InsightIDR

One of the aspects I absolutely love about Rapid7 InsightIDR is its ability to provide a single pane of glass view across our entire environment. This capability allows me to see everything from my cloud environment to our on-premise assets through its robust logging capabilities. Being able to monitor user activities comprehensively is hugely important from a security perspective. Secondly, I greatly appreciate the ease of its logging capabilities, particularly the ability to parse logs. Even if Rapid7 does not have a pre-existing parsing tool for specific logs, I can easily go in and parse them myself, making them usable for our needs. This flexibility ensures we can integrate various log sources effectively. Furthermore, the log searches themselves are remarkably easy to learn. For someone new to this field or just starting, there is abundant information available from Rapid7. With just a few minutes of reviewing their documentation, new users can quickly learn to query logs, find specific information, and extract actionable data. This user-friendliness extends to the UI and navigation experience, which is intuitive for analysts. Investigating threats is streamlined, often requiring just a few clicks within the interface to dig into details. Finally, a significant benefit is the system's support for team collaboration and continuity. For instance, if a ticket is assigned to a team member, they can add notes directly within the system. If that person is unavailable, another team member can seamlessly take over, reviewing all the same information, clicking through logs, and accessing notes left by their colleague. This feature makes it a really good system for ensuring that no data or information is missed, fostering effective teamwork and incident management.

Regularly updated intelligence means less time needed deciphering events

There are a large number of detection rules that come out of the box and can just be enabled, provided you have the right log sources coming into the platform. The Mitre Att&ck framework is integrated with the platform and helps to assess tactics and techniques that may be being used. The community threats feature is also great as it provides some insight on what others across the industry are monitoring / assessing within their environments.

One of the most frustrating aspects we've encountered is the turnover of the assigned Rapid7 agent who works with us on a monthly basis as part of our licensing agreement. While the current representative is excellent and I hope we retain him, the frequency with which these representatives change has been our biggest complaint. This turnover makes it difficult to establish a strong rapport and for the representative to fully understand our specific goals and environmental needs. Related to this, we sometimes face a struggle getting answers to our tickets when we submit them. Although we eventually receive the necessary responses, the process can be painful at times. Another area for improvement, from my perspective, concerns the features offered through the InsightIDR tool. Rapid7 offers certain functionalities, such as automations, but they are presented as separate add-ons. I would prefer to see these features included directly in the licensing rather than requiring an additional purchase.

Constant addition of adverts posing as new features

We haven't been able to integrate Sophos properly yet with our SIEM solution, we bought the platform being advised we could, as a new app would be released soon, but this hasn't come out yet and so our existing integration with Sophos is in place, but via workarounds, which is less than ideal.