Rapid7 InsightIDR

Details
Content
Dependencies
Version History

Rapid7 InsightIDR is a Cloud-Based SIEM that detect and respond to security incidents.

Overview

Rapid7 InsightIDR is a cloud-based SIEM that provides real-time alerting and investigation tools to detect and respond to security incidents.
The Rapid7 InsightIDR integration can significantly improve your organization's incident response capabilities and overall security posture.

This integration was integrated and tested with version 1.0.0 of Rapid7 InsightIDR.

What does this pack do?

Fetch investigations automatically from InsightIDR and populate incident fields in Cortex XSOAR.
Retrieve and manage investigations, as well as assign users to investigations.
Create, update, and delete threat indicators within InsightIDR lists.
Execute queries and download logs stored in the InsightIDR instance.

This pack includes the following playbooks:

Rapid7 InsightIDR - Indicator Hunting - queries Rapid7 InsightIDR for various indicators and returns the results.
Rapid7 InsightIDR - Traffic Indicators Hunting - queries Rapid7 InsightIDR for traffic indicators and returns the results.
Rapid7 InsightIDR - HTTP Requests Indicators Hunting - queries Rapid7 InsightIDR for HTTP requests indicators and returns the results.
Rapid7 InsightIDR - File Indicators Hunting - queries Rapid7 InsightIDR for file indicators and returns the results.
Rapid7 InsightIDR - Execution Flow Indicators Hunting - queries Rapid7 InsightIDR for execution flow indicators and returns the results.

Overview

This integration was integrated and tested with version 1.0.0 of Rapid7 InsightIDR.

What does this pack do?

Fetch investigations automatically from InsightIDR and populate incident fields in Cortex.
Retrieve and manage investigations, as well as assign users to investigations.
Create, update, and delete threat indicators within InsightIDR lists.
Execute queries and download logs stored in the InsightIDR instance.

This pack includes the following playbooks:

Rapid7 InsightIDR - Indicator Hunting - queries Rapid7 InsightIDR for various indicators and returns the results.
Rapid7 InsightIDR - Traffic Indicators Hunting - queries Rapid7 InsightIDR for traffic indicators and returns the results.
Rapid7 InsightIDR - HTTP Requests Indicators Hunting - queries Rapid7 InsightIDR for HTTP requests indicators and returns the results.
Rapid7 InsightIDR - File Indicators Hunting - queries Rapid7 InsightIDR for file indicators and returns the results.
Rapid7 InsightIDR - Execution Flow Indicators Hunting - queries Rapid7 InsightIDR for execution flow indicators and returns the results.

Classifiers

Name	Description
Rapid7 InsightIDR - Classifier	Classifies Rapid7 InsightIDR incidents
Rapid7 InsightIDR - Incoming Mapper	Maps incoming InsightIDR alert fields.

Incident Types

Name	Description
Rapid7 InsightIDR Alert

Integrations

Name	Description
Rapid7 InsightIDR	Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. Together, these form Extended Detection and Response (XDR). InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to weed through thousands of data streams.

Layouts

Name	Description
Rapid7 InsightIDR - Layout

Playbooks

Name	Description
Rapid7 InsightIDR - Execution Flow Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for execution flow indicators, including registry values, registry keys, registry hives, commands, processes name, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - Traffic Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for traffic indicators, including URLs, domains, ports, IP addresses, IP ranges (CIDR), email addresses, and geolocations. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - HTTP Requests Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for indicators associated with HTTP requests, including HTTP request methods, user agents, URIs, and Ja3. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - Indicators Hunting	This playbook facilitates threat hunting and detection of IOCs within Rapid7 InsightIDR SIEM logs utilizing four sub-playbooks. The sub-playbooks query Rapid7 InsightIDR SIEM for different indicators including files, traffic, HTTP requests, and execution flows indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: MD5 SHA1 SHA256 IP Address URLDomain Registry Value Registry Key Registry Hives Command Line File Name Process Name HTTP Request Methods User Agent Port Number File Path Geolocation Email Address CIDR URI Ja3 FileType
Rapid7 InsightIDR - File Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file types, and file paths. Note that multiple search values should be separated by commas only (without spaces or any special characters).

Classifiers

Name	Description
Rapid7 InsightIDR - Classifier	Classifies Rapid7 InsightIDR incidents
Rapid7 InsightIDR - Incoming Mapper	Maps incoming InsightIDR alert fields.

Incident Types

Name	Description
Rapid7 InsightIDR Alert

Integrations

Name	Description
Rapid7 InsightIDR	Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. Together, these form Extended Detection and Response (XDR). InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to weed through thousands of data streams.

