{"users":[{"id":48,"username":"rapid7_bot","name":"Rapid7 Bot","avatar_template":"/user_avatar/discuss.rapid7.com/rapid7_bot/{size}/70_2.png","admin":true,"moderator":true,"trust_level":1},{"id":28963,"username":"Jsizzle223","name":"jkrato","avatar_template":"/letter_avatar_proxy/v4/letter/j/cdc98d/{size}.png","trust_level":1},{"id":2201,"username":"remco_de_kievit","name":"Remco de Kievit","avatar_template":"/user_avatar/discuss.rapid7.com/remco_de_kievit/{size}/2824_2.png","trust_level":1},{"id":50511,"username":"skadish","name":"skadish","avatar_template":"/letter_avatar_proxy/v4/letter/s/a87d85/{size}.png","trust_level":1},{"id":50987,"username":"mcampbell4","name":"mcampbell","avatar_template":"/letter_avatar_proxy/v4/letter/m/4bbf92/{size}.png","trust_level":1},{"id":31526,"username":"ilevinson","name":"ilevinson","avatar_template":"/letter_avatar_proxy/v4/letter/i/e9bcb4/{size}.png","trust_level":1},{"id":19142,"username":"ric","name":"rcrawford","avatar_template":"/letter_avatar_proxy/v4/letter/r/c77e96/{size}.png","trust_level":1},{"id":11318,"username":"mmur_gt4e","name":"Mike","avatar_template":"/user_avatar/discuss.rapid7.com/mmur_gt4e/{size}/1985_2.png","trust_level":2},{"id":51868,"username":"cs1","name":"cs","avatar_template":"/letter_avatar_proxy/v4/letter/c/b19c9b/{size}.png","trust_level":1},{"id":718,"username":"david_smith1","name":"David Smith","avatar_template":"/letter_avatar_proxy/v4/letter/d/cdc98d/{size}.png","trust_level":2},{"id":36758,"username":"testuser","name":"testuser","avatar_template":"/letter_avatar_proxy/v4/letter/t/e495f1/{size}.png","trust_level":2},{"id":37893,"username":"jde_reviere","name":"jde reviere","avatar_template":"/letter_avatar_proxy/v4/letter/j/a9a28c/{size}.png","trust_level":1},{"id":11786,"username":"njennewein1","name":"njennewein","avatar_template":"/letter_avatar_proxy/v4/letter/n/d9b06d/{size}.png","trust_level":1},{"id":69,"username":"david_smith","name":"David 
Smith","avatar_template":"/letter_avatar_proxy/v4/letter/d/a3d4f5/{size}.png","trust_level":2},{"id":16296,"username":"dome","name":"Dome","avatar_template":"/letter_avatar_proxy/v4/letter/d/85f322/{size}.png","trust_level":2},{"id":42361,"username":"mshubaly","name":"mshubaly","avatar_template":"/letter_avatar_proxy/v4/letter/m/d2c977/{size}.png","trust_level":1},{"id":23576,"username":"mblough","name":"mblough","avatar_template":"/letter_avatar_proxy/v4/letter/m/779978/{size}.png","trust_level":2},{"id":37421,"username":"vdomenech","name":"vdomenech","avatar_template":"/letter_avatar_proxy/v4/letter/v/ecb155/{size}.png","trust_level":1},{"id":1275,"username":"scot_perkins","name":"Scot Perkins","avatar_template":"/letter_avatar_proxy/v4/letter/s/ecccb3/{size}.png","trust_level":2},{"id":4532,"username":"arthur_mcfarlane","name":"Arthur McFarlane","avatar_template":"/letter_avatar_proxy/v4/letter/a/ba8739/{size}.png","trust_level":1},{"id":17286,"username":"banderson","name":"banderson","avatar_template":"/user_avatar/discuss.rapid7.com/banderson/{size}/1932_2.png","trust_level":1},{"id":2109,"username":"bimodh_jo_mathew","name":"Bimodh Jo Mathew","avatar_template":"/letter_avatar_proxy/v4/letter/b/dfb087/{size}.png","trust_level":1},{"id":31191,"username":"ojetawo","name":"ojetawo","avatar_template":"/letter_avatar_proxy/v4/letter/o/9e8a1a/{size}.png","trust_level":1},{"id":37267,"username":"alima","name":"alima","avatar_template":"/letter_avatar_proxy/v4/letter/a/2acd7d/{size}.png","trust_level":1},{"id":34959,"username":"bdj","name":"bjohnson","avatar_template":"/user_avatar/discuss.rapid7.com/bdj/{size}/2539_2.png","trust_level":1},{"id":34750,"username":"jspychalski","name":"jspychalski","avatar_template":"/letter_avatar_proxy/v4/letter/j/aeb1de/{size}.png","trust_level":1},{"id":1427,"username":"Eric-Wilson","name":"Eric 
