InsightIDR

InsightIDR Overview

Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats, and highlights suspicious activity so you don’t have to weed through thousands of data streams.

InsightIDR combines the full power of endpoint forensics, log search, and sophisticated dashboards into a single solution. It is a SaaS (Software as a Service) tool that collects data from your existing network security tools, authentication logs, and endpoint devices. InsightIDR then aggregates the data at an on-premise Collector, a dedicated host machine that centralizes your data.

Use this Collector to gather and transmit your logs securely to AWS, which hosts customer databases and the web interface. Rapid7 runs analytics on this data to correlate users, accounts, authentications, alerts, and privileges. The analysis provides insight into user behavior while searching for known indicators of compromise.

Rapid7 recommends keeping a dedicated Collector on-premise to collect event data, log data, and endpoint data.

For real-time endpoint data collection, you should also plan to install the Insight Agent on your asset(s).

Why Use InsightIDR?

Unify your data into a single security view

Track user network resources, their devices, and their visited cloud services. InsightIDR normalizes network data and attributes it to users, so you know the origin, owner, and time of event.

Analyze raw logs, endpoint data, and network traffic

InsightIDR collects data streams from every possible place, and brings them together in one convenient place for you to analyze. Sift through raw logs, visualize your endpoint data, or organize your network traffic from users.

Receive alerts for suspicious activity

Whether or not suspicious activity is happening on your network, InsightIDR sets up traps that alert you to security gaps.

Prioritize events

Because traffic and data are normalized, InsightIDR automatically prioritizes network events and brings notable events to your attention. InsightIDR filters out non-critical events so you focus on the important ones.

Investigate events

In the event of a breach, security teams will have contextual information about the compromised data, the time of the event, and the possible next actions of the intruder.

How Does InsightIDR Work?

Various Operations departments use InsightIDR at companies large and small, but an Information Security team uses InsightIDR every day to keep a network safe.

In Action

While at work, an email alert notifies the InfoSec team of suspicious behavior. Logging into InsightIDR, they immediately select the Alerts tab and then move to Investigate Alerts. After confirming the alert, they'll select the Incident for further details and scan the activity collected in the incident. When did it happen? What user was present? What was the suspicious activity? This Information Discovery leads the InfoSec team to select Evidence, which details the user, asset owner, and issues that need attention.

The team places the user on the Watchlist for heightened monitoring while investigating and checking with other Ops teams to determine if the event was malicious. InfoSec will search logs, browse firewall activity, and comb IP encounters to make contextual decisions about the user's actions.

Incident Response

Many times, the incidents are false positives (false alarms). But in the case where something malicious occurred, the InfoSec team can wipe an asset, reinstall a clean OS, and start over. In extreme cases, InfoSec teams will destroy an asset if it is beyond repair.