{"id":19363,"date":"2022-06-09T01:05:00","date_gmt":"2022-06-09T01:05:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=19363"},"modified":"2022-06-14T19:18:55","modified_gmt":"2022-06-14T19:18:55","slug":"rapid7-insightidr-review","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/","title":{"rendered":"Testing &#038; Evaluating SIEM Systems: A Review of Rapid7 InsightIDR"},"content":{"rendered":"\r\n<p>As companies continue to get breached by the hour, IT and security teams are constantly scrambling their defenses in hopes of eradicating attackers from their networks. The (sort of) good news is that security software and hardware vendors are overflowing with product and service offerings designed to help you. Many of them even promise to keep the bad guys and gals out of your systems 24 hours a day, 7 days a week!<\/p>\r\n\r\n\r\n\r\n<p>So all you have to do is get out your credit card, install one of these products and get a good night\u2019s sleep, right? Unfortunately, during the penetration tests we do for clients around the country, we find time and time again that these expensive security solutions have considerable blind spots. Many fail to fully detect even the most basic attacks. And security products also need to be <a href=\"https:\/\/www.esecurityplanet.com\/endpoint\/how-to-tune-edr\/\">fine-tuned<\/a> for your environment; default settings will not cover all concerns specific to your environment.<\/p>\r\n\r\n\r\n\r\n<p>In this article, we will show you how to run some of these &#8220;hacker low-hanging fruit&#8221; attacks to test the effectiveness of your organization\u2019s security services. 
For the sake of having a real commercial tool to conduct these attacks against, we chose a security solution called InsightIDR from Rapid7 to install in our lab environment.<\/p>\r\n\r\n\r\n\r\n<p>InsightIDR has <a href=\"https:\/\/www.esecurityplanet.com\/products\/siem-tools\/\">SIEM<\/a> at its foundation and scales out to essentially be an <a href=\"https:\/\/www.esecurityplanet.com\/products\/xdr-security-solutions\/\">XDR solution<\/a> covering <a href=\"https:\/\/www.esecurityplanet.com\/products\/edr-solutions\/\">endpoints<\/a>, <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-network-monitoring-tools\/\">network traffic analysis<\/a>, <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-user-and-entity-behavior-analytics-ueba-tools\/\">UEBA<\/a>, <a href=\"https:\/\/www.esecurityplanet.com\/networks\/best-incident-response-tools-services\/\">incident response<\/a> and more. In our testing we found a number of issues that are common in SIEM systems. The good news is vendors are responsive to these issues \u2013 they&#8217;d rather hear them from &#8220;white hat&#8221; folks and customers than the bad guys \u2013 and we&#8217;ve been in touch with Rapid7 throughout our work. We found Rapid7 to be responsive and straightforward to deal with &#8211; a good sign for user support, and critically important in cybersecurity. Rapid7 is working on a number of fixes to our findings \u2013 some of which were known issues the company was already aware of \u2013 so we&#8217;ll update this article in a few months to reflect completion of that work. We&#8217;ve also included Rapid7\u2019s comments in a number of places.<\/p>\r\n\r\n\r\n\r\n<p>This is, to our knowledge, one of the few times that test results have been published on a cybersecurity product of this magnitude, so our goal is largely educational. We encourage you to use this article as a guide to conduct your own in-house testing of security solutions. 