Wilson","avatar_template":"/user_avatar/discuss.rapid7.com/eric-wilson/{size}/2531_2.png","admin":true,"moderator":true,"trust_level":4},{"id":3914,"username":"ross_palmer","name":"Ross Palmer","avatar_template":"/letter_avatar_proxy/v4/letter/r/edb3f5/{size}.png","trust_level":1},{"id":27561,"username":"nysambart","name":"nysambart","avatar_template":"/letter_avatar_proxy/v4/letter/n/71e660/{size}.png","trust_level":1},{"id":21671,"username":"ajain","name":"ajain","avatar_template":"/letter_avatar_proxy/v4/letter/a/77aa72/{size}.png","trust_level":1},{"id":4671,"username":"alex_sanders","name":"Alex Sanders","avatar_template":"/letter_avatar_proxy/v4/letter/a/3ab097/{size}.png","trust_level":1},{"id":42365,"username":"mthomas5","name":"mthomas","avatar_template":"/letter_avatar_proxy/v4/letter/m/c89c15/{size}.png","trust_level":1},{"id":5734,"username":"nnbinette","name":"nnbinette","avatar_template":"/letter_avatar_proxy/v4/letter/n/51bf81/{size}.png","trust_level":1},{"id":9059,"username":"ahammond_admin","name":"ahammond admin","avatar_template":"/letter_avatar_proxy/v4/letter/a/439d5e/{size}.png","trust_level":1},{"id":13140,"username":"sgroeneveld","name":"sgroeneveld","avatar_template":"/letter_avatar_proxy/v4/letter/s/a8b319/{size}.png","trust_level":2},{"id":33684,"username":"esoteric","name":"shaun","avatar_template":"/letter_avatar_proxy/v4/letter/e/a4c791/{size}.png","trust_level":1},{"id":5629,"username":"DanM","name":"dmuller","avatar_template":"/user_avatar/discuss.rapid7.com/danm/{size}/847_2.png","trust_level":1},{"id":35637,"username":"bfraley","name":"bfraley","avatar_template":"/letter_avatar_proxy/v4/letter/b/5f8ce5/{size}.png","trust_level":1},{"id":31304,"username":"christopher_kane1","name":"Christopher 
Kane","avatar_template":"/letter_avatar_proxy/v4/letter/c/a88e4f/{size}.png","trust_level":1},{"id":3954,"username":"David_Williams","name":"","avatar_template":"/letter_avatar_proxy/v4/letter/d/90ced4/{size}.png","trust_level":1},{"id":17408,"username":"antmar904","name":"antmar904","avatar_template":"/letter_avatar_proxy/v4/letter/a/d2c977/{size}.png","trust_level":2},{"id":32581,"username":"bknoff1","name":"bknoff","avatar_template":"/letter_avatar_proxy/v4/letter/b/f0a364/{size}.png","trust_level":1},{"id":3772,"username":"RHolzer","name":"Robert Holzer","avatar_template":"/user_avatar/discuss.rapid7.com/rholzer/{size}/2199_2.png","trust_level":2},{"id":13625,"username":"hgough","name":"hgough","avatar_template":"/letter_avatar_proxy/v4/letter/h/41988e/{size}.png","trust_level":1},{"id":4944,"username":"hp_first","name":"HP FIRST","avatar_template":"/letter_avatar_proxy/v4/letter/h/258eb7/{size}.png","trust_level":1},{"id":24881,"username":"cyberpunk","name":"","avatar_template":"/letter_avatar_proxy/v4/letter/c/eada6e/{size}.png","trust_level":2},{"id":22301,"username":"aalves1","name":"aalves","avatar_template":"/letter_avatar_proxy/v4/letter/a/82dd89/{size}.png","trust_level":1}],"primary_groups":[],"flair_groups":[],"topic_list":{"can_create_topic":false,"more_topics_url":"/c/insightidr/event-sources/21?page=1","per_page":30,"top_tags":["InsightIDR","active_directory_ldap","checkpoint_ngfw","InsightConnect","InsightOps","microsoft_atp","microsoft_sccm","powershell","smtp","syslog_forwarder","syslog_listener"],"topics":[{"fancy_title":"About the Event Sources category","id":1102,"title":"About the Event Sources category","slug":"about-the-event-sources-category","posts_count":1,"reply_count":0,"highest_post_number":1,"image_url":null,"created_at":"2020-06-05T22:04:42.994Z","last_posted_at":"2020-06-05T22:04:43.004Z","bumped":true,"bumped_at":"2020-06-05T22:05:00.723Z","archetype":"regular","unseen":false,"pinned":true,"unpinned":null,"excerpt":"All about 
