Insight Platform Quick Start Guide

January 28, 2023 | Author: Anonymous | Category: N/A
InsightIDR Quick Start Guide

 

Contents

Revision history  4
Getting started with InsightIDR  5
Protecting your data with InsightIDR  5
Protecting your users with InsightIDR  5
Getting help  5
Gaining visibility into user activity  7
Planning your Collector deployment  9
Identifying Event Sources  12
User Attribution Event Sources  13
Configuring LDAP  14
Configuring Active Directory (AD)  18
Listen for Syslog  21
Log Aggregator  22
WMI  24
Configuring DHCP  25
Data Collection methods  28
Configuring Event Sources  30
Copying Event Sources to a Collector  34
Deleting a Collector  37
Data Collection  40
Data Collection Metrics  40
Setting an Intruder Trap  43
Honey Pots  44
Honey Users  45
Best Practices  47
Managing Honey Pots  47
Setup Data Exporter  48
Managing Exporters  49
Settings  51
Incident settings  52
User settings  53
Event Sources settings  55
Credential settings  56
Application settings  58
Incident modifications  59
Asset settings  60
Honey Users  60
Export Data  61
Static IP ranges  62
Unmanaged IP ranges  63
Network Zones  64
Network Policies  66
Tagged Domains  68
Unknown IP addresses  70
Running agents  70
General troubleshooting tips  71
Supported Event Sources  73
Event Source Categories  73
Supported Event Sources  74
Troubleshooting Endpoint Monitoring  79

 

Revision history

Date | Revision
May 10, 2016 | Created
August 29, 2016 | Published to Community

Revision history

 

4

 

Getting started with InsightIDR

Protecting your data with InsightIDR

InsightIDR monitors authentication activity and provides customizable incidents to monitor access to sensitive systems and environments deemed important from a security or business perspective. Rules can be tailored to white- or blacklist users or user groups and to monitor access to individual assets or entire network ranges. This helps businesses identify unauthorized access from external and/or internal threats. Furthermore, these controls help enforce both internal and external policy compliance.

Protecting your users with InsightIDR

InsightIDR is a security tool that begins and ends with the user in mind. It focuses on user accounts, which are the most common targets for sophisticated attacks, while most tools focus on assets, executables, or packet signatures. InsightIDR automatically analyzes and correlates user accounts with assets, network activity, and data from other security tools in your environment, looking for irregular behavior and known indicators of compromise. Activity that may be indicative of a breach generates an incident, which contains not only user data but also the aforementioned asset data, so that, in the event of a breach, security teams have a more complete picture of not just what was involved, but who was responsible, when the event happened, and where the intruder is headed next.

Getting help

The InsightIDR technical support team is available to help you with any questions you may have. For assistance, visit the Rapid7 Support page, www.rapid7.com/support, or send an e-mail request to [email protected].


Figure: Rapid7 support page

For additional information, go to Security Street, the Rapid7 online community Web site, where you will find InsightIDR users and others who are interested in data security. The site also hosts documentation, blogs, and user comments related to InsightIDR and other security products.

Figure: InsightIDR community


Gaining visibility into user activity

InsightIDR allows you to gain control of the vast amount of user activity data available from devices that manage your network. Track the network resources your users are working on, the devices they are using, and even the cloud services they are visiting. If you have concerns about a web site, Web service, or mobile device, you can tell at a glance which accounts are using it. The quality of information available in InsightIDR is determined by the configuration of your data sources (see Planning your Collector deployment on page 9 and User Attribution Event Sources on page 13).

Figure: InsightIDR overview

Collectors aggregate and transmit data from Event Sources to InsightIDR, which runs analytics and populates views in the Web application. Event Sources provide log data from devices that access your corporate network from anywhere in the world. In order to obtain access to this log data, the InsightIDR Collector requires domain administrator credentials that have permission to read the Active Directory and Windows Endpoint log files. The InsightIDR Collector is hosted on-premise in the customer's environment, and credentials are never readable anywhere outside the Collector on the corporate network. The log files are passed through a filter before the data is transmitted to ensure that only the most necessary information is uploaded to the hardened InsightIDR backend for analysis.


To prepare your network to work with InsightIDR, identify a server or virtual machine where you will deploy your Collector, and then identify the Event Sources that will provide user activity data from your network.


Planning your Collector deployment

The Collector is a machine on your network running Rapid7 software that either polls data or receives data that is pushed from Event Sources and makes it available for InsightIDR analysis. An Event Source represents a single device that sends logs to the Collector. For example, if you have three firewalls, you will have one Event Source for each firewall in the Collector. The Collector is the on-premise component of InsightIDR and is responsible for gathering endpoint data. Note that it is oftentimes more efficient to deploy multiple Collectors throughout an environment rather than break firewall rules or overload a single Collector. Treat your Collectors as you would any other highly valuable asset – credentials for the various Event Sources you configure are stored on this device.

A Collector can be installed on a network server or virtual machine that meets the following requirements:

- Operating system: Linux 64-bit or Windows 64-bit
- Minimum hardware: 4 GB RAM and 60 GB disk space
- 2 CPUs recommended
- CPU: 1 CPU per 16,000 endpoints scanned by the Endpoint Scan
- Minimum network bandwidth: 100 Mbps network (recommended), 1000 Mbps (strongly recommended)

There can only be one Collector installed per machine on your network. Rapid7 strongly recommends that the machine (physical or virtual) is dedicated to running the Collector.


Figure: Collectors, foundational sources, and additional sources

Begin by configuring multiple Event Sources on a single Collector. Later, you can add Collectors as needed. For example, you may need to distribute the bandwidth across your network if you have very high logging levels or if your network is geographically dispersed. To plan your Collector deployment, have the following information available for each server or virtual machine where you will install the Collector:

- display name
- network location
- server host name and IP address

You must have administrator rights to install a service on the server. The following process pairs the Collector installed in your network to Amazon Web Services (AWS), where the InsightIDR servers are hosted. Note that no credentials are stored in AWS, and raw logs are stripped by the Collector in your environment so that no sensitive data (i.e., PII, medical records, etc.) is stored by Rapid7.


1. Configure firewall/web proxy rules to allow the Collector to reach https://data.insight.rapid7.com and https://s3.amazonaws.com. If you have a firewall or web proxy that restricts outgoing connections, you need to grant permission for the Collector to be able to connect to the backend servers. Customers deployed in our Frankfurt, Germany instance need to be able to reach https://eu.data.insight.rapid7.com and https://s3.eu-central-1.amazonaws.com.
2. All Collectors must be able to reach out to port 443 to https://endpoint.ingress.rapid7.com (US) or https://eu.endpoint.ingress.rapid7.com (EMEA).
3. Disable the local firewall (if possible).
4. From your desktop, navigate to https://insight.rapid7.com and log in with your InsightIDR credentials (if you do not have credentials, contact a Rapid7 Sales Representative).
5. Download the Collector installer from https://insight.rapid7.com.
6. Copy it to the machine running InsightIDR.
7. Follow the installation wizard.
8. Click Activate Collector, name the Collector, paste the Agent Key, and click Activate.
9. All Collectors must be configured with a fully qualified domain name (e.g. idrcollector23.myorg.com).
10. All endpoints need to be able to communicate back to the Collector via Collector ports:
   - 5508
   - 6608
   - range 20,000 - 30,000
11. Overlapping endpoint monitoring ranges are not allowed. IP addresses or IP ranges defined on Collector A should not be duplicated on Collector B. If this exists, it should be updated before the migration, or those ranges have to be manually updated after the migration.
12. Each Collector can only support one set of endpoint monitoring credentials. A Collector instance will have to be set up for each set of endpoint monitoring credentials.


Identifying Event Sources

Collectors communicate with your network servers and gather data from your server logs to produce a dashboard of user activity data for your security analysts. To ensure complete coverage, take an inventory of your network servers and data logs that you will configure as Event Sources.

View | Event Sources
User details | Microsoft Active Directory, LDAP server logs, Rapid7 Metasploit, Virus scanner, VPN, and Endpoint Monitor
Asset details | Microsoft Active Directory security logs and the DHCP server logs, Nexpose, and Endpoint Monitor
IP address history | Microsoft Active Directory security logs, DHCP server logs
Locations | VPN server logs, Cloud services (e.g. AWS, Box.com), and Microsoft ActiveSync
Services | DNS server logs, firewall, Web proxy, Cloud service - Box.com, Okta, Salesforce, and the Microsoft ActiveSync servers
Incidents | Microsoft Active Directory security logs, DHCP server logs, endpoint monitor, VPN servers (IP address ranges), DNS server logs, Firewall, and the Web proxy
Threats | DNS server logs, Firewall, and the Web proxy

Important: Be sure to identify all of the servers that track user activity on your network and assign them to a Collector. Otherwise, the InsightIDR dashboard may be incomplete, and you will not have access to the data you need to keep your network, and your company's assets, safe. Set up all of your User Attribution Event Sources before you set up any others. InsightIDR provides step-by-step assistance as you set up your data sources.


User Attribution Event Sources

InsightIDR requires log data from three types of event sources to properly attribute all of your organization's events to the users involved. You also need to provide the IP address ranges issued by your VPN appliances.

Note: To measure your progress, you need to provide the total number of servers of each type that you will add to InsightIDR from your network.

The User Attribution event sources to configure are:

- LDAP – Tracks user information essential to link account activity with real users and identify privileged and service accounts.
- DHCP – Tracks IP addresses over time. DHCP logs are required for asset-to-IP correlation.
- Domain Authentication – Tracks all user logons, including both successful and failed logons. Required for effective use of InsightIDR ingress analytics. A domain administrator account is required for each server. These logs are stored in the context of the Microsoft Active Directory.


Configuring LDAP

1. Click Data Collection from the InsightIDR menu.

Figure: Click Data Collection

2. Click Add Event Source from the Setup Event Source menu.

Figure: Setup Event Source dropdown menu

3. The Add Event Source page displays. Click LDAP.


Figure: Click LDAP

4. Select Windows Collector from the Collector dropdown menu.

Figure: Select Windows Collector

5. Select Microsoft Active Directory LDAP from the Event Source dropdown menu.

Figure: Select Microsoft LDAP

6. Check the Timezone box if you want to display only U.S. time zones.

Figure: Timezone check box

7. Select the time zone from the Timezone dropdown menu.


Figure: Timezone menu

8. Enter the server name in the Server field.
9. Enter the user domain in the User Domain field.
10. Enter the refresh rate (in hours) in the Refresh Rate field.
11. Select the Credential from the Credential dropdown menu.

Figure: Credential menu

12. The Username field automatically populates based on the selected credential.
13. The Type field automatically populates based on the selected credential.
14. Enter the credential. In this example, the required credential is a password. The field name reflects the credential type.
15. Optionally, enter the base distinguished name (Base DN) in the Base DN field.
16. Optionally, enter the admin group in the Admin Group field.
17. Click the SAVE button.

 


Figure: LDAP Event Source fields

LDAP automatically mirrors data across all LDAP servers; thus, even if you have multiple LDAP servers, you only need to configure one LDAP event source (unless you have manually disabled the auto-mirror feature).

 


Configuring Active Directory (AD)

1. Click Data Collection from the InsightIDR menu.

Figure: Click Data Collection

2. Click Add Event Source from the Setup Event Source menu.

Figure: Setup Event Source dropdown menu

 


3. The Add Event Source page displays. Click Active Directory.

Figure: Click Active Directory

4. Select Windows Collector from the Collector dropdown menu.

Figure: Select Windows Collector

5. Select Microsoft Active Directory Security Logs from the Event Source dropdown menu.

Figure: Select Microsoft Active Directory Security Logs

6. Check the Timezone box if you want to display only U.S. time zones.

Figure: Timezone check box

 


7. Select the time zone from the Timezone dropdown menu.

Figure: Timezone menu

8. Click the appropriate Collection Method.

Figure: Collection Methods

 


Listen for Syslog

1. Select the Protocol from the Protocol dropdown menu.

Figure: Select Protocol

2. Enter the port number in the Port field.
3. Click the SAVE button.

Figure: Syslog fields

 


Log Aggregator

1. Select the Log Aggregator from the Log Aggregator dropdown menu.

Figure: Select Aggregator

2. Select the Protocol from the Protocol dropdown menu.

Figure: Select Protocol

3. Enter the port number in the Port field.

 


4. Click the SAVE button.

Figure: Log Aggregator fields

 


WMI

1. Enter the server name in the Server field.
2. Enter the user domain in the User Domain field.
3. Select the Credential from the Credential dropdown menu.

Figure: Credential menu

4. The Username field automatically populates based on the selected credential.
5. Enter the credential. In this example, the required credential is a password. The field name reflects the credential type.
6. Click the SAVE button.

Figure: WMI fields

AD Domain Controllers do not mirror data – repeat these steps for each DC in your environment.

 


 

 

Configuring DHCP

Microsoft DHCP

1. On your DHCP server, create a new folder for DHCP logs – we recommend placing this folder on the root C drive (C:\dhcplogs).
2. Once the folder is created, right-click the folder, select Properties-->Sharing-->Advanced Sharing-->Share this folder-->Permissions-->Add… and provide the credentials that will have access to this file (read-only access is adequate).
3. Once the folder is ready, launch the DHCP console and right-click IPv4 in the left pane, then click Properties.
4. Under the Advanced tab, change the Audit log file path destination folder to the new folder you just set up (C:\dhcplogs).
5. Restart the DHCP server to apply changes.
6. From the left panel of the Home page, click Data Collection.
7. Select ADD EVENT SOURCE from the SETUP EVENT SOURCE dropdown menu.

Figure: Setup Event Source dropdown menu

8. The Add Event Source screen displays. Click DHCP.

Figure: Click DHCP


9. Select Windows Collector from the Collector dropdown menu.

Figure: Collector dropdown menu

10. Select Microsoft DHCP from the Event Source dropdown menu.

Figure: DHCP Event Source menu

11. Click Watch Directory under the Collection Method.

Figure: Click Watch Directory

 


12. Enter the FQDN of the DHCP server and the file path to the folder (C:\dhcplogs).

Figure: Watch Folder settings

For more information, refer to the Preparing Microsoft DHCP and DNS for the Insight Platform Collector document.

Other non-Microsoft DHCP sources

1. Ensure the DHCP host is logging all DHCP activity.
2. Configure the DHCP source to send logs to your Collector by specifying it as a syslog server.
3. Use the Listen for Syslog Collection Method to ingest logs over a predetermined port.

 


 

 

Data Collection methods
The following paragraphs describe the most common data collection methods. In some cases, you provide the directory or file location where the Collector can access the server logs. You can specify a local folder path or a Windows UNC (Universal Naming Convention) path to a hosted network drive.

Important: Only those log entries that are added to the file after the Event Source is connected to a Collector are uploaded to InsightIDR.

Watch directory
The watch directory is the network location of a directory where log files are copied. This method monitors a specified directory on a local or remote host and uploads files added to the directory, at 30-second scan intervals. Use this method for log files that roll over to new files, for example, Microsoft DHCP and IIS (Internet Information Services) log files.

Tail file
This is the network location of a tail file where log data is stored. This method watches a specific file written to disk using the equivalent of the UNIX tail command, at 20-second scan intervals. Use this method for log files that are written continuously to a single file, for example, Windows DNS log files.

Listen for Syslog
The TCP or UDP port where syslog events are being forwarded. Many network appliances can be configured to deliver audit logs over syslog to a server. These appliances should be configured to send their logs to a unique port on the Collector where an Event Source has been set up in InsightIDR to ingest the logs. Collectors accept syslog messages over UDP or TCP.

SIEM
In some deployments, a SIEM may already collect data. You can configure your SIEM to send logs to the Collector by selecting the appropriate SIEM under Log Aggregator when configuring the Event Source in InsightIDR.

Honey Pot
A Honey Pot is a virtual server that you can deploy on your network from InsightIDR. The Honey Pot provides a simple way to detect attackers attempting to scan your network. For more information, please refer to the Honey Pot documentation located in the InsightIDR online community.

Endpoint Monitor
The Endpoint Monitor is a unique Event Source in the InsightIDR Collector infrastructure in that it acts as a scanner to query endpoints across the network. The Endpoint Monitor technology ingests this information into InsightIDR without requiring an agent to be installed on the endpoints themselves. For more information, please refer to the Endpoint Monitoring in InsightIDR documentation located in the InsightIDR online community.
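The watch directory and tail file methods described above differ in what they pick up when a log rolls over. The following Python model is an added example, not InsightIDR Collector code: a WatchDirectory returns files that appeared since the last scan (the Microsoft DHCP and IIS case, where a fresh file is started per day), and a TailFile returns lines appended to one file since the last scan (the Windows DNS case) and restarts cleanly when rotation truncates or replaces the file. The class names, file names, sample contents and polling model are constructed for the example.

```python
"""Model of the watch directory and tail file collection methods.

Added example, not InsightIDR Collector code.  A WatchDirectory returns
files that appeared since the last scan (the roll-over case: DHCP and IIS
start a fresh file per day), while a TailFile returns lines appended to one
file since the last scan (the DNS log case) and must cope with the file
being truncated or replaced by log rotation.  File names, contents and the
class layout are constructed assumptions for this example.
"""
import os
import tempfile


class WatchDirectory:
    """Report files added to a directory since the previous scan."""

    def __init__(self, path, suffix=".log"):
        self.path = path
        self.suffix = suffix
        self.seen = set()

    def scan(self):
        """Return newly appeared file paths, as one polling interval would."""
        current = {os.path.join(self.path, name)
                   for name in os.listdir(self.path) if name.endswith(self.suffix)}
        new = sorted(current - self.seen)
        self.seen |= current
        return new


class TailFile:
    """Return lines appended to a single file since the previous scan."""

    def __init__(self, path):
        self.path = path
        self.offset = 0       # byte position already consumed
        self.inode = None     # identity of the file we were reading
        self.partial = b""    # bytes of a record whose newline has not arrived yet

    def scan(self):
        st = os.stat(self.path)
        # Rotation (a new file under the same name) or truncation (file now
        # shorter than what we have read): restart from the beginning rather
        # than reading from a stale offset.  Size alone cannot detect a
        # rotated file that has already grown past the old offset, which is
        # why the inode is compared as well.
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.offset, self.inode, self.partial = 0, st.st_ino, b""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            chunk = f.read()
            self.offset = f.tell()
        lines = (self.partial + chunk).split(b"\n")
        self.partial = lines.pop()  # b"" when the data ended on a newline
        # Windows DNS logs use CRLF line endings; strip the CR as well.
        return [line.rstrip(b"\r").decode("utf-8", errors="replace") for line in lines]


def demo():
    """Exercise both methods on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        watcher = WatchDirectory(d)
        open(os.path.join(d, "DhcpSrvLog-Mon.log"), "w").close()
        first = [os.path.basename(p) for p in watcher.scan()]
        open(os.path.join(d, "DhcpSrvLog-Tue.log"), "w").close()  # daily roll-over
        second = [os.path.basename(p) for p in watcher.scan()]
        third = watcher.scan()  # nothing new appeared

        dns = os.path.join(d, "dns.log")
        with open(dns, "w") as f:
            f.write("q1 example.com\r\nq2 ")   # second record still being written
        tail = TailFile(dns)
        t1 = tail.scan()
        with open(dns, "a") as f:
            f.write("example.org\r\n")
        t2 = tail.scan()
        with open(dns, "w") as f:              # log rotation truncated the file
            f.write("q3 example.net\r\n")
        t3 = tail.scan()
    return first, second, third, t1, t2, t3


if __name__ == "__main__":
    print(demo())
```

The partial-record buffer is what makes the tail reader safe at a 20-second interval: a record whose newline has not been written yet is held back and emitted whole on the next scan instead of being split across two uploads.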


Configuring Event Sources
Perform the following steps to configure Event Sources:
1. Click the Data Collection link from the InsightIDR menu.
2. Click Add Event Sources from the Setup Event Source dropdown menu.

Figure: Click Add Event Sources

3. The Add Event Source page displays. Click the appropriate Event Source.

Figure: Add Event Source page

3. Choose the Collector that the Event Source will be installed in. For this example, it is the Active Directory.

Figure: Add Active Directory Event Source page

4. Click Windows Collector from the Collector dropdown menu.

Figure: Collector dropdown menu

5. Click Microsoft Active Directory Security Logs from the Event Source dropdown menu.

Figure: Event source dropdown menu

6. Check the Timezone box if you want to display only U.S. time zones.

Figure: Timezone check box

7. Select the time zone from the Timezone dropdown menu.

Figure: Timezone menu

8. Click the appropriate Collection Method. Additional information may need to be entered based on the Collection Method chosen.

Figure: Collection Method buttons

9. Click the Save button.

Please review the appropriate documentation for setting up additional data sources.

Note: If your network configuration includes resources that you can access with the same user name and password, you can reuse those credentials across multiple data sources in InsightIDR. This way, you only need to provide the credentials once.

When all of your data sources are configured and running successfully, the InsightIDR views are populated with your company data.

Note: As a security measure, InsightIDR logs off automatically after 15 minutes of inactivity. When you next log on after being logged off automatically, you return to the page you last visited.

Copying Event Sources to a Collector
There may be times when you want to use an existing Collector as the starting point for another Collector. The existing Collector has many of the Event Sources that you need; you just need to make a few modifications for your new Collector.

Perform the following steps to copy Event Sources from one Collector to another Collector.
1. Click Data Collection from the InsightIDR menu.
2. Click Manage Collectors from the Setup Collector dropdown menu.

Figure: Click Manage Collectors

3. The Collectors page displays.

Figure: Data Collector page

4. Click the Copy event sources link for the Collector that you want to copy.

Figure: Copy event sources link

5. The Copy event sources dialog displays.

Figure: Copy event sources dialog

6. Select the Target Collector (the Collector you want to copy the Event Sources to) from the Target Collector dropdown menu.

Figure: Select Target Collector

7. Click the Save button.

Deleting a Collector
If you encounter a problem and need to delete a Collector from the Collectors list, you must also uninstall it from the server or virtual machine where it is installed.

To delete a Collector:
1. Click the Data Collection link in the InsightIDR menu.
2. Click Manage Collectors from the Setup Collector dropdown menu.

Figure: Click Manage Collectors

3. The Collectors page displays.

Figure: Data Collectors page

4. Click the Delete button of the Collector that you want to delete.

Figure: Delete button for Collector

5. The Delete Collector confirmation dialog displays. Enter the name of the Collector to confirm the deletion.
6. Click the I UNDERSTAND, DELETE THIS COLLECTOR button. The Collector and all Event Sources assigned to it are removed from the Collectors list. Data from the Event Sources will no longer be ingested in InsightIDR.

Note: To ensure proper operation, you must uninstall the Collector from the server where it is installed.

7. Go to the server where the Collector is installed and uninstall it:
• In Windows, open the Start Menu, locate the Insight Platform folder, and then click the Uninstall button.
  Tip: If you cannot find the Uninstall shortcut, run the uninstall.exe file from the InsightIDR\.install4j subdirectory of the destination directory where you installed the Collector.
• In Linux, run the uninstall script from the .install4j subdirectory of the destination directory where you installed the Collector.

When the Uninstaller finishes, the Collector has been removed from the server. If you later decide to reinstall and reactivate the Collector on the same machine, you can do so.

Data Collection
The Data Collection page displays Collector, Event Source, and Honey Pot information.

Figure: Data Collection page

Additional options allow you to set up Event Sources, Collectors, and Data Exporters. Refer to the Endpoint Monitoring Guide to learn how to set up Event Sources and Collectors.

Data Collection Metrics
The top of the page displays Data Collection Metrics: Collectors, Event Sources, and Honeypots.

Figure: Data Collection Metrics

Collector Metrics
Clicking the Collector metric displays the Collector page. The left side of the page allows you to view Collectors by their state:
• All
• Registering
• Generating Keys
• Healthy
• Warning, and
• Error

Click a state to display Collectors matching that state. The middle of the page displays information about the selected collectors.

Figure: Collectors page

Event Sources Metrics
Clicking the Event Sources metric displays the Event Sources page. This page displays Event Source and Collector information. Use the left panel to view Event Sources and Collectors by type.

Figure: Event Sources page

Honey Pots Metrics
Clicking the Honeypots metric displays the Honey Pots page. Use the left panel to select Honey Pots by a specific state.

Figure: Honey Pots page

Setting an Intruder Trap
The Set Intruder Trap menu allows you to:
• Manage Honeypots
• Download a Honeypot, and
• Activate a Honeypot

Honey Pots
Honey Pots are fake assets that produce an alert any time a user attempts to connect to the device. Once attackers find an initial foothold in a network, their next step is typically a network scan to identify all the other assets in the network.

Deployment guide
1. On the Collectors page in Insight Platform, click Download Collector and select the Honeypot OVA.

Figure: Download collector

2. Download the Honey Pot.
3. In your VMware environment, create a new VM from the OVA.
4. Power on the VM. You will see the following prompt:

Figure: Powering the VM

5. Provide a name that fits your network naming convention and makes the machine look important.
6. You will be prompted to acknowledge the machine's IP address. Continue until you see:

Figure: Acknowledge machine's IP address

7. Take note of the Agent key (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) that is displayed.
8. On the Collectors page in the InsightIDR web interface, click Activate Collector. Enter a name for the Honey Pot and enter the Access Key to pair the Honey Pot OVA to your InsightIDR instance.
9. Once paired successfully, you receive automated alerts to any connection attempts to the Honey Pot; run a standard discovery scan, a vulnerability scan, throw some exploits, or attempt to brute force the Honey Pot to trigger an incident! These are all common techniques during the reconnaissance and enumeration phase of the attacker's kill chain.

Honey Users
A Honey User is a dummy user that is not associated with a real person within the organization, and therefore should never be accessed. Attackers frequently attempt to authenticate to as many user accounts as possible during the reconnaissance phase of an attack; this helps expand their footprint and gain access to more assets and privileges without tripping any traditional alarms. Honey users, however, are a unique way to detect this activity; anytime someone attempts to log in to a honey user account, InsightIDR generates a Honey User Authentication incident, which shows when an attempt occurred and which asset was targeted.
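The detection the Honey User Authentication incident performs, as an added Python example that is not InsightIDR code: it scans Windows Security log summaries (Event ID 4624 for a successful logon, 4625 for a failed one) for any attempt whose target account is a designated honey user and reports when it happened, from which asset, and whether it succeeded. The log line layout, the account names and the host names are all constructed for the example; a real Active Directory Security Log export is structured differently.

```python
"""Detect authentication attempts against honey user accounts.

Added example, not Rapid7/InsightIDR code.  It models the detection behind
the Honey User Authentication incident: any logon attempt, successful or
failed, whose target account is a designated honey user raises an alert
carrying the time, the source asset and the outcome.

The log lines below are constructed samples shaped like Windows Security
event summaries (Event ID 4624 = successful logon, 4625 = failed logon);
the key=value layout is an assumption for this example, not a real export.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: one event per line, timestamp then key=value pairs.
SAMPLE_LOG = """\
2016-08-29T09:14:02Z EventID=4624 TargetUserName=jsmith WorkstationName=WS-0114 IpAddress=10.20.4.17 LogonType=2
2016-08-29T09:15:40Z EventID=4625 TargetUserName=k.walsh WorkstationName=WS-0231 IpAddress=10.20.7.91 LogonType=3
2016-08-29T09:15:41Z EventID=4625 TargetUserName=m.okafor WorkstationName=WS-0231 IpAddress=10.20.7.91 LogonType=3
2016-08-29T09:15:41Z EventID=4625 TargetUserName=jsmith WorkstationName=WS-0231 IpAddress=10.20.7.91 LogonType=3
2016-08-29T10:02:11Z EventID=4624 TargetUserName=svc-backup WorkstationName=SRV-DB01 IpAddress=10.20.1.5 LogonType=5
"""

# Constructed honey user names.  Matching is case-insensitive because
# Active Directory account names are compared case-insensitively.
HONEY_USERS = {"k.walsh", "m.okafor"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class HoneyUserAlert:
    when: datetime
    honey_user: str
    source_asset: str
    source_ip: str
    succeeded: bool


def parse_event(line):
    """Split one sample line into a dict of fields (None if it is not an event)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["_ts"] = m.group("ts")
    return fields


def detect_honey_user_logons(log_text, honey_users):
    """Return one alert per logon attempt whose target is a honey user."""
    honey = {u.lower() for u in honey_users}
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("EventID") not in ("4624", "4625"):
            continue
        target = ev.get("TargetUserName", "")
        if target.lower() not in honey:
            continue
        alerts.append(HoneyUserAlert(
            when=datetime.strptime(ev["_ts"], "%Y-%m-%dT%H:%M:%SZ"),
            honey_user=target,
            source_asset=ev.get("WorkstationName", "?"),
            source_ip=ev.get("IpAddress", "?"),
            succeeded=(ev["EventID"] == "4624"),
        ))
    return alerts


def summarize_by_source(alerts):
    """Group alerts by originating asset: one host touching several honey
    users within seconds is the shape of an account-enumeration sweep."""
    by_asset = {}
    for a in alerts:
        by_asset.setdefault(a.source_asset, set()).add(a.honey_user)
    return {asset: sorted(users) for asset, users in by_asset.items()}


if __name__ == "__main__":
    found = detect_honey_user_logons(SAMPLE_LOG, HONEY_USERS)
    for a in found:
        print(f"{a.when:%Y-%m-%d %H:%M:%S} honey user {a.honey_user!r} targeted "
              f"from {a.source_asset} ({a.source_ip}), success={a.succeeded}")
    print(summarize_by_source(found))
```

Note that the failed attempt against the real account jsmith from the same workstation is not itself an alert; the honey user hits are what make the sweep from WS-0231 visible without any threshold tuning.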

Figure: Displaying information about a Honey User

Creating a Honey User
1. Create a new user in Active Directory with a believable name, but don't give anyone access to the account. This will be your new Honey User.
2. Give the Honey User every appearance of a normal employee of the company! This includes things like a complex passphrase, organizational mappings, permissions, or whatever else may trick an attacker into believing the user is an actual employee.
3. Remember that honey users may have multiple accounts! In fact, multiple accounts can increase the likelihood that an attacker will target the user, as it seems more authentic and provides additional chances for reaching an administrative role (or so the attacker thinks).
4. Log in to your account in InsightIDR. Select Settings > Honey Users and enter the newly created Honey User's name in the search bar. Select the name to mark the user as a Honey User.

Figure: A honey user

Best Practices
If your organization uses a naming convention for assets and/or users, configure these intruder traps to match all naming conventions; do not name your Honey Pot "honeypot", or your honey user "John Doe". If an attacker is smart enough to get past perimeter defenses, then he's smart enough to avoid obviously fake assets and users.

We also recommend deploying both Honey Pots and honey users throughout the environment with an added emphasis on critical network segments or subnets. In the event of a breach, having tiers of intruder traps can help isolate the precise location of an intruder or malicious insider in the network, helping Incident Response teams lock down users and assets quickly to contain the incident.

Managing Honey Pots
Perform the following steps to manage a Honey Pot.
1. Click Manage Honeypots from the Set Intruder Trap dropdown menu.
2. The Honey Pots page displays. The left side displays options to:
• View all Honey Pots
• View registering Honey Pots
• Generating keys
• Healthy
• Warning, and
• View Honey Pots with errors.
3. The middle of the page displays information about the Honey Pots.

Figure: Honey Pots page

Setup Data Exporter
The Setup Data Exporter dropdown menu provides options to:
• Add Data Exporter
• Manage Exporters

Perform the following steps to add a Data Exporter.
1. Click Add Data Exporter from the Setup Data Export menu.

Figure: Setup Data Exporter menu

2. The Add Data Exporter dialog displays.
3. Click Collector from the Collector dropdown.
4. Click Data Exporter from the Data Exporter dropdown menu.
5. Optionally, enter a display name in the Display Name field.
6. Click the Save button.

Figure: Add Data Export dialog

Managing Exporters
Perform the following steps to manage Exporters.
1. Click Manage Exporters from the Setup Data Exporters dropdown menu.
2. The Data Exporters page displays. The left side of the page lists Exporters by type and state:
• Product: All
• Collector: All
• State: All, Running, Warning, Error, Stopped
3. Click a type or state to display more information about that Exporter.
4. The middle of the page displays information about the selected Exporters.

Figure: Data Exporters page


Settings
The Settings page allows you to configure InsightIDR to meet your needs. The following table lists and explains the types of settings that you can define.

Setting | Definition
Incident Settings | Incident Settings designate the types of incidents that InsightIDR tracks.
User Settings | User Settings allow you to assign a role to a user. You can also add new users and delete users.
Event Source Settings | Event Source Settings allow you to specify the IP addresses for each event source.
Credential Settings | Credential Settings allow you to add new credentials for InsightIDR to monitor.
Application Settings | Application Settings allow you to add applications for InsightIDR to monitor.
Incident Modifications | Incident Modifications lists exceptions for incidents.
Asset Settings | Asset Settings allows you to designate which assets are restricted based on a Nexpose criticality setting. Note: You need Nexpose to use this functionality.
Honey Users | View, mark, or delete users as Honey Users.
Export Data | Export Data allows you to export account, asset, and mobile device information from InsightIDR into a CSV file.
Static IP Ranges | Static IP Ranges are assets that do not receive IP addresses via DHCP. Most commonly, these are servers and any other assets that have a statically assigned IP.
Unmanaged IP Ranges | Unmanaged IP Ranges are ranges that are outside the managed corporate network.
Network Zones | Network Zones allow the logical labeling of different systems or business groups based on IP ranges.
Network Policies | Network Policies allow you to create alerts based on rules; for example, the finance network zone can only be accessed by those in the finance group within the Active Directory. This is driven from Network Zones and Active Directory group membership.
Tagged Domains | Tagged Domains are owned or ignored by an organization. This is used for the Spear Phishing URL detection incident.
Unknown IP Addresses | InsightIDR tracks all IP addresses it receives from DHCP and VPN assignments, but sometimes logs come in with IPs that have never been seen before by any of the DHCP or VPN event sources. These IPs are reported as Unknown IP Addresses in order to help you see if you might be missing a DHCP or VPN event source in your environment somewhere that you should hook up to a Collector.
Running Agents | Displays a list of running agents. The hostname and last seen time are displayed.
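How the Static IP Ranges, Unmanaged IP Ranges and Unknown IP Addresses settings fit together, as an added Python example that is not InsightIDR code: every address seen in a log is attributed if a DHCP or VPN event source assigned it, otherwise tested against the static and unmanaged ranges, and only what remains is reported as unknown and collapsed into candidate scopes that may be missing a Collector. The assignment records, range settings and observed addresses are constructed samples, and the record layout is an assumption for the example.

```python
"""Classify observed IP addresses the way the Settings page describes.

Added example, not InsightIDR code.  It combines three settings from the
table above: Static IP Ranges (assets that never take a DHCP lease),
Unmanaged IP Ranges (outside the managed corporate network) and Unknown IP
Addresses (IPs seen in other logs that no DHCP or VPN event source ever
handed out).  Assignments, ranges and observed IPs are constructed samples.
"""
import ipaddress

# Constructed DHCP/VPN assignment records: (event source, ip, hostname).
ASSIGNMENTS = [
    ("dhcp", "10.20.4.17", "WS-0114"),
    ("dhcp", "10.20.7.91", "WS-0231"),
    ("vpn", "10.99.0.23", "LAPTOP-R7"),
]

# Constructed range settings, mirroring Static IP Ranges and Unmanaged IP Ranges.
STATIC_IP_RANGES = ["10.20.1.0/24"]        # server subnet with fixed addresses
UNMANAGED_IP_RANGES = ["192.168.50.0/24"]  # e.g. a guest network outside the estate

# Constructed source IPs harvested from other event sources (firewall, AD, proxy).
OBSERVED_IPS = ["10.20.4.17", "10.20.1.5", "10.20.9.200", "192.168.50.12",
                "10.99.0.23", "10.20.9.200"]


def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def classify_ips(observed, assignments, static_ranges, unmanaged_ranges):
    """Map each distinct observed IP to 'attributed', 'static', 'unmanaged'
    or 'unknown', checking attribution before the range settings so that an
    address which did take a lease is never treated as static."""
    assigned = {ip for _source, ip, _host in assignments}
    result = {}
    for ip in sorted(set(observed), key=ipaddress.ip_address):
        if ip in assigned:
            result[ip] = "attributed"
        elif _in_ranges(ip, static_ranges):
            result[ip] = "static"
        elif _in_ranges(ip, unmanaged_ranges):
            result[ip] = "unmanaged"
        else:
            result[ip] = "unknown"
    return result


def unknown_ips(classified):
    """The addresses the Unknown IP Addresses setting would surface."""
    return [ip for ip, kind in classified.items() if kind == "unknown"]


def suggest_missing_scopes(unknown, prefix=24):
    """Collapse unknown IPs into /prefix networks so the gap can be matched
    against a DHCP scope or VPN pool that is not yet hooked up to a Collector."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in unknown}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    classified = classify_ips(OBSERVED_IPS, ASSIGNMENTS, STATIC_IP_RANGES, UNMANAGED_IP_RANGES)
    for ip, kind in classified.items():
        print(f"{ip:15} {kind}")
    print("unknown:", unknown_ips(classified))
    print("candidate scopes:", suggest_missing_scopes(unknown_ips(classified)))
```

In the sample, 10.20.1.5 is absorbed by the static range and 192.168.50.12 by the unmanaged range, so only 10.20.9.200 is left as unknown, pointing at a 10.20.9.0/24 scope whose DHCP server is not feeding a Collector.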

Incident settings
Incident settings designate the types of incidents that InsightIDR tracks. To disable the tracking of an incident, uncheck that incident's checkbox; to enable an incident, check that incident's checkbox.

Figure: Enabling incident tracking

Some incident types allow you to designate information by:
• specific user type

Figure: Incident by user type

• time period

Figure: Incident by time period

• priority

Figure: Incident by priority

• Ingress type

Figure: Incident by Ingress type

Userr se Use settin ttings gs User se User sett ttin ings gs al allo low w yo you u to assi assign gn a role role to a user. user. You You ca can n al also so ad add d ne new w us users ers an and d de dele lete te us users ers.. The fol follo lowin wing g table table ex expl plai ains ns the diffe different rent us user er ty types pes an and d as asso soci ciate ated d functi function onal ality ity.. Setti ng

Func ti onal i ty

 Admin  Admi n

Can perform all Insight Insight Platform Platform func function tionali ality ty

In Inve vest stiiga gato torr

Can Can vi view ew inci incide dent nts s and and st star artt inv nves esti tiga gati tion ons s

Rea Re ad only

Can Can only view information

Add Ad din ing g a use serr To add add a user, user, perfo perform rm the the foll followi owing ng st step eps. s. ADD D USER USER but button ton.. The Cre Creat ate e User dialog displays. displays. 1. Cl Cliick th the e AD

 Add user button 

2. Enter Enter th the e user’ user’s s e-mai e-maill addre address ss in the the Email field. 3. Ente Enterr th the e us user er’s ’s fi firs rstt na name me in the the Fir First st Name Name field. 4. Ente Enterr th the e us user er’s ’s last last na name me in the the La Last st Name Name field.

 

52

User settings  

5. Select the user's role from the Role dropdown menu.

Figure: Setting role drop-down

6. Enter your password in the Password field.
7. Re-enter your password in the Confirm Password field.
8. Click the Create button.

Figure: Add user dialog

Changing a user's role

To change the user's role, select the appropriate role from the Role dropdown list for that user.

Figure: Change user role

 


Deleting a user

To delete a user, click the delete icon on the right side of the row of the user to delete.

Figure: Delete user

Event Sources settings

Event source categories include:

User Attribution - In order to more easily understand the activity which occurs in your environment, it is highly recommended that you configure the event sources necessary to tie actions back to the users and assets involved. These foundational event sources are LDAP, DHCP logs, and Active Directory Security Logs. These sources will not only add context to analytics, but also make Search easier.

Endpoint Monitoring - For critical servers and endpoints belonging to remote employees, it is recommended to install the Rapid7 persistent agent to enable real-time streaming of events and ensure your team is not blind to the activities which occur when assets are off the network. When a persistent agent is not desired, it is recommended to use the Rapid7 Agentless Endpoint Scan. This option collects data from your endpoints periodically, monitors local user activity, Windows logon activity, event log tampering and enables process hashes to be identified, analyzed for commonality, and checked against VirusTotal for known malware.

Rapid7 - If you already own any of our threat exposure management products such as Nexpose and Metasploit, you can add exposure knowledge to your incident analysis.

Security Data - InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

Raw Data - InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

Entering a VPN IP address range or Local IP address range

To enter a VPN IP address range:


1. Enter the VPN IP address range in the VPN IP Address Range field.
2. Click the Submit button.

To enter a Local IP address range:

1. Enter the Local IP address range in the Local IP Address Range field.
2. Click the Submit button.

Figure: Event source settings

Credential settings

Credential settings allows you to add new credentials for InsightIDR to monitor.

 


Figure: Credential settings

To add a new credential, perform the following steps:

1. Click the ADD CREDENTIAL button.

Figure: Add credential button

2. The NEW CREDENTIAL dialog displays.
3. Enter the name of the new credential in the Name field.
4. Enter the user name of the credential in the Username field.
5. Select the credential type from the Type dropdown menu.

Figure: Credential drop-down

6. Enter the password in the Password field.

 


7. Click the DEPLOY CREDENTIAL button.

Figure: New credential dialog

Application settings

Application settings allows you to add applications for Insight Platform to monitor. To add an application, perform the following steps:

1. Click the ADD APPLICATION button.

Figure: Add application button

2. The New Application dialog displays.
3. Enter the name of the application in the Name field.
4. Select the application type from the Type dropdown menu.

Figure: Application type drop-down

5. Click the CREATE button.

 


Figure: Add application dialog

Incident modifications

Incident modifications list exceptions for incidents. These are generated when you determine to either whitelist or blacklist an incident when you close them. Incidents include:

• Permitted Disabled Authentication to Asset
• Allowed Ingress From User
• Suspicious Authentication To Asset
• Allowed Ingress From Location
• Suspicious Authentication To Asset
• Honeypot Exception
• Permitted Local Account Authentications
• Permitted Impersonation
• Permitted Brute Force
• Permitted Brute Force User
• Permitted Access to New Assets
• Account Enabled Whitelist

Figure: Incident settings

 


Asset settings

Asset settings allows you to designate which assets are restricted based on a Nexpose criticality setting. Note: You need Nexpose to use this functionality.

To set the Nexpose criticality setting, perform the following steps:

1. Tick the Use criticality setting from Nexpose checkbox.
2. Select the criticality level from the Criticality dropdown button.
3. Click the Submit button.

Figure: Set criticality

Honey Users

This page allows you to mark, unmark, and view Honey Users.

Marking a user as a Honey User

To mark a user as a Honey User, perform the following steps:

1. Enter the name of the user that you want to mark as a Honey User in the Search field. As you type in the name, InsightIDR displays a list of users based on what you have typed.

 


Figure: Searching for a user to mark as a honey user

2. Based on the results InsightIDR displays, if the user's name displays, select it. If not, continue typing until either the name displays or until you have typed the complete name.
3. Press the Enter key. The name displays in the Honey User list.

In this example, I selected Carla Hoffman.

Figure: Honey users list

Export Data

Export Data allows you to export account, asset, and mobile device information from InsightIDR into a Comma Separated Values (CSV) file. Click the CSV button next to the file that you want to download. You can open the file in Excel or any program, for example, a text editor, that can open a CSV file.

Figure: Export data


Static IP ranges

Static IP ranges are used to define assets that do not receive IP addresses via DHCP. Most commonly, these are servers and any other assets that have a statically assigned IP. You can add and edit ranges.

Adding a Static IP range

To add a Static IP range, perform the following instructions:

1. Click the ADD IP RANGE button.

Figure: Add IP range button

2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field. The format is xxx.xxx.x.x/xx where the values before the slash (/) are the starting range and the value after the slash is the last entry in the range. For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1, 192.168.1.2, to the address 192.168.1.24.
4. Click the checkmark.

Figure: Add IP range


Editing a Static IP range

To edit a Static IP range, perform the following instructions:

1. Click on the pencil icon to the right of the range that you want to edit.
2. Make the required edits.
3. Click the checkmark.

Figure: Edit IP range

Unmanaged IP ranges

Unmanaged IP ranges are ranges that are outside the managed corporate network.

Adding an Unmanaged IP range

To add an Unmanaged IP Range, perform the following instructions:

1. Click the ADD IP RANGE button.

Figure: Add IP range button

2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field. The format is xxx.xxx.x.x/xx where the values before the slash (/) are the starting range and the value after the slash is the last entry in the range. For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1, 192.168.1.2, to the address 192.168.1.24.
4. Click the checkmark.


Figure: Add IP range

Network Zones

Network Zones allow the logical labeling of different systems or business groups based on IP ranges.

Figure: Network zones

Adding a Network Zone

To add a Network Zone, perform the following instructions:

1. Click the ADD ZONE button.

Figure: Add zone button

2. Enter the name for the range in the Zone Name field.
3. Enter the range in the IP Range field. The format is xxx.xxx.x.x/xx where the values before the slash (/) are the starting range and the value after the slash is the last entry in the range. For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1, 192.168.1.2, to the address 192.168.1.24.
4. Click the checkmark.


Figure: Add IP range

 


Editing a Network Zone

To edit a Network Zone, perform the following instructions:

1. Click on the pencil icon to the right of the range that you want to edit.
2. Make the required edits.
3. Click the checkmark.

Figure: Edit IP range

Network Policies

Network Policies allow you to create alerts based on rule violations. For example, the finance network zone can only be accessed by those in the finance group within the Active Directory. This is driven from Network Zones and Active Directory group membership.

Figure: Network policies

Adding a Network Policy

To add a network policy, perform the following steps:

1. Click the ADD POLICY button. The New Policy dialog displays.

Figure: Add policy button

2. Enter the group name in the Group Names search field. As you type in the name, the search field is populated based on related information imported from the LDAP. If you don't see an expected name, check your LDAP settings.


Figure: Network policies group names

3. Select the access policy from the Access Policy dropdown menu.

Figure: Access policies

4. Select the zone from the Zone dropdown menu.

Figure: Create policy zone

 


5. Enter the name of the zone in the Zone Name field. Note: If you select an existing zone, the Zone Name and IP Ranges fields become hidden since they were defined when the existing zone was defined. In this case, the group names and access policies are added to the existing zone.
6. Enter the IP range(s) in the IP Ranges field. The format is xxx.xxx.x.x/xx where the values before the slash (/) are the starting range and the value after the slash is the last entry in the range. For example, the range 192.168.1.0/24 defines the values 192.168.1.0, 192.168.1.1, 192.168.1.2, to the address 192.168.1.24.
7. Click the Save button.

Tagged Domains

Tagged Domains are domains that are either owned or controlled by your organization or domains that your organization wishes to ignore. This is used for the Spear Phishing URL detection incident. In our example, Rapid7 is tagged as an owned domain. InsightIDR sends alerts when it detects attempts to spoof this domain. Referring to our example, Duosecurity.com is tagged as a domain to ignore. InsightIDR does not send alerts regarding this domain.


Figure: Tagged domains

 


Tagging a new owned domain or a new ignored domain

To tag an owned domain or a domain to ignore, perform the following steps:

1. To tag a domain as owned, enter the domain name in the New Owned Domain field.
2. To tag a domain to ignore, enter the domain name in the New Ignored Domain field.
3. Click the appropriate Submit button.

Unknown IP addresses

InsightIDR tracks all IP addresses it receives from DHCP and VPN assignments, but sometimes logs come in with IPs that have never been seen before by any of the DHCP or VPN event sources. These IPs are reported as Unknown IP Addresses in order to help you see if you might be missing a DHCP or VPN event source in your environment somewhere that you should hook up to a Collector. Some of these might be related to DHCP servers or VPN servers that haven't been configured, some might be static IP ranges and others might be unmanaged. Select a range and select a resolution option.
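How the Static IP range, Unmanaged IP range, Network Zone, Network Policy and Unknown IP address settings fit together, as an added Python example that is not part of the Rapid7 guide: each constructed authentication record's source address is accounted for by a DHCP/VPN lease, a static range or an unmanaged range (anything left over is reported as an unknown IP, as on this page), and the target asset's zone is checked against a policy tied to AD group membership. All zone names, ranges, users, groups and log lines are constructed, and the example uses standard CIDR semantics, in which 192.168.1.0/24 covers 192.168.1.0 through 192.168.1.255; confirm which interpretation your deployment expects before reusing the ranges.

```python
"""Zone classification and network-policy check modelled on the InsightIDR
Settings pages. Added illustration, not Rapid7 code; every value below is
constructed, and CIDR ranges follow the standard interpretation."""
from ipaddress import ip_address, ip_network

# Constructed Network Zones: business group -> CIDR ranges (hypothetical).
NETWORK_ZONES = {"finance": ["10.10.0.0/24"], "engineering": ["10.20.0.0/23"]}
# Constructed Static IP ranges (servers that never take a DHCP lease).
STATIC_IP_RANGES = {"datacenter-servers": ["10.10.0.0/26", "10.0.5.0/24"]}
# Constructed Unmanaged IP ranges (outside the managed corporate network).
UNMANAGED_IP_RANGES = {"guest-wifi": ["172.16.0.0/16"]}
# Leases learned from DHCP and VPN event sources: address -> user (constructed).
DHCP_VPN_LEASES = {"10.20.0.15": "jdoe", "10.10.0.120": "chofmann", "10.20.1.200": "amartin"}
# Network Policy: zone -> AD groups permitted to access it (constructed).
NETWORK_POLICIES = {"finance": {"Finance"}}
# Group membership as imported from LDAP (constructed).
AD_GROUPS = {
    "jdoe": {"Engineering", "Domain Users"},
    "chofmann": {"Finance", "Domain Users"},
    "amartin": {"Domain Users"},
}


def find_range(ip, ranges):
    """Return the name of the first named range that contains ip, else None."""
    addr = ip_address(ip)
    for name, cidrs in ranges.items():
        if any(addr in ip_network(cidr, strict=False) for cidr in cidrs):
            return name
    return None


def zone_of(ip):
    """Network Zone an address belongs to, or None if it is unzoned."""
    return find_range(ip, NETWORK_ZONES)


def ip_attribution(ip):
    """How an address is accounted for; 'unknown' mirrors the Unknown IP
    addresses page: no DHCP/VPN lease, static range or unmanaged range."""
    if ip in DHCP_VPN_LEASES:
        return "dhcp/vpn"
    if find_range(ip, STATIC_IP_RANGES):
        return "static"
    if find_range(ip, UNMANAGED_IP_RANGES):
        return "unmanaged"
    return "unknown"


def policy_violation(user, asset_ip):
    """Describe a Network Policy violation, or None when access is allowed.
    A zone without a policy is unrestricted."""
    zone = zone_of(asset_ip)
    allowed = NETWORK_POLICIES.get(zone)
    if allowed is None:
        return None
    if AD_GROUPS.get(user, set()) & allowed:
        return None
    return f"{user} reached {zone} zone asset {asset_ip} without membership in {sorted(allowed)}"


def parse_event(line):
    """Parse one constructed 'timestamp key=value ...' authentication record."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(pair.split("=", 1) for pair in rest.split())
    fields["timestamp"] = timestamp
    return fields


def analyze(lines):
    """Return (finding_type, detail) tuples for a batch of auth records."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if ip_attribution(event["src"]) == "unknown":
            findings.append(("unknown_ip", event["src"]))
        violation = policy_violation(event["user"], event["dst"])
        if violation:
            findings.append(("policy_violation", violation))
    return findings


# Constructed authentication records (not real log output).
SAMPLE_EVENTS = [
    "2016-08-29T10:00:00Z user=chofmann src=10.10.0.120 dst=10.10.0.5 result=success",
    "2016-08-29T10:01:00Z user=jdoe src=10.20.0.15 dst=10.10.0.5 result=success",
    "2016-08-29T10:02:00Z user=amartin src=192.0.2.77 dst=10.20.0.30 result=success",
    "2016-08-29T10:03:00Z user=jdoe src=172.16.4.9 dst=10.0.5.10 result=success",
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EVENTS):
        print(kind, detail)
```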

Running agents

This page displays a list of running agents. The hostname and last seen time are displayed. Use the Search by hostname box to search for a host.

Figure: Running agents


General troubleshooting tips

Your InsightIDR pages are populated with user activity data derived from your network logs. If your InsightIDR pages appear to be incomplete, you may need to check your data sources. For more information, see Identifying Event Sources on page 12.

Q: I cannot activate the Collector. The activation key does not work.

A: First, make sure you have the correct activation key. It's located in the AgentKey.html file in the Insight Platform/agent_key subdirectory of the destination directory where you installed the Collector.

If the key is correct, but still does not work, it may have been voided. This can occur if you do not activate the Collector immediately after installing it or if you have restarted the server where the Collector is installed. If the activation key has been voided, you will need to uninstall the Collector and then reinstall it:

To uninstall the Collector from the server where it is installed:

• In Windows, open the Start Menu, locate the InsightIDR folder, and then click Uninstall.

TIP: If you cannot find the Uninstall shortcut, run the uninstall.exe file from the Insight Platform\.install4j subdirectory of the destination directory where you installed the Collector.

• In Linux, run the uninstall script from the .install4j subdirectory of the destination directory where you installed the Collector.
• When the Uninstaller finishes, the Collector has been removed from the server. If you later decide to reinstall and reactivate the Collector on the same machine, you can do so.
• Reinstall the Collector on the server and then return to the InsightIDR Web application immediately and activate the Collector. Do not shut down the server where the Collector is installed until it has been activated in Insight Platform.


Q: How do I increase the amount of RAM the Collector uses in environments that require a lot of RAM?

A: If your Collector is handling more than 100,000 EPM, configure the Collector to use more available memory from the server that it is installed on. Place a file in the same directory where you installed the Collector with the name collector.vmoptions which contains the following line (no spaces):

-Xmx#g

where "#" is the number of GB of memory the Collector should use. For a 4GB machine, you can tell the Collector to use 3GB of memory by putting -Xmx3g in the file. For an 8GB machine, you can tell the Collector to take 6GB of memory by saving a collector.vmoptions file in the Collector directory with the line -Xmx6g.

Q: I have set up an Event Source using syslog data collection, but the log data is not showing up in InsightIDR.

A: If the Collector has a local firewall running, that firewall may be blocking the port you configured for the Event Source. Check your firewall settings to make sure the device can communicate with the InsightIDR Collector via the configured port. If firewall settings seem to be correct, try stopping the current Event Source and configuring a Rapid7 Generic Syslog Event Source to listen to the same port. If the generic syslog shows EPM, there is a problem with the log format. Contact support for further assistance.

Q: I have an Event Source that InsightIDR does not support. Is there a way for Insight Platform to monitor that source?

A: Use the Rapid7 Generic Syslog Event Source to upload sample log files that are not supported by any Event Source in InsightIDR. The Development team will work with the sample data to create a new Event Source in InsightIDR. When they are done, you will be notified to delete the Rapid7 Generic Syslog Event Source and add the new Event Source to your Collector.


Supported Event Sources

The InsightIDR team is continually adding support for Event Sources. If you have a device that is not listed in the preceding table, contact Technical Support (www.rapid7.com/support) with details about the device and sample log output. Use the Rapid7 Generic Syslog Event Source to upload sample log data. Please refer to the Settings page for the latest information.

Event Source Categories

InsightIDR seamlessly integrates log data from each event source provided to deliver additional context around user behaviors, compromised credentials, and other potentially malicious activity. We strongly recommend that all log sources that meet supported collection methods be made available to InsightIDR.

User Attribution - In order to more easily understand the activity which occurs in your environment, it is highly recommended that you configure the event sources necessary to tie actions back to the users and assets involved. These foundational event sources are LDAP, DHCP logs, and Active Directory Security Logs. These sources will not only add context to analytics, but also make Search easier.

Endpoint Monitoring - For critical servers and endpoints belonging to remote employees, it is recommended to install the Rapid7 persistent agent to enable real-time streaming of events and ensure your team is not blind to the activities which occur when assets are off the network. When a persistent agent is not desired, it is recommended to use the Rapid7 Agentless Endpoint Scan. This option collects data from your endpoints periodically, monitors local user activity, Windows logon activity, event log tampering and enables process hashes to be identified, analyzed for commonality, and checked against VirusTotal for known malware.

Rapid7 - If you already own any of our threat exposure management products such as Nexpose and Metasploit, you can add exposure knowledge to your incident analysis.

Security Data - InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

Raw Data - InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, it is suggested to not only transmit security logs and deploy agents, but also transmit any other potentially useful data for searching, such as custom application logs.

Supported Event Sources

User Attribution

LDAP
- Microsoft Active Directory LDAP

ACTIVE DIRECTORY
- Microsoft

DHCP
- Alcatel-Lucent VitalQIP
- Bluecat
- Cisco IOS
- Cisco Meraki
- Infoblox Trinzic
- ISC dhcpd
- Microsoft
- MikroTik
- Sophos UTM

Endpoint Monitoring
- Rapid7 Continuous Endpoint Agent - Windows
- Rapid7 Agentless Endpoint Scan - Windows
- Rapid7 Agentless Endpoint Scan - Mac
- Rapid7 Linux Asset Monitor

Rapid7
- Rapid7 Metasploit
- Rapid7 Nexpose

Security Data

DNS
- Bluecat ISC
- Infoblox Trinzic
- ISC Bind9
- Microsoft
- MikroTik
- PowerDNS

IDS/IPS
- Cisco Sourcefire
- Dell iSensor
- Dell SonicWall
- HP TippingPoint
- McAfee IDS
- Metaflows IDS
- Security Onion
- Snort

FIREWALL
- Barracuda NG
- Cisco ASA + VPN
- Cisco IOS
- Cisco Meraki
- Check Point
- Clavister W20
- Fortinet FortiGate
- Juniper Junos OS
- Juniper Netscreen
- McAfee
- Palo Alto Networks and VPN (also includes WildFire support)
- pfSense
- SonicWALL
- Sophos
- Stonesoft
- WatchGuard XTM

ADVANCED MALWARE
- FireEye NX
- Palo Alto Networks WildFire

VPN
- Barracuda NG
- Cisco ASA
- Citrix NetScaler
- F5 Networks FirePass
- Fortinet FortiGate
- Juniper SA
- Microsoft IAS (RADIUS)
- Microsoft Network Policy Server
- Microsoft Remote Web Access
- MobilityGuard OneGate
- OpenVPN
- SonicWALL
- VMware Horizon
- WatchGuard XTM

WEB PROXY
- Barracuda Web Filter
- Blue Coat
- Cisco IronPort
- Fortinet FortiGate
- Intel Security (fka McAfee) Web Reporter
- McAfee Web Reporter
- Sophos Secure Web Gateway
- Squid
- TrendMicro Control Manager
- WatchGuard XTM
- WebSense Web Security Gateway
- Zscaler NSS

E-MAIL & ACTIVESYNC
- Microsoft Exchange Transport Agent (Email monitoring)
- OWA/ActiveSync (Ingress monitoring, mobile device attribution)

CLOUD SERVICES
- Microsoft Office 365
- AWS CloudTrail
- Box.com
- Duo Security
- Google Apps
- Okta
- Salesforce

APPLICATION MONITORING
- Atlassian Confluence
- Microsoft SQL Server

VIRUS SCANNERS
- Cylance Protect
- Check Point AV
- F-Secure
- McAfee ePO
- Sophos
- Symantec Enduser Protection
- TrendMicro OfficeScan
- TrendMicro Control Manager

DATA EXPORTERS (Send data from Insight Platform)
- FireEye Threat Analytics Platform (TAP)
- HP ArcSight and HP ArcSight Logger
- Splunk

SIEMs/LOG AGGREGATORS (Receive data from these platforms into Insight Platform)
- HP ArcSight
- IBM QRadar
- LogRhythm
- McAfee Enterprise Security Manager (fka Nitrosecurity)
- Splunk

Raw Data

GENERIC SYSLOG
- Rapid7 Generic Syslog
- Rapid7 Generic Windows Event Log
- Rapid7 Raw Data

Troubleshooting Endpoint Monitoring

Endpoint and Collector Requirements:

1. All Collectors must be
   a. Configured with a fully qualified domain name (e.g. idrcollector23.myorg.com)
   b. Able to reach out over port 443 to:
      1. https://endpoint.ingress.rapid7.com (US), or
      2. https://eu.endpoint.ingress.rapid7.com (EMEA)
2. Each Collector can contain no more than one set of endpoint credentials. Ex. if you have two sets of endpoint credentials you must have at least two Collectors.
3. Endpoint credentials should include the domain in addition to the username. Ex. domain\username
4. All endpoints need to be able to communicate back to the Collector via TCP on Collector ports:
   a. 5508
   b. 6608
   c. range 20,000 - 30,000
5. Overlapping endpoint monitoring ranges are not allowed. IP addresses or IP ranges defined on Collector A should not be duplicated on Collector B. If this exists, it should be updated ASAP.

When a customer does not see endpoints returning logs in their scans or in their Continuous Agents, the first thing to do is review the following diagram (next page) to confirm that all ports are available as expected. If the external firewall and web proxies are configured correctly, check a sample endpoint for agent log files. For the scan agent, there should be a Rapid7 folder in either:

- C:\Windows\Temp\, or
- C:\Users\<username>\AppData\Local\Temp\

For the Continuous Agent, the Rapid7 folder should be found in c:\program files(x86)\. Inside the Rapid7 folder, look for the following 3 files and send them to engineering if available for review:

- agent.log
- config.json
- powershell.log
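The requirements above can be checked mechanically before a support case is opened. The script below is an added example and not Rapid7's own tooling: the ingress host names, port numbers, domain\username credential format, the one-credential-set-per-Collector rule and the no-overlap rule are the ones stated in the checklist, while the Collector inventory (idrcollector23.myorg.com and idrcollector24), its credentials and its IP ranges are constructed sample data. It validates items 1a, 2, 3 and 5 offline from a Collector inventory and, when run with --probe, performs plain TCP reachability checks for items 1b and 4 (no agent traffic is sent).

```python
"""Pre-flight validator for the InsightIDR endpoint-monitoring checklist.

Added example, not Rapid7 tooling. Requirement values (FQDN Collector names,
port 443 to the ingress hosts, one credential set per Collector, domain\\username
credentials, Collector ports 5508/6608/20000-30000, non-overlapping ranges) are
taken from the checklist; the Collector inventory and host names are constructed.
"""
import ipaddress
import re
import socket
import sys
from typing import Dict, List, Tuple

INGRESS_HOSTS = ("endpoint.ingress.rapid7.com", "eu.endpoint.ingress.rapid7.com")
INGRESS_PORT = 443
COLLECTOR_FIXED_PORTS = (5508, 6608)
COLLECTOR_RANGE = (20000, 30000)          # inclusive range from item 4c

# host.domain.tld: at least one dot, labels of 1-63 chars, alphabetic TLD
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# DOMAIN\username: exactly one backslash separating two non-empty parts
CRED_RE = re.compile(r'^[^\\/:*?"<>|]+\\[^\\/:*?"<>|]+$')

# Constructed sample inventory: collector 24 violates several items on purpose.
SAMPLE_INVENTORY: Dict[str, dict] = {
    "idrcollector23.myorg.com": {
        "endpoint_credentials": ["MYORG\\svc-insightidr"],
        "monitoring_ranges": ["10.10.0.0/16", "192.168.50.10-192.168.50.40"],
    },
    "idrcollector24": {                                                   # item 1a: not an FQDN
        "endpoint_credentials": ["svc-insightidr", "MYORG\\svc-backup"],  # items 2 and 3
        "monitoring_ranges": ["10.10.200.0/24", "not-an-ip"],            # item 5: overlaps collector 23
    },
}


def parse_range(rng: str) -> list:
    """Accept a single IP, a CIDR block, or a dashed start-end range as a list of networks.
    Raises ValueError for anything else (including a reversed start-end range)."""
    if "-" in rng:
        start, end = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(rng.strip(), strict=False)]


def check_collector(name: str, cfg: dict) -> List[str]:
    """Items 1a, 2, 3 and range syntax for one Collector; an empty list means it passes."""
    findings = []
    if not FQDN_RE.match(name):
        findings.append(f"{name}: Collector name is not a fully qualified domain name")
    creds = cfg.get("endpoint_credentials", [])
    if len(creds) != 1:
        findings.append(f"{name}: exactly one set of endpoint credentials required, found {len(creds)}")
    for cred in creds:
        if not CRED_RE.match(cred):
            findings.append(f"{name}: credential {cred!r} must be in domain\\username form")
    for rng in cfg.get("monitoring_ranges", []):
        try:
            parse_range(rng)
        except ValueError:
            findings.append(f"{name}: {rng!r} is not a valid IP, CIDR block or start-end range")
    return findings


def find_overlaps(inventory: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """Item 5: ranges that overlap across two different Collectors (same Collector is not flagged)."""
    nets = []
    for name, cfg in inventory.items():
        for rng in cfg.get("monitoring_ranges", []):
            try:
                nets.extend((name, rng, net) for net in parse_range(rng))
            except ValueError:
                continue                      # already reported by check_collector
    overlaps = []
    for i, (name_a, rng_a, net_a) in enumerate(nets):
        for name_b, rng_b, net_b in nets[i + 1:]:
            pair = (name_a, rng_a, name_b, rng_b)
            if name_a != name_b and net_a.overlaps(net_b) and pair not in overlaps:
                overlaps.append(pair)
    return overlaps


def run_checks(inventory: Dict[str, dict]) -> Tuple[Dict[str, List[str]], list]:
    """Per-Collector findings plus the cross-Collector overlap list."""
    return {n: check_collector(n, c) for n, c in inventory.items()}, find_overlaps(inventory)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Items 1b and 4: does a plain TCP handshake to host:port complete? Nothing is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    findings, overlaps = run_checks(SAMPLE_INVENTORY)
    for name, items in findings.items():
        print(f"{name}: {'OK' if not items else str(len(items)) + ' finding(s)'}")
        for item in items:
            print("  -", item)
    for a, ra, b, rb in overlaps:
        print(f"OVERLAP: {ra} on {a} overlaps {rb} on {b}")
    if len(sys.argv) == 3 and sys.argv[1] == "--probe":   # e.g. --probe idrcollector23.myorg.com
        for host in INGRESS_HOSTS:                         # run this part from the Collector
            print(f"{host}:{INGRESS_PORT} reachable: {tcp_reachable(host, INGRESS_PORT)}")
        for port in COLLECTOR_FIXED_PORTS + COLLECTOR_RANGE:  # run this part from an endpoint
            print(f"{sys.argv[2]}:{port} reachable: {tcp_reachable(sys.argv[2], port)}")
```

Run it as-is to see the sample findings; run it as `--probe <collector-fqdn>` from the Collector for the ingress hosts and from an endpoint for the Collector ports. The probe only samples the two ends of the 20,000-30,000 range, so a firewall rule that opens the fixed ports but only part of the range still needs to be confirmed against the rule set itself.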

Endpoint network (diagram)