Playbooks

Name	Description
Rapid7 InsightIDR - Execution Flow Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for execution flow indicators, including registry values, registry keys, registry hives, commands, processes name, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - Indicators Hunting	This playbook facilitates threat hunting and detection of IOCs within Rapid7 InsightIDR SIEM logs utilizing four sub-playbooks. The sub-playbooks query Rapid7 InsightIDR SIEM for different indicators including files, traffic, HTTP requests, and execution flows indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: MD5 SHA1 SHA256 IP Address URLDomain Registry Value Registry Key Registry Hives Command Line File Name Process Name HTTP Request Methods User Agent Port Number File Path Geolocation Email Address CIDR URI Ja3 FileType
Rapid7 InsightIDR - Traffic Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for traffic indicators, including URLs, domains, ports, IP addresses, IP ranges (CIDR), email addresses, and geolocations. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - HTTP Requests Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for indicators associated with HTTP requests, including HTTP request methods, user agents, URIs, and Ja3. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - File Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file types, and file paths. Note that multiple search values should be separated by commas only (without spaces or any special characters).

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (4)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

2.0.9 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.0.8 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.0.7 - R5469292 (October 20, 2025)

Integrations

Added support for the 'Preference Center' feature for selected commands.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40192

Download

2.0.6 - R3368777 (May 11, 2025)

Integrations

Rapid7 InsightIDR

Metadata and documentation improvements.

Related pull requests:
- 39095

Download

2.0.5 - R2989425 (March 26, 2025)

Rapid7 InsightIDR

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

2.0.4 - 2561300 (February 25, 2025)

Playbooks

Rapid7 InsightIDR - File Indicators Hunting

Fixed the playbook flow to ensure that if no indicators are found, the flow will proceed to 'done' rather than 'Save Queries Results'.

Related pull requests:
- 38700

Download

2.0.3 - R2040490 (January 22, 2025)

Playbooks

Rapid7 InsightIDR - HTTP Requests Indicators Hunting

Documentation and metadata improvements.

Rapid7 InsightIDR - Execution Flow Indicators Hunting

Documentation and metadata improvements.

Rapid7 InsightIDR - File Indicators Hunting

Documentation and metadata improvements.

Rapid7 InsightIDR - Traffic Indicators Hunting

Documentation and metadata improvements.

Related pull requests:
- 37687

Download

2.0.2 - 1718057 (November 28, 2024)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

2.0.1 - R1709192 (November 26, 2024)

Integrations

Rapid7 InsightIDR

Fixed an issue where upgrading to version 2.0.0 without reconfiguring an instance caused an error.

Related pull requests:
- 34061

Download

2.0.0 - 934602 (April 4, 2024)

Integrations

Rapid7 InsightIDR

Updated investigation existing commands.
Added new investigation commands.
Updated the Docker image to: demisto/python3:3.10.13.89873.

Related pull requests:
- 33653
- 33399

Download

1.0.29 - 819156 (February 11, 2024)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32816

Download

2.0.9 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.0.8 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.0.7 - R5469292 (October 20, 2025)

Integrations

Rapid7 InsightIDR

Added support for the 'Preference Center' feature for selected commands.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40192

Download

2.0.6 - R3368777 (May 11, 2025)

Integrations

Rapid7 InsightIDR

Metadata and documentation improvements.

Related pull requests:
- 39095

Download

2.0.5 - R2989425 (March 26, 2025)

Rapid7 InsightIDR

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

2.0.4 - 2561300 (February 25, 2025)

Playbooks

Rapid7 InsightIDR - File Indicators Hunting

Fixed the playbook flow to ensure that if no indicators are found, the flow will proceed to 'done' rather than 'Save Queries Results'.

Related pull requests:
- 38700

Download

2.0.3 - R2040490 (January 22, 2025)

Playbooks

Rapid7 InsightIDR - HTTP Requests Indicators Hunting

Documentation and metadata improvements.

Rapid7 InsightIDR - Execution Flow Indicators Hunting

Documentation and metadata improvements.

Rapid7 InsightIDR - File Indicators Hunting

Documentation and metadata improvements.

Rapid7 InsightIDR - Traffic Indicators Hunting

Documentation and metadata improvements.

Related pull requests:
- 37687

Download

2.0.2 - 1718057 (November 28, 2024)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

2.0.1 - R1709192 (November 26, 2024)

Integrations

Rapid7 InsightIDR

Fixed an issue where upgrading to version 2.0.0 without reconfiguring an instance caused an error.

Related pull requests:
- 34061

Download

2.0.0 - 933455 (April 3, 2024)

Integrations

Rapid7 InsightIDR

Updated investigation existing commands.
Added new investigation commands.
Updated the Docker image to: demisto/python3:3.10.13.89873.

Related pull requests:
- 33653
- 33399

Download

1.0.29 - 819156 (February 11, 2024)

Integrations

Rapid7 InsightIDR

Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32816

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	December 29, 2020
Last Release	March 22, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.