We&#8217;ve focused on a number of detectable &#8220;warning shots&#8221; that can happen during an attack (or a <a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing\/\">pentest<\/a>) that will let you know that bad things are brewing behind the scenes. If one or more of these attacks are not detected, challenge your vendors to write a signature for them. The result will be a stronger product for their entire user base.<\/p>\r\n\r\n\r\n\r\n<p>We also created a separate <a href=\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-siem-tutorial\/\"><strong>Guide to Getting Started with Rapid7 InsightIDR<\/strong><\/a> to reflect our impressions on the product&#8217;s ease of use and functionality. We found the product easy to install and configure in just a few hours, and immediately started receiving notifications about key security events. Our focus in this article is on common attacks we conduct during penetration tests, and how Rapid7\u2019s InsightIDR system responded.<\/p>\r\n\r\n\r\n\r\n
<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Testing-InsightIDRs-ability-to-detect-attacks\"><\/span>Testing InsightIDR&#8217;s ability to detect attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><a href=\"#ad\">Active Directory enumeration<\/a><\/li>\r\n<li><a href=\"#password\">Password spraying<\/a><\/li>\r\n<li><a href=\"#kerberoast\">Kerberoasting<\/a><\/li>\r\n<li><a href=\"#asrep\">AS-REP Roasting<\/a><\/li>\r\n<li><a href=\"#network\">Network traffic poisoning<\/a><\/li>\r\n<li><a href=\"#hash\">Dumping hashes 
from domain controllers<\/a><\/li>\r\n<li><a href=\"#pth\">Pass the hash (PTH) attacks<\/a><\/li>\r\n<li><a href=\"#conclusion\">Conclusion<\/a><\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Once the agent was installed on all systems in our test environment, we were ready to simulate actions an attacker or <a href=\"https:\/\/www.esecurityplanet.com\/threats\/ransomware-protection\/\">ransomware<\/a> operator would perform to see what type of security threats are detected. (Note: many of the attacks below are taken from <a href=\"https:\/\/ebook.7minsec.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Light Pentest LITE: eBook Edition<\/a>, which is designed to be a practical, step-by-step playbook for internal network penetration testing.)<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\"><strong><a id=\"ad\"><\/a>Active Directory enumeration<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>One of the first things we do in a penetration test is try to learn more about the client\u2019s <a href=\"https:\/\/www.esecurityplanet.com\/products\/active-directory-security-tools\/\">Active Directory<\/a> environment. Active Directory configurations, especially those that have been in production for a number of years, are often rife with attack paths that are difficult to see unless you take a deeper look under the hood.<\/p>\r\n\r\n\r\n\r\n<p>One such tool we use for Active Directory enumeration is <a href=\"https:\/\/github.com\/BloodHoundAD\/SharpHound\" target=\"_blank\" rel=\"noreferrer noopener\">SharpHound<\/a>, which vacuums up information about all the objects in the directory and how they relate to each other from a security standpoint. 
SharpHound has many different configuration settings you can tweak to make the data collection stealthier, but we usually just run it \u201cwide open\u201d like so:<\/p>\r\n\r\n\r\n\r\n<p><strong>sharphound.exe -d pwn.town -c all<\/strong><\/p>\r\n\r\n\r\n\r\n<p>The <em>-d pwn.town<\/em> specifies our domain, and <em>-c all<\/em> tells SharpHound to collect all data about the Active Directory environment.<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22250\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/sharphound-pentest-1024x403.png\" alt=\"sharphound pentest\" width=\"1024\" height=\"403\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/sharphound-pentest-1024x403.png 1024w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/sharphound-pentest-300x118.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/sharphound-pentest-768x302.png 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/sharphound-pentest-150x59.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/sharphound-pentest-696x274.png 696w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/sharphound-pentest-1068x420.png 1068w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/sharphound-pentest.png 1279w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>InsightIDR did not detect SharpHound being run. This is not surprising, however, as we have yet to see a security solution detect it.<\/p>\r\n\r\n\r\n\r\n<p>The good news is InsightIDR will soon be able to detect this attack. Rapid7 told us, &#8220;We are working on a detection for Active Directory enumeration using SharpHound that we think is possible using Windows log events. 
