN servers (IP address ranges), DNS server logs, firewall, and the Web proxy
Threats             DNS server logs, firewall, and the Web proxy

Important: Be sure to identify all of the servers that track user activity on your network and assign
them to a Collector. Otherwise, the InsightIDR dashboard may be incomplete, and you will not
have access to the data you need to keep your network, and your company's assets, safe.
Set up all of your User Attribution Event Sources before you set up any others. InsightIDR
provides step-by-step assistance as you set up your data sources.


User Attribution Event Sources


InsightIDR requires log data from three types of event sources to properly attribute all of your
organization's events to the users involved. You also need to provide the IP address ranges
issued by your VPN appliances.
Note: To measure your progress, you need to provide the total number of servers of each type
that you will add to InsightIDR from your network.
The User Attribution event sources to configure are:
- LDAP: tracks user information essential to link account activity with real users and to identify
privileged and service accounts.
- DHCP: tracks IP addresses over time. DHCP logs are required for asset-to-IP correlation.
- Domain Authentication: tracks all user logons, including both successful and failed logons.
Required for effective use of InsightIDR ingress analytics. A domain administrator account is
required for each server. These logs are stored in the context of Microsoft Active
Directory.


Configuring LDAP
1. Click Data Collection from the InsightIDR menu.

Click Data Collection

2. Click Add Event Source from the Setup Event Source menu.

Setup Event Source dropdown menu

3. The Add Event Source page displays. Click LDAP.


Click LDAP

4. Select Windows Collector from the Collector dropdown menu.

Select Windows Collector

5. Select Microsoft Active Directory LDAP from the Event Source dropdown menu.

Select Microsoft LDAP

6. Check the Timezone box if you want to display only U.S. time zones.

Timezone check box

7. Select the time zone from the Timezone dropdown menu.


Timezone menu

8. Enter the server name in the Server field.


9. Enter the user domain in the User Domain field.
10. Enter the refresh rate (in hours) in the Refresh Rate field.
11. Select the Credential from the Credential dropdown menu.

Credential menu

12. The Username field automatically populates based on the selected credential.
13. The Type field automatically populates based on the selected credential.
14. Enter the credential. In this example, the required credential is a password. The field name
reflects the credential type.
15. Optionally, enter the base distinguished name (Base DN) in the Base DN field.
16. Optionally, enter the admin group in the Admin Group field.
17. Click the SAVE button.


LDAP Event Source fields

Active Directory replicates directory data across all of its LDAP servers (domain controllers);
thus, even if you have multiple LDAP servers, you only need to configure one LDAP event source
(unless you have manually disabled replication).
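The following script is an added example and is not part of the Rapid7 guide. It validates the values you are about to enter in the LDAP event source (Server, User Domain, Credential, Base DN and Admin Group) by performing, with the same credential, the reads the Collector will perform: bind, enumerate accounts under the Base DN, and resolve the Admin Group. The server name, Base DN, group and account are placeholders; it assumes the RSAT ActiveDirectory module is installed where you run it.

```powershell
# Added example (not from the Rapid7 guide): check LDAP event source inputs.
# Assumptions: placeholder server/DN/group names; RSAT ActiveDirectory module present.

Import-Module ActiveDirectory

$Server     = 'dc01.corp.example.com'              # assumed Server value
$UserDomain = 'CORP'                               # assumed User Domain value
$BaseDN     = 'OU=Users,DC=corp,DC=example,DC=com' # assumed Base DN (optional in the UI)
$AdminGroup = 'Domain Admins'                      # assumed Admin Group value
$Cred       = Get-Credential -Message "Account the Collector will bind as ($UserDomain\user)"

# 1. Bind with the event-source credential. If this fails, the Collector will
#    fail in exactly the same way.
try {
    $domain = Get-ADDomain -Server $Server -Credential $Cred
    Write-Host "Bound to $($domain.DNSRoot) as $($Cred.UserName)"
} catch {
    throw "LDAP bind to $Server failed: $($_.Exception.Message)"
}

# 2. The Base DN must exist and must contain the accounts you want attributed.
#    A Base DN that is too narrow silently drops users from attribution.
$users = Get-ADUser -Server $Server -Credential $Cred -SearchBase $BaseDN `
            -Filter 'Enabled -eq $true' -Properties servicePrincipalName
Write-Host ("{0} enabled accounts under {1}" -f $users.Count, $BaseDN)

# 3. The Admin Group is used to identify privileged accounts; confirm it resolves
#    and list its (recursive) user members so you know who will be flagged.
$admins = Get-ADGroupMember -Server $Server -Credential $Cred -Identity $AdminGroup -Recursive |
          Where-Object objectClass -eq 'user'
Write-Host ("{0} members of '{1}':" -f $admins.Count, $AdminGroup)
$admins | Select-Object -ExpandProperty SamAccountName | Sort-Object | ForEach-Object { "  $_" }

# 4. Accounts carrying an SPN are a common heuristic for service accounts (the
#    guide does not say how InsightIDR classifies them); show how many are visible.
$svc = $users | Where-Object { $_.servicePrincipalName }
Write-Host ("{0} accounts under the Base DN carry an SPN" -f $svc.Count)
```

The bind account only needs read access to the directory; use a dedicated, least-privilege account for this event source rather than the domain administrator credential the endpoint monitoring sources require.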


Configuring Active Directory (AD)


1. Click Data Collection from the InsightIDR menu.

Click Data Collection

2. Click Add Event Source from the Setup Event Source menu.

Setup Event Source dropdown menu


3. The Add Event Source page displays. Click Active Directory.

Click Active Directory

4. Select Windows Collector from the Collector dropdown menu.

Select Windows Collector

5. Select Microsoft Active Directory Security Logs from the Event Source dropdown menu.

Select Microsoft Active Directory Security Logs

6. Check the Timezone box if you want to display only U.S. time zones.

Timezone check box


7. Select the time zone from the Timezone dropdown menu.

Timezone menu

8. Click the appropriate Collection Method.

Collection Methods


Listen for Syslog


1. Select the Protocol from the Protocol dropdown menu.

Select Protocol

2. Enter the port number in the Port field.


3. Click the SAVE button.

Syslog fields


Log Aggregator
1. Select the Log Aggregator from the Log Aggregator dropdown menu.

Select Aggregator

2. Select the Protocol from the Protocol dropdown menu.

Select Protocol

3. Enter the port number in the Port field.


4. Click the SAVE button.

Log Aggregator fields


WMI
1. Enter the server name in the Server field.
2. Enter the user domain in the User Domain field.
3. Select the Credential from the Credential dropdown menu.

Credential menu

4. The Username field automatically populates based on the selected credential.


5. Enter the credential. In this example, the required credential is a password. The field name
reflects the credential type.
6. Click the SAVE button.

WMI fields

Unlike directory data, Security event logs are not replicated between AD Domain Controllers;
each DC only records the logons it handled. Repeat these steps for each DC in your environment.
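The following script is an added example, not part of the Rapid7 guide. Because every Domain Controller has to be added as its own WMI event source, it enumerates the DCs and verifies, with the credential you intend to give the Collector, that the Security log on each one is readable over WMI, which is the read the Collector performs. It assumes the RSAT ActiveDirectory module, that WMI (DCOM) is reachable from the host you run it on, and that this host is not itself one of the DCs (Get-WmiObject refuses an explicit credential for the local machine).

```powershell
# Added example (not from the Rapid7 guide): test WMI Security-log access on every DC.
# Assumptions: RSAT ActiveDirectory module; DCOM reachable; run from a non-DC host.

Import-Module ActiveDirectory
$Cred = Get-Credential -Message 'Credential the Collector will use for WMI'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $dcName = $dc.HostName
    $row = [ordered]@{ DC = $dcName; WmiReachable = $false; SecurityLogReadable = $false; Detail = '' }
    try {
        # Cheap probe first: can we talk WMI to this DC at all?
        $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dcName -Credential $Cred -ErrorAction Stop
        $row.WmiReachable = $true

        # The real test: read one logon event (4624) from the Security log. Reading
        # Security needs the "Manage auditing and security log" right or local admin
        # on the DC. Select-Object -First 1 stops the pipeline after the first hit
        # instead of pulling the whole log across the wire.
        $ev = Get-WmiObject -Query "SELECT TimeGenerated, EventCode FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=4624" `
                -ComputerName $dcName -Credential $Cred -ErrorAction Stop | Select-Object -First 1
        if ($ev) {
            $row.SecurityLogReadable = $true
            $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($ev.TimeGenerated)
            $row.Detail = "4624 event read, generated $when"
        } else {
            $row.Detail = 'no 4624 events returned; check that logon auditing is enabled'
        }
    } catch {
        $row.Detail = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
# Any DC with SecurityLogReadable = False will show the same failure in the Collector;
# fix the access before adding that DC as an event source.
```

A DC that is WmiReachable but not SecurityLogReadable usually means the account is not in the right group on that DC; a DC that is not WmiReachable at all usually means DCOM (TCP 135 plus the dynamic port range) is blocked between the Collector and that DC.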


Configuring DHCP
Microsoft DHCP
1. On your DHCP server, create a new folder for DHCP logs; we recommend placing this folder
on the root of the C drive (C:\dhcplogs).
2. Once the folder is created, right-click the folder, select Properties-->Sharing-->Advanced
Sharing-->Share this folder-->Permissions-->Add and provide the credentials that will
have access to this file (read-only access is adequate).
3. Once the folder is ready, launch the DHCP console and right-click IPv4 in the left pane, then
click Properties.
4. Under the Advanced tab, change the Audit log file path destination folder to the new folder you
just set up (C:\dhcplogs).
5. Restart the DHCP Server service to apply the changes.
6. From the left panel of the Home page, click Data Collection.
7. Select ADD EVENT SOURCE from the SETUP EVENT SOURCE dropdown menu.

Setup Event Source dropdown menu

8. The Add Event Source screen displays. Click DHCP.

Click DHCP


9. Select Windows Collector from the Collector dropdown menu.

Collector dropdown menu

10. Select Microsoft DHCP from the Event Source dropdown menu.

DHCP Event Source menu

11. Click the Watch Directory under the Collection Method.

Click Watch Directory


12. Enter the FQDN of the DHCP server and the file path to the folder (C:\dhcplogs).

Watch Folder settings

For more information, refer to the Preparing Microsoft DHCP and DNS for the Insight Platform
Collector document.
Other non-Microsoft DHCP sources
1. Ensure the DHCP host is logging all DHCP activity.
2. Configure DHCP source to send logs to your Collector by specifying it as a syslog server.
3. Use the Listen for Syslog Collection Method to ingest logs over a predetermined port.
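The following script is an added example, not part of the Rapid7 guide. It performs steps 1 to 5 of the Microsoft DHCP preparation above on the DHCP server itself, with the read-only sharing the guide calls adequate applied on both the NTFS ACL and the SMB share, so the Collector's account can read the audit logs and nothing more. The account name is a placeholder; it assumes an elevated Windows PowerShell session on a Windows Server DHCP host with the DhcpServer module present, and that the DHCP Server service runs as the default NETWORK SERVICE account.

```powershell
# Added example (not from the Rapid7 guide): prepare Microsoft DHCP audit logs for
# the Watch Directory collection method. Assumptions: placeholder reader account;
# DhcpServer module present; DHCP Server service runs as NETWORK SERVICE (default).

$LogDir = 'C:\dhcplogs'
$Reader = 'CORP\svc-insightidr'   # assumed read-only account used by the Collector

# Step 1. Create the folder.
New-Item -Path $LogDir -ItemType Directory -Force | Out-Null

# Step 2a. NTFS: the reader gets read+execute only; the DHCP service still needs
#          to write. icacls grants are additive and inherit to files (OI)(CI).
icacls $LogDir /grant "${Reader}:(OI)(CI)RX" | Out-Null
icacls $LogDir /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)M' | Out-Null

# Step 2b. SMB: share it with read access for that one account (no Everyone/Full).
if (-not (Get-SmbShare -Name 'dhcplogs' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'dhcplogs' -Path $LogDir -ReadAccess $Reader | Out-Null
}

# Steps 3-4. Point the audit log at the new folder and make sure auditing is on.
Set-DhcpServerAuditLog -Path $LogDir -Enable $true

# Step 5. Restart the DHCP Server service so the new path takes effect.
Restart-Service -Name DHCPServer

# Verify: the audit log setting, the share permissions, and the daily log files
# (DHCP writes DhcpSrvLog-<Day>.log; a file appears once there is lease activity).
Get-DhcpServerAuditLog | Format-List Path, Enable
Get-SmbShareAccess -Name 'dhcplogs' | Format-Table AccountName, AccessRight, AccessControlType
Get-ChildItem $LogDir -Filter 'DhcpSrvLog-*.log' | Select-Object Name, LastWriteTime
```

When you then add the event source, the FQDN of this server and the path C:\dhcplogs are the values step 12 asks for; the Collector's credential for that source should be the same reader account, not a domain administrator.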


Data Collection methods


The following paragraphs describe the most common data collection methods. In some cases,
you provide the directory or file location where the Collector can access the server logs. You can
specify a local folder path or a Windows UNC (Universal Naming Convention) path to a hosted
network drive.
Important: Only those log entries that are added to the file after the Event Source is connected to
a Collector are uploaded to InsightIDR.
Watch directory
The watch directory is the network location of a watch directory where log files are copied. This
method monitors a specified directory on a local or remote host and uploads files added to the
directory, at 30-second scan intervals. Use this method for log files that roll over to new files, for
example, Microsoft DHCP and IIS (Internet Information Services) log files.
Tail file
This is the network location of a tail file where log data is stored. This method watches a specific
file written to disk using the equivalent of the UNIX tail command, at 20-second scan intervals.
Use this method for log files that are written continuously to a single file, for example, Windows
DNS log files.
Listen for Syslog
The TCP or UDP port where syslog events are being forwarded. Many network appliances can
be configured to deliver audit logs over syslog to a server. These appliances should be configured
to send their logs to a unique port on the Collector where an Event Source has been set up in
InsightIDR to ingest the logs. Collectors accept syslog messages over UDP or TCP.
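The following function is an added example and is not part of the Rapid7 guide. It sends a syslog-formatted test message to a Collector listener over UDP or TCP so you can confirm that the unique port you chose for an event source is reachable and that the message appears under that source in InsightIDR. The Collector name and ports are placeholders; it assumes newline-terminated messages for TCP (the common convention; the guide does not specify the framing).

```powershell
# Added example (not from the Rapid7 guide): send a test syslog message to a
# Collector "Listen for Syslog" port. Assumptions: placeholder Collector FQDN and
# ports; RFC 3164-style message; newline framing on TCP.

function Send-TestSyslog {
    param(
        [Parameter(Mandatory)][string]$Collector,
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('UDP','TCP')][string]$Protocol = 'UDP',
        [string]$Message = 'InsightIDR listener test from ' + $env:COMPUTERNAME
    )
    # <134> = facility local0 (16 * 8) + severity informational (6)
    $ts    = (Get-Date).ToString('MMM dd HH:mm:ss')
    $line  = "<134>$ts $env:COMPUTERNAME idr-test: $Message"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($line + "`n")

    if ($Protocol -eq 'UDP') {
        $udp = New-Object System.Net.Sockets.UdpClient
        try { $null = $udp.Send($bytes, $bytes.Length, $Collector, $Port) }
        finally { $udp.Close() }
        # UDP is fire-and-forget: success only means the datagram left this host,
        # so the real check is whether the event shows up in InsightIDR.
        return "UDP sent to ${Collector}:$Port (verify in the event source view)"
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Collector, $Port)   # throws if nothing is listening on the Collector
        $stream = $tcp.GetStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Flush()
        return "TCP delivered to ${Collector}:$Port"
    } finally { $tcp.Close() }
}

# Usage (assumed Collector FQDN and two per-source ports):
Send-TestSyslog -Collector 'idrcollector23.myorg.com' -Port 5140 -Protocol UDP
Send-TestSyslog -Collector 'idrcollector23.myorg.com' -Port 5141 -Protocol TCP -Message 'firewall source check'
```

A TCP connect failure points at the Collector's host firewall or the network path; a UDP "success" with nothing arriving in InsightIDR usually means the wrong port or a protocol mismatch with what the event source was configured to listen for.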
SIEM
In some deployments, a SIEM may already collect data. You can configure your SIEM to send
logs to the Collector by selecting the appropriate SIEM under Log Aggregator when configuring
the Event Source in InsightIDR.
Honey Pot
A Honey Pot is a virtual server that you can deploy on your network from InsightIDR. The Honey
Pot provides a simple way to detect attackers attempting to scan your network. For more
information, please refer to the Honey Pot documentation located in the InsightIDR online
community.
Endpoint Monitor
The Endpoint Monitor is a unique Event Source in the InsightIDR Collector infrastructure in that it
acts as a scanner to query endpoints across the network. The Endpoint Monitor technology
ingests this information into InsightIDR without requiring an agent to be installed on the endpoints
themselves. For more information, please refer to the Endpoint Monitoring in InsightIDR
documentation located in the InsightIDR online community.


Configuring Event Sources


Perform the following steps to configure Event Sources:
1. Click the Data Collection link from the InsightIDR menu.
2. Click Add Event Sources from the Setup Event Source dropdown menu.

Click Add Event Sources

3. The Add Event Source page displays. Click the appropriate Event Source. For this example,
it is Active Directory.

Add Event Source page

Add Active Directory Event Source page

Add Active Directory Event Source page

4. Click Windows Collector from the Collector dropdown menu.

Collector dropdown menu

5. Click Microsoft Active Directory Security Logs from the Event Source dropdown menu.

Event source dropdown menu


6. Check the Timezone box if you want to display only U.S. time zones.

Timezone check box

7. Select the time zone from the Timezone dropdown menu.

Timezone menu

8. Click the appropriate Collection Method. Additional information may need to be entered based
on the Collection Method chosen.

Collection Method buttons

9. Click the Save button.


Please review the appropriate documentation for setting up additional data sources.


Note: If your network configuration includes resources that you can access with the same user
name and password, you can reuse those credentials across multiple data sources in InsightIDR.
This way, you only need to provide the credentials once.
When all of your data sources are configured and running successfully, the InsightIDR views are
populated with your company data.
Note: As a security measure, InsightIDR logs off automatically after 15 minutes of inactivity.
When you next log on after being logged off automatically, you return to the page you last visited.


Copying Event Sources to a Collector


There may be times when you want to use an existing Collector as the starting point for another
Collector. The existing Collector has many of the Event Sources that you need; you just need to
make a few modifications for your new Collector.
Perform the following steps to copy Event Sources from one Collector to another Collector.
1. Click Data Collection from the InsightIDR menu.
2. Click Manage Collectors from the Setup Collector dropdown menu.

Click Manage Collectors

3. The Collectors page displays.

Data Collector page


4. Click the Copy event sources link for the Collector that you want to copy.

Copy event sources link

5. The Copy event sources dialog displays.

Copy event sources dialog

6. Select the Target Collector (the Collector you want to copy the Event Sources to) from the
Target Collector dropdown menu.

Select Target Collector

7. Click the Save button.

Deleting a Collector
If you encounter a problem and need to delete a Collector from the Collectors list, you must also
uninstall it from the server or virtual machine where it is installed.
To delete a Collector:
1. Click the Data Collection link in the InsightIDR menu.
2. Click Manage Collectors from the Setup Collector dropdown menu.

Collect Manage Collectors

3. The Collectors page displays.

Data Collectors page

4. Click the Delete button of the Collector that you want to delete.


Delete button for Collector

5. The Delete Collector confirmation dialog displays. Enter the name of the Collector to confirm
the deletion.

6. Click the I UNDERSTAND, DELETE THIS COLLECTOR button.


The Collector and all Event Sources assigned to it are removed from the Collectors list. Data
from the Event Sources will no longer be ingested in InsightIDR.
Note: To ensure proper operation, you must uninstall the Collector from the server where it is
installed.
7. Go to the server where the Collector is installed and uninstall it:
- In Windows, open the Start Menu, locate the Insight Platform folder, and then click the
Uninstall button.
Tip: If you cannot find the Uninstall shortcut, run the uninstall.exe file from the
InsightIDR\.install4j subdirectory of the destination directory where you installed the Collector.
- In Linux, run the uninstall script from the .install4j subdirectory of the destination directory
where you installed the Collector.

When the Uninstaller finishes, the Collector has been removed from the server. If you later
decide to reinstall and reactivate the Collector on the same machine, you can do so.


Data Collection
The Data Collection page displays Collector, Event Source, and Honey Pot information.

Data Collection page

Additional options allow you to set up Event Sources, Collectors, and Data Exporters. Refer to
the Endpoint Monitoring Guide to learn how to set up Event Sources and Collectors.

Data Collection Metrics


The top of the page displays Data Collection Metrics: Collectors, Event Sources, and Honeypots.

Data Collection Metrics

Collector Metrics
Clicking the Collector metric displays the Collector page. The left side of the page allows you to
view Collectors by their state:
- All
- Registering
- Generating Keys
- Healthy
- Warning, and
- Error

Click a state to display Collectors matching that state. The middle of the page displays
information about the selected Collectors.

Collectors page


Event Sources Metrics


Clicking the Event Sources metric displays the Event Sources page. This page displays Event
Sources and Collector information. Use the left panel to view Event Sources and Collectors by
type.

Event Sources page


Honey Pots Metrics


Clicking the Honeypots metric displays the Honey Pots page. Use the left panel to select Honey
Pots by a specific state.

Honey Pots page

Setting an Intruder Trap


The Set Intruder Trap menu allows you to:
- Manage Honeypots
- Download a Honeypot, and
- Activate a Honeypot

Honey Pots
Honey Pots are fake assets that produce an alert any time a user attempts to connect to the
device. Once attackers find an initial foothold in a network, their next step is typically a network
scan to identify all the other assets in the network.
Deployment guide
1. On the Collectors page in Insight Platform, click Download Collector and select the Honeypot
(OVA).

Download collector

2. Download the Honey Pot.


3. In your VMware environment, create a new VM from the OVA.
4. Power on the VM. You will see the following prompt:

Powering the VM


5. Provide a name that fits your network naming convention and makes the machine look
important.
6. You will be prompted to acknowledge the machine's IP address. Continue until you see:

Acknowledge machine's IP address

7. Take note of the Agent key (xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx) that is displayed.
8. On the Collectors page in the InsightIDR web interface, click Activate Collector. Enter a
name for the Honey Pot and enter the Access Key to pair the Honey Pot OVA to your
InsightIDR instance.
9. Once paired successfully, you receive automated alerts for any connection attempts to the
Honey Pot; run a standard discovery scan, a vulnerability scan, throw some exploits, or
attempt to brute force the Honey Pot to trigger an incident! These are all common techniques
during the reconnaissance and enumeration phase of the attacker's kill chain.

Honey Users
A Honey User is a dummy user that is not associated with a real person within the organization,
and therefore should never be accessed. Attackers frequently attempt to authenticate to as many
user accounts as possible during the reconnaissance phase of an attack; this helps expand their
footprint and gain access to more assets and privileges without tripping any traditional alarms.
Honey users, however, are a unique way to detect this activity; anytime someone attempts to log
in to a honey user account, InsightIDR generates a Honey User Authentication incident, which
shows when an attempt occurred and which asset was targeted.

Displaying information about a Honey User

Creating a Honey User


1. Create a new user in Active Directory with a believable name, but don't give anyone access to
the account. This will be your new Honey User.
2. Give the Honey User every appearance of a normal employee of the company! This includes
things like a complex passphrase, organizational mappings, permissions, or whatever else
may trick an attacker into believing the user is an actual employee.
3. Remember that honey users may have multiple accounts! In fact, multiple accounts can
increase the likelihood that an attacker will target the user, as it seems more authentic and
provides additional chances for reaching an administrative role (or so the attacker thinks).
4. Log in to your account in InsightIDR. Select Settings --> Honey Users and enter the newly
created Honey Users name in the search bar. Select the name to mark the user as a Honey
User.
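The following script is an added example, not part of the Rapid7 guide. It carries out steps 1 to 3 above: it creates a honey user that looks like an ordinary employee (believable name, department attributes, a long random passphrase that is never recorded, membership in an ordinary group, no real privileges) and then queries every Domain Controller for authentication attempts against that account, which is the activity InsightIDR turns into a Honey User Authentication incident. The names, OU and group are placeholders chosen to match an assumed naming convention; it assumes the RSAT ActiveDirectory module and rights to create users and read the DCs' Security logs.

```powershell
# Added example (not from the Rapid7 guide): create a honey user and check the DCs
# for any authentication attempt against it. Assumptions: placeholder names, OU and
# group; RSAT ActiveDirectory module; rights to create users and read DC Security logs.

Import-Module ActiveDirectory

$Sam   = 'm.reyes'                                      # assumed: matches an initial.lastname convention
$OU    = 'OU=Finance,OU=Users,DC=corp,DC=example,DC=com' # assumed OU
$Group = 'Finance-Users'                                 # assumed ordinary department group

# A long random passphrase nobody will ever use; it is deliberately not stored anywhere.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] 48
$rng.GetBytes($buf)
$pw  = ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force

New-ADUser -SamAccountName $Sam -Name 'Maria Reyes' -GivenName 'Maria' -Surname 'Reyes' `
    -UserPrincipalName "$Sam@corp.example.com" -Path $OU -Title 'Senior Accountant' `
    -Department 'Finance' -Description 'Finance - AP team' -AccountPassword $pw `
    -Enabled $true -PasswordNeverExpires $false
Add-ADGroupMember -Identity $Group -Members $Sam
# Do NOT grant real privileges: ordinary group membership is enough to look authentic.

# Detection check. Kerberos (4768 TGT request, 4771 pre-auth failure) and NTLM or
# interactive (4624 success, 4625 failure) events carrying the honey account name.
# Security logs are per-DC, so every DC has to be queried.
function Get-HoneyUserAuthEvents {
    param([string]$SamAccountName, [int]$Hours = 24)
    $xpath = "*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771) and " +
             "TimeCreated[timediff(@SystemTime) <= $($Hours * 3600000)]] and " +
             "EventData[Data[@Name='TargetUserName']='$SamAccountName']]"
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-WinEvent -ComputerName $dc.HostName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
            ForEach-Object {
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                $source = if ($d.IpAddress) { $d.IpAddress } else { $d.WorkstationName }
                $status = if ($d.Status)    { $d.Status }    else { $d.FailureReason }
                [pscustomobject]@{
                    Time = $_.TimeCreated; DC = $dc.HostName; EventId = $_.Id
                    Source = $source; Status = $status
                }
            }
    }
}

# Every row here is a true positive by construction: nobody legitimately uses this account.
Get-HoneyUserAuthEvents -SamAccountName $Sam -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

After creating the account, mark it as a Honey User in InsightIDR as step 4 describes; the query is a way to confirm from the DCs themselves that an attempt against the trap (for example from a password spray) was logged and to see which source address made it.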


A honey user

Best Practices
If your organization uses a naming convention for assets and/or users, configure these intruder
traps to match all naming conventions; do not name your Honey Pot "honeypot", or your honey
user "John Doe". If an attacker is smart enough to get past perimeter defenses, then he's smart
enough to avoid obviously fake assets and users.
We also recommend deploying both Honey Pots and honey users throughout the environment
with an added emphasis on critical network segments or subnets. In the event of a breach, having
tiers of intruder traps can help isolate the precise location of an intruder or malicious insider in the
network, helping Incident Response teams lock down users and assets quickly to contain the
incident.

Managing Honey Pots


Perform the following steps to manage a Honey Pot.
1. Click Manage Honeypots from the Set Intruder Trap dropdown menu.
2. The Honey Pots page displays. The left side displays options to view Honey Pots by state:
- All
- Registering
- Generating Keys
- Healthy
- Warning, and
- Error
3. The middle of the page displays information about the Honey Pots.


Honey Pots page

Setup Data Exporter


The Setup Data Exporter dropdown menu provides options to:
- Add Data Exporter
- Manage Exporters

Perform the following steps to add a Data Exporter.
1. Click Add Data Exporter from the Setup Data Exporter menu.

Setup Data Exporter menu


2. The Add Data Exporter dialog displays.


3. Click Collector from the Collector dropdown.
4. Click Data Exporter from the Data Exporter dropdown menu.
5. Optionally, enter a display name in the Display Name field.
6. Click the Save button.

Add Data Export dialog

Managing Exporters
Perform the following steps to manage Exporters.


1. Click Manage Exporters from the Setup Data Exporters dropdown menu.
2. The Data Exporters page displays. The left side of the page lists Exporters by type and state:
- Product: All
- Collector: All
- State: All, Running, Warning, Error, Stopped
3. Click a type or state to display more information about that Exporter.


4. The middle of the page displays information about the selected Exporters.

Data Exporters page


Settings
The Settings page allows you to configure InsightIDR to meet your needs. The following table
lists and explains the types of settings that you can define.
Setting                 Definition
Incident Settings       Designate the types of incidents that InsightIDR tracks.
User Settings           Assign a role to a user. You can also add new users and delete users.
Event Sources Settings  Specify the IP addresses for each event source.
Credential Settings     Add new credentials for InsightIDR to monitor.
Application Settings    Add applications for InsightIDR to monitor.
Incident Modifications  List exceptions for incidents.
Asset Settings          Designate which assets are restricted based on a Nexpose criticality
                        setting. Note: You need Nexpose to use this functionality.
Honey Users             View, mark, or delete users as Honey Users.
Export Data             Export account, asset, and mobile device information from InsightIDR
                        into a CSV file.
Static IP Ranges        Assets that do not receive IP addresses via DHCP. Most commonly, these
                        are servers and any other assets that have a statically assigned IP.
Unmanaged IP Ranges     Ranges that are outside the managed corporate network.
Network Zones           Logical labeling of different systems or business groups based on IP
                        ranges.
Network Policies        Create alerts based on rules, for example, the finance network zone can
                        only be accessed by those in the finance group within Active Directory.
                        This is driven from Network Zones and Active Directory group membership.
Tagged Domains          Domains that are owned or ignored by an organization. This is used for
                        the Spear Phishing URL detection incident.
Unknown IP Addresses    InsightIDR tracks all IP addresses it receives from DHCP and VPN
                        assignments, but sometimes logs come in with IPs that have never been
                        seen before by any of the DHCP or VPN event sources. These IPs are
                        reported as Unknown IP Addresses to help you see if you might be missing
                        a DHCP or VPN event source somewhere in your environment that you
                        should hook up to a Collector.
Running Agents          Displays a list of running agents. The hostname and last seen time are
                        displayed.

Incident settings
Incident settings designate the types of incidents that InsightIDR tracks. To disable the tracking of an incident, uncheck that incident's checkbox; to enable an incident, check that incident's checkbox.

Enabling incident tracking

Some incident types allow you to designate information by:
- specific user type
- time period
- priority
- Ingress type

Incident by user type

Incident by time period

Incident by priority

Incident by Ingress type

User settings
User settings allow you to assign a role to a user. You can also add new users and delete users. The following table explains the different user types and associated functionality.

Setting | Functionality
Admin | Can perform all Insight Platform functionality
Investigator | Can view incidents and start investigations
Read only | Can only view information

Adding a user
To add a user, perform the following steps.
1. Click the ADD USER button. The Create User dialog displays.

Add user button

2. Enter the user's e-mail address in the Email field.
3. Enter the user's first name in the First Name field.
4. Enter the user's last name in the Last Name field.

5. Select the user's role from the Role dropdown menu.

Setting role drop-down

6. Enter your password in the Password field.
7. Re-enter your password in the Confirm Password field.
8. Click the Create button.

Add user dialog

Changing a user's role

To change the user's role, select the appropriate role from the Role dropdown list for that user.

Change user role

Deleting a user
To delete a user, click the icon on the right-hand side of the row of the user to delete.

Delete user

Event Sources settings

Event source categories include:

User Attribution - In order to more easily understand the activity which occurs in your environment, it is highly recommended that you configure the event sources necessary to tie actions back to the users and assets involved. These foundational event sources are LDAP, DHCP logs, and Active Directory Security Logs. These sources will not only add context to analytics, but also make Search easier.

Endpoint Monitoring - For critical servers and endpoints belonging to remote employees, it is recommended to install the Rapid7 persistent agent to enable real-time streaming of events and ensure your team is not blind to the activities which occur when assets are off the network. When a persistent agent is not desired, it is recommended to use the Rapid7 Agentless Endpoint Scan. This option collects data from your endpoints periodically, monitors local user activity, Windows logon activity, and event log tampering, and enables process hashes to be identified, analyzed for commonality, and checked against VirusTotal for known malware.

Rapid7 - If you already own any of our threat exposure management products such as Nexpose and Metasploit, you can add exposure knowledge to your incident analysis.

Security Data - InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

Raw Data - InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

Entering a VPN IP address range or Local IP address range
To enter a VPN IP address range:

1. Enter the VPN IP address range in the VPN IP Address Range field.
2. Click the Submit button.
To enter a Local IP address range:
1. Enter the Local IP address range in the Local IP Address Range field.
2. Click the Submit button.

Event source settings

Credential settings
Credential settings allow you to add new credentials for InsightIDR to monitor.

Credential settings

To add a new credential, perform the following steps:


1. Click the ADD CREDENTIAL button.

Add credential button

2. The NEW CREDENTIAL dialog displays.
3. Enter the name of the new credential in the Name field.
4. Enter the user name of the credential in the Username field.
5. Select the credential type from the Type dropdown menu.

Credential drop-down

6. Enter the password in the Password field.

7. Click the DEPLOY CREDENTIAL button.

New credential dialog

Application settings
Application settings allow you to add applications for Insight Platform to monitor. To add an application, perform the following steps:
1. Click the ADD APPLICATION button.

Add application button

2. The New Application dialog displays.
3. Enter the name of the application in the Name field.
4. Select the application type from the Type dropdown menu.

Application type drop-down

5. Click the CREATE button.

Add application dialog

Incident modifications
Incident modifications list exceptions for incidents. These are generated when you choose to either whitelist or blacklist an incident when you close it. Incidents include:
- Permitted Disabled Authentication to Asset
- Allowed Ingress From User
- Suspicious Authentication To Asset
- Allowed Ingress From Location
- Honeypot Exception
- Permitted Local Account Authentications
- Permitted Impersonation
- Permitted Brute Force
- Permitted Brute Force User
- Permitted Access to New Assets
- Account Enabled Whitelist

Incident settings

Asset settings
Asset settings allow you to designate which assets are restricted based on a Nexpose criticality setting. Note: You need Nexpose to use this functionality.
To set the Nexpose criticality setting, perform the following steps:
1. Tick the Use criticality setting from Nexpose checkbox.
2. Select the criticality level from the Criticality dropdown button.
3. Click the Submit button.

Set criticality

Honey Users
This page allows you to mark, unmark, and view Honey Users.
Marking a user as a Honey User
To mark a user as a Honey User, perform the following steps:
1. Enter the name of the user that you want to mark as a Honey User in the Search field. As you type in the name, InsightIDR displays a list of users based on what you have typed.

Searching for a user to mark as a Honey User

2. Based on the results InsightIDR displays, if the user's name displays, select it. If not, continue typing until either the name displays or until you have typed the complete name.
3. Press the Enter key. The name displays in the Honey User list.
In this example, I selected Carla Hoffman.

Honey users list

Export Data
Export Data allows you to export account, asset, and mobile device information from InsightIDR
into a Comma Separated Values (CSV) file. Click the CSV button next to the file that you want to
download. You can open the file in Excel or any program, for example, a text editor, that can open
a CSV file.

Export data

Static IP ranges
Static IP ranges are used to define assets that do not receive IP addresses via DHCP. Most
commonly, these are servers and any other assets that have a statically assigned IP. You can
add and edit ranges.
Adding a Static IP range
To add a Static IP range, perform the following instructions:
1. Click the ADD IP RANGE button.

Add IP range button

2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field. The format is xxx.xxx.x.x/xx where the values before
the slash (/) are the starting range and the value after the slash is the last entry in the range.
For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1,
192.168.1.2, to the address 192.168.1.24.
4. Click the checkmark.

Add IP range

Editing a Static IP range

To edit a Static IP range, perform the following instructions:
1. Click on the pencil icon to the right of the range that you want to edit.
2. Make the required edits.
3. Click the checkmark.

Edit IP range

Unmanaged IP ranges
Unmanaged IP ranges are ranges that are outside the managed corporate network.
Adding an Unmanaged IP range
To add an Unmanaged IP Range, perform the following instructions:
1. Click the ADD IP RANGE button.

Add IP range button

2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field. The format is xxx.xxx.x.x/xx where the values before
the slash (/) are the starting range and the value after the slash is the last entry in the range.
For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1,
192.168.1.2, to the address 192.168.1.24.
4. Click the checkmark.

Add IP range

Network Zones
Network Zones allow the logical labeling of different systems or business groups based on IP
ranges.

Network zones

Adding a Network Zone


To add a Network Zone, perform the following instructions:
1. Click the ADD ZONE button.

Add zone button

2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field. The format is xxx.xxx.x.x/xx where the values before
the slash (/) are the starting range and the value after the slash is the last entry in the range.
For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1,
192.168.1.2, to the address 192.168.1.24.
4. Click the checkmark.

Add IP range

Editing a Network Zone

To edit a Network Zone, perform the following instructions:
1. Click on the pencil icon to the right of the range that you want to edit.
2. Make the required edits.
3. Click the checkmark.

Edit IP range

Network Policies
Network Policies allow you to create alerts based on rule violations. For example, the finance
network zone can only be accessed by those in the finance group within the Active Directory. This
is driven from Network Zones and Active Directory group membership.

Network policies

Adding a Network Policy


To add a network policy, perform the following steps:
1. Click the ADD POLICY button. The New Policy dialog displays.

Add policy button

2. Enter the group name in the Group Names search field. As you type in the name, the search
field is populated based on related information imported from the LDAP. If you don't see an
expected name, check your LDAP settings.

Network policies group names

3. Select the access policy from the Access Policy dropdown menu.

Access policies

4. Select the zone from the Zone dropdown menu.

Create policy zone

5. Enter the name of the zone in the Zone Name field. Note: If you select an existing zone, the
Zone Name and IP Ranges fields become hidden since they were defined when the existing
zone was defined. In this case, the group names and access policies are added to the
existing zone.
6. Enter the IP range(s) in the IP Ranges field. The format is xxx.xxx.x.x/xx where the values
before the slash (/) are the starting range and the value after the slash is the last entry in the
range. For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1,
192.168.1.2, to the address 192.168.1.24.
7. Click the Save button.
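The policy model described in the Static IP range, Unmanaged IP range, Network Zone and Network Policy sections above (a zone is a set of IP ranges, a policy ties Active Directory group names and an access policy to that zone, and an authentication into the zone by a user outside the permitted groups raises an alert) as an added Python example. This is not InsightIDR's own code: the access policy is simplified to an allow-list of groups, and the zone names, group memberships and authentication events are constructed. One caveat on the range format: the number after the slash in CIDR notation is a prefix length in bits, so 192.168.1.0/24 covers all 256 addresses from 192.168.1.0 through 192.168.1.255, which the `cidr_address_count` helper shows.

```python
"""Added example (not InsightIDR code): evaluating authentication events against
Network Zones and Network Policies.

A zone is a set of IP ranges in CIDR form; a policy ties Active Directory group
names to a zone.  Here the access policy is simplified to an allow-list: an
authentication to an address inside the zone by a user who is in none of the
permitted groups produces an alert.  Zone names, group memberships and events
are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def cidr_address_count(cidr: str) -> int:
    """Addresses covered by a CIDR block.  The number after the slash is a prefix
    length in bits, so 192.168.1.0/24 spans 2**(32-24) = 256 addresses
    (192.168.1.0 through 192.168.1.255)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


@dataclass(frozen=True)
class NetworkPolicy:
    zone_name: str
    ip_ranges: tuple[str, ...]      # CIDR strings as entered in the IP Ranges field
    allowed_groups: frozenset[str]  # AD group names as entered in Group Names

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # strict=False accepts ranges entered with host bits set, e.g. 10.10.5.1/24
        return any(addr in ipaddress.ip_network(r, strict=False) for r in self.ip_ranges)


# Constructed directory data, as it would be imported from LDAP: user -> groups
GROUP_MEMBERSHIP = {
    "carla.hoffman": {"finance", "all-staff"},
    "dev.user": {"engineering", "all-staff"},
}

# Constructed policies: the Finance zone is reachable only by the finance group
POLICIES = [
    NetworkPolicy("Finance", ("10.10.5.0/24",), frozenset({"finance"})),
    NetworkPolicy("Engineering", ("10.10.20.0/22",), frozenset({"engineering"})),
]


def evaluate_event(event: dict, policies=POLICIES, membership=GROUP_MEMBERSHIP) -> list[str]:
    """Return one alert per policy the authentication event violates."""
    groups = membership.get(event["user"], set())
    alerts = []
    for policy in policies:
        if not policy.contains(event["dest_ip"]):
            continue                      # destination is outside this zone
        if groups & policy.allowed_groups:
            continue                      # user holds a permitted group
        alerts.append(
            f"Network policy violation: {event['user']} "
            f"(groups: {', '.join(sorted(groups)) or 'none found in LDAP'}) "
            f"authenticated to {event['dest_ip']} in zone {policy.zone_name}"
        )
    return alerts


# Constructed authentication events, as derived from Active Directory security logs
SAMPLE_EVENTS = [
    {"user": "carla.hoffman", "dest_ip": "10.10.5.17"},   # finance user, Finance zone: allowed
    {"user": "dev.user", "dest_ip": "10.10.5.17"},        # engineer, Finance zone: alert
    {"user": "dev.user", "dest_ip": "10.10.22.9"},        # engineer, Engineering zone: allowed
    {"user": "unknown.svc", "dest_ip": "10.10.5.2"},      # no LDAP groups, Finance zone: alert
    {"user": "dev.user", "dest_ip": "192.168.1.200"},     # address in no zone: no policy applies
]


def run_samples(events=SAMPLE_EVENTS) -> list[str]:
    return [alert for e in events for alert in evaluate_event(e)]


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

The "none found in LDAP" case mirrors the advice in step 2: a user who appears in authentication logs but in no imported group is either a service account the policy should name explicitly or a sign that the LDAP event source is not returning the expected groups.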

Tagged Domains
Tagged Domains are domains that are either owned or controlled by your organization or domains that your organization wishes to ignore. This is used for the Spear Phishing URL detection incident. In our example, Rapid7 is tagged as an owned domain. InsightIDR sends alerts when it detects attempts to spoof this domain. Referring to our example, Duosecurity.com is tagged as a domain to ignore. InsightIDR does not send alerts regarding this domain.

Tagged domains

Tagging a new owned domain or a new ignored domain


To tag an owned domain or a domain to ignore, perform the following steps:
1. To tag a domain as owned, enter the domain name in the New Owned Domain field.
2. To tag a domain to ignore, enter the domain name in the New Ignored Domain field.
3. Click the appropriate Submit button.
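The owned/ignored distinction above, as an added Python example that is not InsightIDR's code. The page does not describe how InsightIDR decides that a URL is an attempt to spoof an owned domain, so the look-alike heuristic here (small edit distance to an owned name, or an owned name embedded in a foreign registered domain) and the sample URLs are assumptions for illustration; the owned and ignored domains are the ones from the page's example.

```python
"""Added example (not InsightIDR code): checking observed URLs against Tagged Domains.

Owned domains are the ones to protect against spoofing; ignored domains are
skipped.  The look-alike heuristic below is an illustrative assumption, not the
product's detection logic, and the sample URLs are constructed."""
from __future__ import annotations

from urllib.parse import urlparse

OWNED = {"rapid7.com"}          # tagged as owned in the page's example
IGNORED = {"duosecurity.com"}   # tagged as ignored in the page's example


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (adequate for .com-style names;
    multi-part public suffixes such as .co.uk would need a suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, owned=OWNED, ignored=IGNORED, max_distance: int = 2) -> str:
    """Classify a URL's host as 'owned', 'ignored', 'lookalike' or 'unrelated'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in owned:
        return "owned"
    if reg in ignored:
        return "ignored"
    for d in owned:
        owned_name = d.split(".")[0]            # 'rapid7' from 'rapid7.com'
        # Short owned names (three or four letters) make both checks noisy;
        # tune max_distance per domain in that case.
        if levenshtein(reg.split(".")[0], owned_name) <= max_distance:
            return "lookalike"                   # e.g. a one-letter substitution
        if owned_name in host.replace(".", "").replace("-", ""):
            return "lookalike"                   # owned name used as a label or prefix
    return "unrelated"


# Constructed sample URLs as they might appear in inbound e-mail
SAMPLE_URLS = [
    "https://www.rapid7.com/support",
    "https://duosecurity.com/frame/prompt",
    "http://rapld7.com/password-reset",
    "http://rapid7-secure.example/login",
    "https://rapid7.com.evil.example/",
    "https://example.org/newsletter",
]


def classify_all(urls=SAMPLE_URLS) -> dict[str, str]:
    return {u: classify(u) for u in urls}


def spoof_alerts(urls=SAMPLE_URLS) -> list[str]:
    """URLs that warrant a spoofed-owned-domain alert."""
    return [u for u, c in classify_all(urls).items() if c == "lookalike"]


if __name__ == "__main__":
    for u, c in classify_all().items():
        print(f"{c:10s} {u}")
```

Ignored domains are checked before the look-alike tests, which matches the page's description: an ignored domain never produces an alert, even if its name happens to resemble an owned one.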

Unknown IP addresses
InsightIDR tracks all IP addresses it receives from DHCP and VPN assignments, but sometimes logs come in with IPs that have never been seen before by any of the DHCP or VPN event sources. These IPs are reported as Unknown IP Addresses in order to help you see if you might be missing a DHCP or VPN event source in your environment somewhere that you should hook up to a Collector. Some of these might be related to DHCP servers or VPN servers that haven't been configured, some might be static IP ranges and others might be unmanaged. Select a range and select a resolution option.
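The triage described above (an address in the logs that no DHCP or VPN event source ever assigned is either static, unmanaged, or evidence of a DHCP/VPN server that is not yet hooked up to a Collector), as an added Python example. This is not InsightIDR's code; the assignment set, the ranges and the firewall log lines are constructed.

```python
"""Added example (not InsightIDR code): triaging source IPs that appear in logs
but that no DHCP or VPN event source has ever assigned.  Each such address is
bucketed as static, unmanaged, or unattributed (a sign that the DHCP or VPN
server issuing it is not yet hooked up to a Collector).  The assignments, ranges
and firewall log lines are constructed for illustration."""
from __future__ import annotations

import ipaddress
import re

# Constructed: addresses already attributed through DHCP lease and VPN assignment events
KNOWN_ASSIGNMENTS = {"10.0.1.25", "10.0.1.26", "172.16.8.14"}
STATIC_RANGES = ["10.0.50.0/24"]          # servers with statically assigned IPs
UNMANAGED_RANGES = ["203.0.113.0/24"]     # outside the managed corporate network (TEST-NET-3)

# Constructed syslog-style lines from a firewall event source
SAMPLE_LOGS = [
    "Jan 12 09:14:01 fw1 allow src=10.0.1.25 dst=10.0.50.10 dport=443",
    "Jan 12 09:14:05 fw1 allow src=10.0.50.10 dst=10.0.1.25 dport=49152",
    "Jan 12 09:15:22 fw1 deny src=203.0.113.77 dst=10.0.50.10 dport=22",
    "Jan 12 09:16:40 fw1 allow src=10.0.77.9 dst=10.0.50.10 dport=445",
    "Jan 12 09:16:41 fw1 allow src=10.0.77.9 dst=10.0.50.11 dport=445",
    "Jan 12 09:17:02 fw1 heartbeat uptime=86400",          # no source IP at all
]

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")
UNATTRIBUTED = "unattributed: hook the DHCP or VPN source that issues this address up to a Collector"


def in_any(ip: str, cidrs: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def triage_unknown_ips(lines=SAMPLE_LOGS, known=KNOWN_ASSIGNMENTS,
                       static=STATIC_RANGES, unmanaged=UNMANAGED_RANGES) -> dict[str, str]:
    """Map each never-assigned source IP to a resolution bucket."""
    result: dict[str, str] = {}
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue                                  # line carries no source address
        ip = m.group(1)
        if ip in known or ip in result:
            continue                                  # attributed, or already triaged
        if in_any(ip, static):
            result[ip] = "static"
        elif in_any(ip, unmanaged):
            result[ip] = "unmanaged"
        else:
            result[ip] = UNATTRIBUTED
    return result


if __name__ == "__main__":
    for ip, bucket in triage_unknown_ips().items():
        print(f"{ip:16s} {bucket}")
```

In the sample, 10.0.77.9 is the interesting case: it is inside the corporate 10.0.0.0/8 space, falls in no declared static range, and was never handed out by a monitored DHCP or VPN server, so a DHCP scope is probably being served by a server without an event source.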

Running agents
This page displays a list of running agents. The hostname and last seen time are displayed. Use
the Search by hostname box to search for a host.

Running agents

General troubleshooting tips

Your InsightIDR pages are populated with user activity data derived from your network logs. If your InsightIDR pages appear to be incomplete, you may need to check your data sources. For more information, see Identifying Event Sources on page 12.

Q: I cannot activate the Collector. The activation key does not work.
A: First, make sure you have the correct activation key. It's located in the AgentKey.html file in the Insight Platform/agent_key subdirectory of the destination directory where you installed the Collector.
If the key is correct but still does not work, it may have been voided. This can occur if you do not activate the Collector immediately after installing it or if you have restarted the server where the Collector is installed.
If the activation key has been voided, you will need to uninstall the Collector and then reinstall it.
To uninstall the Collector from the server where it is installed:
- In Windows, open the Start Menu, locate the InsightIDR folder, and then click Uninstall.
  TIP: If you cannot find the Uninstall shortcut, run the uninstall.exe file from the Insight Platform\.install4j subdirectory of the destination directory where you installed the Collector.
- In Linux, run the uninstall script from the .install4j subdirectory of the destination directory where you installed the Collector.
When the Uninstaller finishes, the Collector has been removed from the server. If you later decide to reinstall and reactivate the Collector on the same machine, you can do so. Reinstall the Collector on the server and then return to the InsightIDR Web application immediately and activate the Collector. Do not shut down the server where the Collector is installed until it has been activated in Insight Platform.

Q: How do I increase the amount of RAM the Collector uses in environments that require a lot of RAM?
A: If your Collector is handling more than 100,000 EPM, configure the Collector to use more of the available memory on the server where it is installed. Place a file named collector.vmoptions in the same directory where you installed the Collector, containing the following line (no spaces):
-Xmx#g
where "#" is the number of GB of memory the Collector should use. For a 4GB machine, you can tell the Collector to use 3GB of memory by putting -Xmx3g in the file. For an 8GB machine, you can tell the Collector to take 6GB of memory by saving a collector.vmoptions file in the Collector directory with the line -Xmx6g.
Q: I have set up an Event Source using syslog data collection, but the log data is not
showing up in InsightIDR.
A: If the Collector has a local firewall running, that firewall may be blocking the port you
configured for the Event Source. Check your firewall settings to make sure the device can
communicate with the InsightIDR Collector via the configured port. If firewall settings seem to be
correct, try stopping the current Event Source and configuring a Rapid7 Generic Syslog Event
Source to listen to the same port. If the generic syslog shows EPM, there is a problem with the log
format. Contact support for further assistance.
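A small reachability check for the syslog case above, as an added Python example that is not Rapid7 code: it builds a syslog line in the common RFC 3164 layout (`<PRI>TIMESTAMP HOST APP: MSG`, with PRI = facility * 8 + severity), sends it as a UDP datagram, and parses it back. The Collector hostname and port are placeholders, and the loopback self-test stands in for a real Collector so the block runs offline. If the line is received by a local listener but the Event Source still shows no EPM, the port or a firewall on the Collector host is the next thing to check; if the Generic Syslog source does show EPM, the problem is the format of the device's lines, which is exactly what the parser's `None` result models.

```python
"""Added example (not Rapid7 code): a minimal syslog sender and receiver for
checking that a Collector's listening port is reachable before suspecting the
log format.  The Collector address and port are placeholders; the loopback
self-test replaces the Collector with a local UDP listener."""
from __future__ import annotations

import re
import socket
import time

FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
# Placeholders: the Collector's FQDN and the port configured on the Event Source
COLLECTOR_HOST = "collector.example.internal"
COLLECTOR_PORT = 5140


def build_message(facility: int, severity: int, hostname: str, app: str,
                  text: str, timestamp: str | None = None) -> str:
    """Format an RFC 3164 style line: <PRI>TIMESTAMP HOST APP: MSG, PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    ts = timestamp or time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {app}: {text}"


LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def parse_message(line: str) -> dict | None:
    """Parse a line in the layout build_message produces; None means the format does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "app": m.group(4), "text": m.group(5)}


def send_udp(message: str, host: str = COLLECTOR_HOST, port: int = COLLECTOR_PORT) -> int:
    """Send one datagram.  UDP gives no delivery feedback, so a firewall dropping the
    port will not raise here; confirm receipt on the Collector side (EPM on the source)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode(), (host, port))


def loopback_selftest() -> dict | None:
    """Bind a throwaway UDP listener on 127.0.0.1, send a test line to it, parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        port = listener.getsockname()[1]
        send_udp(build_message(FACILITY_LOCAL0, SEVERITY_INFO, "fw1", "idr-test", "reachability check"),
                 "127.0.0.1", port)
        data, _ = listener.recvfrom(2048)
    return parse_message(data.decode())


if __name__ == "__main__":
    print(loopback_selftest())
```

To test a real Collector, call `send_udp(build_message(...), "<collector-fqdn>", <port>)` from the device's network segment and watch the Event Source's EPM counter; the loopback test only proves the code path, not the network path.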
Q: I have an Event Source that InsightIDR does not support. Is there a way for Insight
Platform to monitor that source?
A: Use the Rapid7 Generic Syslog Event Source to upload sample log files that are not supported
by any Event Source in InsightIDR. The Development team will work with the sample data to
create a new Event Source in InsightIDR. When they are done, you will be notified to delete the
Rapid7 Generic Syslog Event Source and add the new Event Source to your Collector.

Supported Event Sources

The InsightIDR team is continually adding support for Event Sources. If you have a device that is not listed in the following list, contact Technical Support (www.rapid7.com/support) with details about the device and sample log output. Use the Rapid7 Generic Syslog Event Source to upload sample log data. Please refer to the Settings page for the latest information.

Event Source Categories

InsightIDR seamlessly integrates log data from each event source provided to deliver additional context around user behaviors, compromised credentials, and other potentially malicious activity. We strongly recommend that all log sources that meet supported collection methods be made available to InsightIDR.

User Attribution - In order to more easily understand the activity which occurs in your environment, it is highly recommended that you configure the event sources necessary to tie actions back to the users and assets involved. These foundational event sources are LDAP, DHCP logs, and Active Directory Security Logs. These sources will not only add context to analytics, but also make Search easier.

Endpoint Monitoring - For critical servers and endpoints belonging to remote employees, it is recommended to install the Rapid7 persistent agent to enable real-time streaming of events and ensure your team is not blind to the activities which occur when assets are off the network. When a persistent agent is not desired, it is recommended to use the Rapid7 Agentless Endpoint Scan. This option collects data from your endpoints periodically, monitors local user activity, Windows logon activity, and event log tampering, and enables process hashes to be identified, analyzed for commonality, and checked against VirusTotal for known malware.

Rapid7 - If you already own any of our threat exposure management products such as Nexpose and Metasploit, you can add exposure knowledge to your incident analysis.

Security Data - InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

Raw Data - InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

Supported Event Sources

User Attribution

LDAP
- Microsoft Active Directory LDAP

ACTIVE DIRECTORY
- Microsoft

DHCP
- Alcatel-Lucent VitalQIP
- Bluecat
- Cisco IOS
- Cisco Meraki
- Infoblox Trinzic
- ISC dhcpd
- Microsoft
- MikroTik
- Sophos UTM

Endpoint Monitoring
- Rapid7 Continuous Endpoint Agent - Windows
- Rapid7 Agentless Endpoint Scan - Windows
- Rapid7 Agentless Endpoint Scan - Mac
- Rapid7 Linux Asset Monitor

Rapid7
- Rapid7 Metasploit
- Rapid7 Nexpose

Security Data

DNS
- Bluecat ISC
- Infoblox Trinzic
- ISC Bind9
- Microsoft
- MikroTik
- PowerDNS

IDS/IPS
- Cisco Sourcefire
- Dell iSensor
- Dell SonicWall
- HP TippingPoint
- McAfee IDS
- Metaflows IDS
- Security Onion
- Snort

FIREWALL
- Barracuda NG
- Cisco ASA + VPN
- Cisco IOS
- Cisco Meraki
- Check Point
- Clavister W20
- Fortinet Fortigate
- Juniper Junos OS
- Juniper Netscreen
- McAfee
- Palo Alto Networks and VPN (also includes Wildfire support)
- pfSense
- SonicWALL
- Sophos
- Stonesoft
- Watchguard XTM

ADVANCED MALWARE
- FireEye NX
- Palo Alto Networks WildFire

VPN
- Barracuda NG
- Cisco ASA
- Citrix NetScaler
- F5 Networks FirePass
- Fortinet FortiGate
- Juniper SA
- Microsoft IAS (RADIUS)
- Microsoft Network Policy Server
- Microsoft Remote Web Access
- MobilityGuard OneGate
- OpenVPN
- SonicWALL
- VMware Horizon
- WatchGuard XTM

WEB PROXY
- Barracuda Web Filter
- Blue Coat
- Cisco IronPort
- Fortinet FortiGate
- Intel Security (fka McAfee) Web Reporter
- McAfee Web Reporter
- Sophos Secure Web Gateway
- Squid
- TrendMicro Control Manager
- Watchguard XTM
- WebSense Web Security Gateway
- Zscaler NSS

E-MAIL & ACTIVESYNC
- Microsoft Exchange Transport Agent (Email monitoring)
- OWA/ActiveSync (Ingress monitoring, mobile device attribution)

CLOUD SERVICES
- Microsoft Office 365
- AWS CloudTrail
- Box.com
- Duo Security
- Google Apps
- Okta
- Salesforce

APPLICATION MONITORING
- Atlassian Confluence
- Microsoft SQL Server

VIRUS SCANNERS
- Cylance Protect
- Check Point AV
- F-Secure
- McAfee ePO
- Sophos
- Symantec Endpoint Protection
- TrendMicro OfficeScan
- TrendMicro Control Manager

DATA EXPORTERS (Send data from Insight Platform)
- FireEye Threat Analytics Platform (TAP)
- HP ArcSight and HP ArcSight Logger
- Splunk

SIEMs/LOG AGGREGATORS (Receive data from these platforms into Insight Platform)
- HP ArcSight
- IBM QRadar
- LogRhythm
- McAfee Enterprise Security Manager (fka Nitrosecurity)
- Splunk

Raw Data

GENERIC SYSLOG
- Rapid7 Generic Syslog
- Rapid7 Generic Windows Event Log
- Rapid7 Raw Data

Troubleshooting Endpoint Monitoring

Endpoint and Collector Requirements:
1. All Collectors must be:
   a. Configured with a fully qualified domain name (e.g. idrcollector23.myorg.com)
   b. Able to reach out over port 443 to:
      1. https://endpoint.ingress.rapid7.com (US) or
      2. https://eu.endpoint.ingress.rapid7.com (EMEA)
2. Each Collector can contain no more than one set of endpoint credentials. For example, if you have two sets of endpoint credentials you must have at least two Collectors.
3. Endpoint credentials should include the domain in addition to the username, for example domain\username.
4. All endpoints need to be able to communicate back to the Collector via TCP on Collector ports:
   a. 5508
   b. 6608
   c. range 20,000 - 30,000
5. Overlapping endpoint monitoring ranges are not allowed. IP addresses or IP ranges defined on Collector A should not be duplicated on Collector B. If this exists, it should be updated ASAP.

When a customer does not see endpoints returning logs in their scans or in their Continuous Agents, the first thing to do is review the following diagram to confirm that all ports are available as expected.

If the external firewall and web proxies are configured correctly, check a sample endpoint for agent log files. For the scan agent, there should be a Rapid7 folder in either:
- C:\Windows\Temp\, or
- C:\Users\<<IDR_service_account>>\AppData\Local\Temp\

For the Continuous Agent, the Rapid7 folder should be found in c:\program files(x86)\. Inside the Rapid7 folder, look for the following 3 files and send them to engineering if available for review:
- agent.log
- config.json
- powershell.log

Endpoint network