Rapid7 InsightIDR is an intruder analytics solution that gives you the confidence to detect and investigate security incidents faster.
This article provides information about the Rapid7 InsightIDR connector, which facilitates automated interactions, using the Rapid7 InsightIDR API and FortiSOAR™ playbooks. Add the Rapid7 InsightIDR connector as a step in FortiSOAR™ playbooks and perform automated operations, such as updating the status of a specified investigation or adding indicators to a specified threat.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling investigations from Rapid7 InsightIDR. For more information, see the Data Ingestion Support section.
Connector Version: 2.1.0
FortiSOAR™ Version Tested on: 7.4.3-3294
Rapid7 InsightIDR Version Tested on: Cloud Setup
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Rapid7 InsightIDR Connector in version 2.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-rapid7-insightidr
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Rapid7 InsightIDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Region Code | The region code for the region that hosts your data. In the URL, https://us3.idr.insight.rapid7.com, the region code is us3. |
| API Key | API key configured for your account for using the Rapid7 InsightIDR API. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Investigation List | Retrieves a list of investigations from the Rapid7 InsightIDR API based on the status, source, priority, and other filter criteria that you have specified. | get_investigations Investigation |
| Close Investigations | Closes all investigations on the Rapid7 InsightIDR API based on the source, from, to and other filter criteria that you have specified. The Rapid7 InsightIDR API returns the count of investigations that were closed and a list of their IDs. |
close_investigation Investigation |
| Add Indicators to Threat | Adds threat indicators to the threat, using the Rapid7 InsightIDR API, based on the threat key and indicators that you have specified. | add_indicators Investigation |
| Replace Indicators for Threat | Replaces threat indicators in the threat, using the Rapid7 InsightIDR API, based on the threat key and indicators that you have specified. | replace_indicators Investigation |
| Create investigation | Create an investigation based on the title, status, priority, and other input parameters that you have specified. | create_investigation Investigation |
| Get Investigation Details | Retrieves investigation details based on the investigation ID and other input parameters that you have specified. | get_investigations_details Investigation |
| Get Alerts Associated With Investigation | Retrieves a detailed list of alerts associated with the specified investigation ID. The listed alerts are sorted in descending order of the alert's created time. | get_alerts_associated_with_investigation Investigation |
| Search Investigations | Retrieves detailed list of investigations based on the search criteria, sorting order, and other input parameters that you have specified. | search_investigations Investigation |
| Create Comment | Creates a comment using the Rapid7 InsightIDR API based on the target, comment body, and other input parameters that you have specified. The target determines where the comment appears within Rapid7 InsightIDR. Only certain types of RRNs are permitted as targets, such as investigation RRNs. | create_comment Investigation |
| Get Comments | Retrieves a detailed list of comments based on the target and other input parameters that yu have specified. For example, this API allows you to list all comments on an investigation by passing an investigation's RRN as the target value. | get_comments Investigation |
| Delete Comment | Deletes a comment by using an RRN that you have specified. The RRN determines which comment is deleted. Only the creator of a comment can delete it. | delete_comment Investigation |
NOTE: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Status | Specify comma-separated investigation statuses to include in the result. For example: OPEN,INVESTIGATING,CLOSED |
| Source | Specify comma-separated investigation sources to include in the result. For example: USER,ALERT |
| Priority | Specify comma-separated investigation priorities to include in the result. For example: UNSPECIFIED,LOW,MEDIUM,HIGH,CRITICAL |
| Assignee Email | Specify user's email address. Only investigations assigned to the specified user are included. |
| Start Time | Specify a start time to retrieve investigations whose created time is after the specified date and time. |
| End Time | Specify an end time to retrieve investigations whose created time is before the specified date and time. |
| Sort | Specify the sorting criteria for the retrieved investigations and specify the sort direction separated by a comma.
