Rapid7 InsightIDR Reviews

Centralized SIEM / Intrusion Detection System.

The focus on users/endpoints gives us so much more understanding of the events going on across the network, allowing us to step back from looking at logs only to see the actual behavior patterns instead.

The incident case management is the most valuable feature. Even though there's always something I find I would like to add to that feature, the ability to quickly sort through all the logs, network and endpoint data, etc., and add it to an incident case as part of the investigation, is nice. Having it automatically timeline that additional data into the original incident timeline, and correlate it to other notable events and activities on the network, results in a huge improvement in our overall confidence that we've quickly traced down the right source of an issue.

The reporting is the weakest aspect. There needs to be multi-level grouping for events (for example, group by user and destination). Right now, we can do a group by user and a separate table or group by destination. But I'd be more interested in where a person was logging into instead of who was logging in or where he was logging in.

We have rarely encountered any issues with stability. The primary source of stability issues has been the couple times where there have been lost log messages online. While that's unavoidable, it's definitely not desirable if I happen to have an incident at that time.

We haven't had any issues with scalability yet. (We'll keep trying).

Technical support for InsightIDR has been fantastic. We've used Rapid7 for over a year now, and, while support calls happen, it's rarely over something simple that's just not working. Normally we call because of something heavily situational, and the techs have always figured it out.

A private ELK stack was used originally. We moved off of it as we wanted to ensure that we were focusing on the security of the company, and not writing log parsing rules all day.

The initial setup was pretty straightforward, but it takes a little bit of a mental leap to understand how it all works together. What's key to remember is that it is user and endpoint centric, and not account centric. That means that, over time, it will start associating user.a on host1 to user.a on host2 and treating them as the same. It could be a little confusing for some companies if they don't use standardized permissions or don't use administrative-only accounts, but for most current user-access mechanisms, it shouldn't lead to any abnormal results.

Licensing is by endpoint and amount of retention time (at least ours is). Default retention was one year, but we are able to push the retention further if needed. There's also a provide-your-own-S3 option for longer retention if you don't want to pay for the additional retention years in your Rapid7 agreement.

AlienVault, LogRhythm, Qualys.

Have a plan going forward (Syslog exports, agent-based collection, etc.) and ensure WMI is available if using Windows Servers. It was very easy to set up, but troubleshooting can be "fun" if an endpoint doesn't connect correctly. Don't be shy of support requests. They'd rather you be "that person" that keeps getting support, rather than being the one that ran into an issue and stopped using the product.

Rapid7's reporting is more robust than Tenable's. 

Tenable Nessus is easier to deal with. It's more efficient and accurate. InsightIDR is heavier than Tenable in terms of performance and scanning. Rapid7 would be much easier to use if it had a network connector like Tenable. Tenable's connector allows continuous monitoring over the B caps.

I worked with InsightIDR for about two years, but I switched to Tenable Nessus around two months ago.

Rapid7's customer support is awful. They didn't respond at all. Tenable's support is always available. I didn't have to visit the customer every time they wanted to perform a scan.

InsightIDR is easy to install, but the components inside are a bit complicated. Tenable was much easier.

I rate Rapid7 InsightIDR seven out of 10. 

We're using Rapid7 as our SIEM. I'm the head of infrastructure and we are customers of Rapid7.

There are numerous valuable features in this solution. Since it's cloud-based, the configuration is very simple, the collector will automatically sync to the cloud platform. The UEB, the User, Entity, and Behavioral Analytics, has helped us a lot. If there's a slight change in user behavior such as login patterns, my SOX is now able to detect it immediately.

I'd like to be able to get the compliance report within the solution which is currently not possible. For example, the P-Series was around 77001 compliance report of your SIEM solution. That option is unfortunately not available. 

I've been using this solution for about 10 months. 

The solution is stable. 

Given that this is a cloud solution there are no limits to scalability. The company is constantly evaluating and evolving and that's reflected in the product.

We have two levels of support. They have a local presence and help us a lot although response times could be improved. The community is also very powerful, and the documentation is commendable.

The initial setup was very easy, it took us only 24 hours to set up around 1000 assets. Implementation was carried out in-house.

Licensing costs are based on a subscription model. The solution is very cost-effective because they are not charging based on the EPS but on the number of assets.

The solution suits any size company, whether small, medium, or enterprise, it's a very good fit for all devices. The only drawback, for now, is the intel feeds which don't support any TAXII or STIX feeds so they need to be done manually. 

I rate the solution eight out of 10. 

• Security incident
• Event management

InsightIDR has allowed us to find potential security issues that we did not know existed, and get remediation quickly.

• User behavioral analytics allows us to pinpoint abnormal or suspicious behavior among millions of events every day. 
• Log search allows us to dive deep into aggregated logs and query all event types at once.

Threat Intelligence: It would be useful to import threat intelligence in YARA format along with known incorrect email addresses.

During the entire duration of use, there have been no issues noted with stability.

The log aggregation and storage provided by InsightIDR has shown no issues with scalability; aggregating over one hundred millions events daily. The only constriction point in deployment is the collectors as they are required for agentless logging. However, keeping with the documentation provided for deployment, it handles the load appropriately if the documentation is adhered to.

Among the best! Their support responds promptly. They fully resolve issues before closing tickets.

We did not use a previous solution.

The initial setup is quite straightforward and can be accomplished from their Quick Start Guide. As the platform is quite adaptable, it can continue to be expanded to add many different log types, which you may find to be a continuous process.

Accurately predict your licensing counts as this is a subscription based product.

We evaluated FireEye Helix, LogRhythm, Splunk, and IBM QRadar.

The product is a shift in paradigm being cloud-based with cloud storage. Be prepared to set up several virtual collector servers within your network, if you have a large network.

