icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Rapid7 InsightIDR for Splunk
SHA256 checksum (rapid7-insightidr-for-splunk_10.tgz) 3822d847872f15d4ea933785de349e4e7342b1ee037b80491d3bae9ae3ee46d1
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Rapid7 InsightIDR for Splunk

This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Details
Rapid7’s IT security data and analytics solutions collect, contextualize and analyze the security data you need to fight an increasingly deceptive and pervasive adversary. The Rapid7 InsightIDR for Splunk app enables security operations professionals to detect, investigate, and respond to security threats more quickly and effectively. It integrates Rapid7 InsightIDR with Splunk to provide vulnerability management and incident detection data.

Rapid7 InsightIDR for Splunk

http://www.rapid7.com

Using this Application:

Setup:

Please see Splunk's official documentation for the initial installation of the add-on.

After installation, you should be prompted to set up the application. The configuration screen may also be accessed by clicking the "Configuration" link within the app's navigation bar or by selecting the 'Set up' action for the add-on within the App Management screen.

On this screen, enter the hostname or IP address of each of your InsightIDR collectors (e.g. collector.mynetwork.com).

Any change to these initial details can performed from the "Configuration" screen (accessible from the dashboard under the 'Rapid7 InsightIDR for Splunk' application).

Module details:

Log Advancers:

The term 'log advancer' used within the app refers to what is essentially a port forwarder. The log advancers solely forward data from Splunk to a remote server on a specific port.

Note that the log advancers within the app are distinct from a Splunk Forwarder and do not comply with any of the expectations which come with using a Splunk Forwarder.

Log Advancers Screen:

This screen displays all available log advancers. You have the option to create, edit or delete log advancers based on the data source.

To enable a log forwarder for a data source, click the corresponding "Enable" link. This will bring you to the "Configure a Log Advancer" screen (which is detailed below).

When a log advancer has been configured, clicking the "Edit" button will bring you back to this page so details may be amended. Alternatively, clicking the "Delete" button will remove the associated settings for that data source.

Please note that if you make any changes to the log advancers, you must restart the Splunk server for them to take effect.

Log Advancer Configuration Screen:

This screen allows you to select data to send to InsightIDR, as well as where to send it.

Data source - Host, source, or sourcetype.

  • Host - The name of the machine from which the data originates.
  • Source - The source of data from the machine (such as tcp:1234 or /var/log/firewall.log)
  • Sourcetype - The sourcetype with which Splunk has tagged the data.

Regex - Optional - Regular expression for further data filtering. Only if the regex matches the whole payload will the data be forwarded.

Collector - The host (presumably of one of your collectors) to which data will be sent. Make sure the selected collector has the corresponding event source set up to receive these events. The dropdown is filled with the collectors specified on the "Configuration" screen.

Protocol - The protocol to use when sending the data.

Port - The port on the collector machine to which data will be sent.

Note: This application must be installed on the Splunk node indexing the data that you want to forward to InsightIDR. Further to this it is preferable that the raw data should be passed to InsightIDR i.e. the untransformed data from the socket rather than the transformed data with a sourcetype.

Receivers Screen:

Under the Receivers section, there is an entry for each port on which Splunk is listening for data.

To create a new receiver, enter the collector, protocol and port and click the "Create" button.

To delete a receiver, click the corresponding "Delete" link.

Note that only a single receiver may have the same combination of collector, protocol and port.

Also, in order to have multiple receivers listen to the same protocol and port combination, they must each have a unique collector specified. It is not possible to have a receiver without a collector and a receiver with a collector for the same protocol and port combination.

  • Collector - Optional - If selected, only data coming from the specified host will be handled by this receiver. The dropdown is filled with the collectors specified on the "Configuration" screen.
  • Protocol - The protocol to use to listen for events.
  • Port - The port on which to listen.
  • Sourcetype - The sourcetype Splunk will apply to the data matching this receiver.

Debugging:

Two log files are available to help debug issues contained within <splunk_home>/var/log/splunk/:

  • splunkd.log - Splunk general log
  • rapid7idr.log - Log for the Rapid7 Technology Add-on

Also, each page logs to the web console. Please refer to the documentation for your browser of choice for details regarding how to capture the log.

Please contact support@rapid7.com for help, including all relevant files.

Changelog:

1.0 // Initial release.

Release Notes

Version 1.0
July 6, 2017

1.0 // Initial release.

34
Installs
329
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.