The retrieved investigations can be sorted as per the following values:
The retrieved investigations can be sorted as per the following directions:
For example: |
| Multi Customer | Select whether the requester has multi-customer access. If selected, i.e. set to true, a user API key must be provided. Investigations are returned from all organizations to which the calling user has access. |
| Tags | Specify comma-separated tags to include in the result. Only investigations that have all the specified tags are included. For example: Incident,Security Test,Reported to Customer,Potentially |
| Page Number | Specify the page number from the 0-based index of the results page from which to retrieve data. |
| Records Per Page | Specify the maximum number of results that this operation should return per page. By default, this is set to 20 and the maximum supported value is 100. |
| Get All Records | Select this checkbox to retrieve all investigation records. Selecting this option ignores the "Page Number" and "Records Per Page" parameters. By default, this option is selected, i.e. it is set to 'True'. |
The output contains the following populated JSON schema:
{
"data": [
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
],
"metadata": {
"index": "",
"size": "",
"total_pages": "",
"total_data": ""
}
}
| Parameter | Description |
|---|---|
| Source | Specify the source of the investigation that you want to close using the Rapid7 InsightIDR API. This operation closes investigations only from this source. You can specify any of the following:
|
| From | Specify a start time to close investigations whose created time is after the specified date and time. |
| To | Specify an end time to close investigations whose created time is before the specified date and time. |
| Alert Type | Specify the category of the alert to be closed.
NOTE: This field is mandatory IF you have selected Source as |
| Disposition | (Optional) Specify the disposition to be assigned to the investigation. Defaults to NOT_APPLICABLE. The following dispositions can be assigned: UNDECIDED, BENIGN, MALICIOUS, NOT_APPLICABLE |
| Detection Rule RNN | (Optional) Specify the RRN of the detection rule. Only investigations that are associated with this detection rule will be closed. If a detection rule RRN is specified, then alert_type must be 'Attacker Behavior Detected'. |
| Max Investigations to Close | (Optional) Specify the maximum number of investigations to close using this operation. If this parameter is not specified, all the investigations based on your filter criteria are closed. The minimum value set for this parameter is 0.IMPORTANT: Recommended not to specify any value in the Max Investigations to Close parameter since the value specified in this parameter must be greater than or equal to the number of results fetched by this operation. If you specify a value lesser than the number of results fetched, then this operation will fail. |
The output contains the following populated JSON schema:
{
"ids": [],
"num_closed": ""
}
| Parameter | Description |
|---|---|
| Threat Key | Specify the threat key to which to add indicators using the Rapid7 InsightIDR API. |
| Indicators to Add | Select the input format of the indicators to be added to the specified threat. You can select from one of the following options:
|
Following is an example of adding indicators using STIX XML:
<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:example="http://example.com/"
xsi:schemaLocation=
"http://stix.mitre.org/stix-1 …/stix_core.xsd
http://stix.mitre.org/Indicator-2 …/indicator.xsd
http://cybox.mitre.org/default_vocabularies-2 …/cybox/cybox_default_vocabularies.xsd
http://stix.mitre.org/default_vocabularies-1 …/stix_default_vocabularies.xsd
http://cybox.mitre.org/objects#DomainNameObject-1 …/cybox/objects/Domain_Name_Object.xsd"
id="example:STIXPackage-f61cd874-494d-4194-a3e6-6b487dbb6d6e"
timestamp="2014-05-08T09:00:00.000000Z"
version="1.1.1">
stix:STIX_Header
stix:TitleExample watchlist that contains domain information.</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>
</stix:STIX_Header>
stix:Indicators
<stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-2e20c5b2-56fa-46cd-9662-8f199c69d2c9" timestamp="2014-05-08T09:00:00.000000Z">
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
indicator:DescriptionSample domain Indicator for this watchlist</indicator:Description>
<indicator:Observable id="example:Observable-87c9a5bb-d005-4b3e-8081-99f720fad62b">
<cybox:Object id="example:Object-12c760ba-cd2c-4f5d-a37d-18212eac7928">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
<DomainNameObj:Value condition="Equals" apply_condition="ANY">malicious1.example.com##comma##malicious2.example.com##comma##malicious3.example.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Observable id="NCCIC:Observable-fb5606ea-23f0-472d-babf-8b7e89571881">
<cybox:Object id="NCCIC:Object-a105a51a-c324-11e7-b25d-64006a91c899">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_spoofed="false">
<AddressObj:Address_Value condition="Equals">185.134.98.141</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
