Integrating InsightIDR
This integration enables the Delinea Platform to forward JSON-formatted event logs to Rapid7 InsightIDR using a webhook endpoint. Logs are ingested into InsightIDR as custom events, allowing administrators to monitor privileged access activities and other security-related events directly in their SIEM.
This integration offers the following benefits:
- Centralizes Delinea Platform security events in InsightIDR for correlation and analysis.
- Provides visibility into privileged access activity, including secret access, modifications, and authentication events.
- Enhances detection and response capabilities by enabling event correlation across multiple sources.
Prerequisites
The integration of Rapid7 InsightIDR with the Delinea Platform requires the following:
- The Delinea Platform is properly provisioned and configured in your environment. For more information about provisioning and configuring Delinea Platform, see the Delinea Platform documentation.
- You have admin permissions for logging in to the Delinea Platform.
Configuration
To enable the integration between Rapid7 InsightIDR and the Delinea Platform, complete the following steps:
Step 1: Create an Event Source in Rapid7 InsightIDR
To generate a webhook URL in Rapid7 InsightIDR for log ingestion, use the Custom Logs event source.
This process creates a webhook endpoint to which the Delinea Platform will send log data, leveraging the Raw Data ingestion feature described in Rapid7’s SIEM documentation.
1. Log in to your Rapid7 InsightIDR console.
2. In the left navigation menu, select Data Collection, and then click the Event Sources tab.
3. Click Add Event Source.
4. From the available options, choose Custom Logs under the Add Raw Data menu. Depending on your InsightIDR version, you may first select Raw Data, then Custom Logs.
5. In the configuration panel, set the collection method to Webhook.
6. Enter a name for your event source, for example: Delinea Logs Collector.
7. InsightIDR generates a unique webhook URL for this event source. Copy this URL for use in your Delinea Platform configuration.
   Example format: https://<region>.api.insight.rapid7.com/siem/custom/webhook/<unique-id>
8. To create a replacement endpoint, click Generate new webhook URL.
9. (Optional) If you are sending JSON logs and want to map nested arrays or specific fields, specify the JSON Events Key with the correct field name. No special header is required, but both application/json and application/text headers are recognized.
Rapid7 previously supported HTTP(S) ingress endpoints. These have been replaced by the Custom Logs (Webhook) ingestion method.
Step 2: Configure a Webhook in Delinea Platform
1. On the Delinea Platform, search for or navigate to Webhooks. The Webhooks page opens.
2. Select Create Webhook.
3. On the Create Webhook page, complete the following fields:
   - Name: Rapid7 InsightIDR Webhook
   - Target: Paste the webhook URL from InsightIDR.
   - Events: Select which events to send.
   - Headers (optional): If InsightIDR requires authentication or content-type headers, configure them here.
4. Save the webhook configuration.
To learn more about webhooks, see the Delinea Platform Webhooks documentation.
Step 3: Map JSON Fields (Optional)
1. Go back to the webhook you just created and select View Webhook Logs.
2. Select a log and click View Payload to inspect the JSON.
Example payload for a session event:
```json
{
  "AuditEventMessageId": "a6a7e50d-d64b-46db-9963-025a93e55381",
  "EventDateTime": "2025-10-06T16:02:08.9653521+00:00",
  "Action": {
    "Name": "Delinea.Identity.AuthSession.SessionStart",
    "Verb": "SessionStart"
  },
  "Actor": {
    "Name": "xpmregistration-0fb644dd-4a43-4a66-a971-43e6a6053d8f@pm-xpm"
  },
  "Target": null,
  "ClientIPAddress": "10.xxx.4.160",
  "Source": {
    "Network": {
      "IpAddress": "::ffff:127.0.0.1"
    }
  }
}
```
Example payload for a secret event:
```json
{
  "AuditEventMessageId": "b1c2d3e4-5678-90ab-cdef-1234567890ab",
  "EventDateTime": "2025-10-06T16:10:00+00:00",
  "Action": {
    "Name": "SecretViewed",
    "Verb": "View"
  },
  "Actor": {
    "Name": "jdoe"
  },
  "Target": {
    "secretId": "42",
    "secretName": "Database Credentials"
  },
  "ClientIPAddress": "10.xxx.4.160"
}
```
3. Use the following example mapping to ensure that Delinea Platform logs are ingested correctly into Rapid7 InsightIDR:

| InsightIDR Field | Delinea Payload Field | Notes / Transformation |
|---|---|---|
| Event ID | AuditEventMessageId | Unique ID for the event |
| Event Name | Action.Name | The full action string. Example: "Delinea.Identity.AuthSession.SessionStart" |
| User | Actor.Name | The username of the actor performing the action. Example: "xpmregistration-0fb644dd-...@pm-xpm" |
| Source IP | Source.Network.IpAddress | IPv4 or IPv6 |
| Resource | Target.secretName (if exists) | Null for session events |
| Event Time | EventDateTime | The timestamp of the event in UTC. Example: "2025-10-06T16:02:08.9653521+00:00" |
| Client IP | ClientIPAddress | Use the client IP address rather than the local network IP for accurate logging. |
4. Use InsightIDR’s Custom Parsing Rules if needed to handle nested objects or arrays within the Delinea JSON payloads.
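To check the mapping table against a payload copied from View Payload before writing parsing rules, the following added example (not Delinea or Rapid7 code) applies the table locally and normalizes the three fields that need care: a null Target, an IPv4-mapped IPv6 source address, and a 7-digit fractional timestamp. The output keys reuse the table's field names; the list of required fields and the choice to return None for an unparseable or redacted IP are assumptions of this example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# InsightIDR field -> Delinea payload path, as listed in the mapping table.
FIELD_MAP = {"Event ID": "AuditEventMessageId", "Event Name": "Action.Name",
             "User": "Actor.Name", "Source IP": "Source.Network.IpAddress",
             "Resource": "Target.secretName", "Event Time": "EventDateTime",
             "Client IP": "ClientIPAddress"}

def dig(obj, path):
    """Follow a dotted path; a null or missing level (Target: null) gives None."""
    for key in path.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def norm_ip(value):
    """Canonical IP text, unwrapping IPv4-mapped IPv6; None if absent or invalid."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def norm_time(value):
    """UTC ISO 8601 time; longer fractions are cut to 6 digits before parsing."""
    try:
        trimmed = re.sub(r"(\.\d{6})\d+", r"\1", value)
        return datetime.fromisoformat(trimmed).astimezone(timezone.utc).isoformat()
    except (TypeError, ValueError):
        return None

def map_event(payload):
    """Return (mapped fields, names of required fields that came out empty)."""
    out = {field: dig(payload, path) for field, path in FIELD_MAP.items()}
    out["Source IP"] = norm_ip(out["Source IP"])
    out["Client IP"] = norm_ip(out["Client IP"])
    out["Event Time"] = norm_time(out["Event Time"])
    required = ("Event ID", "Event Name", "User", "Event Time")  # assumption
    return out, [name for name in required if not out[name]]

# Constructed sample: the session-event payload above, with its redacted client IP.
SAMPLE = {"AuditEventMessageId": "a6a7e50d-d64b-46db-9963-025a93e55381",
          "EventDateTime": "2025-10-06T16:02:08.9653521+00:00",
          "Action": {"Name": "Delinea.Identity.AuthSession.SessionStart"},
          "Actor": {"Name": "xpmregistration-0fb644dd-4a43-4a66-a971-43e6a6053d8f@pm-xpm"},
          "Target": None, "ClientIPAddress": "10.xxx.4.160",
          "Source": {"Network": {"IpAddress": "::ffff:127.0.0.1"}}}
if __name__ == "__main__":
    print(map_event(SAMPLE))
```

For the sample, Source IP comes out as the loopback address 127.0.0.1 and Client IP as None because the value is redacted, which is the case the table's Client IP note is about.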
Verification
To verify that the integration works:
- Trigger a known event in Delinea.
- Confirm that the event is visible in Raw Logs in InsightIDR.
- Check that field mappings (user, IP, event type, resource, timestamp) display correctly.
Troubleshooting
The following table provides troubleshooting guidance for common issues you may encounter when integrating the Delinea Platform with Rapid7 InsightIDR. Each issue includes its potential cause and recommended solution.
| Issue | Cause | Solution |
|---|---|---|
| No logs in InsightIDR | Incorrect URL | Verify the copied URL is correct. |
| Logs rejected | JSON format mismatch | Ensure payloads match InsightIDR’s expected JSON structure. |
| Authentication failure | Missing API key | Add required authentication headers in the webhook configuration. |
| TLS errors | Internal CA certificates | Import the CA chain or switch to a trusted certificate. |