Last updated at Tue, 22 Nov 2022 15:19:54 GMT
By Matt Heidet
Matt is a Senior Information Security Engineer at a Regional Financial Institution. He is a Customer and Guest Blogger for Rapid7
Have you ever groaned when divvying up incidents from a pen-test amongst an overworked team? Or maybe you’ve struggled to present how you adhere to multiple compliance frameworks to your board. As a Senior Information Security Engineer at a Regional Finance Institute, I’m all too familiar with the daily grind – too many threats, not nearly enough time. Fortunately, Rapid7’s InsightIDR has helped me and my team unify our data, verify the nature of threats, and uphold a security posture that we’re confident in.
InsightIDR has lots of features that have enabled my organization to identify and respond more easily to threats. In this blog post, I’m going to share some insight into my favorite – InsightIDR’s Log Search function.
Back to the Beginning: Why We Chose Rapid7
Choosing InsightIDR was a no-brainer for us. We tried two other products, but as soon as we finished the proof-of-concept with Rapid7, we went straight to purchase. There was no point in even testing the others, as InsightIDR provided us with the visibility and context necessary to keep our environment secure
If you already have InsightVM, Rapid7’s vulnerability management solution, it’s a pretty smooth transition to InsightIDR. As existing InsightVM users, we already had the Rapid7 Insight Agent deployed on our endpoints, which provided us with real-time endpoint monitoring for vulnerabilities. When we added InsightIDR to our environment, we were automatically covered on those same endpoints, without any need to set up anything additional.
We were able to get up and running and integrate with a number of Azure Event Hubs out of the gate (a centralized service from which to collect Azure data and logs). Only a few other tools would provide that same capability – but they wouldn’t fit into our existing environment the way that Rapid7 did.
Getting Started with Log Search
When we first started using InsightIDR, my team wanted to bring in as much data to InsightIDR as we could to get a clear picture of what was happening in our environment. We knew we needed holistic visibility, but weren’t 100% on what we should be alerting on or necessarily looking for. Luckily, InsightIDR’s Log Search intuitively organized all of our data and helped us get a view of everything in one place, narrowing our focus and enabling us to really focus on high priority data.
InsightIDR removed the complexity of traditional Log Search. If you’re not sure where to start, just start with a simple search – a host name, a kind of attack, or an event. Then, based on your results, you can create a more advanced search by filtering, iterating, or narrowing down your simple searches. From there, you can start creating reports. Your reports can tell you (and you can then customize) how you should be watching an endpoint, how you should be alerted, and more.
Let’s Talk Outcomes
Now it’s time to do something with all this data! We were able to compare data from those sources to the email alerts that we got from Microsoft on Azure and easily generate a report based on the email events we were seeing from Microsoft. From there, we were able to generate custom detections.
One reason this was all so straightforward is that Rapid7’s powerful search language, Log Entry Query Language (LEQL – which allows you to construct queries that can extract the hidden insights within your logs), is easy to pick up. Even if you’re not a programmer or engineer, the structure and syntax of the language are accessible.
Once you get the first couple workflows ironed out, it’s easy to extrapolate to other ones. Once my team focused on this task we were able to come up with 45 custom detections over just three days!
Where Do I Go From Here?
Detections are your bread and butter, of course. But once you’re oriented to the dashboard, the language, and the basics of a workflow, the sky’s the limit. You can then customize your reports to your heart’s desire. My team currently has about 22 reports coming in daily, summarizing almost 100 custom detections that all stem from log search.
Rapid7’s alerting and reporting is hands down the best I’ve ever worked with. But it’s not just about volume – it’s also about versatility. We’re able to monitor all of our Cloud services – including Amazon, Azure, and Google – with ease. In the past, when using managed security providers, this wasn’t nearly as straightforward. We’re looking at InsightIDR’s pre-built Attacker Behavior Analytics (ABA) and User Behavior Analytics (UBA) detections with regularity, using a mix of both custom and pre-built “cards” (a visually appealing representation of data) in our InsightIDR dashboard.
Furthermore, it’s not just that you have options. The pre-built detections that InsightIDR ships out of the box boasts plenty of efficacy, resulting in unprecedented efficiency. The ability to have all of the data you need in one place – the equivalent of a “single pane of glass” – just can’t be overstated.