</stix:Indicator>
</stix:Indicators>
</stix:STIX_Package>
Output
The output contains the following populated JSON schema:
{
"threat": {
"indicator_count": "",
"published": "",
"note": "",
"name": ""
},
"rejected_indicators": []
}
| Parameter | Description |
|---|---|
| Threat Key | Specify the threat key in which to replace indicators using the Rapid7 InsightIDR API. |
| Indicators to Add | Select the input format of the indicators to be replaced in the specified threat. You can select from one of the following options:
|
The output contains the following populated JSON schema:
{
"threat": {
"indicator_count": "",
"published": "",
"note": "",
"name": ""
},
"rejected_indicators": []
}
| Parameter | Description |
|---|---|
| Title | Specify the name of the investigation that you want to create. |
| Status | Specify the status of the investigation that you want to create. For example: OPEN,CLOSED,INVESTIGATING. Defaults to OPEN. |
| Priority | Specify the priority of the investigation that you want to create. For example: UNSPECIFIED,LOW,MEDIUM,HIGH,CRITICAL. Defaults to UNSPECIFIED. |
| Disposition | Specify the disposition of the investigation that you want to create. For example: UNDECIDED,BENIGN,MALICIOUS,NOT_APPLICABLE. Defaults to UNDECIDED. |
| Assignee Email | Specify the email address of the user to whom to assign this investigation. Use the email address used to log in to the insight platform. |
The output contains the following populated JSON schema:
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
| Parameter | Description |
|---|---|
| Investigation ID | Specify the ID or RRN of the investigation that you want to update. |
| Multi Customer | Select whether the requester has multi-customer access. If selected, i.e. set to true, the ID of the investigation must be in the RRN format, the region of the RRN must match the region of the endpoint and a user API key must be provided. |
| Title | Specify the name of the investigation that you want to update. |
| Status | Specify the status of the investigation that you want to update. For example: OPEN,CLOSED,INVESTIGATING. |
| Priority | Specify the priority of the investigation that you want to update. For example: UNSPECIFIED,LOW,MEDIUM,HIGH,CRITICAL. |
| Disposition | Specify the disposition of the investigation that you want to update. For example: UNDECIDED,BENIGN,MALICIOUS,NOT_APPLICABLE. |
| Assignee Email | Specify the email address of the user to whom to assign this investigation. Use the email address used to log in to the insight platform. |
| Threat Command Close Reason | Specify the Threat Command reason for closing. This parameter is applicable only if the investigation being closed has an associated alert in Threat Command. The Close Reason description depends on the Threat Command's alert type. For example: ProblemSolved, InformationalOnly, ProblemWeAreAlreadyAwareOf, NotRelatedToMyCompany, FalsePositive, LegitimateApplication/Profile, CompanyOwnedDomain, or Other. |
| Threat Command Free Text | Specify any additional information when closing a Threat Command alert. |
The output contains the following populated JSON schema:
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
| Parameter | Description |
|---|---|
| Investigation ID | Specify an ID or RRN of the investigation to get investigation details. |
| Multi Customer | Select whether the requester has multi-customer access. If selected, i.e. set to true, the region of the RRN must match the region of the endpoint and a user API key must be provided. |
The output contains the following populated JSON schema:
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
| Parameter | Description |
|---|---|
| Investigation ID | Specify an ID or RRN of the investigation to get its associated alerts. |
| Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say alerts starting from the 10th alert. By default, this is set as 0 |
| Records Per Page | (Optional) Specify the maximum number of results that this operation should return per page. By default, this is set to 20 and the maximum supported value is 100. |
| Multi Customer | (Optional) Select whether the requester has multi-customer access. If selected, i.e. set to true, the region of the RRN must match the region of the endpoint and a user API key must be provided. |
| Get All Records | Select this checkbox to retrieve all alert records associated with the investigation. Selecting this option ignores the "Offset" and "Records Per Page" parameters. By default, this option is selected, i.e. it is set to 'True'. |
The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"title": "",
"alert_type": "",
"alert_type_description": "",
"created_time": "",
"first_event_time": "",
"latest_event_time": "",
"alert_source": "",
"detection_rule_rrn": {
"rule_name": "",
"rule_rrn": ""
}
}
],
"metadata": {
"index": "",
"size": "",
"total_pages": "",
"total_data": ""
}
}
| Parameter | Description |
|---|---|