This will likely be available by the end of the year.&#8221;<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\"><strong><a id=\"password\"><\/a>Password spraying<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>Early in a penetration test, we want to see if we can get access to other Active Directory user accounts. A popular and semi-stealthy way to do this is via password spraying, where we attempt to log into each account <em>one time<\/em> with a password we know people are bound to use. From our experience, we know that people absolutely love to use season + year combinations. So we downloaded <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\" target=\"_blank\" rel=\"noreferrer noopener\">Rubeus<\/a> and attempted to log into each user account using the following syntax:<\/p>\r\n\r\n\r\n\r\n<p><strong>rubeus.exe spray \/password:Spring2022! \/outfile:pwned.txt<\/strong><\/p>\r\n\r\n\r\n\r\n<p>The <em>spray<\/em> flag tells Rubeus we are doing a password spray, the <em>\/password:Spring2022!<\/em> specifies the password we want to spray with, and <em>\/outfile:pwned.txt<\/em> saves any valid credentials to a text file called <em>pwned.txt<\/em>.<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22251\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/rubeus-pentest-1024x779.png\" alt=\"rubeus pentest\" width=\"1024\" height=\"779\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-pentest-1024x779.png 1024w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-pentest-300x228.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-pentest-768x584.png 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-pentest-150x114.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-pentest-696x529.png 696w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-pentest-1068x812.png 
1068w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-pentest.png 1086w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>InsightIDR did not detect our password spray attempts. What we find is that security solutions are very good about notifying you when an account gets locked out, but in this case we are only attempting to log into each account one time, so the accounts stay active.<\/p>\r\n\r\n\r\n\r\n<p>Rapid7 told us a honeypot we didn&#8217;t configure would have helped. The company&#8217;s response: &#8220;For password spraying we have 2 detections, the first is the honey user that you didn&#8217;t configure during the test and the second is a brute force detection that looks for a burst of failed authentications from a single host. Our threshold is at least 100 different users (our smallest customers have ~500 users). We are reevaluating that threshold.&#8221;<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\"><strong><a id=\"kerberoast\"><\/a>Kerberoasting<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>Kerberoasting is one of our favorite attacks. The technical explanation of it can get a bit dense, so we recommend checking out <a href=\"https:\/\/www.blackhillsinfosec.com\/a-toast-to-kerberoast\/\" target=\"_blank\" rel=\"noreferrer noopener\">this article from Black Hills Information Security<\/a> for a deeper dive. However, when we talk about Kerberoasting, it is usually in a room full of managers and executives who just want a plain English explanation of what the attack is, and why they should care. 
So we will say something like this:<\/p>\r\n\r\n\r\n\r\n<p>&#8220;Essentially, <em>any<\/em> Active Directory account can say &#8216;Hey Active Directory, could you please give me the hashes for any service accounts associated with things like IIS and SQL, for example?&#8217; And the Active Directory environment happily answers, &#8216;No problem, Bri-guy, HERE YOU GO!'&#8221;<\/p>\r\n\r\n\r\n\r\n<p>This attack makes more sense when you see it in action. To check if an environment is vulnerable to the Kerberoasting attack, we can use Rubeus again with the following syntax:<\/p>\r\n\r\n\r\n\r\n<p><strong>rubeus.exe kerberoast<\/strong><\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22252\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/kerberoast-pentest.png\" alt=\"kerberoast pentest\" width=\"948\" height=\"817\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/kerberoast-pentest.png 948w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/kerberoast-pentest-300x259.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/kerberoast-pentest-768x662.png 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/kerberoast-pentest-150x129.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/kerberoast-pentest-696x600.png 696w\" sizes=\"(max-width: 948px) 100vw, 948px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>As we can see here, the <em>Ray <\/em>user account in our lab is susceptible to Kerberoasting. So what we can do is bring over the account hash into a high-powered password-cracking rig and potentially figure out the plain text password. In production environments, the Kerberoastable accounts we see are frequently part of the Domain Admins group, and the passwords are not rotated frequently. 