InsightIDR event source management and configuration.","visible":true,"closed":true,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":402,"like_count":0,"has_summary":false,"last_poster_username":"rapid7_bot","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":"latest single","description":"Original Poster, Most Recent Poster","user_id":48,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Snowflake - No IDR EventSource?","id":57240,"title":"Snowflake - No IDR EventSource?","slug":"snowflake-no-idr-eventsource","posts_count":1,"reply_count":0,"highest_post_number":1,"image_url":null,"created_at":"2026-05-22T15:20:13.933Z","last_posted_at":"2026-05-22T15:20:14.021Z","bumped":true,"bumped_at":"2026-05-22T15:20:14.021Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Is there really no event source for snowflake logs? \nThe only extesion I have found is for Attack Surface. 
\nI would think log collection would be the priority integration.","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":52,"like_count":2,"has_summary":false,"last_poster_username":"Jsizzle223","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":"latest single","description":"Original Poster, Most Recent Poster","user_id":28963,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Something change in the security","id":57105,"title":"Something change in the security","slug":"something-change-in-the-security","posts_count":1,"reply_count":0,"highest_post_number":1,"image_url":"//forum-uploads-hub-prod-1-us-east-1-rapid7-com.s3.dualstack.us-east-1.amazonaws.com/original/2X/a/a1a5d3cff478c9937832b8ca5f8ea87aab9c557a.jpeg","created_at":"2026-03-10T12:33:02.089Z","last_posted_at":"2026-03-10T12:33:02.174Z","bumped":true,"bumped_at":"2026-03-10T12:33:02.174Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":61,"like_count":0,"has_summary":false,"last_poster_username":"remco_de_kievit","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":"latest single","description":"Original Poster, Most Recent Poster","user_id":2201,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Agents on Cloud PCs","id":57052,"title":"Agents on Cloud PCs","slug":"agents-on-cloud-pcs","posts_count":1,"reply_count":0,"highest_post_number":1,"image_url":null,"created_at":"2026-01-27T20:34:32.040Z","last_posted_at":"2026-01-27T20:34:32.119Z","bumped":true,"bumped_at":"2026-01-27T20:34:32.119Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"I’m curious to know whether 
people are deploying Insight agents to Windows 365 Cloud PCs.  Cloud PCs can be deleted, and depending on their purpose, they could be “powered off” for long periods of time.  How much complex&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":40,"like_count":0,"has_summary":false,"last_poster_username":"skadish","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":"latest single","description":"Original Poster, Most Recent Poster","user_id":50511,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Bitdefender Connector","id":57028,"title":"Bitdefender Connector","slug":"bitdefender-connector","posts_count":2,"reply_count":0,"highest_post_number":2,"image_url":null,"created_at":"2025-12-30T18:07:11.555Z","last_posted_at":"2026-01-05T08:08:14.293Z","bumped":true,"bumped_at":"2026-01-05T08:08:14.293Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Has anyone had to setup the Bitdefender node.js connector on an ubuntu server. 
