Head of Infrastructure at Pearl Data Direct
Real User
Top 5
Great UEBA feature, simple configuration that automatically syncs to the cloud platform
Pros and Cons
  • "Simple configuration and automatically syncs to the cloud platform."
  • "Inability to get access to compliance reports within the solution."

What is our primary use case?

We're using Rapid7 as our SIEM. I'm the head of infrastructure and we are customers of Rapid7.

What is most valuable?

There are numerous valuable features in this solution. Since it's cloud-based, the configuration is very simple; the collector will automatically sync to the cloud platform. The UEBA (User and Entity Behavior Analytics) has helped us a lot. If there's a slight change in user behavior, such as login patterns, my SOC is now able to detect it immediately.

What needs improvement?

I'd like to be able to get the compliance report within the solution which is currently not possible. For example, the P-Series was around 77001 compliance report of your SIEM solution. That option is unfortunately not available. 

For how long have I used the solution?

I've been using this solution for about 10 months. 

Buyer's Guide
Rapid7 InsightIDR
May 2025
Learn what your peers think about Rapid7 InsightIDR. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,873 professionals have used our research since 2012.

What do I think about the stability of the solution?

The solution is stable. 

What do I think about the scalability of the solution?

Given that this is a cloud solution there are no limits to scalability. The company is constantly evaluating and evolving and that's reflected in the product.

How are customer service and support?

We have two levels of support. They have a local presence and help us a lot although response times could be improved. The community is also very powerful, and the documentation is commendable.

How was the initial setup?

The initial setup was very easy, it took us only 24 hours to set up around 1000 assets. Implementation was carried out in-house.

What's my experience with pricing, setup cost, and licensing?

Licensing costs are based on a subscription model. The solution is very cost-effective because they are not charging based on the EPS but on the number of assets.

What other advice do I have?

The solution suits any size company, whether small, medium, or enterprise, it's a very good fit for all devices. The only drawback, for now, is the intel feeds which don't support any TAXII or STIX feeds so they need to be done manually. 

I rate the solution eight out of 10. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
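The review above notes that the intel feeds did not accept TAXII or STIX, so indicators had to be loaded by hand. What follows is an added example, not Rapid7 code and not from the reviewer, of one way to turn a STIX 2.1 bundle into a flat indicator table for that manual step. The bundle, its IDs and every value in it are constructed, and the CSV layout is an assumption for illustration, not InsightIDR's documented import format.

```python
"""Flatten STIX 2.1 indicator patterns into a plain IOC list for manual import.

Added example for this page (not Rapid7 or PeerSpot code). Assumes a SIEM with
no TAXII/STIX client, so the operator needs indicator values in a simple table.
Only equality comparisons inside 'stix' patterns are extracted; '!=', MATCHES,
IN and negated branches are skipped on purpose, and boolean structure (AND/OR)
is flattened, so review the output before loading it.
"""
import csv
import io
import json
import re
from typing import Dict, List

# One STIX comparison of the form  <object-type>:<property> = '<value>'.
# The property may contain dots and quoted keys, e.g. hashes.'SHA-256'.
_EQUALITY = re.compile(r"([\w-]+):([\w.'-]+?)\s*=\s*'((?:[^'\\]|\\.)*)'")

# Constructed sample bundle; the IDs and values are made up for this example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0e2f4c6a-1b3d-4e5f-8a9b-0c1d2e3f4a5b",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--11111111-2222-4333-8444-555555555555",
            "name": "Sample C2 address",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "valid_from": "2025-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--66666666-7777-4888-8999-aaaaaaaaaaaa",
            "name": "Sample dropper hash or staging domain",
            "pattern_type": "stix",
            "pattern": ("[file:hashes.'SHA-256' = "
                        "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'] "
                        "OR [domain-name:value = 'staging.example']"),
            "valid_from": "2025-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--bbbbbbbb-cccc-4ddd-8eee-ffffffffffff",
            "name": "Negation is skipped",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value != '10.0.0.1']",
            "valid_from": "2025-01-01T00:00:00Z",
        },
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--12345678-1234-4123-8123-123456789012",
         "name": "sample family", "is_family": True},
    ],
})


def extract_indicators(bundle_json: str) -> List[Dict[str, str]]:
    """Return one row per equality comparison found in indicator patterns."""
    bundle = json.loads(bundle_json)
    rows: List[Dict[str, str]] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # sigma/snort/yara patterns need their own handling
        for obj_type, prop, value in _EQUALITY.findall(obj.get("pattern", "")):
            rows.append({
                "observable": f"{obj_type}:{prop}",
                "value": value.replace("\\'", "'"),
                "valid_from": obj.get("valid_from", ""),
                "indicator_id": obj["id"],
            })
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise rows as CSV with a header row, ready for a manual upload."""
    out = io.StringIO()
    writer = csv.DictWriter(
        out, fieldnames=["observable", "value", "valid_from", "indicator_id"],
        lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(extract_indicators(SAMPLE_BUNDLE)))
```

The regex deliberately only understands `=` comparisons, so the third indicator (a `!=` exclusion) produces no row rather than a wrong one; anything more complex than simple OR-ed equalities should be handled by a real STIX pattern parser before it reaches a blocklist.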
reviewer1388853 - PeerSpot reviewer
Marketing Expert at a comms service provider with 51-200 employees
Reseller
Top 5 Leaderboard
A cost-effective and stable solution but lacks an AI-driven capability
Pros and Cons
  • "It improves because several sensors are deployed within the on-premise environment. It can be very efficient if the customer implements and operates it effectively."

    What needs improvement?

    The solution lacks an AI-driven capability, while other competitors emphasize AI as the most important feature.

    For how long have I used the solution?

    I have been using Rapid7 InsightIDR as a distributor for seven years.

    What do I think about the stability of the solution?

    The product's stability is high. I rate the solution’s stability an eight out of ten.

    What do I think about the scalability of the solution?

    Due to its cloud-based nature and numerous agents, its scalability is high. This, combined with its on-premise environment, ensures rapid performance. It can handle several thousand. It is best suited for large-scale businesses.

    How are customer service and support?

    Support is slow. I'm not satisfied with the support so far.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    Due to the product's complexity, the initial setup can be challenging. Additionally, setting up the product and training the customer can be quite demanding. Deploying the appliance or sensor on-premises can take up to twelve months.

    What's my experience with pricing, setup cost, and licensing?

    The product pricing is very cheap.

    What other advice do I have?

    InsightIDR automates everything through InsightConnect in a seven-day cycle.

    The product has improved significantly since its inception. However, based on feedback I've received from other products in the market, aside from InsightIDR.

    It improved because several sensors are deployed within the on-premise environment. It can be very efficient if the customer implements and operates it effectively. 

    If you combine it with InsightIDR, then it may become more compact. Maybe IBM was a bit larger. So, having MDR is the main key point for this product.

    Overall, I rate the solution a four out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
    PeerSpot user
    CoFounder & Head of Technology at intuity
    Real User
    Very intuitive, stable and integrates easily with other security products
    Pros and Cons
    • "Very intuitive and easy to set up."
    • "Lacks a mobile application."

    What is our primary use case?

    We use this solution to develop our business and we also provide it to some of our customers. The primary use case is for security information and event management, monitoring and acting on any event. 

    What is most valuable?

    The solution is very intuitive, it's easy to set up, is absolutely stable, and has a lot of integration with other security products.

    What needs improvement?

    I'd like to see a mobile application included and some feature related to the generality of segregation for internal users that access the application.

    What do I think about the stability of the solution?

    This solution is absolutely stable. 

    What do I think about the scalability of the solution?

    This solution is scalable. 

    How are customer service and technical support?

    The technical support is very good and responds quickly when there is a problem.

    How was the initial setup?

    The initial setup is reasonably straightforward, it takes a few hours. We've deployed it for 10 different clients and we have several engineers and eight certified technical staff that carry out implementation. 

    What's my experience with pricing, setup cost, and licensing?

    You can scale the license as needed. It's really easy to update and upgrade.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    reviewer1526580 - PeerSpot reviewer
    Linux admin at a wholesaler/distributor with 51-200 employees
    Real User
    Suitably priced, stable, and easy to set up, but the dashboard needs improvement
    Pros and Cons
    • "It is a very stable solution."
    • "The dashboard is an area that could be simplified."

    What is our primary use case?

    We use this solution for monitoring intrusion detection and prevention.

    What is most valuable?

    The most valuable feature is monitoring.

    What needs improvement?

    The dashboard is an area that could be simplified. For management, it should be clear and the files should be there.

    For how long have I used the solution?

    I have only recently started using this solution. It's been a couple of months.

    I believe that we are using the latest version.

    What do I think about the stability of the solution?

    It is very stable.

    What do I think about the scalability of the solution?

    It's a scalable solution. We have more than 1,000 users and we plan to continue using it.

    How are customer service and technical support?

    We have not had the need to contact technical support.

    Which solution did I use previously and why did I switch?

    Previously, we were using another solution. We changed because the price was completely suitable.

    How was the initial setup?

    The initial setup was straightforward. It was simple.

    We have a team of four to deploy and maintain this solution.

    What's my experience with pricing, setup cost, and licensing?

    It is a reasonably priced solution.

    What other advice do I have?

    I am not able to recommend this solution at this time. I don't know it well enough yet. Similarly, it is difficult to say at this time what needs to be improved. We need more time to explore.

    I would rate this solution a seven out of ten, only because I have recently started using it.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    reviewer1339392 - PeerSpot reviewer
    Enterprise Sales at a tech vendor with 11-50 employees
    Real User
    Easy to use with a simple setup and good scalability
    Pros and Cons
    • "If you were on other solutions, you would notice that they use agents from third-party, from open-source, from a native OS, or from other tools. Here, however, it is an agent from Rapid7 itself. This adds to the solution's overall capabilities."
    • "Cloud risk assessment is one area where I think they need a lot of improvement."

    What is our primary use case?

    We primarily use the solution for a combination of log management as well as threat detection.

    What is most valuable?

    The ease of use of the solution is excellent.

    The individual setup is great. You can set it up and get it going in a short amount of time.

    They have one agent for Insight where, basically, we can also install agents on Linux and Windows Servers as well as the endpoints. This agent provides for more capabilities in terms of threat detection. Normally, SIEM is more centered around log management and data mining. It's nice to have this extra layer. 

    If you look at the agent part, the Insight agent, which is an optional component of InsightIDR, that agent also helps us to detect more threats, due to the fact that the endpoints are also vulnerable to a lot of security breaches. 

    If you were on other solutions, you would notice that they use agents from third-party, from open-source, from a native OS, or from other tools. Here, however, it is an agent from Rapid7 itself. This adds to the solution's overall capabilities.

    What needs improvement?

    Earlier they didn't have a network flow capture product, so they were not able to capture the network flows. We were able to capture the logs but not the network flows. Now, they have acquired a company called NetFort, and they also capture network flows. This was one of the shortcomings of the product which they have now rectified after the acquisition of the company.

    Cloud risk assessment is one area where I think they need a lot of improvement.

    The solution should have a CIS Benchmark in terms of, I would say, config change detection.

    For how long have I used the solution?

    I've been using the solution for about one year.

    What do I think about the scalability of the solution?

    Since it is on the cloud, we just need to provision the collectors, which are like sensors that capture logs on-premise and send the metadata to their cloud. We are able to scale more. The scalability is high. There is no issue related to redundancy or high availability. Since it is on the cloud, it is taken care of from their data center.

    The solution is more suited towards larger enterprises, and not really ideal for smaller companies.

    How are customer service and technical support?

    The technical support is good. They follow and adhere to their SLA terms. Based on the customer's needs, they can go with a higher level of support. With their standard support, they adhere to whatever their SLA terms are, and they are typically good enough. There are no complaints of any lag in service. They do a good job.

    Which solution did I use previously and why did I switch?

    I've used other products such as QRadar and other SIEM solutions and I find this solution is much more simplified and user-friendly. Their DNA is also really in security, which they can feed quite effectively into their SIEM. They understand security far better than other OEMs.

    How was the initial setup?

    The initial setup is not complex. It's straightforward. Deployment takes less than two weeks. It is based on the customer's environment, however, on average, you can assume it will take one to two weeks. You only need about two to three people to handle the deployment.

    What about the implementation team?

    We're an integrator for Rapid7. We handle deployments for our customers.

    What's my experience with pricing, setup cost, and licensing?

    If you look at any other SIEM solution, the license is based on events per second or EPS based licensing. Here, the licensing is the number of assets, and the number of days the log would be retained on their cloud. That is one of the huge differences between this solution and the competition.

    What other advice do I have?

    We are solution partners.

    The solution has a console with everything on the cloud, however, only the centers, the log collectors, are on-premise. This solution is actually cloud-based.

    People who want a very simplified solution that is easy to start, and who want to start immediately with fewer complications, would be the right customers. You could say SME, mid-size and large, but I think mid-size and large enterprises would be the right fit.

    I would recommend the solution. Rapid7's professional services, including their planning, architecture, deployment, et cetera is up to the mark. I would recommend having a few workdays, in the initial planning stage, maybe for assessment of the solution and to take some time to understand everything before beginning. New users should reach out to their Rapid7 professional services for the planning portion of the implementation process.

    I would rate the solution eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    reviewer1256475 - PeerSpot reviewer
    IT Engineer Security Operation Team at a tech services company with 201-500 employees
    Real User
    An effective tool for identifying threats to a network infrastructure
    Pros and Cons
    • "The web interface is great — very useful and user-friendly."
    • "The interface for doing investigation needs to be enhanced with minor improvements that would make it more useful."

    What is our primary use case?

    I use it to track events on our infrastructure to help with secure access and detection. We have many firewalls and antivirus, DHCP (Dynamic Host Configuration Protocol), DNS (Domain Name System), Office 365 logs, et cetera. We use this software to monitor and track our traffic and usage by creating logs.

    What is most valuable?

    The most valuable features have to do with ease-of-use. It is easy to check the events, investigate suspicious activities, and do forensic analysis. The web interface is great — very useful and user-friendly.  

    What needs improvement?

    The only thing I can think of to improve the product is that the interface for doing investigation needs to be enhanced. For example, we can add notes through the interface, but we can not attach files to the investigation. It would be a useful addition. It would give us more flexibility to resolve more complicated situations. 

    For how long have I used the solution?

    I have been using this solution for about six months.  

    What do I think about the stability of the solution?

    This solution is stable. Because it is a software as a service product, when any bugs appear, the manufacturer can correct the problems quickly and deploy the fixes immediately. This is better than on-premises solutions where we would need to install an upgrade to resolve any bugs or other issues.

    What do I think about the scalability of the solution?

    Because this is a software as a service solution, the provider manages the scalability. It has never been an issue from our end.  

    How was the initial setup?

    The setup for the product was straightforward.  

    What about the implementation team?

    We did the deployment ourselves, with some support from the provider, and it was easy to deploy.

    What other advice do I have?

    On a scale from one to ten where one is the worst and ten is the best, I would rate this product as a nine out of ten. It is very good but it could be better with a few details that would improve the utility of the investigations interface.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Informate3db - PeerSpot reviewer
    Information Security Manager at a tech vendor with 51-200 employees
    Real User
    Users/endpoints focus gives us more understanding of network events, allowing us to see behavior patterns
    Pros and Cons
    • "The incident case management is the most valuable feature. Even though there's always something I find I would like to add to that feature, the ability to quickly sort through all the logs, network and endpoint data, etc., and add it to an incident case as part of the investigation, is nice. Having it automatically timeline that additional data into the original incident timeline, and correlate it to other notable events and activities on the network, results in a huge improvement in our overall confidence that we've quickly traced down the right source of an issue."
    • "The reporting is the weakest aspect. There needs to be multi-level grouping for events (for example, group by user and destination). Right now, we can do a group by user and a separate table or group by destination. But I'd be more interested in where a person was logging into instead of who was logging in or where he was logging in."

    What is our primary use case?

    Centralized SIEM / Intrusion Detection System.

    How has it helped my organization?

    The focus on users/endpoints gives us so much more understanding of the events going on across the network, allowing us to step back from looking at logs only to see the actual behavior patterns instead.

    What is most valuable?

    The incident case management is the most valuable feature. Even though there's always something I find I would like to add to that feature, the ability to quickly sort through all the logs, network and endpoint data, etc., and add it to an incident case as part of the investigation, is nice. Having it automatically timeline that additional data into the original incident timeline, and correlate it to other notable events and activities on the network, results in a huge improvement in our overall confidence that we've quickly traced down the right source of an issue.

    What needs improvement?

    The reporting is the weakest aspect. There needs to be multi-level grouping for events (for example, group by user and destination). Right now, we can do a group by user and a separate table or group by destination. But I'd be more interested in where a person was logging into instead of who was logging in or where he was logging in.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    We have rarely encountered any issues with stability. The primary source of stability issues has been the couple times where there have been lost log messages online. While that's unavoidable, it's definitely not desirable if I happen to have an incident at that time.

    What do I think about the scalability of the solution?

    We haven't had any issues with scalability yet. (We'll keep trying).

    How are customer service and technical support?

    Technical support for InsightIDR has been fantastic. We've used Rapid7 for over a year now, and, while support calls happen, it's rarely over something simple that's just not working. Normally we call because of something heavily situational, and the techs have always figured it out.

    Which solution did I use previously and why did I switch?

    A private ELK stack was used originally. We moved off of it as we wanted to ensure that we were focusing on the security of the company, and not writing log parsing rules all day.

    How was the initial setup?

    The initial setup was pretty straightforward, but it takes a little bit of a mental leap to understand how it all works together. What's key to remember is that it is user and endpoint centric, and not account centric. That means that, over time, it will start associating user.a on host1 to user.a on host2 and treating them as the same. It could be a little confusing for some companies if they don't use standardized permissions or don't use administrative-only accounts, but for most current user-access mechanisms, it shouldn't lead to any abnormal results.

    What's my experience with pricing, setup cost, and licensing?

    Licensing is by endpoint and amount of retention time (at least ours is). Default retention was one year, but we are able to push the retention further if needed. There's also a provide-your-own-S3 option for longer retention if you don't want to pay for the additional retention years in your Rapid7 agreement.

    Which other solutions did I evaluate?

    AlienVault, LogRhythm, Qualys.

    What other advice do I have?

    Have a plan going forward (Syslog exports, agent-based collection, etc.) and ensure WMI is available if using Windows Servers. It was very easy to set up, but troubleshooting can be "fun" if an endpoint doesn't connect correctly. Don't be shy of support requests. They'd rather you be "that person" that keeps getting support, rather than being the one that ran into an issue and stopped using the product.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
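    The first review on this page says a slight change in a user's login pattern is detected by the UEBA feature, and the review above explains that the model is user and endpoint centric, so user.a on host1 and user.a on host2 are treated as one identity. The block below is an added illustration of that idea and is not InsightIDR's implementation: it normalises the account name across hosts, learns where, when and from which network each user normally logs on, and flags later logons that fall outside that baseline. The event lines, hostnames, addresses and the one-hour tolerance are all constructed assumptions for the example.

```python
"""User-centric logon baseline: one identity across hosts, alert on deviation.

Added illustration, not InsightIDR's implementation. Treat CORP\\alice and
alice on any host as one user, learn the hosts, hours and source networks
that user normally logs on from, then flag later logons that fall outside
the learned pattern. Event lines and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_network
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Logon:
    ts: datetime
    user: str      # normalised: domain/host prefix stripped, lower-cased
    host: str
    src_ip: str


def normalise_user(raw: str) -> str:
    """Map 'CORP\\alice', 'ws-01\\Alice' and 'alice' to the same key."""
    return raw.rsplit("\\", 1)[-1].lower()


def parse_logon(line: str) -> Logon:
    """Constructed line format: '<ISO timestamp> <user> <host> <src_ip>'."""
    ts, user, host, src = line.split()
    return Logon(datetime.fromisoformat(ts), normalise_user(user), host.lower(), src)


@dataclass
class Baseline:
    hosts: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    src_nets: Set[str] = field(default_factory=set)


def _src_net(ip: str) -> str:
    # Coarsen sources to a /24 so DHCP churn inside one subnet is not an alert.
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(events: Iterable[Logon]) -> Dict[str, Baseline]:
    """Accumulate per-user hosts, logon hours and source networks."""
    base: Dict[str, Baseline] = defaultdict(Baseline)
    for e in events:
        b = base[e.user]
        b.hosts.add(e.host)
        b.hours.add(e.ts.hour)
        b.src_nets.add(_src_net(e.src_ip))
    return dict(base)


def deviations(e: Logon, baseline: Dict[str, Baseline]) -> List[str]:
    """Return the ways this logon departs from the user's baseline (empty = normal)."""
    b = baseline.get(e.user)
    if b is None:
        return ["unknown-user"]
    reasons: List[str] = []
    if e.host not in b.hosts:
        reasons.append("new-host")
    if not any(abs(e.ts.hour - h) <= 1 for h in b.hours):  # one-hour tolerance (assumed)
        reasons.append("unusual-hour")
    if _src_net(e.src_ip) not in b.src_nets:
        reasons.append("new-source-network")
    return reasons


# Constructed training window: normal business-hours logons.
TRAINING = r"""
2025-03-03T08:12:00 CORP\alice ws-alice 10.0.1.15
2025-03-03T09:30:00 alice fs01 10.0.1.15
2025-03-03T16:45:00 CORP\Alice ws-alice 10.0.1.22
2025-03-04T08:05:00 alice fs01 10.0.1.15
2025-03-03T08:40:00 CORP\bob ws-bob 10.0.2.40
2025-03-04T13:10:00 bob ws-bob 10.0.2.40
""".strip().splitlines()

# Constructed later events to score against that baseline.
LATER = r"""
2025-03-05T03:02:00 CORP\alice fs01 10.0.1.15
2025-03-05T10:00:00 alice dc01 198.51.100.9
2025-03-05T12:30:00 bob ws-bob 10.0.2.41
2025-03-05T12:31:00 CORP\mallory ws-bob 10.0.2.41
""".strip().splitlines()


def flag_events(training: List[str], later: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Build the baseline from `training`, then score every line in `later`."""
    baseline = build_baseline(parse_logon(l) for l in training)
    return [(e.user, e.ts.isoformat(), deviations(e, baseline))
            for e in (parse_logon(l) for l in later)]


if __name__ == "__main__":
    for user, when, why in flag_events(TRAINING, LATER):
        print(f"{when} {user:8s} {'OK' if not why else ', '.join(why)}")
```

    The point of keying on the normalised user rather than on the account string is exactly the behaviour the reviewer describes: the three spellings of alice in the training data build a single baseline, so the 03:02 logon is judged against all of her normal hours, and the logon to dc01 from an outside network is flagged on two counts at once. A real deployment would learn from weeks of data and weight the reasons, but the structure is the same.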
    Security7d6d - PeerSpot reviewer
    Security Manager
    Real User
    It improved my organization by building a security alerting program
    Pros and Cons
    • "The alerting to drive investigations and remediation has been its most valuable feature.​"
    • "It improved my organization by building a security alerting program."
    • "Customised alert recipients need to be added to allow better first-line action and quicker response. Configurable honeypots would be a welcome addition."

    What is our primary use case?

    The following are our main use cases for InsightIDR:

    • Log correlation and searching, as well as alerting;
    • IDR Vulnerability management;
    • IVM;
    • Incident response;
    • Breach detection.

    How has it helped my organization?

    The tool has improved my organization by:

    • Building a security alerting program;
    • IDR-driven improved patching;
    • Implementing IVM.

    What is most valuable?

    The alerting to drive investigations and remediation has been its most valuable feature. Plus the ability to quickly search multiple logs makes investigations easier. Log correlation and alerting are also helpful.

    It gives us one place to have everything easily accessible and the ability to alert (including customisation of alerts).

    What needs improvement?

    Customised alert recipients need to be added to allow better first-line action and quicker response. Configurable honeypots would be a welcome addition.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    While we have encountered stability issues, these are resource intensive systems so additional hardware solved this problem.

    What do I think about the scalability of the solution?

    There have been no scalability issues. It's easy to add servers.

    How are customer service and technical support?

    The technical support can be considered competent. However, they can be slow to discover solutions to tricky problems.

    Which solution did I use previously and why did I switch?

    We did not previously use a different solution.

    How was the initial setup?

    Very simple. Spin up a couple of servers, create all the log connectors and you are up and running. The setup was complete within days and we had alerts being generated straight away.

    What about the implementation team?

    We did the installation without any technical help. The configuration was performed by non-technical staff.

    What's my experience with pricing, setup cost, and licensing?

    The pricing and licensing are competitive. Licensing is simple and straightforward.

    Which other solutions did I evaluate?

    We did not evaluate any other solution in the market.

    What other advice do I have?

    You should use it to drive change within your IT from a security point of view. Run a PoC and see exactly what it can do for you. The simple setup means it will be running in no time and you will get meaningful alerts straight away.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user