Hi there, I'm new to the advanced log search functionality in InsightIDR. I'm looking to use log search to identify where a domain service account may be used across our monitored estate. Would anyone have any suggestions on a good way to do this? I'm looking to change service account passwords, but I'm trying to determine the impact of making that change. So given that InsightIDR is recording the event log data, and I have the agent on all my domain controllers, this information should be within our dataset? For example, searching for something like: where(eventcode=4624 AND destination_account = "service_account_id") I can't seem to get the right syntax for it to display. Ideally I'd like to be able to get it into a format which would group by asset, so that I can track down where that account is being used. Even better would be to be able to get that 'grouped by' table and put it into a dashboard. Any guidance you have would be very much appreciated.
Posted by Paul Deasy 4 days ago
I have been trying to deploy the IDR agent using GPO with no luck. I turned on debugging and the installer cannot find the configuration files. I have followed the guide here: https://insightagent.help.rapid7.com/docs/mass-deployments#section-microsoft-group-policy

Here is the error:
Failure: One or more of the following files were not found: config.json, cafile.pem, client.crt, client.key. Make sure you locate these files in the same directory as the installer.

I also used ADSI Edit to add the additional files as follows to the msiFileList variable:
0:\\fs01\Software Deployment\agentInstaller-x86_64.msi
1:\\fs01\Software Deployment\config.json
2:\\fs01\Software Deployment\client.key
3:\\fs01\Software Deployment\client.crt
4:\\fs01\Software Deployment\cafile.pem

Has anyone deployed this successfully with a GPO? Thanks!
Posted by Phil 14 days ago
We installed InsightIDR a week ago, and we have configured 2 SQL database servers as Event Sources. These worked for only a few hours yesterday. From noon onwards, the error "Unknown error: com.rapid7.net.wmi.exception.WMIException" is showing. Can you please help? #insightidr
Posted by David Spiteri about a month ago
In my InsightIDR portal, I enter the username in the search bar at the top, find the name in the dropdown provided and click, and nothing happens. I can't get to User Details at all. One other department member said he experienced this as well. Using both Chrome and Firefox. Nothing listed in the forums. Anyone have problems searching for users in InsightIDR?
Posted by Kevin Lanning about a month ago
Created a couple of honey files. Agent existed on the system prior to their creation. Correct event auditing already configured and confirmed. Configured in Insight with the actual path on the server as the agent would see it. Accessed the files from a network share, modified them, zipped them into an archive. No alerts. Anyone working with these? Did I miss a step?

1. Install the Insight Agent on the Windows server hosting a network file share. DONE
2. Enable the Audit Detailed File Share logging (if it is not already enabled). This can be configured in group policy or in the system's Local Security Policy. DONE
3. Create a new file in the desired location on the network file share. The file can be of any type, name, or content. DONE
4. Make note of the full path to the file. DONE
5. From your InsightIDR homepage, select Settings on the left menu. Find and select Honey Files in the list. Click the Add a New Honey File button in the top right corner. DONE
6. A panel will appear. Enter the full local path to the file, as the Insight Agent would see it. Select the asset that you previously configured. DONE
7. Click Add. DONE

Test fails. No alerts generated.
Posted by Kerry LeBlanc 2 months ago
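The post above enables "Audit Detailed File Share" and registers a honey file by its server-local path. As an added example (not code from the post, and not Rapid7's implementation, which the page does not show), here is the matching logic such a detection needs, run over constructed Windows event records: event ID 5145 is what that audit subcategory writes for share access, and its ShareLocalPath plus RelativeTargetName must be rebuilt into the local path before it can be compared with the registered honey file. The sample events and the honey-file path are constructed for the example; the asset and user names are invented.

```python
"""Added example, not code from the original post or from Rapid7.

Matches Windows "Detailed File Share" audit events (event ID 5145, the
subcategory the post enables) against a list of honey-file paths, the way a
detection would on the event stream the agent ships. The field names are
the ones Windows writes into a 5145 event; the sample records are
constructed, and how InsightIDR itself evaluates honey files is not shown
on the page and is not reproduced here.
"""
import ntpath

# Constructed sample events (not real log data), flattened to dicts.
# Event 1: read of the honey file over the share (a copy or zip looks like this).
# Event 2: read of a neighbouring, non-honey file.
# Event 3: a local 4663 object-access event; file-share auditing never sees
#          local access, which is why a "test" from the server console itself
#          produces no share event at all.
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.21",
     "ShareName": r"\\*\Finance", "ShareLocalPath": r"C:\Shares\Finance",
     "RelativeTargetName": r"Q4\payroll_backup.xlsx", "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.21",
     "ShareName": r"\\*\Finance", "ShareLocalPath": r"C:\Shares\Finance",
     "RelativeTargetName": r"Q4\budget.xlsx", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "svc_backup",
     "ObjectName": r"C:\Shares\Finance\Q4\payroll_backup.xlsx",
     "AccessMask": "0x1"},
]

# Honey files are registered by the local path the agent sees, as the post says.
HONEY_FILES = {r"C:\Shares\Finance\Q4\payroll_backup.xlsx"}


def local_path(event):
    """Rebuild the server-local path from a 5145 event's share path and
    relative target, using Windows path rules regardless of host OS."""
    return ntpath.normpath(ntpath.join(event["ShareLocalPath"],
                                       event["RelativeTargetName"]))


def honey_file_hits(events, honey_files):
    """Return one hit per 5145 event whose resolved local path is a honey file.
    Comparison is case-insensitive, as NTFS paths are."""
    wanted = {ntpath.normcase(ntpath.normpath(p)) for p in honey_files}
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145:
            continue
        path = local_path(ev)
        if ntpath.normcase(path) in wanted:
            hits.append({
                "path": path,
                "user": ev.get("SubjectUserName"),
                "source_ip": ev.get("IpAddress"),
                "access_mask": ev.get("AccessMask"),
            })
    return hits


def share_audit_present(events):
    """First thing to check when a honey-file test is silent: if the stream
    holds no 5145 at all, the Detailed File Share subcategory is not
    producing events (or the access was local), and no path match can fire."""
    return any(ev.get("EventID") == 5145 for ev in events)


if __name__ == "__main__":
    if not share_audit_present(SAMPLE_EVENTS):
        print("no 5145 events seen: check Audit Detailed File Share")
    for hit in honey_file_hits(SAMPLE_EVENTS, HONEY_FILES):
        print("honey file touched:", hit)
```

The practical check this encodes: before suspecting the honey-file configuration, confirm that 5145 events for the share are actually reaching the collector at all, and that the test access went over the share (a UNC path from another host) rather than through the local filesystem on the file server, which only ever produces 4663.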
where( /4624/ OR /4625/ OR /4678/ OR /4769/ OR /4776/ OR /4672/ AND destination_account != "idr_admin") I am trying to eliminate the idr_admin account from the results, but when I run it, I still have that account listed in the returned results. What am I missing?
Posted by Kerry LeBlanc 4 months ago
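Two of the posts above ask closely related questions: the first wants every asset on which a service account authenticates (grouped by asset, to judge the impact of a password change), and the one just above wants an account excluded from an OR-chain of event codes but still sees it in the results. The following is an added example, not code from either post and not Rapid7's query engine, that runs both over constructed records in Python. The field names (event_code, destination_account, hostname, logon_type, source_address) are assumed for the samples and should be checked against the keys your DC logs actually show in Log Search; the account and host names are invented. The precedence it demonstrates is Python's, where AND binds tighter than OR; that LEQL resolves the posted query the same way is an assumption to verify in the product.

```python
"""Added example, not code from the original posts or from Rapid7.

Two things from the posts above, run over constructed sample records:
  1. everywhere an account authenticated (4624), grouped by asset, with the
     logon type and source kept so the impact of a password change can be
     judged (type 5 = service logon, 4 = batch/scheduled task, 3 = network,
     10 = remote interactive);
  2. why "A OR B OR C AND NOT X" still returns X: AND binds tighter than OR,
     so the exclusion only attaches to the last OR term.
Field names are assumed for the samples; the precedence shown is Python's,
and whether LEQL parses the posted query the same way is an assumption.
"""
from collections import defaultdict

LOGON_CODES = {4624, 4625, 4678, 4769, 4776, 4672}   # the codes in the post

# Constructed sample records, not real log data.
SAMPLE = [
    {"event_code": 4624, "destination_account": "svc_backup", "hostname": "dc01",
     "logon_type": 3, "source_address": "10.0.5.10"},
    {"event_code": 4624, "destination_account": "svc_backup", "hostname": "sql02",
     "logon_type": 5, "source_address": "-"},
    {"event_code": 4769, "destination_account": "svc_backup", "hostname": "dc01",
     "logon_type": None, "source_address": "10.0.5.10"},
    {"event_code": 4624, "destination_account": "idr_admin", "hostname": "dc01",
     "logon_type": 10, "source_address": "10.0.9.4"},
    {"event_code": 4672, "destination_account": "idr_admin", "hostname": "dc01",
     "logon_type": None, "source_address": "-"},
    {"event_code": 4625, "destination_account": "jdoe", "hostname": "ws17",
     "logon_type": 2, "source_address": "-"},
]


def usage_by_asset(events, account):
    """Successful logons (4624) for `account`, grouped by the asset that logged
    them. Logon types and sources tell you whether a host runs a service or
    scheduled task under the account (type 5 or 4) or merely sees network
    logons from it (type 3); the former is what a password rotation breaks."""
    by_asset = defaultdict(lambda: {"count": 0, "logon_types": set(), "sources": set()})
    for ev in events:
        if ev["event_code"] != 4624:
            continue
        if ev["destination_account"].lower() != account.lower():
            continue
        slot = by_asset[ev["hostname"]]
        slot["count"] += 1
        slot["logon_types"].add(ev["logon_type"])
        slot["sources"].add(ev["source_address"])
    return dict(by_asset)


def filter_as_posted(events, excluded):
    """Literal transcription of the posted query's boolean structure:
    c1 OR c2 OR c3 OR c4 OR c5 OR (c6 AND account != excluded)."""
    out = []
    for ev in events:
        c = ev["event_code"]
        if (c == 4624 or c == 4625 or c == 4678 or c == 4769 or c == 4776
                or c == 4672 and ev["destination_account"] != excluded):
            out.append(ev)
    return out


def filter_grouped(events, excluded):
    """What was meant: (c1 OR ... OR c6) AND account != excluded."""
    return [ev for ev in events
            if ev["event_code"] in LOGON_CODES
            and ev["destination_account"] != excluded]


if __name__ == "__main__":
    for asset, info in sorted(usage_by_asset(SAMPLE, "svc_backup").items()):
        print(asset, info)
    leaked = [e for e in filter_as_posted(SAMPLE, "idr_admin")
              if e["destination_account"] == "idr_admin"]
    print("idr_admin rows that survive the posted query:", len(leaked))
    kept = [e for e in filter_grouped(SAMPLE, "idr_admin")
            if e["destination_account"] == "idr_admin"]
    print("idr_admin rows after grouping the OR terms:", len(kept))
```

In the sample the 4624 row for idr_admin survives the literal transcription because the first OR term is already true before the AND is ever evaluated; only the 4672 row is dropped. Wrapping the OR group in parentheses before the AND, assuming LEQL honours parentheses the way most query languages do, is the fix to try for the posted query, and the grouped-by-asset output with logon types is the table the first post wants to put on a dashboard.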
Hi, fairly new to InsightIDR so apologies if I'm missing something. I have set up an ActiveSync & OWA Event Source according to the tutorial in the help section, and it is running OK, but I want to check it is actually working. I can't see anything in the Raw Logs. It has been running now for around 2 hours. I have OWA disabled by default, so I was wondering if an alert would be triggered if I attempted to connect to it multiple times? Or does it not work like that? ActiveSync is turned on so I would expect to see something here. There are logs in the folder that I have specified, and the folder is shared out with the same credentials as were set in the Event Source. I also have a similar issue with an event source on my Kaspersky Security Center. That's been running OK for 2 weeks but no logs? I feel I am missing something? Thanks, Matthew
Posted by Matthew Hinchliffe 4 months ago
I am looking for some advice on monitoring for SQL events using InsightIDR. I have already set up the SQL server to allow IDR to get the events, and I see them in the raw logs on IDR, but I am not sure what the proper format is for queries. It seems like everything I run returns no results, but I can see the data in the Log Search screen when I do not put anything in the query text box. Any help would be appreciated. Thanks!
Posted by Ron Gallimore 5 months ago
Can I move event sources to a second collector to offload some work? I have a second collector just installed in a remote location and I want it to capture the events local to it. I do not see any way to transfer the resources over. I do not want to move all of them, just the international ones to the new collector. Will it screw up existing records? Any way to do it or do I need to delete them and then add to the new one?
Posted by Kerry LeBlanc 5 months ago
I have domain controllers trying to connect to the network honeypot; below are a few examples. Is this normal behavior? Thanks.

Honeypot Connection: mrodc01.servers.ipswitch.com attempted to connect to the network honeypot on port 58375 3 time(s) over UDP using a datagram packet, starting at Feb 26, 2019 6:58:16 PM and ending at Feb 26, 2019 6:58:23 PM
Honeypot Connection: mrodc01.servers.ipswitch.com attempted to connect to the network honeypot on port 50263 3 time(s) over UDP using a datagram packet, starting at Feb 26, 2019 6:58:27 PM and ending at Feb 26, 2019 6:58:34 PM
Honeypot Connection: mrodc01.servers.ipswitch.com attempted to connect to the network honeypot on port 54361 3 time(s) over UDP using a datagram packet, starting at Feb 26, 2019 6:58:16 PM and ending at Feb 26, 2019 6:58:23 PM
Posted by Robert York 7 months ago
Has anyone actually been able to do this? The documentation below is BEYOND terrible. Does not make Rapid7 look good as a SIEM, especially next to Splunk whose documentation is, you know, helpful. https://insightidr.help.rapid7.com/docs/splunk#section-data-source
Posted by Jeff Smithwick 7 months ago
I have a system called Squared Up that I use to interface with some other systems for dashboarding. I have been looking around trying to find a web API for Insight IDR but I haven't found one. Does this exist, and if not, can we get this added please? I'd like to be able to have a dashboard in my tool that displays alerts from SCOM and our Citrix NetScalers as well as display certain saved reports from IDR (AD/Exchange/Security related). This functionality would be fantastic. Otherwise, we will have an extra system to have to log into and sort through rather than being able to just use one. Thanks. Gary
Posted by Gary Jackson about a year ago
Hello, we are running a POC of InsightIDR and we are getting the following message (in bootstrap.log) when we try to activate a collector.

Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: RegistrationManager attempting to connect to the server: https://eu.data.insight.rapid7.com/api/1/collector/register
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: **** Agent key for this Collector is: 311aa03d-7c6f-446b-a015-c85a113b4ff8
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger error
SEVERE: Registration process failed with exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at java.net.URL.openStream(Unknown Source)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.registerWithServer(RegistrationManager.java:203)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.doRegister(RegistrationManager.java:108)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.checkRegistration(RegistrationManager.java:72)
    at com.rapid7.razor.collector.bootstrap.impl.BootstrapProcess.call(BootstrapProcess.java:46)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Wireshark gives me:
59 30.875484 my collector ip my proxy ip TLSv1.2 61 Alert (Level: Fatal, Description: Certificate Unknown)

We have allowed SSL pass-through and the server can get to the site. Any ideas?
Posted by Martin Austin about a year ago
Has anyone tried to utilize the Exchange transport in Insight IDR with Exchange 2010? I know that the official stance is that it is not supported; however, I would like to know if anyone has tried it, if it worked, or if it blew up their Exchange 2010 server.
Posted by Jack Rider about a year ago