It seems the rapid7 folks do not understand how to do this as well as the Bitdefender folks alike.","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":73,"like_count":1,"has_summary":false,"last_poster_username":"ilevinson","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":50987,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":31526,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Rapid7 and Cloudflare","id":56310,"title":"Rapid7 and Cloudflare","slug":"rapid7-and-cloudflare","posts_count":2,"reply_count":0,"highest_post_number":2,"image_url":null,"created_at":"2025-11-11T09:06:30.212Z","last_posted_at":"2025-12-26T13:20:17.833Z","bumped":true,"bumped_at":"2025-12-26T13:20:17.833Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"I’m curious to know if anyone has any experience with ingesting Cloudflare log push jobs without using S3 buckets? 
\nWe’re currently in the process of setting up the following: \n\nCloudFlare Log push Job sends GZIP files t&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":129,"like_count":0,"has_summary":false,"last_poster_username":"mmur_gt4e","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":19142,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":11318,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Query Multiple Logs","id":56655,"title":"Query Multiple Logs","slug":"query-multiple-logs","posts_count":4,"reply_count":2,"highest_post_number":4,"image_url":"//forum-uploads-hub-prod-1-us-east-1-rapid7-com.s3.dualstack.us-east-1.amazonaws.com/optimized/2X/8/88686465020f5c2fc2d20ad1c4ca4c7e6e8ddeee_2_1024x648.png","created_at":"2025-11-24T13:23:50.991Z","last_posted_at":"2025-11-25T15:18:35.823Z","bumped":true,"bumped_at":"2025-11-25T15:18:35.823Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Hi Team, \nI&#39;m using the below API to get Audit events. 
\nPOST -&gt; https://us.rest.logs.insight.rapid7.com/query/logs \nPayload: \n{ \n&quot;logs&quot;: [ \n&quot;deed3b3c-8647-4974-86ed-dffa758dc478&quot;, \n&quot;d49da53f-0802-4155-a29a-c28b6f00fae7&quot;, &hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":140,"like_count":2,"has_summary":false,"last_poster_username":"david_smith1","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":51868,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":718,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Should Microsoft Defender and Identity Protection logs be collected via Microsoft Security (Graph API) instead of Event Hub?","id":55899,"title":"Should Microsoft Defender and Identity Protection logs be collected via Microsoft Security (Graph API) instead of Event Hub?","slug":"should-microsoft-defender-and-identity-protection-logs-be-collected-via-microsoft-security-graph-api-instead-of-event-hub","posts_count":4,"reply_count":0,"highest_post_number":4,"image_url":null,"created_at":"2025-10-27T11:01:38.697Z","last_posted_at":"2025-10-30T12:18:59.110Z","bumped":true,"bumped_at":"2025-10-30T12:18:59.110Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"We’re currently forwarding Azure AD Identity Protection logs (Risk Detections / Risky Users) to InsightIDR via Azure Event Hub. \nThe data is successfully received, but all of these logs appear as Unparsed Logs . 
there ar&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":189,"like_count":0,"has_summary":false,"last_poster_username":"jde_reviere","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":36758,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":11318,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":37893,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"vmWare vCenter &amp; ESXi - Log Filter","id":14015,"title":"vmWare vCenter & ESXi - Log Filter","slug":"vmware-vcenter-esxi-log-filter","posts_count":5,"reply_count":1,"highest_post_number":5,"image_url":null,"created_at":"2022-07-28T11:52:23.360Z","last_posted_at":"2025-07-23T00:12:27.372Z","bumped":true,"bumped_at":"2025-07-23T00:12:27.372Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Hi all, \nwe collect the VMware vCenter &amp; ESXi LOGs with InsightIDR. We have seen that we get too much “useless” data from vmWare via syslog. 
\nIs there a way to filter vmware logs and send only necessary logs via syslog t&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":2252,"like_count":3,"has_summary":false,"last_poster_username":"david_smith1","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":true,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":11786,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster, Accepted Answer","user_id":69,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":16296,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":718,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Viewing 10","id":50637,"title":"Viewing 10","slug":"viewing-10","posts_count":4,"reply_count":2,"highest_post_number":4,"image_url":null,"created_at":"2025-04-28T16:55:09.966Z","last_posted_at":"2025-05-23T13:16:31.950Z","bumped":true,"bumped_at":"2025-05-23T13:16:31.950Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"When searching data collection event sources it only shows 10 at a time. 
