Created a couple of honey files. Agent existed on the system prior to their creation. Correct event auditing already configured and confirmed. Configured in Insight with actual path on server as agent would see it. Accessed files from network share, modified them, zipped them into an archive. No alerts. Anyone working with these? Did I miss a step?

Install the Insight Agent on the Windows server hosting a network file share. DONE
Enable the Audit Detailed File Share logging (if it is not already enabled). This can be configured in group policy or in the system's Local Security Policy. DONE
Create a new file in the desired location on the network file share. The file can be of any type, name, or content. DONE
Make note of the full path to the file. DONE
From your InsightIDR homepage, select Settings on the left menu. Find and select Honey Files in the list. Click the Add a New Honey File button in the top right corner. DONE
A panel will appear. Enter the full local path to the file, as the Insight Agent would see it. Select the asset that you previously configured. DONE
Click Add. DONE

Test fails. No alerts generated.
Posted by Kerry LeBlanc 7 days ago
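For anyone checking the plumbing behind this kind of honey file, the following is an added illustration (not Rapid7 code and not part of the post above) of how an alert is derived from the Windows "Audit Detailed File Share" events (Event ID 5145) that the checklist enables. A 5145 event carries the share's local path (Share Path, prefixed with the \??\ device prefix) and the accessed object relative to the share (Relative Target Name); joining the two gives the server-local path that must match what was configured. The events are constructed samples reduced to the fields the check needs, and the field names follow the event's XML names.

```python
"""
Added illustration (not Rapid7 code and not part of the original post): deriving a
honey-file hit from Windows Detailed File Share events (Event ID 5145).
The sample events below are constructed.
"""
from pathlib import PureWindowsPath

# Low bits of the 5145 Access Mask that matter for a honey file (Windows file access rights).
ACCESS_BITS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x10000: "DELETE"}

# Constructed samples: a read and a write of the honey file over the share, an unrelated
# file access, and a share-connect event (5140) that is not a file access at all.
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": r"\\*\Finance",
     "SharePath": r"\??\C:\Shares\Finance", "RelativeTargetName": r"honey\Q3-budget.xlsx",
     "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": r"\\*\Finance",
     "SharePath": r"\??\C:\Shares\Finance", "RelativeTargetName": r"honey\Q3-budget.xlsx",
     "AccessMask": "0x2"},
    {"EventID": 5145, "SubjectUserName": "svc_backup", "ShareName": r"\\*\Finance",
     "SharePath": r"\??\C:\Shares\Finance", "RelativeTargetName": r"reports\2019.pdf",
     "AccessMask": "0x1"},
    {"EventID": 5140, "SubjectUserName": "jdoe", "ShareName": r"\\*\Finance",
     "SharePath": r"\??\C:\Shares\Finance"},
]

DEVICE_PREFIX = "\\??\\"   # the NT object-manager prefix 5145 puts in front of Share Path


def local_path_from_5145(event):
    """Rebuild the server-local path of the accessed object from a 5145 event."""
    share_path = event["SharePath"]
    if share_path.startswith(DEVICE_PREFIX):
        share_path = share_path[len(DEVICE_PREFIX):]
    return PureWindowsPath(share_path, event["RelativeTargetName"])


def normalize(path):
    """Windows paths are case-insensitive, so compare a canonical, case-folded form."""
    return str(PureWindowsPath(path)).casefold()


def honey_file_hits(events, honey_files):
    """Return one hit per 5145 event whose rebuilt local path is a configured honey file."""
    wanted = {normalize(p) for p in honey_files}
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145:          # only file-level share access counts
            continue
        local = local_path_from_5145(ev)
        if normalize(local) not in wanted:
            continue
        mask = int(ev["AccessMask"], 16)
        rights = [name for bit, name in ACCESS_BITS.items() if mask & bit]
        hits.append({"user": ev["SubjectUserName"], "path": str(local), "rights": rights})
    return hits


if __name__ == "__main__":
    # Configured the way the checklist says: the local path as the agent sees it.
    for hit in honey_file_hits(SAMPLE_EVENTS, [r"C:\Shares\Finance\honey\Q3-budget.xlsx"]):
        print(hit)
```

Two things this makes visible when a test like the one above produces nothing: 5145 is only written for access that comes through the share (a local copy or zip on the server itself never produces it, which needs object-access auditing with a SACL instead), and the configured path has to equal Share Path plus Relative Target Name after the \??\ prefix is dropped, so a mismatch in drive letter, junction or DFS root silently matches nothing.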
Using the pre-built RESTRICTED ASSET AUTHENTICATION - NEW USER alert. I want to make a custom alert that will only notify on Interactive logins. How would I go about getting this setup in IDR? Kind regards,
Posted by Alan Ngo about a month ago
where( /4624/ OR /4625/ OR /4678/ OR /4769/ OR /4776/ OR /4672/ AND destination_account != "idr_admin") I am trying to eliminate the idr_admin account from the results, but when I run it, I still have that account listed in the returned results. What am I missing?
Posted by Kerry LeBlanc 2 months ago
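The usual cause of a filter like this keeping an account it was meant to drop is operator precedence: with AND binding tighter than OR, the exclusion attaches only to the last term (/4672/), and every other event code passes through regardless of account. The block below is an added illustration, not Rapid7 code and not part of the post above: a small evaluator covering only the pieces of the where() clause used here (regex terms, field comparisons, AND/OR, parentheses) that runs the query as written and an explicitly grouped version over constructed events. It assumes that AND binds tighter than OR, which is the common convention; even if LEQL's grammar differs, the fix of making the grouping explicit with parentheses removes the ambiguity either way.

```python
"""
Added illustration (not Rapid7 code, not part of the original post): a tiny evaluator
for a where() filter, used to show the effect of AND/OR precedence on an exclusion.
Assumes AND binds tighter than OR. Events below are constructed.
"""
import re

TOKEN_RE = re.compile(r'''\s*(?:
    (?P<regex>/(?:[^/\\]|\\.)*/)                      |   # /pattern/, searched in the raw line
    (?P<lparen>\()                                    |
    (?P<rparen>\))                                    |
    (?P<op>AND|OR)\b                                  |
    (?P<cmp>[A-Za-z_][\w.]*\s*(?:!=|=)\s*"[^"]*")     # field = "value" or field != "value"
)''', re.VERBOSE)


def tokenize(query):
    """Strip the where( ... ) wrapper and split the body into typed tokens."""
    text = query.strip()
    if text.startswith("where(") and text.endswith(")"):
        text = text[len("where("):-1].strip()
    pos, tokens = 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {text[pos:pos + 20]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: expr = term (OR term)*, term = factor (AND factor)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None:
            raise ValueError("trailing tokens after expression")
        return node

    def expr(self):                          # OR: lowest precedence
        node = self.term()
        while self.peek() == ("op", "OR"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):                          # AND: binds tighter than OR
        node = self.factor()
        while self.peek() == ("op", "AND"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        kind, val = self.take()
        if kind == "lparen":
            node = self.expr()
            if self.take()[0] != "rparen":
                raise ValueError("expected )")
            return node
        if kind == "regex":
            return ("regex", re.compile(val[1:-1]))
        if kind == "cmp":
            field, op, value = re.match(r'([\w.]+)\s*(!=|=)\s*"([^"]*)"', val).groups()
            return ("cmp", field, op, value)
        raise ValueError(f"unexpected token {kind} {val!r}")


def evaluate(node, event):
    """Evaluate a parsed tree against one event ({'raw': line, <field>: value, ...})."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "regex":
        return node[1].search(event["raw"]) is not None
    _, field, op, value = node
    actual = event.get(field)
    return actual == value if op == "=" else actual != value


# Constructed events: the same codes with and without the account to be excluded.
EVENTS = [
    {"raw": "EventID=4624 logon", "destination_account": "idr_admin"},
    {"raw": "EventID=4624 logon", "destination_account": "jdoe"},
    {"raw": "EventID=4672 special privileges", "destination_account": "idr_admin"},
    {"raw": "EventID=4672 special privileges", "destination_account": "jdoe"},
    {"raw": "EventID=4688 process creation", "destination_account": "idr_admin"},
]
AS_WRITTEN = 'where( /4624/ OR /4625/ OR /4678/ OR /4769/ OR /4776/ OR /4672/ AND destination_account != "idr_admin")'
GROUPED = 'where( (/4624/ OR /4625/ OR /4678/ OR /4769/ OR /4776/ OR /4672/) AND destination_account != "idr_admin")'


def matching_accounts(query, events):
    """Accounts of the events the query keeps, in input order."""
    tree = Parser(tokenize(query)).parse()
    return [e["destination_account"] for e in events if evaluate(tree, e)]


if __name__ == "__main__":
    print("as written:", matching_accounts(AS_WRITTEN, EVENTS))
    print("grouped:   ", matching_accounts(GROUPED, EVENTS))
```

Run as is, the query as written still returns idr_admin for the 4624 event and only drops it for 4672; the grouped query drops idr_admin for every code. For a detection filter the grouped form is the safer default, since a precedence mistake here widens or narrows what reaches an alert without any error being raised.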
Hi, Fairly new to InsightIDR so apologies if I'm missing something. I have set up an ActiveSync & OWA Event Source according to the tutorial in the help section, and it is running OK, but I want to check it is actually working. I can't see anything in the Raw Logs. It has been running now for around 2 hours. I have OWA disabled by default so was wondering if an alert would be triggered if I attempted to connect to it multiple times? Or does it not work like that? ActiveSync is turned on so I would expect to see something here. There are logs in the folder that I have specified and the folder is shared out with the same credentials as were set in the Event Source. I also have a similar issue with an event source on my Kaspersky Security Centre. That's been running OK for 2 weeks but no logs? I feel I am missing something? Thanks Matthew
Posted by Matthew Hinchliffe 2 months ago
I am looking for some advice on monitoring for SQL events using InsightIDR. I already set up the SQL server to allow IDR to get the events and I see them in the raw logs on IDR but I am not sure what the proper format is for queries. It seems like everything I run returns no results but I can see the data in the Log Search screen when I do not put anything in the query text box. Any help would be appreciated. Thanks!
Posted by Ron Gallimore 3 months ago
Can I move event sources to a second collector to offload some work? I have a second collector just installed in a remote location and I want it to capture the events local to it. I do not see any way to transfer the resources over. I do not want to move all of them, just the international ones to the new collector. Will it screw up existing records? Any way to do it or do I need to delete them and then add to the new one?
Posted by Kerry LeBlanc 4 months ago
I have Domain controllers trying to connect to the network honeypot. Below are a few examples. Is this normal behavior? thanks

mrodc01.servers.ipswitch.com attempted to connect to the network honeypot on port 58375 3 time(s) over UDP using a datagram packet, starting at Feb 26, 2019 6:58:16 PM and ending at Feb 26, 2019 6:58:23 PM
o Honeypot Connection
mrodc01.servers.ipswitch.com attempted to connect to the network honeypot on port 50263 3 time(s) over UDP using a datagram packet, starting at Feb 26, 2019 6:58:27 PM and ending at Feb 26, 2019 6:58:34 PM
o Honeypot Connection
mrodc01.servers.ipswitch.com attempted to connect to the network honeypot on port 54361 3 time(s) over UDP using a datagram packet, starting at Feb 26, 2019 6:58:16 PM and ending at Feb 26, 2019 6:58:23 PM
Posted by Robert York 5 months ago
Has anyone actually been able to do this? The documentation below is BEYOND terrible. Does not make Rapid7 look good as a SIEM, especially next to Splunk whose documentation is, you know, helpful. https://insightidr.help.rapid7.com/docs/splunk#section-data-source
Posted by Jeff Smithwick 5 months ago
I have a system called Squared Up that I use to interface some other systems for dashboarding. I have been looking around trying to find a webapi for Insight IDR but I haven't found one. Does this exist and if not, can we get this added please? I'd like to be able to have a dashboard in my tool that displays alerts from SCOM and our Citrix Netscalers as well as display certain saved reports from IDR (AD/Exchange/Security related). This functionality would be fantastic. Otherwise, we will have an extra system to have to log into and sort through rather than being able to just use one. Thanks. Gary
Posted by Gary Jackson about a year ago
Hello, We are running a POC of InsightIDR and we are getting the following message (in bootstrap.log) when we try and activate a collector.

Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: RegistrationManager attempting to connect to the server: https://eu.data.insight.rapid7.com/api/1/collector/register
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: **** Agent key for this Collector is: 311aa03d-7c6f-446b-a015-c85a113b4ff8
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger error
SEVERE: Registration process failed with exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
	at java.net.URL.openStream(Unknown Source)
	at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.registerWithServer(RegistrationManager.java:203)
	at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.doRegister(RegistrationManager.java:108)
	at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.checkRegistration(RegistrationManager.java:72)
	at com.rapid7.razor.collector.bootstrap.impl.BootstrapProcess.call(BootstrapProcess.java:46)
	at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Wireshark gives me a
59 30.875484 my collector ip my proxy ip TLSv1.2 61 Alert (Level: Fatal, Description: Certificate Unknown)

We have allowed SSL pass through and the server can get to the site. Any ideas?
Posted by Martin Austin about a year ago
Has anyone tried to utilize the Exchange transport in Insight IDR with Exchange 2010? I know that the official stance is that it is not supported; however, I would like to know if anyone has tried it, if it worked, or if it blew up their Exchange 2010 server.
Posted by Jack Rider about a year ago