Insight Agent
Insight Agents collect system information from your endpoints and send it back to the Rapid7 platform for analysis. You can deploy Insight Agents to all your endpoints to monitor logon histories, running processes, and other forensic data.
Data collected by the Insight Agent
The Insight Agent runs continuously and sends data back to the platform in real time. Both the Insight Agent and the agentless endpoint monitor scan collect the same data for detection purposes: local authentication logs, local process hashes, and local security and event logs.
Generally, collection includes the following types of data:
- Process starts and stops
- Security log event codes
- System event codes
- Honey credentials
- Protocol poisoning traps
Specifications
The agent's footprint is under 50 MB on disk, uses less than 25 MB of RAM at rest, and transmits less than 1 MB daily from each endpoint.
System requirements
Insight Agents are officially supported on the following systems:
- Windows - Windows XP and newer OS versions
Windows systems running the agent must have:
- WMI enabled - The agent loads the Python WMI module in several jobs, notably the ui_realtime job. If WMI is disabled, the agent will still start, but those jobs will fail. If the WMI service is stopped but has a startup type of "Automatic" or "Manual", the agent will attempt to start it.
- Event Log enabled - The ui_realtime job requires the Event Log service to be running. A stopped Event Log will not prevent the agent itself from starting, except on Windows XP and Windows Server 2003, where the Event Log must be running before the agent will start. Windows Server 2003 SP1 does not need the Event Log to be running.
- All currently available Insight Agent updates applied - The agent updates itself automatically, and details of each update are written to the agent.log file. No new jobs can be launched until all pending agent updates have been applied.
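The following pre-flight check is an added example, not Rapid7's code, and is written for an elevated PowerShell prompt on the endpoint. It checks the two services the ui_realtime job depends on, WMI (service name Winmgmt) and Event Log (service name EventLog), and mirrors the agent's own behaviour of trying to start a stopped service whose startup type is Automatic or Manual. The startup type is read from the registry rather than via WMI so that the check does not itself depend on the service it is testing; the service names and the registry Start values (2 = Automatic, 3 = Manual, 4 = Disabled) are standard Windows values, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not part of the Rapid7 documentation): verify the Windows services
# that the Insight Agent's ui_realtime job requires. Run from an elevated prompt.

function Get-ServiceStartMode {
    param([Parameter(Mandatory)][string]$Name)
    # Read the start type from the registry so this check works even when WMI is down.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    switch ($start) {
        2       { 'Automatic' }
        3       { 'Manual' }
        4       { 'Disabled' }
        default { "Unknown($start)" }
    }
}

function Test-AgentPrerequisite {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; State = 'Missing'; StartMode = 'n/a'; Ok = $false }
    }
    $mode = Get-ServiceStartMode -Name $Name

    # Same rule the agent applies: a stopped service with Automatic/Manual start type
    # can be started; a Disabled one cannot and must be fixed by the administrator.
    if ($svc.Status -ne 'Running' -and $mode -in @('Automatic', 'Manual')) {
        Start-Service -Name $Name -ErrorAction SilentlyContinue
        $svc = Get-Service -Name $Name
    }

    [pscustomobject]@{
        Service   = $Name
        State     = $svc.Status
        StartMode = $mode
        Ok        = ($svc.Status -eq 'Running')
    }
}

$results = foreach ($s in 'Winmgmt', 'EventLog') { Test-AgentPrerequisite -Name $s }
$results | Format-Table -AutoSize

# A running WMI service is not quite enough: the repository must also answer queries,
# which is what the agent's Python WMI module ultimately relies on.
try {
    $null = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
    Write-Host 'WMI query succeeded'
} catch {
    Write-Warning "WMI service is running but queries fail: $($_.Exception.Message)"
}

if ($results.Ok -contains $false) {
    Write-Warning 'Fix the services above before installing the agent; the ui_realtime job will fail otherwise.'
}
```

If either service reports Disabled, change its startup type (for example with Set-Service -StartupType Automatic) before running the installer; the agent will not attempt to start a Disabled service.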
Account requirements
Administrator privileges for the target system are required.
Bandwidth requirements
Each agent requires a bandwidth of approximately 1.3-1.7 Kbps. Note that 1.3-1.7 Kbps sustained for a full day would amount to roughly 14-18 MB, well above the under-1-MB daily figure given in the specifications, so treat this as the rate while the agent is actively transmitting rather than as a daily average.
Resource usage
The Rapid7 Insight Agent consumes about 15 MB of RAM in an idle state. It is usually idle unless a forensic job or data collection activity is taking place.
The Task Manager will usually show resource usage by the agent at 0%. If resources are being used, it generally never exceeds 2%.
Installing the Insight Agent
Installation is simple: download the agent package and run the installer on the endpoint. Note that only one agent can be installed per machine.
To install the agent:
- Go to the "Data Collection" tab and click the Download Endpoint Package button.
- From the "Download Insight Agent" page, download the agent. The agent is packaged in a ZIP file. The necessary license keys and certificates are provisioned in the downloaded file.
- Copy the ZIP file to the target system and unzip it. You will find the installer, as well as three security files: client.key, client.crt, and cafile.pem.
- Run the installer. The agent is installed as a service, and the security files are installed automatically alongside it. By default, the agent is installed in c:\Program Files (x86)\Rapid7\Endpoint Agent and the service name will be Rapid7 Endpoint Agent.
After you install an agent, it will automatically start to work; there are no additional steps you need to perform for it to run.
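The post-install check below is an added example and not part of Rapid7's installer or documentation. It confirms the points the procedure above relies on: exactly one agent service is present and running, the default install directory exists, and the three provisioned security files are in place. Two things go beyond what the page states and are assumptions of this example: that the security files live in the install directory, and that client.key, being the private key that authenticates the endpoint to the platform, should not be readable by broad groups such as Users or Everyone. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Rapid7's code): verify an Insight Agent installation on Windows.
# Assumed: security files sit in the install directory; the key ACL policy below is the
# example author's hardening choice, not a documented Rapid7 requirement.

$InstallDir  = 'C:\Program Files (x86)\Rapid7\Endpoint Agent'   # default path from the docs
$ServiceName = 'Rapid7 Endpoint Agent'                          # service name from the docs
$Files       = 'client.key', 'client.crt', 'cafile.pem'

function Test-InsightAgentInstall {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Exactly one agent service, and it must be running (one agent per machine).
    $svcs = @(Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName })
    switch ($svcs.Count) {
        0       { $findings.Add("service '$ServiceName' not found") }
        1       { if ($svcs[0].Status -ne 'Running') { $findings.Add("service is $($svcs[0].Status), expected Running") } }
        default { $findings.Add("$($svcs.Count) agent services found; only one agent per machine is supported") }
    }

    # 2. Install directory and the three security files provisioned in the ZIP.
    if (-not (Test-Path -LiteralPath $InstallDir)) {
        $findings.Add("install directory missing: $InstallDir")
    } else {
        foreach ($f in $Files) {
            if (-not (Test-Path -LiteralPath (Join-Path $InstallDir $f))) { $findings.Add("missing $f") }
        }
    }

    # 3. Client certificate validity; an expired cert means the agent cannot authenticate.
    $crt = Join-Path $InstallDir 'client.crt'
    if (Test-Path -LiteralPath $crt) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt
        if ($cert.NotAfter -lt (Get-Date)) {
            $findings.Add("client.crt expired on $($cert.NotAfter)")
        } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $findings.Add("client.crt expires within 30 days ($($cert.NotAfter))")
        }
    }

    # 4. Private key ACL (assumed policy): no Allow entries for broad built-in groups.
    $key = Join-Path $InstallDir 'client.key'
    if (Test-Path -LiteralPath $key) {
        $broad = (Get-Acl -LiteralPath $key).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Authenticated Users|\\Users$'
        }
        foreach ($ace in $broad) {
            $findings.Add("client.key readable by $($ace.IdentityReference) ($($ace.FileSystemRights))")
        }
    }

    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

$result = Test-InsightAgentInstall
if ($result.Healthy) {
    Write-Host 'Insight Agent installation looks healthy'
} else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
}
```

Because the agent authenticates with the client.key and client.crt pair shipped in the ZIP, treat the downloaded package as a credential: restrict who can retrieve it and delete the unpacked copy from the endpoint once the installer has finished.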