There must be a way to set that to something more relevant like a 100?","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":81,"like_count":0,"has_summary":false,"last_poster_username":"mblough","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":42361,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":23576,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Azure Honeypots","id":51425,"title":"Azure Honeypots","slug":"azure-honeypots","posts_count":1,"reply_count":0,"highest_post_number":1,"image_url":null,"created_at":"2025-05-21T19:40:57.799Z","last_posted_at":"2025-05-21T19:40:57.862Z","bumped":true,"bumped_at":"2025-05-21T19:40:57.862Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"I was able to convert the .ova to .vhd and then convert that to a fixed disk. Created an image, then created a vm however that is as far as I get. 
\nThe booting VM needs me to enter in a hostname but the serial console ne&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":112,"like_count":0,"has_summary":false,"last_poster_username":"mshubaly","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":"latest single","description":"Original Poster, Most Recent Poster","user_id":42361,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Azure EventHub (event source) only picking up User Changes and some limited Administration","id":42707,"title":"Azure EventHub (event source) only picking up User Changes and some limited Administration","slug":"azure-eventhub-event-source-only-picking-up-user-changes-and-some-limited-administration","posts_count":4,"reply_count":2,"highest_post_number":4,"image_url":null,"created_at":"2024-09-20T17:15:30.279Z","last_posted_at":"2025-04-29T20:09:25.208Z","bumped":true,"bumped_at":"2025-04-29T20:09:25.208Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"I am having an issue where we setup an EventHub to pass information to InsightIDR but are getting a limited set of data. 
Meaning I only see things like ADSync and some user changes like user added to groups and users pas&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":143,"like_count":0,"has_summary":false,"last_poster_username":"david_smith","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":37421,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":1275,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":4532,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":69,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"AWS WAF Logs","id":25572,"title":"AWS WAF Logs","slug":"aws-waf-logs","posts_count":5,"reply_count":1,"highest_post_number":5,"image_url":null,"created_at":"2023-07-25T15:39:46.020Z","last_posted_at":"2025-04-23T13:46:06.785Z","bumped":true,"bumped_at":"2025-04-23T13:46:06.785Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"I am curious if anybody is ingesting AWS WAF logs into InsightIDR?  
If so; how are you ingesting them and how successful has it been?","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":1061,"like_count":0,"has_summary":false,"last_poster_username":"ojetawo","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":17286,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":2109,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":69,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":31191,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Ingesting Purview Information Protection Scanner Logs","id":48035,"title":"Ingesting Purview Information Protection Scanner Logs","slug":"ingesting-purview-information-protection-scanner-logs","posts_count":2,"reply_count":0,"highest_post_number":2,"image_url":null,"created_at":"2025-02-13T11:48:18.477Z","last_posted_at":"2025-03-25T09:58:34.440Z","bumped":true,"bumped_at":"2025-03-25T09:58:34.440Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Does anyone have any experience with ingesting these types of events? 
\nThe events from the scans are written to the Unified Audit Log, however I don’t think these currently fall under the event types that IDR can parse f&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":278,"like_count":3,"has_summary":false,"last_poster_username":"mmur_gt4e","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":19142,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":11318,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Rapid7 Event Sources","id":48254,"title":"Rapid7 Event Sources","slug":"rapid7-event-sources","posts_count":3,"reply_count":1,"highest_post_number":3,"image_url":null,"created_at":"2025-02-19T03:57:38.721Z","last_posted_at":"2025-02-26T06:10:49.336Z","bumped":true,"bumped_at":"2025-02-26T06:10:49.336Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Some of my Rapid7 event sources are giving me the inactivity notice after I moved them to a second data collector. I have deleted them from the first data collector and only kept 1 in the second data collector. 