| Search | Specify the search criteria to filter the records. All operators are case-insensitive when operating on strings. For more information refer to https://help.rapid7.com/insightidr/en-us/api/v2/docs.html#tag/Investigations/operation/searchInvestigations. |
| Sort | Specify a sorting criteria to filter the records. For more information refer to https://help.rapid7.com/insightidr/en-us/api/v2/docs.html#tag/Investigations/operation/searchInvestigations |
| Start Time | Specify a start time to search investigations whose created time is after the specified date and time. Defaults to 28 days ago. |
| End Time | Specify an end time to search investigations whose created time is before the specified date and time. Defaults to the current time. |
| Page Number | Specify the page number from the 0-based index of the results page from which to retrieve data. |
| Records Per Page | Specify the maximum number of results that this operation should return per page. By default, this is set to 20 and the maximum supported value is 100. |
| Multi Customer | Select whether the requester has multi-customer access. If selected, i.e. set to true, the region of the RRN must match the region of the endpoint and a user API key must be provided. |
The output contains the following populated JSON schema:
{
"data": [
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
],
"metadata": {
"index": "",
"size": "",
"total_pages": "",
"total_data": ""
}
}
| Parameter | Description |
|---|---|
| Target | Specify the ID, or the RRN of the investigation which determines where the comment appears within InsightIDR. |
| Body | Specify a description for the comment. |
| Attachments | Specify an array of attachment RRNs to associate with the comment. |
The output contains the following populated JSON schema:
{
"created_time": "",
"rrn": "",
"target": "",
"creator": {
"type": "",
"name": ""
},
"body": "",
"visibility": "",
"attachments": [
{
"rrn": "",
"creator": {
"type": "",
"name": ""
},
"created_time": "",
"file_name": "",
"mime_type": "",
"size": "",
"scan_status": ""
}
]
}
| Parameter | Description |
|---|---|
| Target | Specify the ID or the RRN of the investigation to return comments associated with it. |
| Page Number | Specify the page number from the 0-based index of the results page from which to retrieve data. |
| Records Per Page | Specify the maximum number of results that this operation should return per page. By default, this is set to 20 and the maximum supported value is 100. |
The output contains the following populated JSON schema:
{
"data": [
{
"created_time": "",
"rrn": "",
"target": "",
"creator": {
"type": "",
"name": ""
},
"body": "",
"visibility": "",
"attachments": [
{
"rrn": "",
"creator": {
"type": "",
"name": ""
},
"created_time": "",
"file_name": "",
"mime_type": "",
"size": "",
"scan_status": ""
}
]
}
],
"metadata": {
"index": "",
"size": "",
"total_pages": "",
"total_data": ""
}
}
| Parameter | Description |
|---|---|
| RRN | Specify the RRN of the comment to delete.
NOTE: Use the Get Comments action to get RRN. For example: |
The output contains the following populated JSON schema:
{
"message": ""
}
The Sample - Rapid7 InsightIDR - 2.1.0 playbook collection comes bundled with the Rapid7 InsightIDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Rapid7 InsightIDR connector.
NOTE: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling investigations from Rapid7 InsightIDR. Currently, "investigations" in Rapid7 InsightIDR are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Rapid7 InsightIDR "Investigations" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Rapid7 InsightIDR into FortiSOAR™. It also lets you pull some sample data from Rapid7 InsightIDR using which you can define the mapping of data between Rapid7 InsightIDR and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Rapid7 InsightIDR investigation.
On the Field Mapping screen, map the fields of a Rapid7 InsightIDR investigation to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the title parameter of a Rapid7 InsightIDR investigation to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the title field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Rapid7 InsightIDR, so that the content gets pulled from the Rapid7 InsightIDR integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Rapid7 InsightIDR every morning at 5 am, click Daily, and in the hour box enter 5 , and in the minute box enter 0:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
Rapid7 InsightIDR is an intruder analytics solution that gives you the confidence to detect and investigate security incidents faster.
This article provides information about the Rapid7 InsightIDR connector, which facilitates automated interactions, using the Rapid7 InsightIDR API and FortiSOAR™ playbooks. Add the Rapid7 InsightIDR connector as a step in FortiSOAR™ playbooks and perform automated operations, such as updating the status of a specified investigation or adding indicators to a specified threat.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling investigations from Rapid7 InsightIDR. For more information, see the Data Ingestion Support section.
