Insight Agent Modes

You can utilize the Insight Agent in two specific ways: persistent mode and scan mode.

Persistent mode is the normal Insight Agent that you install on your assets; it has minimal bandwidth impact and provides real-time updates.

Scan mode, or Endpoint Monitoring, is exclusive to InsightIDR as an “agentless scan” that is deployed alongside the Collector instead of through installed software. Learn more about Endpoint Monitoring.

MDR Customers must install the "persistent" Insight Agent on at least 80% of assets.

MDR Customers cannot use scan mode ranges in their environment.

Monitored Event Codes

By default, the Insight Agent monitors the following event codes:

Log Origin                                            Event Codes
                                                      1102, 4624, 4625, 4648, 4720
Security logs when running on a Domain Controller*    1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728, 4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769

*Note that users must opt in to collect Security Event Logs from the Domain Controller. Contact support for more information.

Data Contribution

In addition to monitoring, the data provided by the Insight Agent contributes to the following alerts:

  • brute force - asset
  • brute force - local account
  • detection evasion - event log deletion
  • detection evasion - local event log deletion
  • endpoint threat intelligence match
  • exploit mitigated
  • flagged hash on asset
  • flagged process on asset
  • honey file accessed
  • kerberos privilege elevation exploit
  • lateral movement - local administrator impersonation
  • lateral movement - local credentials
  • local honey credential privilege escalation attempt
  • malicious hash on asset
  • new local user account created
  • protocol poisoning detected
  • remote file execution detected
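The following is an added example (not Rapid7's code, and not the Insight Agent's actual detection logic) showing how a handful of the monitored Security event IDs from the table above map onto four of the alert categories in this list: 1102 to "detection evasion - local event log deletion", 4720 to "new local user account created", and repeated 4625 failures to the two brute-force alerts. The key=value record format, the sample records, the thresholds, and the distinction drawn between the two brute-force alerts (many failures against one account versus failures spread across many accounts on one host) are all assumptions made for this example.

```python
"""Added example: classify constructed Windows Security event records into
alert categories named on the page. The record format, thresholds and
sample data are assumptions for illustration, not Rapid7's detection logic."""
from collections import Counter, defaultdict

# Event IDs from the page's monitored-code table
EVT_LOG_CLEARED = 1102      # audit log cleared
EVT_LOGON_SUCCESS = 4624    # successful logon
EVT_LOGON_FAILED = 4625     # failed logon
EVT_EXPLICIT_CREDS = 4648   # logon using explicit credentials
EVT_USER_CREATED = 4720     # user account created

# Thresholds are assumptions for this example, not product tuning
ACCOUNT_FAILURE_THRESHOLD = 5   # failed logons against one account on one host
ASSET_DISTINCT_ACCOUNTS = 5     # distinct accounts with failures on one host


def parse_line(line):
    """Parse one constructed 'key=value' agent-style record into a dict.
    Values contain no spaces in this toy format; event_id becomes an int."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["event_id"] = int(rec["event_id"])
    return rec


def classify(records, account_threshold=ACCOUNT_FAILURE_THRESHOLD,
             asset_threshold=ASSET_DISTINCT_ACCOUNTS):
    """Return a list of (alert_name, detail) tuples.
    Alert names are the ones listed on the page; details are free text."""
    alerts = []
    failures_per_account = Counter()          # (host, target) -> failed logons
    failed_accounts_per_host = defaultdict(set)  # host -> accounts that failed

    for r in records:
        eid, host = r["event_id"], r["host"]
        if eid == EVT_LOG_CLEARED:
            alerts.append(("detection evasion - local event log deletion",
                           f"{host}: Security log cleared by {r['user']}"))
        elif eid == EVT_USER_CREATED:
            alerts.append(("new local user account created",
                           f"{host}: account {r['target']} created by {r['user']}"))
        elif eid == EVT_LOGON_FAILED:
            failures_per_account[(host, r["target"])] += 1
            failed_accounts_per_host[host].add(r["target"])
        # 4624 and 4648 feed the lateral-movement alerts on the page,
        # which this example deliberately does not model.

    # Many failures against a single account: brute force - local account
    for (host, target), n in sorted(failures_per_account.items()):
        if n >= account_threshold:
            alerts.append(("brute force - local account",
                           f"{host}: {n} failed logons against {target}"))
    # Failures spread across many accounts on one host: brute force - asset
    for host, targets in sorted(failed_accounts_per_host.items()):
        if len(targets) >= asset_threshold:
            alerts.append(("brute force - asset",
                           f"{host}: failed logons against {len(targets)} accounts"))
    return alerts


# Constructed sample records (hosts, users and addresses are made up)
SAMPLE_LOG = """
host=WS01 event_id=4625 target=alice src=10.0.0.5
host=WS01 event_id=4625 target=alice src=10.0.0.5
host=WS01 event_id=4625 target=alice src=10.0.0.5
host=WS01 event_id=4625 target=alice src=10.0.0.5
host=WS01 event_id=4625 target=alice src=10.0.0.5
host=WS01 event_id=4625 target=alice src=10.0.0.5
host=WS02 event_id=4625 target=bob src=10.0.0.9
host=WS02 event_id=4625 target=carol src=10.0.0.9
host=WS02 event_id=4625 target=dave src=10.0.0.9
host=WS02 event_id=4625 target=erin src=10.0.0.9
host=WS02 event_id=4625 target=frank src=10.0.0.9
host=WS03 event_id=4720 user=admin target=svc_backup
host=WS03 event_id=1102 user=admin
host=WS03 event_id=4624 user=admin src=10.0.0.2
"""


def run_sample():
    """Parse and classify the constructed sample; used by the demo below."""
    records = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return classify(records)


if __name__ == "__main__":
    for name, detail in run_sample():
        print(f"{name}: {detail}")
```

Running the block prints four alerts: the new local account and the log clear on WS03, the single-account brute force on WS01, and the asset-level brute force on WS02; the successful 4624 logon produces nothing on its own, which is the point of keeping the lateral-movement alerts out of scope here.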