Does anyo&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":160,"like_count":0,"has_summary":false,"last_poster_username":"bdj","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":37267,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":718,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":34959,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Office 365 Management Instructions","id":48453,"title":"Office 365 Management Instructions","slug":"office-365-management-instructions","posts_count":4,"reply_count":0,"highest_post_number":4,"image_url":null,"created_at":"2025-02-24T20:33:29.990Z","last_posted_at":"2025-02-24T21:16:44.305Z","bumped":true,"bumped_at":"2025-02-24T21:16:44.305Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"These are the worst instructions ever and I expect better from Rapid7. 
\nRapid7 Extensions - Office 365 Management \nThis post was created under frustration, apologies for the hostility","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":219,"like_count":0,"has_summary":false,"last_poster_username":"Eric-Wilson","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":34750,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":1427,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Watch Directory Troubleshooting","id":19095,"title":"Watch Directory Troubleshooting","slug":"watch-directory-troubleshooting","posts_count":4,"reply_count":1,"highest_post_number":4,"image_url":null,"created_at":"2023-01-26T12:06:49.171Z","last_posted_at":"2025-02-19T04:00:51.887Z","bumped":true,"bumped_at":"2025-02-19T04:00:51.887Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Hi all, \nSetting up a new Watch Directory source, but its not pulling through events. \nI have configured the network path (eg, \\xxxx\\yy\\z) and set the appropriate credentials. 
\nThere is no error showing, it just shows “R&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":812,"like_count":0,"has_summary":false,"last_poster_username":"alima","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":3914,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":37267,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"CrowdStrike FDR v2 Support","id":34311,"title":"CrowdStrike FDR v2 Support","slug":"crowdstrike-fdr-v2-support","posts_count":3,"reply_count":0,"highest_post_number":3,"image_url":null,"created_at":"2024-03-07T15:16:24.459Z","last_posted_at":"2025-02-07T14:07:50.771Z","bumped":true,"bumped_at":"2025-02-07T14:07:50.771Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Does anyone know if Rapid7 IDR can (or will be able to) connect to Crowdstrike FDR v2?","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":305,"like_count":0,"has_summary":false,"last_poster_username":"ajain","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":27561,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":21671,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Collect event logs from remote computers","id":47789,"title":"Collect event logs from remote 
computers","slug":"collect-event-logs-from-remote-computers","posts_count":2,"reply_count":0,"highest_post_number":2,"image_url":null,"created_at":"2025-02-06T21:40:51.360Z","last_posted_at":"2025-02-06T23:08:34.427Z","bumped":true,"bumped_at":"2025-02-06T23:08:34.427Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"What is everyone doing to ingest additional windows event logs that the Agent doesn’t pull in from remote assets? Most of our workforce is remote, and you don’t have constant line-of-sight to a log server, etc. \nCurrentl&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":126,"like_count":0,"has_summary":false,"last_poster_username":"david_smith1","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":true,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":4671,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster, Accepted Answer","user_id":718,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Dns log clean up on domain controllers","id":46872,"title":"Dns log clean up on domain controllers","slug":"dns-log-clean-up-on-domain-controllers","posts_count":2,"reply_count":0,"highest_post_number":2,"image_url":null,"created_at":"2025-01-15T13:33:02.696Z","last_posted_at":"2025-01-21T13:26:30.486Z","bumped":true,"bumped_at":"2025-01-21T13:26:30.486Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Hi All, \nI’m seeking advice on managing DNS logs on domain controllers where DNS is configured directly. Specifically, how are you handling DNS log cleanup? 
According to Rapid7 documentation, the log folder should be on &hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":251,"like_count":0,"has_summary":false,"last_poster_username":"nnbinette","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":42365,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":5734,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Windows Application &amp; Services Logs?","id":43043,"title":"Windows Application & Services Logs?","slug":"windows-application-services-logs","posts_count":10,"reply_count":4,"highest_post_number":11,"image_url":null,"created_at":"2024-09-30T14:37:39.646Z","last_posted_at":"2025-01-10T18:45:48.361Z","bumped":true,"bumped_at":"2025-01-10T18:45:48.361Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Has anyone successfully been able to get Windows Applications and Services Logs into IDR?  
