Using Fortanix Data Security Manager with Rapid7 InsightIDR

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Rapid7 InsightIDR so that DSM audit logs are forwarded over Syslog to an InsightIDR collector.

2.0 Rapid7 InsightIDR Collector Installation and Deployment

NOTE

Customers who have deployed Rapid7 InsightIDR likely already have a Syslog Collector configured. In that case, you can skip to Step 2 of Section 2.4: Configure Event Source.

2.1 Download Collector

Perform the following steps to download the collector agent:

  1. Click the DATA COLLECTION tab in the left panel of the Rapid7 InsightIDR user interface (UI).

    Figure 1: Data collection

  2. On the Data Collection Management UI, click Setup Collector on the top-right menu and select Download Collector. 

    Figure 2: Download collector

  3. Download the Windows or Linux version, whichever is appropriate for your environment.

    Figure 3: Download Windows or Linux version

  4. The collector must be installed on a host that has internet access and that Fortanix DSM can reach over the network. When the installation is complete, copy the Activation Key (Windows) or Agent Key (Linux); you will need it in the next section.

    Figure 4: Copy collector agent key

2.2 Install the Collector

Perform the following steps to install and activate the collector:

  1. On the Data Collection Management UI, click Setup Collector on the top-right menu.

  2. Select Activate Collector and paste in the key obtained from Step 4 of Section 2.1: Download Collector.

    Figure 5: Activate collector

    Figure 6: Activation key

2.3 Add an Event Source

Perform the following steps to add an event source to the collector:

  1. On the Data Collection Management UI, click Setup Event Source and select Add Event Source from the drop-down menu.

    Figure 7: Add event source

  2. At the bottom of the Add Event Source page, under Raw Data, select Custom Logs.

    Figure 8: Custom logs

2.4 Configure Event Source

Perform the following steps to configure the event source for log collection:

  1. To configure the event source:

    1. Enter the Collector, Event Source Type, Event Source Name, and Timezone.

    2. Select Listen on Network Port.

      Figure 9: Listen on network port

  2. Enter the following:

    • Port Number

    • Protocol

    NOTE

    A single collector can serve multiple event sources, so use a unique port number for each source.

    Figure 10: Entering port number and protocol

  3. If TCP is the selected protocol, you can encrypt the connection using TLS by selecting the Encrypted check box.

  4. Select Download Certificate and then click Save.

    Figure 11: Download certificate

3.0 Sending Audit Logs to Syslog

Perform the following steps to configure Fortanix DSM to send its audit log events to the Syslog listener on the Rapid7 collector:

  1. In the Custom Log Management Integrations section, click ADD INTEGRATION for Syslog.

  2. On the Syslog Log Management Integration form, do the following:

    • Host: Enter the hostname or IP address of your Syslog server, that is, the host on which the Rapid7 Collector was installed in Step 4 of Section 2.1: Download Collector.

      • Enable TLS: Select this check box to communicate with the Syslog server over a secure connection using TLS.

      • Host validation: Select the Validate host check box to ensure that the Syslog server hostname mentioned above matches the hostname specified in the server certificate. To skip hostname verification, clear the Validate host check box.

      • Validate certificate: You can connect to the Syslog server over a non-secure connection or a secure TLS connection. Depending on the type of TLS certificate that the Syslog server is using:

        • If you are using a certificate signed by a well-known public CA, select Global Root CAs.

        • If your organization uses a certificate issued by an internal (private) Certificate Authority (CA), select Custom CA Certificate. Click UPLOAD A FILE to upload the CA certificate downloaded in Step 4 of Section 2.4: Configure Event Source. When Fortanix DSM, acting as a TLS client, connects to the Syslog server and receives the server's certificate, it validates that certificate against the uploaded custom CA certificate.

    • Port (TCP): The default Syslog port is 514; enter the port number you chose in Step 2 of Section 2.4: Configure Event Source. If you are using a different port, update the port number accordingly.

    • Facility: When you log an event in Syslog, you can choose to log it in different facilities. Use this setting to filter logs by a specific facility, such as User, Local0, Local1, and others that are well-defined in the Syslog protocol. For example, configure Fortanix DSM to use the Local0 facility to easily filter logs from a specific appliance.

  3. Click SAVE to update the Syslog integration.

    Figure 12: Configure syslog server

  4. Return to the Rapid7 InsightIDR UI.

  5. On the top-left menu, click EVENT SOURCES to confirm that the collector is receiving events.

    Figure 13: Event sources
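To check the collector listener from the DSM side before saving the integration, the following added Python script (not part of this article, nor Fortanix or Rapid7 code) reproduces the same settings: TLS with chain verification, the Validate host choice, Custom CA Certificate versus Global Root CAs, and the Syslog facility encoded into the PRI field. The collector hostname, port and CA file name in the lead-in are placeholders you replace with the values from Section 2.4.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Syslog facility codes (RFC 5424, section 6.2.1); the DSM form lists them by name.
FACILITIES = {"user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16,
              "local1": 17, "local2": 18, "local3": 19, "local4": 20,
              "local5": 21, "local6": 22, "local7": 23}
SEVERITY_INFO = 6


def syslog_pri(facility: str, severity: int = SEVERITY_INFO) -> int:
    """PRI field = facility * 8 + severity, e.g. local0/info -> 134."""
    return FACILITIES[facility.lower()] * 8 + severity


def format_event(facility: str, hostname: str, app: str, msg: str,
                 timestamp: Optional[str] = None) -> bytes:
    """One RFC 5424 line, newline-terminated as TCP listeners expect."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"<{syslog_pri(facility)}>1 {ts} {hostname} {app} - - - {msg}\n".encode()


def build_tls_context(custom_ca_pem: Optional[str] = None,
                      validate_host: bool = True) -> ssl.SSLContext:
    """Custom CA Certificate -> trust only that PEM; None -> Global Root CAs."""
    ctx = ssl.create_default_context(cafile=custom_ca_pem)
    ctx.check_hostname = validate_host   # the "Validate host" check box
    ctx.verify_mode = ssl.CERT_REQUIRED  # the server chain is always verified
    return ctx


def tls_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the effective verification policy of a context."""
    return {"validate_host": ctx.check_hostname,
            "verify_chain": ctx.verify_mode == ssl.CERT_REQUIRED}


def send_test_event(host: str, port: int, facility: str = "local0",
                    custom_ca_pem: Optional[str] = None,
                    validate_host: bool = True) -> dict:
    """Connect as DSM would and return the collector's certificate details."""
    ctx = build_tls_context(custom_ca_pem, validate_host)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(format_event(facility, "dsm-test-host", "fortanix-dsm",
                                     "connectivity test for Syslog integration"))
            return tls.getpeercert()
```

A call such as `send_test_event("collector.example.internal", 10514, custom_ca_pem="rapid7-collector-ca.pem")` (placeholder values) raises `ssl.SSLCertVerificationError` if the listener's certificate does not chain to the downloaded CA or, with host validation on, does not match the hostname; the test event then appears under EVENT SOURCES with the chosen facility.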