Insight Platform Quick Start Guide
Contents
Revision history
Getting help
InsightIDR overview
Event Sources
Configuring LDAP
Log Aggregator
WMI
Configuring DHCP
Deleting a Collector
Data Collection
Honey Pots
Honey Users
Best Practices
Managing Exporters
Settings
Incident settings
User settings
Credential settings
Application settings
Incident modifications
Asset settings
Honey Users
Export Data
Static IP ranges
Unmanaged IP ranges
Network Zones
Network Policies
Tagged Domains
Unknown IP addresses
Running agents
Revision history
Date
Revision
Created
Published to Community
Getting help
The InsightIDR technical support team is available to help you with any questions you may have.
For assistance, visit the Rapid7 Support page, www.rapid7.com/support, or send an e-mail
request to support@rapid7.com.
For additional information, go to Security Street, the Rapid7 online community Web site, where
you will find InsightIDR users and others who are interested in data security. The site also hosts
documentation, blogs, and user comments related to InsightIDR and other security products.
Figure: InsightIDR community
InsightIDR overview
Collectors aggregate and transmit data from Event Sources to InsightIDR, which runs analytics
and populates views in the Web application. Event Sources provide log data from devices that
access your corporate network from anywhere in the world.
In order to obtain access to this log data, the InsightIDR Collector requires domain administrator
credentials that have permission to read the Active Directory and Windows Endpoint log files.
The InsightIDR Collector is hosted on-premise in the customer's environment, and credentials
are never readable anywhere outside the Collector on the corporate network. The log files are
passed through a filter before the data is transmitted to ensure that only the most necessary
information is uploaded to the hardened InsightIDR backend for analysis.
To prepare your network to work with InsightIDR, identify a server or virtual machine where you
will deploy your Collector, and then identify the Event Sources that will provide user activity data
from your network.
Recommended Collector hardware: 2 CPUs
There can only be one Collector installed per machine on your network. Rapid7 strongly
recommends that the machine (physical or virtual) is dedicated to running the Collector.
Begin by configuring multiple Event Sources on a single Collector. Later, you can add Collectors
as needed. For example, you may need to distribute the bandwidth across your network if you
have very high logging levels or if your network is geographically dispersed.
To plan your Collector deployment, have the following information available for each server or
virtual machine where you will install the Collector:
- display name
- network location
11. Overlapping endpoint monitoring ranges are not allowed. IP addresses or IP ranges defined
on Collector A should not be duplicated on Collector B. If this exists, it should be updated
before the migration, or those ranges will have to be updated manually after the migration.
12. Each Collector can only support one set of endpoint monitoring credentials. A separate
Collector instance will have to be set up for each set of endpoint monitoring credentials.
Event Sources
InsightIDR data: Event Sources that provide it
User details: Microsoft Active Directory, LDAP server logs, Rapid7 Metasploit, virus scanner,
VPN, and Endpoint Monitor
Asset details: Microsoft Active Directory security logs and the DHCP server logs, Nexpose,
and Endpoint Monitor
IP address history:
Locations: VPN server logs, cloud services (e.g. AWS, Box.com), and Microsoft ActiveSync
Services: DNS server logs, firewall, Web proxy, cloud services (Box.com, Okta, Salesforce),
and the Microsoft ActiveSync servers
Incidents: Microsoft Active Directory security logs, DHCP server logs, Endpoint Monitor,
VPN servers (IP address ranges), DNS server logs, firewall, and the Web proxy
Threats:
Important: Be sure to identify all of the servers that track user activity on your network and assign
them to a Collector. Otherwise, the InsightIDR dashboard may be incomplete, and you will not
have access to the data you need to keep your network, and your company's assets, safe.
Set up all of your User Attribution Event Sources before you set up any others. InsightIDR
provides step-by-step assistance as you set up your data sources.
LDAP: Tracks user information essential to link account activity with real users and to identify
privileged and service accounts.
DHCP: Tracks IP addresses over time. DHCP logs are required for asset-to-IP correlation.
Domain Authentication: Tracks all user logons, including both successful and failed logons.
Required for effective use of InsightIDR ingress analytics. A domain administrator account is
required for each server. These logs are stored in the context of Microsoft Active Directory.
Configuring LDAP
1. Click Data Collection from the InsightIDR menu.
2. Click Add Event Source from the Setup Event Source menu.
Figure: Click LDAP
5. Select Microsoft Active Directory LDAP from the Event Source dropdown menu.
6. Check the Timezone box if you want to display only U.S. time zones.
Figure: Timezone menu
Figure: Credential menu
12. The Username field automatically populates based on the selected credential.
13. The Type field automatically populates based on the selected credential.
14. Enter the credential. In this example, the required credential is a password. The field name
reflects the credential type.
15. Optionally, enter the base distinguished name (Base DN) in the Base DN field.
16. Optionally, enter the admin group in the Admin Group field.
17. Click the SAVE button.
Active Directory LDAP automatically mirrors data across all LDAP servers; thus, even if you have
multiple LDAP servers, you only need to configure one LDAP event source (unless you have
manually disabled the auto-mirror feature).
Configuring Active Directory Security Logs
2. Click Add Event Source from the Setup Event Source menu.
5. Select Microsoft Active Directory Security Logs from the Event Source dropdown menu.
6. Check the Timezone box if you want to display only U.S. time zones.
Figure: Timezone menu
Collection Methods
Figure: Select Protocol
Figure: Syslog fields
Log Aggregator
1. Select the Log Aggregator from the Log Aggregator dropdown menu.
Figure: Select Aggregator
Figure: Select Protocol
WMI
1. Enter the server name in the Server field.
2. Enter the user domain in the User Domain field.
3. Select the Credential from the Credential dropdown menu.
Figure: Credential menu
Figure: WMI fields
AD Domain Controllers do not mirror data; repeat these steps for each DC in your environment.
Configuring DHCP
Microsoft DHCP
1. On your DHCP server, create a new folder for DHCP logs. We recommend placing this folder
on the root of the C drive (C:\dhcplogs).
2. Once the folder is created, right-click the folder, select Properties-->Sharing-->Advanced
Sharing-->Share this folder-->Permissions-->Add and provide the credentials that will
have access to this folder (read-only access is adequate).
3. Once the folder is ready, launch the DHCP console and right-click IPv4 in the left pane, then
click Properties.
4. Under the Advanced tab, change the Audit log file path destination folder to the new folder you
just set up (C:\dhcplogs).
5. Restart the DHCP server to apply changes.
6. From the left panel of the Home page, click Data Collection.
7. Select ADD EVENT SOURCE from the SETUP EVENT SOURCE dropdown menu.
Figure: Click DHCP
10. Select Microsoft DHCP from the Event Source dropdown menu.
12. Enter the FQDN of the DHCP server and the file path to the folder (C:\dhcplogs).
For more information, refer to the Preparing Microsoft DHCP and DNS for the Insight Platform
Collector document.
Other non-Microsoft DHCP sources
1. Ensure the DHCP host is logging all DHCP activity.
2. Configure the DHCP source to send logs to your Collector by specifying the Collector as a syslog server.
3. Use the Listen for Syslog Collection Method to ingest logs over a predetermined port.
The Endpoint Monitor is a unique Event Source in the InsightIDR Collector infrastructure in that it
acts as a scanner to query endpoints across the network. The Endpoint Monitor technology
ingests this information into InsightIDR without requiring an agent to be installed on the endpoints
themselves. For more information, please refer to the Endpoint Monitoring in InsightIDR
documentation located in the InsightIDR online community.
3. The Add Event Source page displays. Click the appropriate Event Source.
3. Choose the Collector that the Event Source will be installed in. For this example, it is the
Active Directory.
5. Click Microsoft Active Directory Security Logs from the Event Source dropdown menu.
6. Check the Timezone box if you want to display only U.S. time zones.
Figure: Timezone menu
8. Click the appropriate Collection Method. Additional information may need to be entered based
on the Collection Method chosen.
Note: If your network configuration includes resources that you can access with the same user
name and password, you can reuse those credentials across multiple data sources in InsightIDR.
This way, you only need to provide the credentials once.
When all of your data sources are configured and running successfully, the InsightIDR views are
populated with your company data.
Note: As a security measure, InsightIDR logs off automatically after 15 minutes of inactivity.
When you next log on after being logged off automatically, you return to the page you last visited.
4. Click the Copy event sources link for the Collector that you want to copy.
6. Select the Target Collector (the Collector you want to copy the Event Sources to) from the
Target Collector dropdown menu.
Deleting a Collector
If you encounter a problem and need to delete a Collector from the Collectors list, you must also
uninstall it from the server or virtual machine where it is installed.
To delete a Collector:
1. Click the Data Collection link in the InsightIDR menu.
2. Click Manage Collectors from the Setup Collector dropdown menu.
4. Click the Delete button of the Collector that you want to delete.
5. The Delete Collector confirmation dialog displays. Enter the name of the Collector to confirm
the deletion.
- In Windows, open the Start Menu, locate the Insight Platform folder, and then click the
Uninstall button. Tip: If you cannot find the Uninstall shortcut, run the uninstall.exe file from the
InsightIDR\.install4j subdirectory of the destination directory where you installed the Collector.
- In Linux, run the uninstall script from the .install4j subdirectory of the destination directory
where you installed the Collector.
When the Uninstaller finishes, the Collector has been removed from the server. If you later
decide to reinstall and reactivate the Collector on the same machine, you can do so.
Data Collection
The Data Collection page displays Collector, Event Source, and Honey Pot information.
Additional options allow you to set up Event Sources, Collectors, and Data Exporters. Refer to
the Endpoint Monitoring Guide to learn how to set up Event Sources and Collectors.
Collector Metrics
Clicking the Collector metric displays the Collector page. The left side of the page allows you to
view Collectors by their state:
- All
- Registering
- Generating Keys
- Healthy
- Warning
- Error
Click a state to display Collectors matching that state. The middle of the page displays
information about the selected Collectors.
Figure: Collectors page
Figure: Manage Honeypots
Figure: Activate a Honeypot
Honey Pots
Honey Pots are fake assets that produce an alert any time a user attempts to connect to the
device. Once attackers find an initial foothold in a network, their next step is typically a network
scan to identify all the other assets in the network.
Deployment guide
1. On the Collectors page in Insight Platform, click Download Collector and select the Honeypot
(OVA).
Figure: Download collector
Figure: Powering the VM
5. Provide a name that fits your network naming convention and makes the machine look
important.
6. You will be prompted to acknowledge the machine's IP address. Continue until you see:
Honey Users
A Honey User is a dummy user that is not associated with a real person within the organization,
and therefore should never be accessed. Attackers frequently attempt to authenticate to as many
user accounts as possible during the reconnaissance phase of an attack; this helps expand their
footprint and gain access to more assets and privileges without tripping any traditional alarms.
Honey users, however, are a unique way to detect this activity; anytime someone attempts to log
in to a honey user account, InsightIDR generates a Honey User Authentication incident, which
shows when an attempt occurred and which asset was targeted.
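The detection the paragraph above describes, as an added example that is not InsightIDR's code: a set of accounts marked as Honey Users, a handful of constructed logon records in a simple key=value format (not a real Windows or InsightIDR log format), and a function that raises a "Honey User Authentication" incident for every attempt against one of those accounts, recording when it happened and which asset was targeted. All account names, hosts and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Accounts marked under Settings -> Honey Users. Constructed for this demo; they
# follow a realistic naming convention, as the Best Practices section advises.
HONEY_USERS = {"CORP\\c.hoffman", "CORP\\svc_sqlbackup"}

# Constructed logon records in a simple key=value line format. This is not a
# real InsightIDR or Windows event format; a real pipeline would parse the
# domain controller security log instead.
SAMPLE_LOG = """\
2016-03-01T10:02:11Z host=FIN-FS01 user=CORP\\j.smith src=10.0.5.22 result=success
2016-03-01T10:02:14Z host=FIN-FS01 user=CORP\\c.hoffman src=10.0.5.22 result=failure
2016-03-01T10:02:15Z host=FIN-FS01 user=CORP\\svc_sqlbackup src=10.0.5.22 result=failure
2016-03-01T10:02:40Z host=HR-WS17 user=corp\\C.Hoffman src=10.0.5.22 result=failure
2016-03-01T11:15:03Z host=HR-WS17 user=CORP\\a.jones src=10.0.9.8 result=success
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_logons(text):
    """Turn the key=value lines into logon event dicts, skipping unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "time": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "asset": d["host"],
            "user": d["user"],
            "src": d["src"],
            "success": d["result"] == "success",
        })
    return events


def honey_user_incidents(events, honey_users=HONEY_USERS):
    """One 'Honey User Authentication' incident per attempt against a honey user.

    Both successful and failed attempts count: the account has no legitimate
    use, so any attempt is suspicious. Matching is case-insensitive because
    Active Directory account names are.
    """
    honey = {u.lower() for u in honey_users}
    return [
        {
            "incident": "Honey User Authentication",
            "time": e["time"],
            "user": e["user"],
            "asset": e["asset"],      # which asset was targeted
            "src": e["src"],          # where the attempt came from
            "success": e["success"],
        }
        for e in events
        if e["user"].lower() in honey
    ]


def targeted_assets_by_source(incidents):
    """Group targeted assets by source IP; several assets probed from one source
    in a short window is the reconnaissance pattern the guide describes."""
    by_src = defaultdict(set)
    for inc in incidents:
        by_src[inc["src"]].add(inc["asset"])
    return {src: sorted(assets) for src, assets in by_src.items()}


if __name__ == "__main__":
    incidents = honey_user_incidents(parse_logons(SAMPLE_LOG))
    for inc in incidents:
        print(inc["time"].isoformat(), inc["incident"], inc["user"],
              "on", inc["asset"], "from", inc["src"])
    print(targeted_assets_by_source(incidents))
```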
Figure: A honey user
Best Practices
If your organization uses a naming convention for assets and/or users, configure these intruder
traps to match all naming conventions; do not name your Honey Pot "honeypot", or your honey
user "John Doe". If an attacker is smart enough to get past perimeter defenses, then he's smart
enough to avoid obviously fake assets and users.
We also recommend deploying both Honey Pots and honey users throughout the environment
with an added emphasis on critical network segments or subnets. In the event of a breach, having
tiers of intruder traps can help isolate the precise location of an intruder or malicious insider in the
network, helping Incident Response teams lock down users and assets quickly to contain the
incident.
Figure: Generating keys
3. The middle of the page displays information about the Honey Pots.
Managing Exporters
Perform the following steps to manage Exporters.
1. Click Manage Exporters from the Setup Data Exporters dropdown menu.
2. The Data Exporters page displays. The left side of the page lists Exporters by type and state.
- Product: All
- Collector: All
- State: All, Running, Warning, Error, Stopped
Settings
The Settings page allows you to configure InsightIDR to meet your needs. The following table
lists and explains the types of settings that you can define.
Setting: Definition
Incident Settings: designate the types of incidents that InsightIDR tracks.
User Settings: allow you to assign a role to a user. You can also add new users and delete
users.
Event Source Settings: allow you to specify the IP addresses for each event source.
Credential Settings: allow you to add new credentials for InsightIDR to monitor.
Application Settings: allow you to add applications for InsightIDR to monitor.
Incident Modifications: list exceptions for incidents.
Asset Settings: allow you to designate which assets are restricted based on a Nexpose
criticality setting. Note: You need Nexpose to use this functionality.
Honey Users: view, mark, or delete users as Honey Users.
Export Data: allows you to export account, asset, and mobile device information from
InsightIDR into a CSV file.
Static IP Ranges: assets that do not receive IP addresses via DHCP. Most commonly, these are
servers and any other assets that have a statically assigned IP.
Unmanaged IP Ranges: ranges that are outside the managed corporate network.
Network Zones: allow the logical labeling of different systems or business groups based on IP
ranges.
Network Policies: allow you to create alerts based on rules; for example, the finance network
zone can only be accessed by those in the finance group within Active Directory. This is driven
from Network Zones and Active Directory group membership.
Tagged Domains: domains that are owned or ignored by an organization. This is used for the
Spear Phishing URL detection incident.
Unknown IP Addresses: InsightIDR tracks all IP addresses it receives from DHCP and VPN
assignments, but sometimes logs come in with IPs that have never been seen before by any of
the DHCP or VPN event sources. These IPs are reported as Unknown IP Addresses to help you
see whether you might be missing a DHCP or VPN event source somewhere in your environment
that you should hook up to a Collector.
Running Agents: displays a list of running agents. The hostname and last seen time are
displayed.
Incident settings
Incident settings designate the types of incidents that InsightIDR tracks. To disable the tracking of
an incident, uncheck that incident's checkbox; to enable an incident, check that incident's
checkbox.
Figure: Incident by priority (filters: time period, priority)
Figure: Ingress type
User settings
User settings allow you to assign a role to a user. You can also add new users and delete users.
The user types are Admin, Investigator, and Read only.
Adding a user
To add a user, perform the following steps.
1. Click the ADD USER button. The Create User dialog displays.
Deleting a user
To delete a user, click the
Figure: Delete user
Event Source settings
To enter a VPN IP address range:
1. Enter the VPN IP address range in the VPN IP Address Range field.
2. Click the Submit button.
To enter a Local IP address range:
1. Enter the Local IP address range in the Local IP Address Range field.
2. Click the Submit button.
Credential settings
Credential settings allow you to add new credentials for InsightIDR to monitor.
Figure: Credential drop-down
Application settings
Application settings allow you to add applications for Insight Platform to monitor. To add an
application, perform the following steps:
1. Click the ADD APPLICATION button.
Incident modifications
Incident modifications list exceptions for incidents. These are generated when you choose to
either whitelist or blacklist an incident when you close it. Incidents include:
- Honeypot Exception
- Permitted Impersonation
Figure: Incident settings
Asset settings
Asset settings allow you to designate which assets are restricted based on a Nexpose criticality
setting. Note: You need Nexpose to use this functionality.
To set the Nexpose criticality setting, perform the following steps:
1. Tick the Use criticality setting from Nexpose checkbox.
2. Select the criticality level from the Criticality dropdown button.
3. Click the Submit button.
Figure: Set criticality
Honey Users
This page allows you to mark, unmark, and view Honey Users.
Marking a user as a Honey User
To mark a user as a Honey User, perform the following steps:
1. Enter the name of the user that you want to mark as a Honey User in the Search field. As
you type in the name, InsightIDR displays a list of users based on what you have typed.
2. Based on the results InsightIDR displays, if the user's name displays, select it. If not,
continue typing until either the name displays or until you have typed the complete name.
3. Press the Enter key. The name displays in the Honey User list.
In this example, I selected Carla Hoffman.
Export Data
Export Data allows you to export account, asset, and mobile device information from InsightIDR
into a Comma Separated Values (CSV) file. Click the CSV button next to the file that you want to
download. You can open the file in Excel or any program, for example, a text editor, that can open
a CSV file.
Figure: Export data
Static IP ranges
Static IP ranges are used to define assets that do not receive IP addresses via DHCP. Most
commonly, these are servers and any other assets that have a statically assigned IP. You can
add and edit ranges.
Adding a Static IP range
To add a Static IP range, perform the following instructions:
1. Click the ADD IP RANGE button.
2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field. The format is xxx.xxx.x.x/xx where the values before
the slash (/) are the starting range and the value after the slash is the last entry in the range.
For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1,
192.168.1.2, to the address 192.168.1.24.
4. Click the checkmark.
Figure: Add IP range
Figure: Edit IP range
Unmanaged IP ranges
Unmanaged IP ranges are ranges that are outside the managed corporate network.
Adding an Unmanaged IP range
To add an Unmanaged IP Range, perform the following instructions:
1. Click the ADD IP RANGE button.
2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field. The format is xxx.xxx.x.x/xx where the values before
the slash (/) are the starting range and the value after the slash is the last entry in the range.
For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1,
192.168.1.2, to the address 192.168.1.24.
4. Click the checkmark.
Figure: Add IP range
Network Zones
Network Zones allow the logical labeling of different systems or business groups based on IP
ranges.
Figure: Network zones
2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field. The format is xxx.xxx.x.x/xx where the values before
the slash (/) are the starting range and the value after the slash is the last entry in the range.
For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1,
192.168.1.2, to the address 192.168.1.24.
4. Click the checkmark.
Figure: Add IP range
Figure: Edit IP range
Network Policies
Network Policies allow you to create alerts based on rule violations. For example, the finance
network zone can only be accessed by those in the finance group within the Active Directory. This
is driven from Network Zones and Active Directory group membership.
Figure: Network policies
2. Enter the group name in the Group Names search field. As you type in the name, the search
field is populated based on related information imported from the LDAP. If you don't see an
expected name, check your LDAP settings.
3. Select the access policy from the Access Policy dropdown menu.
Figure: Access policies
5. Enter the name of the zone in the Zone Name field. Note: If you select an existing zone, the
Zone Name and IP Ranges fields become hidden since they were defined when the existing
zone was defined. In this case, the group names and access policies are added to the
existing zone.
6. Enter the IP range(s) in the IP Ranges field. The format is xxx.xxx.x.x/xx where the values
before the slash (/) are the starting range and the value after the slash is the last entry in the
range. For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1,
192.168.1.2, to the address 192.168.1.24.
7. Click the Save button.
Tagged Domains
Tagged Domains are domains that are either owned or controlled by your organization, or
domains that your organization wishes to ignore. This is used for the Spear Phishing URL
detection incident. In our example, Rapid7 is tagged as an owned domain. InsightIDR sends
alerts when it detects attempts to spoof this domain.
Referring to our example, Duosecurity.com is tagged as a domain to ignore. InsightIDR does not
send alerts regarding this domain.
Figure: Tagged domains
Unknown IP addresses
InsightIDR tracks all IP addresses it receives from DHCP and VPN assignments, but sometimes
logs come in with IPs that have never been seen before by any of the DHCP or VPN event
sources. These IPs are reported as Unknown IP Addresses to help you see whether you might
be missing a DHCP or VPN event source somewhere in your environment that you should hook
up to a Collector. Some of these might be related to DHCP servers or VPN servers that haven't
been configured, some might be static IP ranges, and others might be unmanaged. Select a
range and select a resolution option.
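A worked example, added here and not part of the guide or the product, of the range bookkeeping described in the Static IP Ranges, Unmanaged IP Ranges and Unknown IP Addresses sections and of the rule that endpoint monitoring ranges must not overlap between Collectors: it parses ranges in the a.b.c.d/n form the IP Range fields use, reports which ranges overlap across Collectors, and labels observed IPs that match no DHCP lease, VPN assignment or configured range as unknown. All Collector names, ranges and addresses are constructed.

```python
import ipaddress
from itertools import combinations

# Endpoint monitoring ranges per Collector (constructed). The guide's rule:
# a range on Collector A must not be duplicated or overlapped on Collector B.
COLLECTOR_RANGES = {
    "Collector A": ["10.0.0.0/16", "192.168.1.0/24"],
    "Collector B": ["10.0.5.0/24", "172.16.0.0/12"],
}

# Constructed inventory for the Unknown IP Addresses check.
DHCP_LEASES = {"10.0.5.22"}              # IPs seen in DHCP server logs
VPN_ASSIGNMENTS = {"10.8.0.3"}           # IPs seen in VPN server logs
STATIC_RANGES = ["192.168.1.0/24"]       # Settings -> Static IP Ranges
UNMANAGED_RANGES = ["203.0.113.0/24"]    # Settings -> Unmanaged IP Ranges
OBSERVED = ["10.0.5.22", "10.8.0.3", "192.168.1.10", "203.0.113.7", "10.99.1.1"]


def parse_range(cidr):
    """Parse a range written as in the IP Range field (a.b.c.d/n).
    strict=False tolerates host bits set, e.g. 192.168.1.7/24 -> 192.168.1.0/24."""
    return ipaddress.ip_network(cidr, strict=False)


def range_bounds(cidr):
    """First address, last address and size of the range, for checking an entered
    prefix length: a /24 covers 256 addresses, 192.168.1.0 through 192.168.1.255."""
    net = parse_range(cidr)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def overlapping_collector_ranges(collector_ranges):
    """Every pair of ranges on *different* Collectors that overlap, as
    (collector_a, range_a, collector_b, range_b). An empty list means the
    deployment satisfies the no-overlap rule."""
    flat = [(name, parse_range(c)) for name, cidrs in collector_ranges.items() for c in cidrs]
    return [
        (a_name, str(a), b_name, str(b))
        for (a_name, a), (b_name, b) in combinations(flat, 2)
        if a_name != b_name and a.overlaps(b)
    ]


def classify_ips(observed, dhcp_leases, vpn_assignments, static_ranges, unmanaged_ranges):
    """Label each observed IP dhcp, vpn, static, unmanaged or unknown.
    'unknown' is what the Unknown IP Addresses page would surface: the address
    came from no DHCP/VPN source and matches no configured range, so a DHCP or
    VPN event source may be missing from a Collector."""
    static = [parse_range(c) for c in static_ranges]
    unmanaged = [parse_range(c) for c in unmanaged_ranges]
    labels = {}
    for ip_str in observed:
        ip = ipaddress.ip_address(ip_str)
        if ip_str in dhcp_leases:
            labels[ip_str] = "dhcp"
        elif ip_str in vpn_assignments:
            labels[ip_str] = "vpn"
        elif any(ip in net for net in static):
            labels[ip_str] = "static"
        elif any(ip in net for net in unmanaged):
            labels[ip_str] = "unmanaged"
        else:
            labels[ip_str] = "unknown"
    return labels


def unknown_ips(labels):
    """The addresses that need a resolution option chosen for them."""
    return sorted(ip for ip, label in labels.items() if label == "unknown")


if __name__ == "__main__":
    print("192.168.1.0/24 spans", range_bounds("192.168.1.0/24"))
    print("overlaps:", overlapping_collector_ranges(COLLECTOR_RANGES))
    labels = classify_ips(OBSERVED, DHCP_LEASES, VPN_ASSIGNMENTS, STATIC_RANGES, UNMANAGED_RANGES)
    print("unknown:", unknown_ips(labels))
```

range_bounds is the check to run before saving a range: a /24 ends at .255, not .24, so a prefix length typed by hand can silently cover far more, or far less, than intended.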
Running agents
This page displays a list of running agents. The hostname and last seen time are displayed. Use
the Search by hostname box to search for a host.
Figure: Running agents
- In Windows, open the Start Menu, locate the InsightIDR folder, and then click Uninstall.
TIP: If you cannot find the Uninstall shortcut, run the uninstall.exe file from the Insight
Platform\.install4j subdirectory of the destination directory where you installed the Collector.
- In Linux, run the uninstall script from the .install4j subdirectory of the destination directory
where you installed the Collector.
When the Uninstaller finishes, the Collector has been removed from the server. If you later
decide to reinstall and reactivate the Collector on the same machine, you can do so.
Reinstall the Collector on the server and then return to the InsightIDR Web application
immediately and activate the Collector. Do not shut down the server where the Collector is
installed until it has been activated in Insight Platform.
Q: How do I increase the amount of RAM the Collector uses in environments that require a lot of
RAM?
A: If your Collector is handling more than 100,000 EPM, configure the Collector to use more of
the available memory on the server it is installed on. Place a file named collector.vmoptions in
the directory where you installed the Collector, containing the following line (no spaces):
-Xmx#g
where "#" is the number of GB of memory the Collector should use. For a 4GB machine, you can
tell the Collector to use 3GB of memory by putting -Xmx3g in the file. For an 8GB machine, you
can tell the Collector to take 6GB of memory by saving a collector.vmoptions file in the Collector
directory with the line -Xmx6g.
Q: I have set up an Event Source using syslog data collection, but the log data is not
showing up in InsightIDR.
A: If the Collector has a local firewall running, that firewall may be blocking the port you
configured for the Event Source. Check your firewall settings to make sure the device can
communicate with the InsightIDR Collector via the configured port. If firewall settings seem to be
correct, try stopping the current Event Source and configuring a Rapid7 Generic Syslog Event
Source to listen to the same port. If the generic syslog shows EPM, there is a problem with the log
format. Contact support for further assistance.
Q: I have an Event Source that InsightIDR does not support. Is there a way for Insight
Platform to monitor that source?
A: Use the Rapid7 Generic Syslog Event Source to upload sample log files that are not supported
by any Event Source in InsightIDR. The Development team will work with the sample data to
create a new Event Source in InsightIDR. When they are done, you will be notified to delete the
Rapid7 Generic Syslog Event Source and add the new Event Source to your Collector.
ACTIVE DIRECTORY
- Microsoft
DHCP
- Alcatel-Lucent VitalQIP
- Bluecat
- Cisco IOS
- Cisco Meraki
- Infoblox Trinzic
- ISC dhcpd
- Microsoft
- MikroTik
- Sophos UTM
Endpoint Monitoring
- Rapid7
- Rapid7 Metasploit
- Rapid7 Nexpose
Security Data
DNS
- Bluecat ISC
- Infoblox Trinzic
- ISC BIND 9
- Microsoft
- MikroTik
- PowerDNS
IDS/IPS
- Cisco Sourcefire
- Dell iSensor
- Dell SonicWall
- HP TippingPoint
- McAfee IDS
- Metaflows IDS
- Security Onion
- Snort
FIREWALL
- Barracuda NG
- Cisco IOS
- Cisco Meraki
- Check Point
- Clavister W20
- Fortinet FortiGate
- Juniper Junos OS
- Juniper Netscreen
- McAfee
- pfSense
- SonicWALL
- Sophos
- Stonesoft
- WatchGuard XTM
ADVANCED MALWARE
- FireEye NX
VPN
- Barracuda NG
- Cisco ASA
- Citrix NetScaler
- F5 Networks FirePass
- Fortinet FortiGate
- Juniper SA
- MobilityGuard OneGate
- OpenVPN
- SonicWALL
- VMware Horizon
- WatchGuard XTM
WEB PROXY
- Blue Coat
- Cisco IronPort
- Fortinet FortiGate
- Squid
- WatchGuard XTM
- Zscaler NSS
CLOUD SERVICES
- AWS CloudTrail
- Box.com
- Duo Security
- Google Apps
- Okta
- Salesforce
APPLICATION MONITORING
- Atlassian Confluence
VIRUS SCANNERS
- Cylance Protect
- Check Point AV
- F-Secure
- McAfee ePO
- Sophos
- TrendMicro OfficeScan
SIEMs/LOG AGGREGATORS (Receive data from these platforms into Insight Platform)
- HP ArcSight
- IBM QRadar
- LogRhythm
- Splunk
Raw Data
GENERIC SYSLOG
3. Endpoint credentials should include the domain in addition to the username, e.g.
domain\username.
4. All endpoints need to be able to communicate back to the Collector via TCP on the Collector ports:
a. 5508
b. 6608
c. range 20,000 - 30,000
5. Overlapping endpoint monitoring ranges are not allowed. IP addresses or IP ranges defined
on Collector A should not be duplicated on Collector B. If this exists, it should be updated ASAP.
When a customer does not see endpoints returning logs in their scans or in their Continuous
Agents, the first thing to do is review the following diagram to confirm that all ports are
available as expected.
If the external firewall and web proxies are configured correctly, check a sample endpoint for
agent log files. For the scan agent, there should be a Rapid7 folder in either:
- C:\Windows\Temp\, or
- C:\Users\<<IDR_service_account>>\AppData\Local\Temp\
For the Continuous Agent, the Rapid7 folder should be found in c:\program files(x86)\.
Inside the Rapid7 folder, look for the following 3 files and, if available, send them to engineering for
review:
- agent.log
- config.json
- powershell.log
Figure: Endpoint network