Rapid7 InsightIDR

Details
Content
Dependencies
Version History

Rapid7 InsightIDR is a Cloud-Based SIEM that detect and respond to security incidents.

Overview

Rapid7 InsightIDR is a cloud-based SIEM that provides real-time alerting and investigation tools to detect and respond to security incidents.
The Rapid7 InsightIDR integration can significantly improve your organization's incident response capabilities and overall security posture.

This integration was integrated and tested with version 1.0.0 of Rapid7 InsightIDR.

What does this pack do?

Fetch investigations automatically from InsightIDR and populate incident fields in Cortex XSOAR.
Retrieve and manage investigations, as well as assign users to investigations.
Create, update, and delete threat indicators within InsightIDR lists.
Execute queries and download logs stored in the InsightIDR instance.

This pack includes the following playbooks:

Rapid7 InsightIDR - Indicator Hunting - queries Rapid7 InsightIDR for various indicators and returns the results.
Rapid7 InsightIDR - Traffic Indicators Hunting - queries Rapid7 InsightIDR for traffic indicators and returns the results.
Rapid7 InsightIDR - HTTP Requests Indicators Hunting - queries Rapid7 InsightIDR for HTTP requests indicators and returns the results.
Rapid7 InsightIDR - File Indicators Hunting - queries Rapid7 InsightIDR for file indicators and returns the results.
Rapid7 InsightIDR - Execution Flow Indicators Hunting - queries Rapid7 InsightIDR for execution flow indicators and returns the results.

Overview

This integration was integrated and tested with version 1.0.0 of Rapid7 InsightIDR.

What does this pack do?

Fetch investigations automatically from InsightIDR and populate incident fields in Cortex XSIAM.
Retrieve and manage investigations, as well as assign users to investigations.
Create, update, and delete threat indicators within InsightIDR lists.
Execute queries and download logs stored in the InsightIDR instance.

This pack includes the following playbooks:

Rapid7 InsightIDR - Indicator Hunting - queries Rapid7 InsightIDR for various indicators and returns the results.
Rapid7 InsightIDR - Traffic Indicators Hunting - queries Rapid7 InsightIDR for traffic indicators and returns the results.
Rapid7 InsightIDR - HTTP Requests Indicators Hunting - queries Rapid7 InsightIDR for HTTP requests indicators and returns the results.
Rapid7 InsightIDR - File Indicators Hunting - queries Rapid7 InsightIDR for file indicators and returns the results.
Rapid7 InsightIDR - Execution Flow Indicators Hunting - queries Rapid7 InsightIDR for execution flow indicators and returns the results.

Classifiers

Name	Description
Rapid7 InsightIDR - Classifier	Classifies Rapid7 InsightIDR incidents
Rapid7 InsightIDR - Incoming Mapper	Maps incoming InsightIDR alert fields.

Incident Types

Name	Description
Rapid7 InsightIDR Alert

Integrations

Name	Description
Rapid7 InsightIDR	Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. Together, these form Extended Detection and Response (XDR). InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to weed through thousands of data streams.

Layouts

Name	Description
Rapid7 InsightIDR - Layout

Playbooks

Name	Description
Rapid7 InsightIDR - HTTP Requests Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for indicators associated with HTTP requests, including HTTP request methods, user agents, URIs, and Ja3. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - File Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file types, and file paths. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - Indicators Hunting	This playbook facilitates threat hunting and detection of IOCs within Rapid7 InsightIDR SIEM logs utilizing four sub-playbooks. The sub-playbooks query Rapid7 InsightIDR SIEM for different indicators including files, traffic, HTTP requests, and execution flows indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: MD5 SHA1 SHA256 IP Address URLDomain Registry Value Registry Key Registry Hives Command Line File Name Process Name HTTP Request Methods User Agent Port Number File Path Geolocation Email Address CIDR URI Ja3 FileType
Rapid7 InsightIDR - Execution Flow Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for execution flow indicators, including registry values, registry keys, registry hives, commands, processes name, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - Traffic Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for traffic indicators, including URLs, domains, ports, IP addresses, IP ranges (CIDR), email addresses, and geolocations. Note that multiple search values should be separated by commas only (without spaces or any special characters).

