I would like to initiate a conversation surrounding the functionality of the Insight Agent in the context of XDR. As a user of InsightIDR, I have found its integration with InsightConnect to be relatively effective. Although the overall functionality of IDR is moderate, we have appreciated the SOAR capabilities. However, the purpose of the Insight Agent remains unclear to us.
In situations where an organization is not operating within the Microsoft domain or utilizing Microsoft products, the Insight Agent appears to offer limited functionality. For instance, when the agent is installed on Linux servers within the same network as the “network sensor” (a less effective version of Suricata), the platform struggles to resolve IP addresses to hostnames without a proper DHCP event source and local DNS configuration. It seems logical for the agent to provide the hostname and correlate this information with the InsightIDR platform, but this is not the case.
Furthermore, when attempting to query endpoint information from InsightIDR (such as network connections or installed services), the search is limited to Windows assets with the Insight Agent installed. The detection rules for Linux and MacOS are also limited, as they cannot detect even basic malicious activities. Approximately 90% of the rules are tailored to Windows, a significant drawback when relying solely on the Insight Agent.
The Insight Agent also lacks the ability to perform “manual” tasks on the endpoint, and its osquery functionality is limited to MDR only. Rapid7 has a tool called “Velociraptor,” which raises the question of why its functionality is not incorporated into the Insight Agent. Other vendors, such as LimaCharlie, have implemented similar features effectively.
Lastly, even when the Insight Agent does provide some functionality, it often fails to perform as expected. Thus, we would like to understand why the focus is primarily on Windows and whether there are plans to introduce a more robust EDR agent that can execute basic tasks.
I look forward to hearing your thoughts and experiences with the Insight Agent and hope to gain further understanding and insights on this topic.
From my point of view, the query endpoint information feature within IDR has definitely some room for improvement. After a long back and forth with the support, I figured out that it’s not even possible to collect files using this feature. For me, this is one of the most basic functions and prevents us from automating even more of our analysis tasks (ex: collect file via Query Endpoint → Submitting the file to a malware sandbox). As things stand, we have to collect the file manually or use another tool for that. Additionally, some artifacts which can be collected by Query Endpoint are missing some useful filter options. For example: “Current Services/Scheduled Tasks”: I don’t have the option to filter by date.
Another very useful feature would be starting a live response session on the target system in order to perform live triage analysis. Also the missing support for Linux assets when it comes to query endpoint information is not very ideal. I hope that the query endpoint feature will be completely replaced by new functions which utilize Velociraptor under the hood.
You’re absolutely right! When we analyze the gaps in Insight Agent’s capabilities using the RE&CT Enterprise Matrix (https://atc-project.github.io/react-navigator/), we can see that it falls short in areas like File, Process, and Configuration. To address these gaps, we would need to incorporate additional tools, making Insight Agent not as comprehensive as a fully functional EDR solution.
While it’s true that many leading EDR solutions can be quite expensive, there are alternatives like Elastic EDR that offer basic functionality for free. Unfortunately, Insight Agent lacks even these essential features. It would have been ideal to close these gaps using a single “umbrella solution,” but this seems unfeasible since Insight Agent primarily functions as a log agent.
@eavetisyan@312312 thanks to you both for the thoughtful and well-articulated feedback here. Some of this is quite timely as we are just beginning to rollout early access to Velociraptor (hosted on the Insight Platform) for IDR Ultimate customers. The agent-side will be delivered via a new Insight Agent version - aka an upgrade and not a re-deploy. This initial version will not be a fully integrated experience, but it will give you most of the functionality/power of the open source version of Velociraptor. I say “most” only because some of the OSS server-side functions had to be removed for security reasons since Rapid7 will now be hosting the server-side infrastructure. Longer-term we do not intend to restrict some of these more basic capabilities capabilities to IDR Ultimate customers (e.g. replacing/improving the existing “query endpoints” feature as suggested above), but we do not have timelines for those future items at this point unfortunately.
While providing access to Velociraptor functionality does not fully solve each item discussed above (and certainly not the integrated experience we will continue to strive for), the intention is to greatly improve capabilities for the endpoint interrogation / live querying / investigation use cases. It is also not restricted to Windows, so these use cases will be supported on Linux and Mac as well.
On the question of why a customer should deploy the Insight Agent today, it does provide significant visibility to our Detection Engine. It’s certainly true that the detection content is more robust for Windows, and sadly I think that’s true for most EDRs. Regardless, it’s an area all of us in this space recognize as lagging and an area for improvement. Outside of collected data to power detections, there are additional use cases that we detail out here. The value of each certainly varies customer to customer, and environment to environment.
I really do appreciate this discussion, and if either of you are interested I would love to continue the conversation here or in a scheduled meeting. If you would like to schedule a meeting, just let me know and I can start coordinating with your respective CSMs.
It’s encouraging to learn that Velociraptor will be integrated into Insight Agent, but our concerns regarding its overall detection capabilities and lack of correlation with SIEM are valid. For example, Rapid7 suggests deploying a dedicated honeypot to detect basic Nmap scans since the sensor is not capable of doing so, and the Agent does not offer HIDS functionality.
It is indeed a matter of curiosity why Rapid7 has not allocated more resources to developing the Agent, considering the numerous issues it faces, while smaller companies with fewer resources have managed to address similar challenges.
Second question. the acquisition of Minerva Labs is expected to enhance the Agent’s capabilities in ransomware protection. Could you provide more detailed information about the specific features or improvements that will be introduced to the Insight Agent following the integration of Minerva Labs’ technology? What can we expect in terms of ransomware protection capabilities?
I’d like to initiate a discussion here for everyone using the Insight Agent to share their experiences, feedback, and any challenges they’ve encountered. This way, we can collectively explore potential solutions and strategies to enhance functionality by possibly integrating the Insight Agent with other EDRs.
@eavetisyan I certainly didn’t mean to imply that your concerns were not valid, I was just trying to address as many points as I could from the initial posts here. Apologies if that that’s how it came across.
I can confirm that we’re actively working to integrate the Minerva technology into the Insight Agent (similar to the work with Velociraptor, it will not require customers to deploy anything additional). The initial customer base we are bringing this out to is our managed customers, but all customers will ultimately benefit from this integration. The exciting part about this integration is the increased visibility and capability it will provide for our customers.
Unfortunately at this time I cannot go into more detail about the specific Minerva features we’re including in the initial versions of this integration… but a lot of that detail will be published in the coming months.