We are trying to get logs that are visible in Event Viewer at Applications and Services Logs &gt; Microsoft &gt; Windows &gt; DriverFramew&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":500,"like_count":1,"has_summary":false,"last_poster_username":"david_smith1","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":9059,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":4671,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":42361,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":718,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Defender for Endpoint Integration","id":44950,"title":"Defender for Endpoint Integration","slug":"defender-for-endpoint-integration","posts_count":3,"reply_count":1,"highest_post_number":3,"image_url":null,"created_at":"2024-11-14T15:24:06.219Z","last_posted_at":"2024-11-15T12:41:30.111Z","bumped":true,"bumped_at":"2024-11-15T12:41:30.111Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Does anyone have any experience using the Microsoft Defender ATP event source (Now Defender for Endpoint)? \nWe’re planning to set up an Exploit Guard policy i.e. 
ASR rules, Controlled Folder Access and Network Protection&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":190,"like_count":0,"has_summary":false,"last_poster_username":"sgroeneveld","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":19142,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":718,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":13140,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"CEF Log Format","id":44385,"title":"CEF Log Format","slug":"cef-log-format","posts_count":1,"reply_count":0,"highest_post_number":1,"image_url":null,"created_at":"2024-10-31T04:00:19.598Z","last_posted_at":"2024-10-31T04:00:19.651Z","bumped":true,"bumped_at":"2024-10-31T04:00:19.651Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Hi All, \nI’d like to ingest logs from a palo alto firewall as CEF format to get a nicer representation. Is this possible within InsightIDR? 
\nI’ve set it up and logs get received by the event source but unable to be viewe&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":76,"like_count":1,"has_summary":false,"last_poster_username":"esoteric","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":"latest single","description":"Original Poster, Most Recent Poster","user_id":33684,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Unicode log files as event source?","id":43968,"title":"Unicode log files as event source?","slug":"unicode-log-files-as-event-source","posts_count":3,"reply_count":1,"highest_post_number":3,"image_url":null,"created_at":"2024-10-22T11:41:45.685Z","last_posted_at":"2024-10-23T12:33:26.717Z","bumped":true,"bumped_at":"2024-10-23T12:33:26.717Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"I just set up a “Custom logs” event source to ingest logs from a custom Web app. The app writes log data to files in a non-standard format. 
It looks like the log files use Unicode (I’m working on confirming that), and th&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":75,"like_count":1,"has_summary":false,"last_poster_username":"DanM","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":"latest","description":"Original Poster, Most Recent Poster","user_id":5629,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":718,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Insight IDR - Custom Detection Rule - Generic Endpoint Acitivity","id":43562,"title":"Insight IDR - Custom Detection Rule - Generic Endpoint Acitivity","slug":"insight-idr-custom-detection-rule-generic-endpoint-acitivity","posts_count":4,"reply_count":2,"highest_post_number":4,"image_url":"//forum-uploads-hub-prod-1-us-east-1-rapid7-com.s3.dualstack.us-east-1.amazonaws.com/original/2X/e/ea1663cd86974c5cab7c9bea4b2617fbf9d7d50e.png","created_at":"2024-10-11T18:54:21.877Z","last_posted_at":"2024-10-14T15:34:32.677Z","bumped":true,"bumped_at":"2024-10-14T15:34:32.677Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Howdy all, \nI have been slowly working my way around the Rapid7 IDR platform. I figured I would take a crack at writing my own detection rules to help alert when a user downloads and installs some PUP/PUA. 
