Access Endpoint Detection & Response Capabilities
InsightIDR comes with endpoint detection and behavior analytics capabilities to find attacks that other tools miss. The Insight Agent and Endpoint Scan collect data streaming from your Windows, Linux, and Mac endpoints, allowing InsightIDR to map lateral movement and remote authentication to the assets and users behind them.
Once you've explored this page, drill further into the User Statistics that InsightIDR collects automatically.
Once InsightIDR begins to process the event logs from each endpoint, it determines if any accounts are shared by multiple users. If an account logged in on a source asset is used to impersonate another account (sometimes with an escalation of privilege) on the same asset or remotely, the two accounts will be identified as “linked accounts.”
This is very useful for confirming that the user account and the administrator account belonging to the same person are used appropriately.
If multiple source accounts are seen authenticating to the same destination account, InsightIDR determines that this destination account is shared by the users who own the source accounts. The list generated on this page is ordered by the total number of users seen authenticating with each “shared account.”
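The linked-account and shared-account logic described above can be sketched over authentication events as follows. This is an added example, not InsightIDR's implementation: the event fields (`asset`, `src`, `dst`, `dst_asset`), the sample events, and the one-owner-per-source-account simplification are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (hypothetical schema, not InsightIDR's): a source
# account logged in on `asset` authenticates as `dst` on `dst_asset`.
EVENTS = [
    {"asset": "ws-01", "src": "alice", "dst": "alice-adm", "dst_asset": "ws-01"},
    {"asset": "ws-01", "src": "alice", "dst": "svc-backup", "dst_asset": "srv-db"},
    {"asset": "ws-02", "src": "bob", "dst": "svc-backup", "dst_asset": "srv-db"},
    {"asset": "ws-03", "src": "carol", "dst": "svc-backup", "dst_asset": "srv-db"},
    {"asset": "ws-02", "src": "bob", "dst": "root", "dst_asset": "srv-web"},
    {"asset": "ws-03", "src": "carol", "dst": "root", "dst_asset": "srv-web"},
    {"asset": "ws-02", "src": "bob", "dst": "bob", "dst_asset": "srv-web"},
]


def linked_accounts(events):
    """Pairs (source, destination) where one account was used as another,
    on the same asset or remotely. Same-account logins are not links."""
    return {(e["src"], e["dst"]) for e in events if e["src"] != e["dst"]}


def shared_accounts(events):
    """Destination accounts reached from more than one source account,
    ordered by number of distinct source users (highest first)."""
    users = defaultdict(set)
    for src, dst in linked_accounts(events):
        users[dst].add(src)
    shared = [(dst, sorted(srcs)) for dst, srcs in users.items() if len(srcs) > 1]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))


def single_owner_links(events):
    """Destination accounts used by exactly one source account, e.g. a
    person's own administrator account: the pairs to review for appropriate use."""
    users = defaultdict(set)
    for src, dst in linked_accounts(events):
        users[dst].add(src)
    return {dst: next(iter(srcs)) for dst, srcs in users.items() if len(srcs) == 1}


if __name__ == "__main__":
    for dst, srcs in shared_accounts(EVENTS):
        print(f"{dst}: shared by {len(srcs)} users ({', '.join(srcs)})")
    print("single-owner links:", single_owner_links(EVENTS))
```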
Prioritize Running Processes Across All Endpoints
Through a combination of Insight Agent and Endpoint Scan, InsightIDR identifies all running processes across your endpoints. These process hashes are automatically checked against the wisdom of 50+ virus scanners. This serves as defense in depth, helping to detect known-bad processes your AV may miss.