
Rapid7 InsightIDR Overview

Rapid7 InsightIDR is the #4 ranked solution in our list of top User Behavior Analytics - UEBA tools. It is most often compared to Darktrace.

What is Rapid7 InsightIDR?

Parsing hundreds of trivial alerts. Managing a mountain of data. Manually forwarding info from your endpoints. Forget that. InsightIDR instantly arms you with the insight you need to make better decisions across the incident detection and response lifecycle, faster.

Rapid7 InsightIDR is also known as InsightIDR.


Rapid7 InsightIDR Customers

Liberty Wines, Pioneer Telephone, Visier


Archived Rapid7 InsightIDR Reviews (more than two years old)

PD
Information Security Manager at a tech vendor with 51-200 employees
Real User
Users/endpoints focus gives us more understanding of network events, allowing us to see behavior patterns

Pros and Cons

  • "The incident case management is the most valuable feature. Even though there's always something I find I would like to add to that feature, the ability to quickly sort through all the logs, network and endpoint data, etc., and add it to an incident case as part of the investigation, is nice. Having it automatically timeline that additional data into the original incident timeline, and correlate it to other notable events and activities on the network, results in a huge improvement in our overall confidence that we've quickly traced down the right source of an issue."
  • "The reporting is the weakest aspect. There needs to be multi-level grouping for events (for example, group by user and destination). Right now, we can do a group by user and a separate table or group by destination. But I'd be more interested in where a person was logging into instead of who was logging in or where he was logging in."

What is our primary use case?

Centralized SIEM / Intrusion Detection System.

How has it helped my organization?

The focus on users/endpoints gives us so much more understanding of the events going on across the network, allowing us to step back from looking at logs only to see the actual behavior patterns instead.

What is most valuable?

The incident case management is the most valuable feature. Even though there's always something I find I would like to add to that feature, the ability to quickly sort through all the logs, network and endpoint data, etc., and add it to an incident case as part of the investigation, is nice. Having it automatically timeline that additional data into the original incident timeline, and correlate it to other notable events and activities on the network, results in a huge improvement in our overall confidence that we've quickly traced down the right source of an issue.

What needs improvement?

The reporting is the weakest aspect. There needs to be multi-level grouping for events (for example, group by user and destination). Right now, we can do a group by user and a separate table or group by destination. But I'd be more interested in where a person was logging into instead of who was logging in or where he was logging in.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We have rarely encountered any issues with stability. The primary source of stability issues has been the couple times where there have been lost log messages online. While that's unavoidable, it's definitely not desirable if I happen to have an incident at that time.

What do I think about the scalability of the solution?

We haven't had any issues with scalability yet. (We'll keep trying).

How are customer service and technical support?

Technical support for InsightIDR has been fantastic. We've used Rapid7 for over a year now, and, while support calls happen, it's rarely over something simple that's just not working. Normally we call because of something heavily situational, and the techs have always figured it out.

Which solution did I use previously and why did I switch?

A private ELK stack was used originally. We moved off of it as we wanted to ensure that we were focusing on the security of the company, and not writing log parsing rules all day.

How was the initial setup?

The initial setup was pretty straightforward, but it takes a little bit of a mental leap to understand how it all works together. What's key to remember is that it is user and endpoint centric, and not account centric. That means that, over time, it will start associating user.a on host1 to user.a on host2 and treating them as the same. It could be a little confusing for some companies if they don't use standardized permissions or don't use administrative-only accounts, but for most current user-access mechanisms, it shouldn't lead to any abnormal results.

What's my experience with pricing, setup cost, and licensing?

Licensing is by endpoint and amount of retention time (at least ours is). Default retention was one year, but we are able to push the retention further if needed. There's also a provide-your-own-S3 option for longer retention if you don't want to pay for the additional retention years in your Rapid7 agreement.

Which other solutions did I evaluate?

AlienVault, LogRhythm, Qualys.

What other advice do I have?

Have a plan going forward (Syslog exports, agent-based collection, etc.) and ensure WMI is available if using Windows Servers. It was very easy to set up, but troubleshooting can be "fun" if an endpoint doesn't connect correctly. Don't be shy of support requests. They'd rather you be "that person" that keeps getting support, rather than being the one that ran into an issue and stopped using the product.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
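The reviewer above describes two things a user-centric SIEM does that a plain log store does not: it treats the same account seen on different hosts as one person, and it lets you ask "where did this user log in to" rather than only "who logged in". The following is an added example, not InsightIDR's code or any Rapid7 logic, that implements that idea over a handful of constructed Windows-style logon events: account names in `DOMAIN\user` and `user@domain` form are collapsed to one identity key, events are grouped by user and then by destination host (the two-level grouping the reviewer asked for), and any logon to a destination the user was never seen on during a baseline window is raised as an alert. The event fields, host names, the `BASELINE_END` cutoff and the alert shape are all assumptions made for the illustration.

```python
"""Added example: user-centric correlation of logon events across hosts.

Not InsightIDR code. Sample events, host names and the baseline cutoff
are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    account: str      # as logged: "CORP\\user.a", "user.a@corp.example", ...
    src_host: str     # host the logon originated from
    dst_host: str     # host that accepted the logon
    logon_type: int   # Windows logon type (3 = network, 10 = RDP)


@dataclass(frozen=True)
class NewDestinationAlert:
    ts: datetime
    user: str
    src_host: str
    dst_host: str
    known_destinations: frozenset


# Constructed sample data (not captured from any real environment).
# user.a is seen on two workstations under two account spellings; the
# last two events fall after the baseline window.
SAMPLE_EVENTS = [
    LogonEvent(datetime(2021, 9, 1, 8, 0), "CORP\\user.a", "host1", "FILESRV01", 3),
    LogonEvent(datetime(2021, 9, 1, 8, 5), "user.a@corp.example", "host1", "MAILSRV01", 3),
    LogonEvent(datetime(2021, 9, 2, 9, 0), "CORP\\user.a", "host2", "FILESRV01", 3),
    LogonEvent(datetime(2021, 9, 3, 10, 0), "CORP\\user.b", "host3", "FILESRV01", 3),
    LogonEvent(datetime(2021, 9, 15, 2, 13), "CORP\\user.a", "host2", "DC01", 10),
    LogonEvent(datetime(2021, 9, 15, 2, 14), "CORP\\user.a", "host2", "FILESRV01", 3),
]

# Assumed cutoff: everything before it is treated as learned baseline.
BASELINE_END = datetime(2021, 9, 10)


def canonical_user(account: str) -> str:
    """Map DOMAIN\\user, user@domain and bare user to one identity key."""
    acct = account.strip().lower()
    if "\\" in acct:
        acct = acct.split("\\", 1)[1]
    if "@" in acct:
        acct = acct.split("@", 1)[0]
    return acct


def hosts_per_user(events):
    """Which source hosts each user identity has been seen on."""
    seen = defaultdict(set)
    for e in events:
        seen[canonical_user(e.account)].add(e.src_host)
    return {u: frozenset(h) for u, h in seen.items()}


def group_by_user_and_destination(events):
    """Two-level grouping: user -> destination host -> number of logons."""
    grouped = defaultdict(lambda: defaultdict(int))
    for e in events:
        grouped[canonical_user(e.account)][e.dst_host] += 1
    return {u: dict(d) for u, d in grouped.items()}


def new_destination_alerts(events, baseline_end):
    """Alert once per (user, destination) pair not seen during the baseline.

    Events are processed in time order; baseline events only teach the
    model, later events are checked against what was learned so far.
    """
    seen = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        user = canonical_user(e.account)
        if e.ts >= baseline_end and e.dst_host not in seen[user]:
            alerts.append(NewDestinationAlert(
                e.ts, user, e.src_host, e.dst_host, frozenset(seen[user])))
        seen[user].add(e.dst_host)  # learn it so the same pair alerts once
    return alerts


if __name__ == "__main__":
    for user, dests in group_by_user_and_destination(SAMPLE_EVENTS).items():
        print(user, dests)
    for a in new_destination_alerts(SAMPLE_EVENTS, BASELINE_END):
        print(f"{a.ts} {a.user} {a.src_host} -> {a.dst_host} "
              f"(previously: {sorted(a.known_destinations)})")
```

The baseline cutoff is the weak point of this approach, exactly as the reviewer's setup note implies: if administrators share generic accounts, or the same person uses several named accounts, `canonical_user` will either merge identities that should stay separate or split one person into several, and the "new destination" alert inherits that error.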
NJ
Security Manager
Real User
It improved my organization by building a security alerting program

Pros and Cons

  • "The alerting to drive investigations and remediation has been its most valuable feature.​"
  • "It improved my organization by building a security alerting program."
  • "Customised alert recipients need to be added to allow better first-line action and quicker response. Configurable honeypots would be a welcome addition."

What is our primary use case?

The following are our main use cases for InsightIDR:

  • Log correlation and searching, as well as alerting;
  • IDR Vulnerability management;
  • IVM;
  • Incident response;
  • Breach detection.

How has it helped my organization?

The tool has improved my organization by:

  • Building a security alerting program;
  • IDR-driven improved patching;
  • Implementing IVM.

What is most valuable?

The alerting to drive investigations and remediation has been its most valuable feature. Plus the ability to quickly search multiple logs makes investigations easier. Log correlation and alerting are also helpful.

It gives us one place to have everything easily accessible and the ability to alert (including customisation of alerts).

What needs improvement?

Customised alert recipients need to be added to allow better first-line action and quicker response. Configurable honeypots would be a welcome addition.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

While we have encountered stability issues, these are resource-intensive systems, so additional hardware solved this problem.

What do I think about the scalability of the solution?

There have been no scalability issues. It's easy to add servers.

How are customer service and technical support?

The technical support can be considered competent. However, they can be slow to discover solutions to tricky problems.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

Very simple. Spin up a couple of servers, create all the log connectors and you are up and running. The setup was complete within days and we had alerts being generated straight away.

What about the implementation team?

We did the installation without any technical help. The configuration was performed by non-technical staff.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing are competitive. Licensing is simple and straightforward.

Which other solutions did I evaluate?

We did not evaluate any other solution in the market.

What other advice do I have?

You should use it to drive change within your IT from a security point of view. Run a PoC and see exactly what it can do for you. The simple setup means it will be running in no time and you will get meaningful alerts straight away.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JC
Database Administrator with 501-1,000 employees
Real User
User behavioral analytics allows us to pinpoint abnormal or suspicious behavior among millions of events every day

Pros and Cons

  • "​​User behavioral analytics allows us to pinpoint abnormal or suspicious behavior among millions of events every day."
  • "Log search allows us to dive deep into aggregated logs and query all event types at once.​"
  • "The log aggregation and storage provided by InsightIDR has shown no issues with scalability; aggregating over one hundred millions events daily."
  • "InsightIDR has allowed us to find potential security issues that we did not know existed, and get remediation quickly."
  • "It would be useful to import threat intelligence in YARA format along with known incorrect email addresses.​"

What is our primary use case?

  • Security incident
  • Event management

How has it helped my organization?

InsightIDR has allowed us to find potential security issues that we did not know existed, and get remediation quickly.

What is most valuable?

  • User behavioral analytics allows us to pinpoint abnormal or suspicious behavior among millions of events every day.
  • Log search allows us to dive deep into aggregated logs and query all event types at once.

What needs improvement?

Threat Intelligence: It would be useful to import threat intelligence in YARA format along with known incorrect email addresses.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

During the entire duration of use, there have been no issues noted with stability.

What do I think about the scalability of the solution?

The log aggregation and storage provided by InsightIDR has shown no issues with scalability, aggregating over one hundred million events daily. The only constriction point in deployment is the collectors, as they are required for agentless logging. However, keeping with the documentation provided for deployment, it handles the load appropriately if the documentation is adhered to.

How are customer service and technical support?

Among the best! Their support responds promptly. They fully resolve issues before closing tickets.

Which solution did I use previously and why did I switch?

We did not use a previous solution.

How was the initial setup?

The initial setup is quite straightforward and can be accomplished from their Quick Start Guide. As the platform is quite adaptable, it can continue to be expanded to add many different log types, which you may find to be a continuous process.

What's my experience with pricing, setup cost, and licensing?

Accurately predict your licensing counts as this is a subscription based product.

Which other solutions did I evaluate?

We evaluated FireEye Helix, LogRhythm, Splunk, and IBM QRadar.

What other advice do I have?

The product is a shift in paradigm being cloud-based with cloud storage. Be prepared to set up several virtual collector servers within your network, if you have a large network.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Josh Serna
Information Security Systems Administrator at a non-tech company with 5,001-10,000 employees
Real User
I am able to run automated actions based on the output of reports

Pros and Cons

  • "I am able to run automated actions based on the output of reports, leaving me extra time to focus on more pressing matters."
  • "The ability to ingest Office 365 log files, then process them into events and display them on a map."
  • "The technical support is a solid 10 out of 10 as they take the time to answer any questions or problems which may arise in a reasonable time frame."
  • "I feel it would greatly benefit from more supported log sources."
  • "The ability to tune the collector for custom logs would greatly help."

What is our primary use case?

Visibility and response.

How has it helped my organization?

I am able to run automated actions based on the output of reports, leaving me extra time to focus on more pressing matters.

What is most valuable?

The ability to ingest Office 365 log files, then process them into events and display them on a map. This feature is particularly useful as it allows us to view students who are attempting to bypass our content filters, and it shows us users who have been phished.

What needs improvement?

Personally, I feel it would greatly benefit from more supported log sources. Additionally, the ability to tune the collector for custom logs would greatly help.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

Product is cloud-based. Thus far, it has proven to be stable.

What do I think about the scalability of the solution?

No product scales extremely well.

How are customer service and technical support?

The technical support is a solid 10 out of 10 as they take the time to answer any questions or problems which may arise in a reasonable time frame.

How was the initial setup?

Initial setup was straightforward.

What about the implementation team?

I had a support engineer sit with me through the whole process over the course of three days. He was a huge help!

What's my experience with pricing, setup cost, and licensing?

This is a great product. The team is very willing to work with companies. My suggestion is to call the Rapid7 sales department and see how they can help.

Which other solutions did I evaluate?

We did PoC with a couple of other products. However, Rapid7 InsightIDR was the best product for our needs and budget.

We evaluated LogRhythm and AlienVault. Both were inferior in regards to pricing or performance.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Chad Kliewer
Information Security Officer at a comms service provider with 501-1,000 employees
Real User
Dashboards provide critical information at a glance, without hours of coding

Pros and Cons

  • "Dashboards, including the main screen, provide much-needed information at a glance, without hours of coding and sifting through logs to find it. In case of an actual security incident, I have faith that InsightIDR has retained all logs in a secure manner that prevents log tampering as well."
  • "InsightIDR's ability to process millions of transactions per day, and to notify me of the most critical ones, is priceless. InsightIDR has the alerts tuned, and has the ability to quickly drill down to determine the threat level."
  • "Another very important part of InsightIDR is the ability to collect data from endpoint devices via agent software. With a large remote workforce, this allows visibility into the endpoints that are connected to the internet, but not to the corporate network."
  • "I would like the ability to adjust the threshold of certain existing alerts. Currently the only option is to change the notifications or create my own alert."

What is our primary use case?

I was looking for a behavior analytics solution to help me monitor our users' activity and to notify of any suspicious activity.

InsightIDR was able to meet those needs and even exceed it by providing full SIEM capabilities, even for devices they don’t support directly. Most importantly, I don’t need a team of people dedicated to log collecting and sifting.

How has it helped my organization?

With the full suite of Rapid7 products, I am able to provide effective oversight to the information security program with measurable progress. This is a very difficult thing to measure with the ever-changing threat landscape. Dashboards, including the main screen, provide much-needed information at a glance, without hours of coding and sifting through logs to find it. In case of an actual security incident, I have faith that InsightIDR has retained all logs in a secure manner that prevents log tampering as well.

What is most valuable?

InsightIDR's ability to process millions of transactions per day, and to notify me of the most critical ones, is priceless. InsightIDR has the alerts tuned, and has the ability to quickly drill down to determine the threat level, which is very important to me as a one-person security department.

Another very important part of InsightIDR is the ability to collect data from endpoint devices via agent software. With a large remote workforce, this allows visibility into the endpoints that are connected to the internet, but not to the corporate network.

What needs improvement?

I would like the ability to adjust the threshold of certain existing alerts. Currently the only option is to change the notifications or create my own alert.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

I have not encountered any stability issues with the local collector. On the rare occasion that the cloud part of InsightIDR is undergoing maintenance or having other issues, I usually receive a notification from Rapid7 before I even notice a problem.

What do I think about the scalability of the solution?

I have not seen any issues with scalability. On average, InsightIDR is processing about 60 million events per day from my environment.

How are customer service and technical support?

The technical support folks at Rapid7 are a great bunch of folks. I haven’t had much need to contact them, but when I have they have been extremely professional and will escalate issues and suggestions to developers, if needed.

Which solution did I use previously and why did I switch?

I actually purchased the predecessor, InsightUBA, which quickly changed into the InsightIDR that we have today. There was no other previous solution.

How was the initial setup?

Setup was extremely simple. An implementation specialist was assigned to me to help get me started and to learn my environment and challenges.

For the most part, all communications are sent to a log aggregation server. It is as simple as pointing syslogs to that server. For some, such as Active Directory and Exchange, there are plugins that are simple to install on those servers to make sure the appropriate logs are sent.

From InsightIDR, it is as simple as choosing from a list of supported log sources, or you can create a generic log source by specifying a port number. It’s that simple.

What's my experience with pricing, setup cost, and licensing?

Licensing is straightforward. If, for some reason, you don’t meet the minimum licensing requirements, there is a third-party managed service that can help.

Which other solutions did I evaluate?

I did not consider any other options in depth. Most other options I saw required one or more full-time employees to maintain.

What other advice do I have?

In the past I have made several requests and have had the opportunity to work with developers and user-interface specialists to add enhancements to the product. The effort that Rapid7 puts into the user interface, after gaining first-hand use-case information directly from us, the end users, is unprecedented. Even when I worked for much larger companies, I did not see so many suggestions turn into reality.

Be sure to take full advantage of the agents. I have not seen any performance problems on the endpoints, and having this level of information from outside the network is difficult otherwise.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user836481
Information Security Officer at a tech vendor with 201-500 employees
Real User
Enables the use of honey pots, honey users, and honey files to monitor for suspicious patterns

Pros and Cons

  • "Intelligent alerting to avoid the common problem of alert fatigue associated with traditional SIEMs."
  • "Great coverage of all systems within our network from endpoint to firewall."
  • "Integration with threat modeling from the Metasploit and InsightIDR repositories."
  • "Enables the use of honey pots, honey users, and honey files to monitor for suspicious patterns."
  • "One thing that springs to mind is easier API integration with ITSMs. We are evaluating a new ITSM and I would like to have InsightIDR create a ticket when an attack is identified, and the ticket would be closed in InsightIDR when the ITSM resolution is completed. This would take out the "single point of failure" we currently have, if the email recipient is somehow absent, in recording the risk appetite for the incident and the actions taken to mitigate or not."

What is our primary use case?

It is used to maintain our security posture by monitoring inside our network for behavior likely to be conducive with elements of the kill chain.

I was an early adopter of the product. I have seen it get better over time, making use of the data and methodologies used by the industry standard and Rapid7 Metasploit community.

How has it helped my organization?

We were able to identify criminals attempting to login from China and put a stop on their IP locations.

What is most valuable?

  • Intelligent alerting to avoid the common problem of alert fatigue associated with traditional SIEMs.
  • Great coverage of all systems within our network from endpoint to firewall.
  • Integration with threat modeling from the Metasploit and InsightIDR repositories.
  • Enables the use of honey pots, honey users, and honey files to monitor for suspicious patterns.

It gives all the advantages of a SIEM. However, using clever AI, it looks for patterns of behavior rather than just flooding me with all the alerts.

What needs improvement?

Although the solution has been improving continually in the time I have been using it, there could be areas of improvement.

The one thing that springs to mind is easier API integration with ITSMs. We are evaluating a new ITSM and I would like to have InsightIDR create a ticket when an attack is identified, and the ticket would be closed in InsightIDR when the ITSM resolution is completed. This would take out the "single point of failure" we currently have, if the email recipient is somehow absent, in recording the risk appetite for the incident and the actions taken to mitigate or not.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

None at all. Even as an early adopter, there were no significant issues with stability. Due to the continual improvement, I do not recall the last issue that I had with the system.

What do I think about the scalability of the solution?

We are only a small PLC with 300 staff over six sites and two continents, so scalability has never been a major concern. However, the InsightIDR system looks to be scalable, if required.

How are customer service and technical support?

Technical support is excellent: technical, timely, and professional throughout any incident or enhancement request.

Which solution did I use previously and why did I switch?

This was our first look at security as a single entity. After creating a threat register, we were able to mitigate over two-thirds of the threats with this one product.

How was the initial setup?

It is very simple. It is a case of requesting a trial from Rapid7, then connecting the relevant logging devices, such as our AD servers or DNS servers, to it and sitting back.

Obviously, there is more to it than that, but that is the principle.

What's my experience with pricing, setup cost, and licensing?

I am sure that there are cheaper products out there, but none that meet so many of our needs whilst maintaining stability and usability.

Which other solutions did I evaluate?

At the time, there was no other product that came close to InsightIDR's feature set, coupled with Rapid7's world-leading security position producing other products, such as Metasploit and Nexpose (InsightVM), which we also use.

What other advice do I have?

Use it. The setup is minimal, but the payback is phenomenal.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
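Two of the detections this reviewer relies on, honey users and geography-based login alerts, are cheap to reproduce against raw authentication logs, and seeing the logic makes clear why a honey-account hit is a high-fidelity alert (the account has no legitimate use, so any attempt is interesting, success or failure) while a country rule is only a heuristic. The block below is an added example written for this page, not InsightIDR's detection code; the syslog-style lines, the honey account name, the allowed-country list and the network-to-country table (a stand-in for a GeoIP database, using documentation address ranges) are all constructed for the illustration.

```python
"""Added example: honey-account and unexpected-country alerts over
constructed authentication log lines. Not InsightIDR code.

The log format, account names, IP ranges and country mapping below are
assumptions made for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
2021-09-14T08:01:10Z vpn01 auth: user=j.smith src=198.51.100.7 result=success
2021-09-14T08:03:44Z vpn01 auth: user=svc_backup_admin src=203.0.113.9 result=failure
2021-09-14T08:03:50Z vpn01 auth: user=svc_backup_admin src=203.0.113.9 result=failure
2021-09-14T09:12:02Z vpn01 auth: user=j.smith src=203.0.113.77 result=success
2021-09-14T09:15:30Z vpn01 auth: user=a.jones src=192.0.2.44 result=success
"""

# Assumed: a decoy account that exists in the directory but is never used.
HONEY_ACCOUNTS = frozenset({"svc_backup_admin"})

# Assumed: where this organisation's staff legitimately log in from.
ALLOWED_COUNTRIES = frozenset({"US"})

# Constructed stand-in for a GeoIP lookup; these are documentation ranges
# (RFC 5737) and the country codes are invented for the example.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    user: str
    src_ip: str
    country: str
    result: str


def parse_auth_line(line):
    """Return a dict of fields for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def country_for(ip_str):
    """Look the address up in the constructed table; '??' if unknown."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "??"
    for net, cc in GEO_TABLE:
        if ip in net:
            return cc
    return "??"


def detect(lines, honey_accounts=HONEY_ACCOUNTS,
           allowed_countries=ALLOWED_COUNTRIES):
    """Apply both rules to every parseable line, in log order.

    honey_account      fires on ANY attempt against a decoy account.
    unexpected_country fires only on a SUCCESSFUL logon from a country
                       outside the allow list (failed attempts from
                       anywhere are too noisy to page on).
    """
    alerts = []
    for line in lines:
        f = parse_auth_line(line)
        if f is None:
            continue  # unparseable lines are skipped, not alerted on
        cc = country_for(f["src"])
        if f["user"] in honey_accounts:
            alerts.append(Alert("honey_account", f["ts"], f["user"],
                                f["src"], cc, f["result"]))
        elif f["result"] == "success" and cc not in allowed_countries:
            alerts.append(Alert("unexpected_country", f["ts"], f["user"],
                                f["src"], cc, f["result"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.rule:<19} user={a.user} src={a.src_ip} "
              f"country={a.country} result={a.result}")
```

The honey rule deliberately ignores the result field: two failed attempts against `svc_backup_admin` are as worth investigating as a success, because nobody should know the account exists. The country rule, by contrast, is where a real deployment needs per-user baselines (as the first-seen-destination logic in the earlier example does for hosts) rather than a single organisation-wide allow list, since a travelling employee and a credential-stuffing attacker look identical to it.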