That means if we crack those accounts, we might have complete control of the domain before morning snack time!<\/p>\r\n\r\n\r\n\r\n<p>InsightIDR did not detect the Kerberoasting attempt. That is not entirely surprising, though, as we have only seen a few security solutions generate an alert for this specific attack. However, solutions such as Blumira have built a detection for it, and even make their code for a Kerberoast honey credential <a href=\"https:\/\/github.com\/Blumira\/Kerberoast-Detection\" target=\"_blank\" rel=\"noreferrer noopener\">available to the public<\/a>.<\/p>\r\n\r\n\r\n\r\n<p>Rapid7 response: &#8220;Several of our customers are concerned about Kerberoasting and we are actively working on a detection for this sort of activity that we expect to have live by the end of the summer. Our major concern right now is doing it in a way that limits the false positives.&#8221;<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\"><strong><a id=\"asrep\"><\/a>AS-REP Roasting<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>Similar to Kerberoasting, AS-REP Roasting is something <em>any<\/em> Active Directory account can do to gain access to account password hashes. There is a very good <a href=\"https:\/\/stealthbits.com\/blog\/cracking-active-directory-passwords-with-as-rep-roasting\/\" target=\"_blank\" rel=\"noreferrer noopener\">article from Stealthbits<\/a> that covers the technical nuts and bolts of this attack. 
But in a room mixed with tech and non-techie folks, we explain the attack as follows:<\/p>\r\n\r\n\r\n\r\n<p>With the AS-REP Roasting attack, <em>any<\/em> user in Active Directory can basically say, &#8220;Hey Active Directory, if any user accounts are set to not require Kerberos preauthentication, let me have a bit of encrypted data about that user that I can bring offline and crack!&#8221;<\/p>\r\n\r\n\r\n\r\n<p>To find vulnerable users in Active Directory, you can use the following PowerShell command:<\/p>\r\n\r\n\r\n\r\n<p><strong>Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth<\/strong><\/p>\r\n\r\n\r\n\r\n<p>For any users returned from this command, you can open them up in the Active Directory Users and Computers tool and click the <strong>Account<\/strong> tab to see the vulnerable configuration:<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22253\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/as-rep-roasting.png\" alt=\"as-rep roasting\" width=\"624\" height=\"682\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png 624w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting-274x300.png 274w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting-150x164.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting-300x328.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>Since we want to see the vulnerable users <em>and<\/em> their hashes, we will use Rubeus once again:<\/p>\r\n\r\n\r\n\r\n<p><strong>rubeus.exe asreproast<\/strong><\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22254\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/rubeus-reproast.png\" alt=\"rubeus 
reproast\" width=\"945\" height=\"806\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-reproast.png 945w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-reproast-300x256.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-reproast-768x655.png 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-reproast-150x128.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/rubeus-reproast-696x594.png 696w\" sizes=\"(max-width: 945px) 100vw, 945px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>InsightIDR did not detect the AS-REP Roast attempt. Much like Kerberoasting, we have seen very few security solutions alert on this attack. Again, users can likely expect a detection from Rapid7 in the near future.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\"><strong><a id=\"network\"><\/a>Network traffic poisoning<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>If we are unsuccessful in making any progress with password spraying, Kerberoasting and AS-REP Roasting, we will use a variety of tools to poison certain vulnerable network traffic protocols \u2013 such as NBT-NS (NetBIOS Name Service), LLMNR (Link-Local Multicast Name Resolution) and mDNS (multicast DNS).<\/p>\r\n<p>To help visualize this attack, imagine a scenario where user <em>Sally<\/em> opens up Windows Explorer and tries to browse to the <em>PT-APP01 <\/em>server, but she fat-fingers the server name by putting in an extra zero and types <em>\\\\pt-app0<\/em><strong><em>0<\/em><\/strong><em>1<\/em>. In a few moments, she will get a pop-up error saying &#8220;Windows cannot access \\\\pt-app001.&#8221; No big deal, right? 
