Insight Agent - data collected

Hello everyone, i’m looking at this page How the Insight Agent Works | Insight Agent Documentation but I want more details about event codes, process, etc that are collected from the agent installed on the machines. In the web page you could see the list at high level, I need more deeper details. Anyone could help me?

Hi @valentina_ceoletta

these are the event codes the agent pulls

https://docs.rapid7.com/insightidr/insight-agent/#monitored-event-codes

Notably on endpoints we pull 7045,1102, 4624, 4625, 4648, 4720

and on DCs we pull 1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728, 4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769

if the setting is enabled.

Also we pull the Windows Defender codes listed.

We collect all process starts on windows and MacOS and Linux.

1 Like

Optionally you can configure FIM and FAAM

https://docs.rapid7.com/insightidr/file-integrity-monitoring/

https://docs.rapid7.com/insightidr/file-access-activity-monitoring/

and lastly you can configure the logging.json on endpoints (not available on DCs) to pull all Windows System, Security and Application events

https://docs.rapid7.com/insightidr/configure-the-insight-agent-to-send-logs/

David

3 Likes

Thank you very much!