Insight Agent Help has been moved!
See our new Insight Agent Help pages for complete agent installation and deployment documentation for all your Insight products.
You can utilize the Insight Agent in two specific ways: scan mode and persistent mode.
Persistent Mode is the normal Insight Agent that you download on your assets, with minimum bandwidth impact and the ability to provide real time updates.
Scan mode, or Endpoint Monitoring, is exclusive to InsightIDR as an “agentless scan” that deploys along the Collector instead of through installed software. Learn more about the Endpoint Monitoring.
MDR Customers must install the "persistent" Insight Agent on at least 80% of assets.
MDR Customers cannot use scan mode ranges in their environment.
1102, 4624, 4625, 4648, 4720
Security logs when running on a Domain Controller*
1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728, 4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769
*Note that users must opt in to collect Security Event Logs from the Domain Controller. Contact support for more information.
In addition to monitoring, the data provided by the Insight Agent contributes to the following alerts:
- brute force - asset
- brute force - local account
- detection evasion - event log deletion
- detection evasion - local event log deletion
- endpoint threat intelligence match
- exploit mitigated
- flagged hash on asset
- flagged process on asset
- honey file accessed
- kerberos privilege elevation exploit
- lateral movement - local administrator impersonation
- lateral movement - local credentials
- local honey credential privilege escalation attempt
- malicious hash on asset
- new local user account created
- protocol poisoning detected
- remote file execution detected