Well actually, in the background, something much more sinister could be going on!<\/p>\r\n\r\n\r\n\r\n<p>If we as attackers are running network poisoning tools such as <a href=\"https:\/\/github.com\/Kevin-Robertson\/Inveigh\" target=\"_blank\" rel=\"noreferrer noopener\">Inveigh<\/a>, we can actually listen for Sally to make typos like this, and then intercept them. Check out this visual to get a feel for what this looks like:<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22255\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/dns-poisoning-test.png\" alt=\"dns poisoning test\" width=\"729\" height=\"420\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/dns-poisoning-test.png 729w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/dns-poisoning-test-300x173.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/dns-poisoning-test-150x86.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/dns-poisoning-test-696x401.png 696w\" sizes=\"(max-width: 729px) 100vw, 729px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>Essentially, Sally\u2019s machine asks the DNS server where to find <em>\\\\pt-app0<\/em><strong><em>0<\/em><\/strong><em>1<\/em>, and when the DNS server cannot find it, Sally\u2019s machine does some shout-outs to the rest of the network using insecure protocols (NBT-NS, LLMNR and mDNS). When that happens \u2013 BOOM! 
\u2013 we trick her machine into sending us Sally&#8217;s username and password hash.<\/p>\r\n\r\n\r\n\r\n<p>To start this attack on network traffic, we can use Inveigh:<\/p>\r\n\r\n\r\n\r\n<p><strong>inveigh.exe -nbns y -llmnr y -mdns y<\/strong><\/p>\r\n\r\n\r\n\r\n<p>This syntax tells Inveigh to fire up and poison the insecure NBT-NS, LLMNR and mDNS traffic.<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22256\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/inveigh-dns-pentest-1024x288.png\" alt=\"inveigh dns pentest\" width=\"1024\" height=\"288\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-dns-pentest-1024x288.png 1024w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-dns-pentest-300x84.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-dns-pentest-768x216.png 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-dns-pentest-150x42.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-dns-pentest-696x196.png 696w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-dns-pentest-1068x301.png 1068w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-dns-pentest.png 1350w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>After a while, hopefully we will see entries in the Inveigh log that look like this:<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22257\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/inveigh-log.png\" alt=\"inveigh log\" width=\"729\" height=\"205\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-log.png 729w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-log-300x84.png 300w, 
https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-log-150x42.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/inveigh-log-696x196.png 696w\" sizes=\"(max-width: 729px) 100vw, 729px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>We can now take the hash for user <em>Beverly<\/em> and try to crack it.<\/p>\r\n\r\n\r\n\r\n<p>InsightIDR did not detect the network poisoning, but because InsightIDR is an endpoint-based tool, we did not expect it to. However, if your security solutions are looking at all network traffic in addition to endpoint activity, we recommend running Inveigh to see if it generates alerts. Alternatively, there is an awesome free tool you can run to detect network poisoning attacks called <a href=\"https:\/\/github.com\/hackern0v1c3\/CanaryPi\" target=\"_blank\" rel=\"noreferrer noopener\">CanaryPi<\/a>.<\/p>\r\n\r\n\r\n\r\n<p>The good news is that here, too, a solution is in the works, per Rapid7: &#8220;We do have a detection for this which we have tested on a tool called Responder in the past and it has fired. We did try it with the tool you used (inveigh) and could not get it to fire. We are investigating why but will get it working soon.&#8221;<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\"><strong><a id=\"hash\"><\/a>Dumping hashes from domain controllers<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>If we are able to capture and crack credentials from a member of the Domain Admins group, the next thing we will do is extract <em>all<\/em> the usernames and password hashes from Active Directory. 
