Insight Agent - data collected

Hello everyone, I'm looking at this page, "How the Insight Agent Works | Insight Agent Documentation", but I want more details about the event codes, processes, etc. that are collected by the agent installed on the machines. On the web page you can see the list at a high level; I need deeper details. Could anyone help me?

Hi @valentina_ceoletta

These are the event codes the agent pulls:

https://docs.rapid7.com/insightidr/insight-agent/#monitored-event-codes

Notably, on endpoints we pull 7045, 1102, 4624, 4625, 4648, 4720

and on DCs we pull 1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728, 4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769

if the setting is enabled.

Also we pull the Windows Defender codes listed.

We collect all process starts on Windows, macOS and Linux.


Optionally, you can configure FIM and FAAM:

https://docs.rapid7.com/insightidr/file-integrity-monitoring/

https://docs.rapid7.com/insightidr/file-access-activity-monitoring/

And lastly, you can configure the logging.json on endpoints (not available on DCs) to pull all Windows System, Security and Application events:

https://docs.rapid7.com/insightidr/configure-the-insight-agent-to-send-logs/

David
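Before relying on the agent to forward the event IDs listed above, it helps to confirm the host is actually generating them. The following PowerShell script is an added example written for this thread; it is not Rapid7 code and does not touch the agent or its configuration. It counts, per event ID, how many matching events exist in the local Security log (and the System log for 7045, which is where service-installation events are written) over the last few days, using the endpoint and DC lists from David's reply. The `$Role` and `$Days` parameters are my own naming.

```powershell
# Added example (not from Rapid7 or this thread): check whether the event IDs
# the Insight Agent collects are present in the local Windows event logs.
# Run in an elevated PowerShell session on the host you want to verify.
param(
    [ValidateSet('Endpoint', 'DC')]
    [string]$Role = 'Endpoint',   # assumed parameter name; pick the host type
    [int]$Days = 7                # assumed parameter name; look-back window
)

# Event ID lists as given in the thread.
$endpointIds = 7045, 1102, 4624, 4625, 4648, 4720
$dcIds       = 1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728,
               4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769

$ids   = if ($Role -eq 'DC') { $dcIds } else { $endpointIds }
$since = (Get-Date).AddDays(-$Days)

# 7045 (a new service was installed) is a System-log event; the others are Security-log events.
$logs = @{ 'Security' = @($ids | Where-Object { $_ -ne 7045 }) }
if ($ids -contains 7045) { $logs['System'] = @(7045) }

# Start every ID at zero so IDs that never fire still show up in the report.
$counts = @{}
foreach ($id in $ids) { $counts[$id] = 0 }

foreach ($log in $logs.Keys) {
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Id        = $logs[$log]
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as zero events.
        $events = @()
    }
    foreach ($e in $events) { $counts[$e.Id]++ }
}

# One row per event ID: how many were seen and whether it fired at all.
$counts.GetEnumerator() | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{ EventId = $_.Name; Count = $_.Value; Seen = ($_.Value -gt 0) }
} | Format-Table -AutoSize
```

A zero count for an ID does not necessarily mean the agent is at fault: many of these IDs only appear when the corresponding audit subcategory is enabled (for example 4732 requires "Security Group Management" auditing, and 4625 requires failure auditing on logon). `auditpol /get /category:*` shows the effective audit policy on the host, which is the first thing to check when an expected ID never shows up.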


Thank you very much!

Hi Everyone,

I had this same question, as I need to collect event ID 4732 from a server for when a user is added to a local group on the server and not on the DC. Is there a way to do so?