InsightCloudSec by Rapid7 (formerly DivvyCloud) is a Cloud-Native Security Platform that provides real-time analysis and automated remediation for continuous security and compliance for your multi-cloud environment.


InsightIDR Integration

Instructions for Integration Between InsightIDR & InsightCloudSec

The integration with Rapid7's InsightIDR provides InsightCloudSec with the ability to export cloud event data to InsightIDR for historical logging, analysis, and further investigation. To learn more check out the InsightIDR documentation.

Configuration in InsightIDR

As part of the InsightCloudSec integration, there are a few configuration steps you must complete in InsightIDR before you can send data.

These steps assume you have already deployed and configured a Collector following the InsightIDR Collector setup instructions, and that you have registered the Collector with your InsightIDR instance.

(Image: InsightIDR Add Data Source)

1. Once you have your Collector in InsightIDR, you will need to create a new data source.

  • This data source should be of type “Custom Logs,” as seen below.
  • This allows the integration to send structured logs to IDR via the Collector.

Note: Configure the event source to listen on a network port, select UDP as the protocol (as shown below), and take note of the port you choose. You will need the port number when you configure the integration inside InsightCloudSec.

(Image: InsightIDR Add Event Source)

2. Click "Save" when you have completed the "Add Event Source" details.

Configuration in InsightCloudSec

Refer to the steps below to set up the integration within InsightCloudSec.

1. Navigate to "Administration --> Integrations" and locate the "InsightIDR" tile.

(Image: InsightIDR Integration - Landing Page)

2. Click on "Edit" on the "InsightIDR" tile.

3. Provide the Collector IP ("Collector IP") and the UDP port ("Port") the Collector is listening on.

  • Note: Make sure the firewall, security group, and similar rules in the cloud/network location where the Collector is hosted allow inbound UDP on that port from the InsightCloudSec instance. Plain UDP provides neither authentication nor delivery confirmation, so scope the rule to the InsightCloudSec instance's source address rather than opening the port broadly, and verify receipt in InsightIDR rather than assuming a sent event arrived.

4. Optionally, select the "Send Product API Activity" checkbox to enable InsightCloudSec to send API activity to your InsightIDR instance, e.g., Compliance Report generation, custom Insight creation, etc.

5. Click "Save" to submit and save the integration settings.
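Before saving the integration, it is worth confirming from the InsightCloudSec host that a UDP datagram actually reaches the Collector on the port you configured, since a blocked firewall or security group is indistinguishable from success on the sending side. The script below is an added example and is not InsightCloudSec or InsightIDR product code. It sends a small, clearly tagged test event to the Collector and also includes an offline loopback self-test. `COLLECTOR_HOST`, `COLLECTOR_PORT` and the JSON field names of the test event are assumptions for this check only; they are not the format of InsightCloudSec's own Bot output.

```python
"""
Pre-flight check for the InsightIDR Collector UDP path (added example, not
part of the InsightCloudSec or InsightIDR products).

Sends a tagged JSON test datagram to the host/port configured on the
Collector's "Custom Logs" event source. If firewall and security-group rules
are correct, the line appears under "View raw log data" for that Collector.
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Assumed placeholders: replace with your Collector IP and the UDP port you
# noted when creating the Custom Logs event source.
COLLECTOR_HOST = "10.0.0.10"
COLLECTOR_PORT = 10514


def build_test_event(tag: str = "ics-udp-preflight") -> bytes:
    """Build a one-line JSON test event. These field names are chosen for this
    check and are NOT InsightCloudSec's Bot output format; the tag exists so the
    datagram is easy to find in the Collector's raw log view."""
    event = {
        "tag": tag,
        "source": socket.gethostname(),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "message": "InsightCloudSec -> InsightIDR Collector UDP connectivity test",
    }
    # One event per datagram, newline-terminated so line-oriented parsers split cleanly.
    return (json.dumps(event, separators=(",", ":")) + "\n").encode("utf-8")


def send_udp(host: str, port: int, payload: bytes) -> int:
    """Send one datagram and return the byte count the OS accepted.
    UDP gives no acknowledgement: a blocked port looks identical to success
    from this side, so always confirm receipt in InsightIDR."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


def loopback_check(timeout: float = 2.0) -> bool:
    """Offline self-test: a throwaway UDP listener on 127.0.0.1 stands in for
    the Collector; we send a test event to it and confirm the same bytes
    arrive. This proves the sender logic, not your real network path."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.settimeout(timeout)
    _, port = listener.getsockname()
    received = []

    def recv():
        try:
            data, _addr = listener.recvfrom(65535)
            received.append(data)
        except socket.timeout:
            pass

    worker = threading.Thread(target=recv)
    worker.start()
    payload = build_test_event()
    send_udp("127.0.0.1", port, payload)
    worker.join()
    listener.close()
    return received == [payload]


if __name__ == "__main__":
    print("loopback self-test:", "ok" if loopback_check() else "FAILED")
    sent = send_udp(COLLECTOR_HOST, COLLECTOR_PORT, build_test_event())
    print(f"sent {sent} bytes to {COLLECTOR_HOST}:{COLLECTOR_PORT}; "
          "now check 'View raw log data' on that Collector in InsightIDR")
```

Run it from the InsightCloudSec host (the source address the Collector's firewall rule must allow), then look for the `ics-udp-preflight` tag in the Collector's raw log data. If the loopback self-test passes but nothing appears in InsightIDR, the problem is the network path or the event source configuration, not the integration settings.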

Creating a Bot Using Your InsightIDR Integration

InsightCloudSec includes a Bot action that exports a pre-formatted data block containing the Bot name, the filter information, and the matching resource information to InsightIDR.

In the Bots form, Step 4 is where you select "Actions". Search for "IDR" to locate the Bot action titled "InsightIDR Event." Using this Bot action lets the default InsightIDR parser handle the data from InsightCloudSec without any additional configuration in InsightIDR.

At the time of writing the Actions specific to InsightIDR include:

  • Insight IDR Custom Event: Log a custom event into an InsightIDR collector
  • Insight IDR Event: Log a pre-canned event into an InsightIDR Collector (mentioned above)
(Image: BotFactory Actions for InsightIDR)

Note: DivvyCloud vs. InsightCloudSec

Note that backend components may still include the former product name (DivvyCloud vs. InsightCloudSec) but capabilities are unchanged.

An example of the "Insight IDR Event" Bot action output is shown below.

(Image: Bot Action Sample Output)

Configuration of InsightCloudSec Data in InsightIDR

Once you have your Collector and event sources configured, you should be able to trigger the Bot(s) to see logs flowing into the Collector.

From your InsightIDR installation, click into the Collectors and then choose “View raw log data,” as shown below.

(Image: InsightIDR View Raw Logs)

For more information on configuration in InsightIDR, refer to the documentation found here.

Log Analysis

After verifying the logs are flowing into InsightIDR, you can start to build out the dashboard using elements of the log files as search parameters.

  • The image below provides some simple examples.
  • You can also expand and drill into the logs for additional analysis.
(Image: InsightIDR Dashboard Example)