As my starting&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":230,"like_count":2,"has_summary":false,"last_poster_username":"christopher_kane1","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":35637,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":31304,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"vCenter Syslogs to IDR?","id":7050,"title":"vCenter Syslogs to IDR?","slug":"vcenter-syslogs-to-idr","posts_count":3,"reply_count":0,"highest_post_number":3,"image_url":null,"created_at":"2021-09-24T16:09:43.842Z","last_posted_at":"2024-09-23T19:50:51.088Z","bumped":true,"bumped_at":"2024-09-23T19:50:51.088Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"I was working on my vCenter management interface and I realized I don’t have syslogs going to anything so I thought I’d see about sending them to my local Insight collector and add an event source in IDR so I could get l&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":866,"like_count":2,"has_summary":false,"last_poster_username":"antmar904","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":3954,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":69,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":17408,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Homegrown application logs","id":40469,"title":"Homegrown application 
logs","slug":"homegrown-application-logs","posts_count":3,"reply_count":1,"highest_post_number":3,"image_url":null,"created_at":"2024-07-31T16:52:29.384Z","last_posted_at":"2024-09-18T17:07:12.708Z","bumped":true,"bumped_at":"2024-09-18T17:07:12.708Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"We have 3 homegrown applications which currently do not produce logs apparently of any kind.  We are being required to have these applications produce logs to feed into R7.  What I do not know as I’ve never dealt with thi&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":90,"like_count":0,"has_summary":false,"last_poster_username":"bknoff1","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":"latest","description":"Original Poster, Most Recent Poster","user_id":32581,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":3772,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"DNSFilter event source, or generic alternative","id":40817,"title":"DNSFilter event source, or generic alternative","slug":"dnsfilter-event-source-or-generic-alternative","posts_count":1,"reply_count":0,"highest_post_number":1,"image_url":null,"created_at":"2024-08-08T11:48:58.246Z","last_posted_at":"2024-08-08T11:48:58.301Z","bumped":true,"bumped_at":"2024-08-08T11:48:58.301Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Hi all - is anyone using DNSFilter/s3 with insightIDR? I see a few other topics here about “I’d love this event source” but couldn't see any r7 responses. 
We had DNS logs via s3 with Umbrella, but have now migrated to DNS&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":80,"like_count":0,"has_summary":false,"last_poster_username":"hgough","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":"latest single","description":"Original Poster, Most Recent Poster","user_id":13625,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Issue with Integration of SQL Database with Rapid7","id":31673,"title":"Issue with Integration of SQL Database with Rapid7","slug":"issue-with-integration-of-sql-database-with-rapid7","posts_count":3,"reply_count":0,"highest_post_number":3,"image_url":null,"created_at":"2024-01-10T10:22:46.240Z","last_posted_at":"2024-08-07T01:20:14.555Z","bumped":true,"bumped_at":"2024-08-07T01:20:14.555Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"I hope this message finds you well. I am reaching out to seek assistance regarding the integration of my SQL database with our platform. 
Currently, I am encountering challenges in establishing communication between the d&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":[],"tags_descriptions":{},"views":487,"like_count":1,"has_summary":false,"last_poster_username":"aalves1","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":false,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":4944,"primary_group_id":null,"flair_group_id":null},{"extras":null,"description":"Frequent Poster","user_id":24881,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster","user_id":22301,"primary_group_id":null,"flair_group_id":null}]},{"fancy_title":"Zix Event Source - API or syslog w/TLS","id":40475,"title":"Zix Event Source - API or syslog w/TLS","slug":"zix-event-source-api-or-syslog-w-tls","posts_count":4,"reply_count":2,"highest_post_number":4,"image_url":"//forum-uploads-hub-prod-1-us-east-1-rapid7-com.s3.dualstack.us-east-1.amazonaws.com/original/2X/5/50b0c7dd36cb4176a38f518b4375b1649ecd5bd6.png","created_at":"2024-07-31T17:24:20.821Z","last_posted_at":"2024-08-01T22:20:47.548Z","bumped":true,"bumped_at":"2024-08-01T22:20:47.548Z","archetype":"regular","unseen":false,"pinned":false,"unpinned":null,"excerpt":"Howdy, \nI was reading through the Rapid7 documentation - it currently does not look like there is any native support for an integration with Zix secure email. 
According to Zix documentation, Zix supports SIEM integration&hellip;","visible":true,"closed":false,"archived":false,"bookmarked":null,"liked":null,"tags":["InsightIDR"],"tags_descriptions":{},"views":145,"like_count":0,"has_summary":false,"last_poster_username":"david_smith1","category_id":21,"pinned_globally":false,"featured_link":null,"has_accepted_answer":true,"can_vote":false,"posters":[{"extras":null,"description":"Original Poster","user_id":35637,"primary_group_id":null,"flair_group_id":null},{"extras":"latest","description":"Most Recent Poster, Accepted Answer","user_id":718,"primary_group_id":null,"flair_group_id":null}]}]}}