The <a href=\"https:\/\/github.com\/gentilkiwi\" target=\"_blank\" rel=\"noreferrer noopener\">mimikatz<\/a> tool works perfectly for this:<\/p>\r\n\r\n\r\n\r\n<p><strong>lsadump::dcsync \/domain:pwn.town \/all \/csv<\/strong><\/p>\r\n\r\n\r\n\r\n<p>This syntax tells Mimikatz to spit out a list of all pwn.town domain users and their hashes in a clean CSV format:<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22258\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/domain-controller-hash-dump.png\" alt=\"domain controller hash dump\" width=\"727\" height=\"403\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/domain-controller-hash-dump.png 727w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/domain-controller-hash-dump-300x166.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/domain-controller-hash-dump-150x83.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/domain-controller-hash-dump-696x386.png 696w\" sizes=\"(max-width: 727px) 100vw, 727px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>In our opinion, this specific attack is the worst thing that can happen to your Active Directory environment. Why? Well, if the attacker has this information and is still inside of your network, they can conduct pass-the-hash (PTH) attacks to take action in the Active Directory while impersonating any user they want! And even if you break the foothold that attackers have in your environment, they may be able to crack some of those hashes and then get right back into your network via email, VPN, VDI, etc.<\/p>\r\n\r\n\r\n\r\n<p>InsightIDR <em>did <\/em>detect the presence of <em>mimikatz.exe<\/em> on endpoints that had the InsightIDR agent on them. 
However, when we dumped the Active Directory hashes from a non-monitored endpoint using <a href=\"https:\/\/github.com\/SecureAuthCorp\/impacket\" target=\"_blank\" rel=\"noreferrer noopener\">impacket<\/a>, InsightIDR did not throw an alert. Traditionally, we will see security solutions alert on the hash dumping action. And while that is good news, it is also kind of frustrating because basically the solution detected the attacker&#8217;s Active Directory \u201cfinishing move.\u201d<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\"><strong><a id=\"pth\"><\/a>Pass the hash (PTH) attacks<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>Armed with the hashes we dumped out of Active Directory, we can use a tool like <a href=\"https:\/\/github.com\/byt3bl33d3r\/CrackMapExec\" target=\"_blank\" rel=\"noreferrer noopener\">CrackMapExec<\/a> to \u201cpass\u201d the hash around the network to other systems:<\/p>\r\n\r\n\r\n\r\n<p><strong>cme smb 10.0.7.0\/24 -u brian -H PASSWORD-HASH-FOR-BRIAN<\/strong><\/p>\r\n\r\n\r\n\r\n<p>In this syntax, <em>cme<\/em> calls CrackMapExec, <em>smb <\/em>specifies the protocol to use, <em>10.0.7.0\/24<\/em> specifies the subnet of systems we are going to \u201cspray\u201d the hash to, <em>-u brian<\/em> specifies the Brian user, and the <em>-H PASSWORD-HASH-FOR-BRIAN<\/em> is Brian\u2019s password hash:<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-22259\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/pass-the-hash-attack-1024x297.png\" alt=\"pass the hash attack\" width=\"1024\" height=\"297\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/pass-the-hash-attack-1024x297.png 1024w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/pass-the-hash-attack-300x87.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/pass-the-hash-attack-768x223.png 768w, 
https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/pass-the-hash-attack-150x44.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/pass-the-hash-attack-696x202.png 696w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/pass-the-hash-attack-1068x310.png 1068w, https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/pass-the-hash-attack.png 1254w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\r\n\r\n\r\n\r\n<p>As you can see, we have &#8220;sprayed&#8221; this hash to the entire 10.0.7.0\/24 subnet and found that not only is the user\/hash combination valid, but it is a high-privilege account on many systems (indicated by <em>Pwn3d!<\/em>).<\/p>\r\n\r\n\r\n\r\n<p>InsightIDR did not detect the pass-the-hash attacks. In general, we are seeing corporate endpoint detection and response (EDR) tools throw alerts when they see pass-the-hash behavior.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Pentesting-Your-Environment-for-%E2%80%98Warning-Shot-Detection\"><\/span><a id=\"conclusion\"><\/a>Pentesting Your Environment for &#8216;Warning Shot&#8217; Detection<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n\r\n\r\n<p>It is important to note that these kinds of blind spots are common in many SIEMs. In a perfect world, we could wave a magic wand and find a combination of security solutions that would make your network hack-proof. In the meantime, though, we feel there <em>are<\/em> a lot of detectable &#8220;warning shots&#8221; that can happen during an attack (or a pentest) that will let you know that bad things are brewing behind the scenes. We encourage you to use this article as a guide to conduct your own in-house testing of security solutions. If one or more of these attacks are not detected, challenge your vendors to write a signature for them. 
