I am trying to figure out if there is a way to find all devices that have a local admin account with a specific name. We are using InsightIDR and InsightVM. I've been reading over the documentation, searching the log entries for the local admin username I'm looking for, and I've checked to see if anything in VM will show me that. So far my search has turned up nothing, even though I know that there are at least some devices with this specific user. Any insights as to whether this feature exists in Rapid7? Thanks for any advice you may have.
If you have the license that includes Velociraptor, you should be able to query all your devices with that. Something like this VQL command might work:
select * from users() where Name =~ 'administrator'
In IDR, it does look like each asset has a list of local users, but I’m not sure how to query the entire org for a specific username within the GUI. If you have good scripting skills, you may be able to get this using the API; some docs here.
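If you end up scripting it outside the Rapid7 console, the check itself is simple to do with PowerShell remoting. The following is an added example, not code from the thread or from Rapid7: it asks each host for the members of its local Administrators group, keeps only local (non-domain) accounts matching the target name, and also lists hosts that did not answer. Host names, the account name and the assumption that WinRM is enabled with admin rights on the targets are all placeholders.

```powershell
# Added example (not from the thread): report which hosts have a LOCAL account
# with a given name in their Administrators group.
# Assumes PSRemoting (WinRM) is enabled and the caller is an admin on the targets.
param(
    [string[]]$ComputerName = @('host01', 'host02'),   # placeholder host names
    [string]$TargetUser     = 'svc_localadmin'          # placeholder account name
)

$unreachable = @()
$results = Invoke-Command -ComputerName $ComputerName `
    -ErrorAction SilentlyContinue -ErrorVariable +unreachable `
    -ArgumentList $TargetUser -ScriptBlock {
    param($TargetUser)

    # Get-LocalGroupMember returns local accounts and domain principals alike;
    # PrincipalSource distinguishes them, so domain groups named the same way
    # are not reported as local admin accounts.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $_.PrincipalSource -eq 'Local' -and
            (($_.Name -split '\\')[-1]) -ieq $TargetUser
        } |
        ForEach-Object {
            $shortName = ($_.Name -split '\\')[-1]
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Account  = $_.Name
                Enabled  = (Get-LocalUser -Name $shortName).Enabled
            }
        }
}

# Hosts with the account, with a flag showing whether it is enabled.
$results | Select-Object Computer, Account, Enabled | Sort-Object Computer | Format-Table -AutoSize

# Hosts that never answered are gaps in the inventory, not "clean" hosts.
if ($unreachable) {
    "`nUnreachable hosts (no result, re-check these):"
    $unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique
}
```

Feed it the asset list exported from InsightVM or InsightIDR via -ComputerName, and treat the unreachable list as unknown rather than negative.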