Classifiers

Name	Description
Rapid7 InsightIDR - Classifier	Classifies Rapid7 InsightIDR incidents
Rapid7 InsightIDR - Incoming Mapper	Maps incoming InsightIDR alert fields.

Incident Types

Name	Description
Rapid7 InsightIDR Alert

Integrations

Name	Description
Rapid7 InsightIDR	Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. Together, these form Extended Detection and Response (XDR). InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to weed through thousands of data streams.

Playbooks

Name	Description
Rapid7 InsightIDR - File Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file types, and file paths. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - Traffic Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for traffic indicators, including URLs, domains, ports, IP addresses, IP ranges (CIDR), email addresses, and geolocations. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - Execution Flow Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for execution flow indicators, including registry values, registry keys, registry hives, commands, processes name, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - HTTP Requests Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for indicators associated with HTTP requests, including HTTP request methods, user agents, URIs, and Ja3. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - Indicators Hunting	This playbook facilitates threat hunting and detection of IOCs within Rapid7 InsightIDR SIEM logs utilizing four sub-playbooks. The sub-playbooks query Rapid7 InsightIDR SIEM for different indicators including files, traffic, HTTP requests, and execution flows indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: MD5 SHA1 SHA256 IP Address URLDomain Registry Value Registry Key Registry Hives Command Line File Name Process Name HTTP Request Methods User Agent Port Number File Path Geolocation Email Address CIDR URI Ja3 FileType

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

2.0.1 - 970211 (April 21, 2024)

Integrations

Fixed an issue where upgrading to version 2.0.0 without reconfiguring an instance caused an error.

Related pull requests:
- 34061

Download

2.0.0 - 934602 (April 4, 2024)

Integrations

Rapid7 InsightIDR

Updated investigation existing commands.
Added new investigation commands.
Updated the Docker image to: demisto/python3:3.10.13.89873.

Related pull requests:
- 33653
- 33399

Download

1.0.29 - 819156 (February 11, 2024)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32816

Download

1.0.28 - 762016 (January 14, 2024)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32183

Download

1.0.27 - 722180 (December 28, 2023)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31828

Download

1.0.26 - R6592021 (October 13, 2023)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.13.73190.

Related pull requests:
- 29597

Download

1.0.25 - 6139598 (August 24, 2023)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 29188

Download

1.0.24 - 5987442 (August 8, 2023)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.12.67728.

Related pull requests:
- 28833

Download

1.0.23 - 5847528 (July 23, 2023)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.12.65389.

Related pull requests:
- 28410

Download

1.0.22 - R5801668 (July 18, 2023)

Integrations

Rapid7 InsightIDR

You can now use credentials when configuring the InsightIDR API key field.

Related pull requests:
- 27697

Download

1.0.21 - 5610566 (June 25, 2023)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27689

Download

1.0.20 - 5447040 (June 5, 2023)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27215

Download

1.0.19 - 5297274 (May 18, 2023)

Integrations

Rapid7 InsightIDR

Fixed an issue in the following commands when multiple pages are returned pagination didn't work and potentially missing returned events:
rapid7-insight-idr-query-log-set
rapid7-insight-idr-query-log
Updated the Docker image to: demisto/python3:3.10.11.59070.

Related pull requests:
- 26205

Download

1.0.18 - R5170573 (May 2, 2023)

Playbooks

Rapid7 InsightIDR - Execution Flow Indicators Hunting

Documentation and metadata improvements.

Rapid7 InsightIDR - File Indicators Hunting

Documentation and metadata improvements.

Rapid7 InsightIDR - HTTP Requests Indicators Hunting

Documentation and metadata improvements.

Rapid7 InsightIDR - Traffic Indicators Hunting

Documentation and metadata improvements.

Related pull requests:
- 23716

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	December 29, 2020
Last Release	April 21, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.