Connector Version: 2.1.0
FortiSOAR™ Version Tested on: 7.4.3-3294
Rapid7 InsightIDR Version Tested on: Cloud Setup
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Rapid7 InsightIDR Connector in version 2.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-rapid7-insightidr
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Rapid7 InsightIDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Region Code | The region code for the region that hosts your data. In the URL, https://us3.idr.insight.rapid7.com, the region code is us3. |
| API Key | API key configured for your account for using the Rapid7 InsightIDR API. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Investigation List | Retrieves a list of investigations from the Rapid7 InsightIDR API based on the status, source, priority, and other filter criteria that you have specified. | get_investigations Investigation |
| Close Investigations | Closes all investigations on the Rapid7 InsightIDR API based on the source, from, to and other filter criteria that you have specified. The Rapid7 InsightIDR API returns the count of investigations that were closed and a list of their IDs. |
close_investigation Investigation |
| Add Indicators to Threat | Adds threat indicators to the threat, using the Rapid7 InsightIDR API, based on the threat key and indicators that you have specified. | add_indicators Investigation |
| Replace Indicators for Threat | Replaces threat indicators in the threat, using the Rapid7 InsightIDR API, based on the threat key and indicators that you have specified. | replace_indicators Investigation |
| Create investigation | Create an investigation based on the title, status, priority, and other input parameters that you have specified. | create_investigation Investigation |
| Get Investigation Details | Retrieves investigation details based on the investigation ID and other input parameters that you have specified. | get_investigations_details Investigation |
| Get Alerts Associated With Investigation | Retrieves a detailed list of alerts associated with the specified investigation ID. The listed alerts are sorted in descending order of the alert's created time. | get_alerts_associated_with_investigation Investigation |
| Search Investigations | Retrieves detailed list of investigations based on the search criteria, sorting order, and other input parameters that you have specified. | search_investigations Investigation |
| Create Comment | Creates a comment using the Rapid7 InsightIDR API based on the target, comment body, and other input parameters that you have specified. The target determines where the comment appears within Rapid7 InsightIDR. Only certain types of RRNs are permitted as targets, such as investigation RRNs. | create_comment Investigation |
| Get Comments | Retrieves a detailed list of comments based on the target and other input parameters that yu have specified. For example, this API allows you to list all comments on an investigation by passing an investigation's RRN as the target value. | get_comments Investigation |
| Delete Comment | Deletes a comment by using an RRN that you have specified. The RRN determines which comment is deleted. Only the creator of a comment can delete it. | delete_comment Investigation |
NOTE: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Status | Specify comma-separated investigation statuses to include in the result. For example: OPEN,INVESTIGATING,CLOSED |
| Source | Specify comma-separated investigation sources to include in the result. For example: USER,ALERT |
| Priority | Specify comma-separated investigation priorities to include in the result. For example: UNSPECIFIED,LOW,MEDIUM,HIGH,CRITICAL |
| Assignee Email | Specify user's email address. Only investigations assigned to the specified user are included. |
| Start Time | Specify a start time to retrieve investigations whose created time is after the specified date and time. |
| End Time | Specify an end time to retrieve investigations whose created time is before the specified date and time. |
| Sort | Specify the sorting criteria for the retrieved investigations and specify the sort direction separated by a comma.
The retrieved investigations can be sorted as per the following values:
The retrieved investigations can be sorted as per the following directions:
For example: |
| Multi Customer | Select whether the requester has multi-customer access. If selected, i.e. set to true, a user API key must be provided. Investigations are returned from all organizations to which the calling user has access. |
| Tags | Specify comma-separated tags to include in the result. Only investigations that have all the specified tags are included. For example: Incident,Security Test,Reported to Customer,Potentially |
| Page Number | Specify the page number from the 0-based index of the results page from which to retrieve data. |
| Records Per Page | Specify the maximum number of results that this operation should return per page. By default, this is set to 20 and the maximum supported value is 100. |
| Get All Records | Select this checkbox to retrieve all investigation records. Selecting this option ignores the "Page Number" and "Records Per Page" parameters. By default, this option is selected, i.e. it is set to 'True'. |
The output contains the following populated JSON schema:
{
"data": [
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
],
"metadata": {
"index": "",
"size": "",
"total_pages": "",
"total_data": ""
}
}
| Parameter | Description |
|---|---|
| Source | Specify the source of the investigation that you want to close using the Rapid7 InsightIDR API. This operation closes investigations only from this source. You can specify any of the following:
|
| From | Specify a start time to close investigations whose created time is after the specified date and time. |
| To | Specify an end time to close investigations whose created time is before the specified date and time. |
| Alert Type | Specify the category of the alert to be closed.
