Supported Event Sources

InsightIDR requires log data from the following event sources to properly attribute all of your organization’s events to the users involved:

  • LDAP – Tracks user information essential to link account activity with real users and identify privileged and service accounts.
  • DHCP – Tracks IP addresses over time. DHCP logs are required for asset-to-IP correlation.
  • Active Directory – Tracks all user logons including both successful and failed logons. Required for effective use of the InsightIDR ingress analytics. A domain administrator account is required for each server. These logs are stored in the context of the Microsoft Active Directory.

Supported Event Sources

InsightIDR seamlessly integrates log data from each event source provided to deliver additional context around user behaviors, compromised credentials, and other potentially malicious activity. We strongly recommend that all log sources that meet supported collection methods be made available to InsightIDR.

User Attribution

In order to more easily understand the activity which occurs in your environment, it is highly recommended that you configure the event sources necessary to tie actions back to the users and assets involved. These foundational event sources are LDAP, DHCP logs, and Active Directory Security Logs. These sources will not only add context to analytics, but also make searching easier.

LDAP

  • Microsoft Active Directory LDAP

Active Directory

  • Microsoft

DHCP

  • Alcatel-Lucent VitalQIP
  • Bluecat
  • Cisco IOS
  • Cisco Meraki
  • Infoblox Trinzic
  • ISC dhcpd
  • Microsoft
  • MicroTik
  • Sophos UTM

Endpoint Monitoring

For critical servers and endpoints belonging to remote employees, it is recommended to install the InsightIDR persistent agent to enable real-time streaming of events and ensure your team is not blind to the activities which occur when assets are off the network.

When a persistent agent is not desired, it is recommended to use the InsightIDR Agentless Endpoint Scan. This option collects data from your endpoints periodically, monitors local user activity, windows logon activity, event log tampering and enables process hashes to be identified, analyzed for commonality, and checked against VirusTotal for known malware.

The following event sources are supported:

  • Continuous Endpoint Agent (Windows)
  • Agentless Endpoint Scan (Windows)
  • Agentless Endpoint Scan (Mac)
  • Linux Asset Monitor

Rapid7

If you own any of our threat exposure management products such as Nexpose and Metasploit, you can add exposure knowledge to your incident analysis.

Security Data

InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

DNS

  • Bluecat ISC
  • Infoblox Trinzic
  • ISC Bind9
  • Microsoft
  • MikroTik
  • PowerDNS

IDS/IPS

  • Cisco Sourcefire
  • Dell iSensor
  • Dell SonicWall
  • HP TippingPoint
  • McAfee IDS
  • Metaflows IDS
  • Security Onion
  • Snort

Firewall

  • Barracuda NG
  • Cisco ASA + VPN
  • Cisco IOS
  • Cisco Meraki
  • Check Point
  • Clavister W20
  • Fortinet Fortigate
  • Juniper Junos OS
  • Juniper Netscreen
  • McAfee
  • Palo Alto Networks and VPN (also includes Wildfire support)
  • pfSense
  • SonicWALL
  • Sophos
  • Stonesoft
  • Watchguard XTM

Advanced Malware

  • FireEye NX
  • Palo Alto Networks WildFire

VPN

  • Barracuda NG
  • Cisco ASA
  • Citrix NetScaler
  • F5 Networks FirePass
  • Fortinet FortiGate
  • Juniper SA
  • Microsoft IAS (RADIUS)
  • Microsoft Network Policy Server
  • Microsoft Remote Web Access
  • MobilityGuard OneGate
  • OpenVPN
  • SonicWALL
  • VMware Horizon
  • WatchGuard XTM

Web Proxy

  • Barracuda Web Filter
  • Blue Coat
  • Cisco IronPort
  • Fortinet FortiGate
  • Intel Security (fka McAfee) Web Reporter
  • McAfee Web Reporter
  • Sophos Secure Web Gateway
  • Squid
  • TrendMicro Control Manager
  • Watchguard XTM
  • WebSense Web Security Gateway
  • Zscalar NSS

E-mail and ActiveSync

  • Microsoft Exchange Transport Agent (Email monitoring)
  • OWA/ActiveSync (Ingress monitoring, mobile device attribution)

Cloud Services

  • Microsoft Office 365
  • AWS CloudTrail
  • Box.com
  • Duo Security
  • Google Apps
  • Okta
  • Salesforce

Application Scanning

  • Atlassian Confluence
  • Microsoft SQL Server

Virus Scanners

  • Cylance Protect
  • Check Point AV
  • F-Secure
  • McAfee ePO
  • Sophos
  • Symantec Enduser Protection
  • TrendMicro OfficeScan
  • TrendMicro Control Manager

Data Exporters

Data exporters send data from the Insight Platform. The following data exporters are supported:

  • FireEye Threat Analytics Platform (TAP)
  • HP ArcSight and HP ArcSight Logger
  • Splunk

SIEMs/Log Aggregators

Aggregators receive data from these platforms into Insight Platform. The following aggregators are supported:

  • HP ArcSight
  • IBM QRadar
  • LogRhythm
  • McAfee Enterprise Security Manager (previously known as Nitrosecurity)
  • Splunk

Raw Data

InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

Generic Syslog

  • Rapid7Generic Syslog
  • Rapid7 Generic Windows Event Log
  • Rapid7Raw Data

Adding a New Event Source

We are always looking to expand our event source portfolio as customers request new vendors and types of event sources. To request support for a new event source, use the Feedback button to send a sample of the log or access to the cloud service’s SDK, along with information of how the data would be sent to the Collector (e.g. syslog). With that information, we can create new parsing rules and update InsightIDR.

What's Next?