And if you are in the market for a new monitoring and logging solution, check out our <a href=\"https:\/\/gist.github.com\/braimee\/edf91f87ee95b48c803895614a0ec57a\" target=\"_blank\" rel=\"noreferrer noopener\">SIEMple SIEM questionnaire<\/a>. It contains a list of pre-sales questions you can ask to better understand what the solution does and does not do, as well as additional technical tests you can run to determine if the solution is effective at detecting and\/or stopping threats.<\/p>\r\n\r\n\r\n\r\n<p>Read next:<\/p>\r\n<ul>\r\n<li><strong><a href=\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-siem-tutorial\/\">Getting Started with Rapid7 InsightIDR: A SIEM Tutorial<\/a><\/strong><\/li>\r\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/siem-tools\/\"><strong>Best SIEM Tools &amp; Software<\/strong><\/a><\/li>\r\n<\/ul>\r\n","protected":false},"excerpt":{"rendered":"<p>As companies continue to get breached by the hour, IT and security teams are constantly scrambling their defenses in hopes of eradicating attackers from their networks. The (sort of) good news is that security software and hardware vendors are overflowing with product and service offerings designed to help you. Many of them even promise to [&hellip;]<\/p>\n","protected":false},"author":290,"featured_media":22253,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[14,17],"tags":[28055,31708,9454,11190,3483,28046,30578],"b2b_audience":[33,34],"b2b_industry":[],"b2b_product":[382,378,377,448,389,143,375,376,146,31776,379,31775],"class_list":["post-19363","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networks","category-products","tag-edr","tag-pentesting","tag-rapid7","tag-security-testing","tag-siem","tag-ueba","tag-xdr","b2b_audience-awareness-and-consideration","b2b_audience-evaluation-and-selection","b2b_product-application-security-vulnerability-management","b2b_product-endpoint-security","b2b_product-gateway-and-network-security","b2b_product-hosted-and-managed-services","b2b_product-managed-security-services","b2b_product-security","b2b_product-security-management","b2b_product-security-services","b2b_product-services","b2b_product-siem","b2b_product-threats-and-vulnerabilities","b2b_product-web-applications-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - 
https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Rapid7 InsightIDR Testing &amp; Review<\/title>\n<meta name=\"description\" content=\"We ran a number of pentests against Rapid7 InsightIDR to reveal common SIEM shortcomings - and to help readers conduct their own tests.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Rapid7 InsightIDR Testing &amp; Review\" \/>\n<meta property=\"og:description\" content=\"We ran a number of pentests against Rapid7 InsightIDR to reveal common SIEM shortcomings - and to help readers conduct their own tests.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-09T01:05:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-06-14T19:18:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png\" \/>\n\t<meta property=\"og:image:width\" content=\"624\" \/>\n\t<meta property=\"og:image:height\" content=\"682\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Brian Johnson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Brian Johnson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/\"},\"author\":{\"name\":\"Brian Johnson\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/d75b0723c93e419becb11af3d4eb7757\"},\"headline\":\"Testing &#038; Evaluating SIEM Systems: A Review of Rapid7 InsightIDR\",\"datePublished\":\"2022-06-09T01:05:00+00:00\",\"dateModified\":\"2022-06-14T19:18:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/\"},\"wordCount\":2650,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png\",\"keywords\":[\"EDR\",\"pentesting\",\"Rapid7\",\"Security Testing\",\"SIEM\",\"UEBA\",\"XDR\"],\"articleSection\":[\"Networks\",\"Products\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/\",\"name\":\"Rapid7 InsightIDR Testing & 
Review\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png\",\"datePublished\":\"2022-06-09T01:05:00+00:00\",\"dateModified\":\"2022-06-14T19:18:55+00:00\",\"description\":\"We ran a number of pentests against Rapid7 InsightIDR to reveal common SIEM shortcomings - and to help readers conduct their own tests.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png\",\"width\":624,\"height\":682},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Testing &#038; Evaluating SIEM Systems: A Review of Rapid7 InsightIDR\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business 
secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/d75b0723c93e419becb11af3d4eb7757\",\"name\":\"Brian Johnson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/BrianJohnson-headshot-2022-2-Brian-Johnson-1-1-150x150.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/BrianJohnson-headshot-2022-2-Brian-Johnson-1-1-150x150.png\",\"caption\":\"Brian Johnson\"},\"description\":\"Brian Johnson is the president of 7 Minute Security, which specializes in security assessments, penetration testing and training. He is especially passionate about teaching others about security, and hosts a weekly podcast to help consumers and businesses strengthen their security posture. 