NOTE: This field is mandatory IF you have selected Source as |
| Disposition | (Optional) Specify the disposition to be assigned to the investigation. Defaults to NOT_APPLICABLE. The following dispositions can be assigned: UNDECIDED, BENIGN, MALICIOUS, NOT_APPLICABLE |
| Detection Rule RNN | (Optional) Specify the RRN of the detection rule. Only investigations that are associated with this detection rule will be closed. If a detection rule RRN is specified, then alert_type must be 'Attacker Behavior Detected'. |
| Max Investigations to Close | (Optional) Specify the maximum number of investigations to close using this operation. If this parameter is not specified, all the investigations based on your filter criteria are closed. The minimum value set for this parameter is 0.IMPORTANT: Recommended not to specify any value in the Max Investigations to Close parameter since the value specified in this parameter must be greater than or equal to the number of results fetched by this operation. If you specify a value lesser than the number of results fetched, then this operation will fail. |
The output contains the following populated JSON schema:
{
"ids": [],
"num_closed": ""
}
| Parameter | Description |
|---|---|
| Threat Key | Specify the threat key to which to add indicators using the Rapid7 InsightIDR API. |
| Indicators to Add | Select the input format of the indicators to be added to the specified threat. You can select from one of the following options:
|
Following is an example of adding indicators using STIX XML:
<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:example="http://example.com/"
xsi:schemaLocation=
"http://stix.mitre.org/stix-1 …/stix_core.xsd
http://stix.mitre.org/Indicator-2 …/indicator.xsd
http://cybox.mitre.org/default_vocabularies-2 …/cybox/cybox_default_vocabularies.xsd
http://stix.mitre.org/default_vocabularies-1 …/stix_default_vocabularies.xsd
http://cybox.mitre.org/objects#DomainNameObject-1 …/cybox/objects/Domain_Name_Object.xsd"
id="example:STIXPackage-f61cd874-494d-4194-a3e6-6b487dbb6d6e"
timestamp="2014-05-08T09:00:00.000000Z"
version="1.1.1">
stix:STIX_Header
stix:TitleExample watchlist that contains domain information.</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>
</stix:STIX_Header>
stix:Indicators
<stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-2e20c5b2-56fa-46cd-9662-8f199c69d2c9" timestamp="2014-05-08T09:00:00.000000Z">
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
indicator:DescriptionSample domain Indicator for this watchlist</indicator:Description>
<indicator:Observable id="example:Observable-87c9a5bb-d005-4b3e-8081-99f720fad62b">
<cybox:Object id="example:Object-12c760ba-cd2c-4f5d-a37d-18212eac7928">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
<DomainNameObj:Value condition="Equals" apply_condition="ANY">malicious1.example.com##comma##malicious2.example.com##comma##malicious3.example.com</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Observable id="NCCIC:Observable-fb5606ea-23f0-472d-babf-8b7e89571881">
<cybox:Object id="NCCIC:Object-a105a51a-c324-11e7-b25d-64006a91c899">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_spoofed="false">
<AddressObj:Address_Value condition="Equals">185.134.98.141</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
</stix:Indicator>
</stix:Indicators>
</stix:STIX_Package>
Output
The output contains the following populated JSON schema:
{
"threat": {
"indicator_count": "",
"published": "",
"note": "",
"name": ""
},
"rejected_indicators": []
}
| Parameter | Description |
|---|---|
| Threat Key | Specify the threat key in which to replace indicators using the Rapid7 InsightIDR API. |
| Indicators to Add | Select the input format of the indicators to be replaced in the specified threat. You can select from one of the following options:
|
The output contains the following populated JSON schema:
{
"threat": {
"indicator_count": "",
"published": "",
"note": "",
"name": ""
},
"rejected_indicators": []
}
| Parameter | Description |
|---|---|
| Title | Specify the name of the investigation that you want to create. |
| Status | Specify the status of the investigation that you want to create. For example: OPEN,CLOSED,INVESTIGATING. Defaults to OPEN. |
| Priority | Specify the priority of the investigation that you want to create. For example: UNSPECIFIED,LOW,MEDIUM,HIGH,CRITICAL. Defaults to UNSPECIFIED. |
| Disposition | Specify the disposition of the investigation that you want to create. For example: UNDECIDED,BENIGN,MALICIOUS,NOT_APPLICABLE. Defaults to UNDECIDED. |
| Assignee Email | Specify the email address of the user to whom to assign this investigation. Use the email address used to log in to the insight platform. |