We are distributors and sell this product to our customers. I'm a security consultant. 

The features for user behavior analytics and the rules for attack review are valuable. I also like the honeypot feature. It's easy to integrate and collect data from other solutions. 

I'd like to see a better ability to customize the check within the console. Rules can be customized better if the integration is improved. They now have integration with CrowdStrike so maybe they could have some kind of integration with Microsoft.

I've been using this solution for a year. 

The solution is stable.

This is a cloud-based product so it's scalable.

The technical support could be improved. We've had times when our requests get stuck with the engineering team and we sometimes don't get a response. That's a problem for us. 

Neutral

All Rapid7 solutions are easy to deploy because if you have any one of the products, the integrations between these products become easier because they have a lot of the important things within a single port. You get a single platform to visualize a lot of different kinds of data.

The pricing is very competitive because the licensing model that we use is based on endpoints which is different from most other solutions.

This solution is suited to all sizes of organizations. We generally deal with small and medium-sized companies.  

I rate this solution eight out of 10. 

The following are our main use cases for InsightIDR:

• Log correlation and searching, as well as alerting;
• IDR Vulnerability management;
• IVM;
• Incident response;
• Breach detection.

The tool has improved my organization by:

• Building a security alerting program;
• IDR-driven improved patching;
• Implementing IVM.

The alerting to drive investigations and remediation has been its most valuable feature. Plus the ability to quickly search multiple logs makes investigations easier. Log correlation and alerting are also helpful.

It gives us one place to have everything easily accessible and the ability to alert (including customisation of alerts).

Customised alert recipients need to be added to allow better first-line action and quicker response. Configurable honeypots would be a welcome addition.

While we have encountered stability issues, these are resource intensive systems so additional hardware solved this problem.

There have been no scalability issues. It's easy to add servers.

The technical support can be considered competent. However, they can be slow to discover solutions to tricky problems.

We did not previously use a different solution.

Very simple. Spin up a couple of servers, create all the log connectors and you are up and running. The setup was complete within days and we had alerts being generated straight away.

We did the installation without any technical help. The configuration was performed by non-technical staff.

The pricing and licensing are competitive. Licensing is simple and straightforward.

We did not evaluate any other solution in the market.

You should use it to drive change within your IT from a security point of view. Run a PoC and see exactly what it can do for you. The simple setup means it will be running in no time and you will get meaningful alerts straight away.

It is used to maintain our security posture by monitoring inside our network for behavior likely to be conducive with elements of the kill chain.

I was an early adopter of the product. I have seen it get better over time, making use of the data and methodologies used by the industry standard and Rapid7 Metasploit community.

We were able to identify criminals attempting to login from China and put a stop on their IP locations.

• Intelligent alerting to avoid the common problem of alert fatigue associated with traditional SIEMs.
• Great coverage of all systems within our network from endpoint to firewall.
• Integration with threat modeling from the Metasploit and InsightIDR repositories.
• Enables the use of honey pots, honey users, and honey files to monitor for suspicious patterns.

It gives all the advantages of a SIEM. However, using clever AI, it looks for patterns of behavior rather than just flooding me with all the alerts.

Although the solution has been improving continually in the time I have been using it, there could be areas of improvement. 

The one thing that springs to mind is easier API integration with ITSMs. We are evaluating a new ITSM and I would like to have InsightIDR create a ticket when an attack is identified, and the ticket would be closed in InsightIDR when the ITSM resolution is completed. This would take out the "single point of failure" we currently have, if the email recipient is somehow absent, in recording the risk appetite for the incident and the actions taken to mitigate or not.

None at all. Even as an early adopter, there were no significant issues with stability. Due to the continual improvement, I do not recall the last issue that I had with the system.

We are only a small PLC with 300 staff over six sites and two continents, so scalability has never been a major concern. However, the InsightIDR system looks to be scalable, if required.

Technical support is excellent both technically, timely, and professional throughout any incident or enhancement request.

This was our first look at a security as a single entity. After creating a threat register, we were able to mitigate over two-thirds of the threats with this one product.

It is very simple. It is a case of requesting a trial from Rapid7, then connecting the relevant logging devices, such as our AD servers or DNS servers to it and sitting back. 

Obviously, there is more to it than that, but that is the principle.

I am sure that there are cheaper products out there, but none that meet so many of our needs whilst maintaining stability and usability.

At the time, there was no other product that came close to InsightIDR feature set coupled with Rapid7's world leading security position producing other products, such as Metasploit and Nexpose (InsiteVR), which we also use.

Use it. The setup is minimal, but the payback is phenomenal.

Rapid7 InsightIDR is a cloud-based solution. Customers don't have to provision storage either internally or externally, and everything is already factored into the cost of the solution. So that takes out the headache.

The solution is very scalable in terms of the licensing model. It's not licensed based on the number of EPS as in a traditional SIEM solution. It's licensed based on the number of assets, and I believe the customers have more control over their assets than their EPS.

The solution's XDR agents cannot compete with the XDR solutions out there yet. It has to be a stand-alone XDR solution, and I know they are working on that. They have to ensure that it has the full capabilities of an XDR solution.

I have been working with Rapid7 InsightIDR for about two years.

Rapid7 InsightIDR is a stable solution.

Rapid7 InsightIDR's technical support is great and very responsive. Of course, their support depends on the SLAs.

Positive

Rapid7 InsightIDR can be up or running in a matter of hours or minutes. It takes about a week or two to deploy the solution for an enterprise account with full integration of an IT use case.

Rapid7 InsightIDR's pricing is reasonable.

Overall, I rate Rapid7 InsightIDR a nine out of ten.