When he isn\u2019t camped out behind a keyboard, he enjoys outdoor activities with his family, as well as singing and playing guitar in an acoustic duo.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/bjohnson\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Rapid7 InsightIDR Testing & Review","description":"We ran a number of pentests against Rapid7 InsightIDR to reveal common SIEM shortcomings - and to help readers conduct their own tests.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/","og_locale":"en_US","og_type":"article","og_title":"Rapid7 InsightIDR Testing & Review","og_description":"We ran a number of pentests against Rapid7 InsightIDR to reveal common SIEM shortcomings - and to help readers conduct their own tests.","og_url":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/","og_site_name":"eSecurity Planet","article_published_time":"2022-06-09T01:05:00+00:00","article_modified_time":"2022-06-14T19:18:55+00:00","og_image":[{"width":624,"height":682,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png","type":"image\/png"}],"author":"Brian Johnson","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Brian Johnson","Est. 
reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/"},"author":{"name":"Brian Johnson","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/d75b0723c93e419becb11af3d4eb7757"},"headline":"Testing &#038; Evaluating SIEM Systems: A Review of Rapid7 InsightIDR","datePublished":"2022-06-09T01:05:00+00:00","dateModified":"2022-06-14T19:18:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/"},"wordCount":2650,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png","keywords":["EDR","pentesting","Rapid7","Security Testing","SIEM","UEBA","XDR"],"articleSection":["Networks","Products"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/","url":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/","name":"Rapid7 InsightIDR Testing & Review","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png","datePublished":"2022-06-09T01:05:00+00:00","dateModified":"2022-06-14T19:18:55+00:00","description":"We ran a number of pentests against Rapid7 InsightIDR to reveal common SIEM shortcomings - and to help readers conduct their own 
tests.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/as-rep-roasting.png","width":624,"height":682},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"Testing &#038; Evaluating SIEM Systems: A Review of Rapid7 InsightIDR"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/d75b0723c93e419becb11af3d4eb7757","name":"Brian Johnson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/BrianJohnson-headshot-2022-2-Brian-Johnson-1-1-150x150.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/BrianJohnson-headshot-2022-2-Brian-Johnson-1-1-150x150.png","caption":"Brian Johnson"},"description":"Brian Johnson is the president of 7 Minute Security, which specializes in security assessments, penetration testing and training. He is especially passionate about teaching others about security, and hosts a weekly podcast to help consumers and businesses strengthen their security posture. 
When he isn\u2019t camped out behind a keyboard, he enjoys outdoor activities with his family, as well as singing and playing guitar in an acoustic duo.","url":"https:\/\/www.esecurityplanet.com\/author\/bjohnson\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/19363"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/290"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=19363"}],"version-history":[{"count":0,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/19363\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/22253"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=19363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=19363"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=19363"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=19363"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=19363"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_product?post=19363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}