
100+ Free InsightIDR Admin Practice Questions

Pass your Rapid7 Certified Administrator — InsightIDR exam on the first try — instant access, no signup required.


2026 Statistics

Key Facts: InsightIDR Admin Exam

  • Exam Questions: ~50 (source: Rapid7)
  • Exam Duration: 90 min (source: Rapid7)
  • Passing Score: 70% (source: Rapid7)
  • Exam Fee: $250 (source: Rapid7)
  • Standard Log Retention: 13 months (source: Rapid7 standard licensing)
  • Certification Validity: 2 years (source: Rapid7)

The InsightIDR Admin exam has approximately 50 questions in 90 minutes with a 70% passing threshold. Key domains: architecture and data collection, UEBA/ABA detection, investigations and incident response, and administration. Hands-on InsightIDR experience is strongly recommended. Exam fee is $250. Certification is valid for 2 years.

Sample InsightIDR Admin Practice Questions

Try these sample questions to test your InsightIDR Admin exam readiness. Each question includes a detailed explanation.

1. What type of security product is Rapid7 InsightIDR primarily classified as?
A. Vulnerability scanner and patch management platform
B. SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) platform
C. Web application firewall and DDoS protection service
D. Identity governance and privileged access management solution
Explanation: InsightIDR is Rapid7's cloud-native SIEM and XDR platform. It collects logs and events from across the environment, applies UEBA (User and Entity Behavior Analytics) and ABA (Attacker Behavior Analytics), and enables detection, investigation, and response to security incidents. The XDR capabilities extend detection across endpoints, network, cloud, and identity.

2. What does UEBA stand for in InsightIDR, and what is its primary purpose?
A. Unified Event Baseline Analytics — correlates events from all sources into a unified timeline
B. User and Entity Behavior Analytics — establishes behavioral baselines and detects anomalies in user and asset activity
C. Unauthorized Entry Behavior Alerting — generates alerts when unauthorized users access systems
D. Universal Endpoint Behavioral Assessment — scans endpoints for malicious software
Explanation: UEBA stands for User and Entity Behavior Analytics. In InsightIDR, UEBA builds behavioral baselines for users and assets over time, then detects deviations from normal behavior — such as unusual login times, atypical data access patterns, or lateral movement — that may indicate compromised accounts or insider threats even when individual events appear benign.

3. What is 'ABA' (Attacker Behavior Analytics) in InsightIDR?
A. A machine learning model that predicts future attack targets based on industry trends
B. Curated detection rules mapped to known attacker TTPs (MITRE ATT&CK) that detect threats even without behavioral baselines
C. A report type showing the history of past successful attacks on the organization
D. An automated penetration testing module within InsightIDR
Explanation: Attacker Behavior Analytics (ABA) in InsightIDR consists of Rapid7's curated detection rules that are mapped to known adversary techniques from MITRE ATT&CK and Rapid7's threat intelligence. ABA detections fire based on pattern matching against attacker TTPs rather than requiring individual user baselines, enabling detection of sophisticated attack techniques from day one.

4. What are 'Log Sources' in InsightIDR?
A. External threat intelligence feeds that supplement InsightIDR detections
B. Configured connections to systems, applications, and devices that send event data into InsightIDR for analysis
C. The physical servers where InsightIDR stores compressed log data
D. Read-only integrations with third-party SIEM tools for data sharing
Explanation: Log Sources in InsightIDR are configured integrations with data-producing systems — firewalls, Active Directory, endpoint agents, VPN systems, cloud services, DNS servers, and more. Each Log Source defines how InsightIDR receives, parses, and processes event data from that system type. Comprehensive log source coverage is essential for complete threat detection.

5. What is an InsightIDR 'Collector' and what role does it play in the architecture?
A. A cloud service that aggregates threat intelligence from external feeds
B. An on-premise software component that receives log data from local sources and forwards it securely to the InsightIDR cloud
C. A query engine for searching stored log data in the SIEM
D. A hardware appliance that stores raw log data for compliance retention
Explanation: The InsightIDR Collector is an on-premise software component (deployed as a VM or on a Windows/Linux server) that acts as a collection proxy. It receives log data from local systems (via syslog, WMI, JDBC, etc.), normalizes it, and forwards it securely to the InsightIDR cloud platform for analysis. Collectors bridge on-premise log sources to the cloud SIEM.

6. What is the InsightIDR 'Insight Network Sensor' used for?
A. Performing active vulnerability scans on network devices
B. Passively monitoring network traffic for NTA (Network Traffic Analysis) to detect lateral movement and DNS-based threats
C. Providing Wi-Fi spectrum analysis for rogue access point detection
D. Enforcing network segmentation policies based on user identity
Explanation: The InsightIDR Insight Network Sensor (formerly the Insight Network Sensor / Honeypot appliance) performs passive Network Traffic Analysis (NTA), monitoring network flows for indicators of lateral movement, C2 communication, DNS anomalies, and other network-based threats. It sends metadata (not full packets) to InsightIDR for correlation with other events.

7. In InsightIDR, what is an 'Investigation'?
A. A scheduled vulnerability scan initiated by the security team
B. A tracked security incident in InsightIDR that groups related alerts, evidence, and response actions with status and assignment
C. A threat hunt query using the InsightIDR log search interface
D. A compliance audit record exported for regulatory review
Explanation: An Investigation in InsightIDR is the platform's incident management unit. When alerts are generated, analysts can create or be auto-assigned an Investigation that groups correlated alerts, associated timeline events, evidence (logs, user activity, endpoints), analyst notes, and response actions. Investigations have status (Open, Investigating, Closed), priority, and assignee.

8. What is InsightIDR's 'Threat Library' and how does it benefit security teams?
A. A searchable database of all CVEs relevant to the organization's asset inventory
B. Rapid7's curated collection of detection rules mapped to MITRE ATT&CK that power automated threat detections in InsightIDR
C. A repository of sample phishing emails for security awareness training
D. A library of pre-built SOAR playbooks for automated incident response
Explanation: The InsightIDR Threat Library contains Rapid7's curated set of detection rules (ATB and ABA) that power automated threat detection. Each rule is mapped to MITRE ATT&CK tactics and techniques, includes Rapid7's risk rating, and is continuously updated as new adversary techniques emerge. Teams benefit from Rapid7's threat research without building every detection rule from scratch.

9. Which InsightIDR feature provides a visual representation of how an attacker moved through the environment during an incident?
A. The Asset Inventory page
B. The Attack Map and Investigation Timeline
C. The Log Search query results
D. The UEBA behavioral baseline graph
Explanation: InsightIDR's Attack Map (within an Investigation's timeline) visually shows lateral movement by mapping how compromised accounts or assets connected to other systems during an incident. The Investigation Timeline stitches together related events in chronological order, providing analysts a narrative of the attack chain — from initial access through persistence and lateral movement.

10. What is an InsightIDR 'Hunt' and how does it differ from an Investigation?
A. Hunts are automated; Investigations are manual — there is no other difference
B. A Hunt is a proactive analyst-driven search for undetected threats using log queries; an Investigation is a reactive tracked record of a detected alert or incident
C. Hunts scan for vulnerabilities; Investigations analyze detected incidents
D. Hunts are available only to Rapid7 MDR analysts; Investigations are available to all customers
Explanation: Threat Hunting in InsightIDR is a proactive, analyst-driven activity where analysts formulate hypotheses and search log data for indicators of compromise that may not have triggered automated alerts. Investigations are reactive — they are created in response to detected alerts. Hunts can lead to new Investigations if undetected threats are confirmed.

About the InsightIDR Admin Exam

The Rapid7 Certified Administrator — InsightIDR certification validates expertise in deploying and operating InsightIDR, Rapid7's cloud-native SIEM and XDR platform. It covers the Collector and network sensor architecture, log source configuration, UEBA behavioral analytics, ABA detection rules, Threat Library management, investigation workflows, threat hunting with LEQL, endpoint containment, and compliance reporting.

  • Questions: 50 scored questions
  • Time Limit: 90 minutes
  • Passing Score: 70%
  • Exam Fee: $250 (Rapid7)

InsightIDR Admin Exam Content Outline

  • ~25% Architecture and Data Collection: Cloud SIEM/XDR architecture, Collectors, Network Sensor, Insight Agent, log source types (syslog, WMI, WEC, API), log normalization, retention
  • ~30% Detection and Analytics: UEBA behavioral baselines, ABA Attacker Behavior Analytics, Threat Library (MITRE ATT&CK), honeypots, custom alert rules, User Risk scoring, threat intelligence
  • ~25% Investigations and Incident Response: Investigation lifecycle (Open/Investigating/Closed), User Timeline, Attack Map, LEQL log search, alert prioritization, endpoint containment, automated containment
  • ~20% Administration and Reporting: Dashboards, compliance reports (PCI/SOC 2), log source health monitoring, RBAC, user management, MDR integration

How to Pass the InsightIDR Admin Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 50 questions
  • Time limit: 90 minutes
  • Exam fee: $250

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

InsightIDR Admin Study Tips from Top Performers

1. Know the role of each InsightIDR component: Collector (log aggregation), Network Sensor (NTA), Insight Agent (endpoint telemetry)
2. Understand the difference between UEBA (behavioral baseline anomalies) and ABA (known attacker TTP pattern matching)
3. Know key Windows Event IDs for authentication: 4624, 4625, 4768, 4769, 4740 — and what each indicates
4. Understand LEQL syntax for common threat hunting queries — filtering by user, IP, event type
5. Know the Investigation lifecycle and what each status means (Open, Investigating, Closed)
6. Understand how honeypots generate high-confidence alerts with very low false positive rates
7. Know the difference between alert confidence levels (High vs. Low) and how they affect triage priority
8. Understand MITRE ATT&CK tactics and map them to common detection scenarios

Frequently Asked Questions

What is the InsightIDR Admin certification?

The Rapid7 Certified Administrator — InsightIDR validates expertise in operating InsightIDR as a SIEM and XDR platform. It covers Collector deployment, log source configuration for diverse systems (AD, firewall, cloud), UEBA behavioral detection, ABA threat detection rules, investigation workflows, LEQL log search, endpoint containment, and compliance reporting.

Is InsightIDR a SIEM or XDR?

InsightIDR is both — it is a cloud-native SIEM (Security Information and Event Management) platform that also provides XDR (Extended Detection and Response) capabilities. As a SIEM, it collects and analyzes logs from across the environment. As an XDR, it correlates detections from endpoints (via Insight Agent), network (via Network Sensor), cloud, and identity sources for coordinated detection and response across all attack surfaces.

What is LEQL and how is it used?

LEQL (Log Entry Query Language) is InsightIDR's query language for searching and analyzing stored log data. It uses key:value syntax with operators to filter events, aggregate statistics, and build custom detection logic. Analysts use LEQL in Log Search for threat hunting (proactively searching for indicators of compromise) and in custom alert rule creation. Example: `where(destination_account = administrator) groupby(source_ip)` to find which IPs are accessing admin accounts.
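As an added illustration (not from this page and not Rapid7's LEQL engine), the small Python evaluator below mimics the `where(...) groupby(...)` shape of the query above and runs it over constructed Windows authentication events whose `event_id` values follow the IDs from the study tips (4624, 4625, 4740); the field names `destination_account`, `source_ip` and `event_id`, and the `AND` support, are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample events (not real InsightIDR data). Field names are an
# assumption modelled on the page's example query; event_id values are the
# Windows logon IDs listed in the study tips (4624 success, 4625 failure,
# 4740 account locked out).
SAMPLE_EVENTS = [
    {"event_id": 4624, "destination_account": "administrator", "source_ip": "10.0.0.5"},
    {"event_id": 4625, "destination_account": "administrator", "source_ip": "10.0.0.9"},
    {"event_id": 4625, "destination_account": "administrator", "source_ip": "10.0.0.9"},
    {"event_id": 4740, "destination_account": "administrator", "source_ip": "10.0.0.9"},
    {"event_id": 4624, "destination_account": "jsmith", "source_ip": "10.0.0.7"},
]

# Accepted shape (a simplification of LEQL, not the real grammar):
#   where(<key> = <value> [AND <key> = <value> ...]) groupby(<key>)
QUERY_RE = re.compile(r"where\((?P<cond>.+?)\)\s*groupby\((?P<group>\w+)\)")
TERM_RE = re.compile(r'^(?P<key>\w+)\s*=\s*"?(?P<value>[^"]+?)"?$')


def parse_query(query):
    """Split a where(...) groupby(...) query into ([(key, value), ...], group_key)."""
    m = QUERY_RE.fullmatch(query.strip())
    if not m:
        raise ValueError(f"unsupported query shape: {query!r}")
    terms = []
    for raw in re.split(r"\s+AND\s+", m.group("cond").strip()):
        t = TERM_RE.match(raw.strip())
        if not t:
            raise ValueError(f"unsupported condition: {raw!r}")
        terms.append((t.group("key"), t.group("value")))
    return terms, m.group("group")


def run_query(query, events):
    """Return {group_value: count} for events matching every where() term."""
    terms, group_key = parse_query(query)
    matched = [e for e in events if all(str(e.get(k)) == v for k, v in terms)]
    return dict(Counter(str(e.get(group_key)) for e in matched))


if __name__ == "__main__":
    # The page's example: which source IPs are touching the administrator account?
    print(run_query("where(destination_account = administrator) groupby(source_ip)", SAMPLE_EVENTS))
    # Narrowed to failed logons (4625), the usual starting point for a brute-force hunt.
    print(run_query("where(destination_account = administrator AND event_id = 4625) groupby(source_ip)", SAMPLE_EVENTS))
```

The first query counts every event per source IP; adding the `event_id = 4625` term shows why filtering on the event type matters when turning a hunt into an alert rule.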

How long is InsightIDR log data retained?

InsightIDR's standard licensing typically includes 13 months of hot log retention — all logs are searchable and available for LEQL queries. Extended retention options are available for compliance programs requiring longer data availability. Since InsightIDR is cloud-native, Rapid7 manages the storage infrastructure — customers do not need to plan their own log storage capacity.

How does InsightIDR differ from a traditional on-premise SIEM?

InsightIDR is cloud-native with Rapid7-managed infrastructure, built-in UEBA and ABA detection content, automatic Threat Library updates, and predictable subscription pricing. Traditional SIEMs (Splunk Enterprise, IBM QRadar on-premise) require customer-managed hardware, significant ongoing rule content development, and separate UEBA tools. InsightIDR reduces operational overhead while providing advanced detection capabilities out of the box.