The output contains the following populated JSON schema:
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
| Parameter | Description |
|---|---|
| Investigation ID | Specify the ID or RRN of the investigation that you want to update. |
| Multi Customer | Select whether the requester has multi-customer access. If selected, i.e. set to true, the ID of the investigation must be in the RRN format, the region of the RRN must match the region of the endpoint and a user API key must be provided. |
| Title | Specify the name of the investigation that you want to update. |
| Status | Specify the status of the investigation that you want to update. For example: OPEN,CLOSED,INVESTIGATING. |
| Priority | Specify the priority of the investigation that you want to update. For example: UNSPECIFIED,LOW,MEDIUM,HIGH,CRITICAL. |
| Disposition | Specify the disposition of the investigation that you want to update. For example: UNDECIDED,BENIGN,MALICIOUS,NOT_APPLICABLE. |
| Assignee Email | Specify the email address of the user to whom to assign this investigation. Use the email address used to log in to the insight platform. |
| Threat Command Close Reason | Specify the Threat Command reason for closing. This parameter is applicable only if the investigation being closed has an associated alert in Threat Command. The Close Reason description depends on the Threat Command's alert type. For example: ProblemSolved, InformationalOnly, ProblemWeAreAlreadyAwareOf, NotRelatedToMyCompany, FalsePositive, LegitimateApplication/Profile, CompanyOwnedDomain, or Other. |
| Threat Command Free Text | Specify any additional information when closing a Threat Command alert. |
The output contains the following populated JSON schema:
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
| Parameter | Description |
|---|---|
| Investigation ID | Specify an ID or RRN of the investigation to get investigation details. |
| Multi Customer | Select whether the requester has multi-customer access. If selected, i.e. set to true, the region of the RRN must match the region of the endpoint and a user API key must be provided. |
The output contains the following populated JSON schema:
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
| Parameter | Description |
|---|---|
| Investigation ID | Specify an ID or RRN of the investigation to get its associated alerts. |
| Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say alerts starting from the 10th alert. By default, this is set as 0 |
| Records Per Page | (Optional) Specify the maximum number of results that this operation should return per page. By default, this is set to 20 and the maximum supported value is 100. |
| Multi Customer | (Optional) Select whether the requester has multi-customer access. If selected, i.e. set to true, the region of the RRN must match the region of the endpoint and a user API key must be provided. |
| Get All Records | Select this checkbox to retrieve all alert records associated with the investigation. Selecting this option ignores the "Offset" and "Records Per Page" parameters. By default, this option is selected, i.e. it is set to 'True'. |
The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"title": "",
"alert_type": "",
"alert_type_description": "",
"created_time": "",
"first_event_time": "",
"latest_event_time": "",
"alert_source": "",
"detection_rule_rrn": {
"rule_name": "",
"rule_rrn": ""
}
}
],
"metadata": {
"index": "",
"size": "",
"total_pages": "",
"total_data": ""
}
}
| Parameter | Description |
|---|---|
| Search | Specify the search criteria to filter the records. All operators are case-insensitive when operating on strings. For more information refer to https://help.rapid7.com/insightidr/en-us/api/v2/docs.html#tag/Investigations/operation/searchInvestigations. |
| Sort | Specify a sorting criteria to filter the records. For more information refer to https://help.rapid7.com/insightidr/en-us/api/v2/docs.html#tag/Investigations/operation/searchInvestigations |
| Start Time | Specify a start time to search investigations whose created time is after the specified date and time. Defaults to 28 days ago. |
| End Time | Specify an end time to search investigations whose created time is before the specified date and time. Defaults to the current time. |
| Page Number | Specify the page number from the 0-based index of the results page from which to retrieve data. |
| Records Per Page | Specify the maximum number of results that this operation should return per page. By default, this is set to 20 and the maximum supported value is 100. |
| Multi Customer | Select whether the requester has multi-customer access. If selected, i.e. set to true, the region of the RRN must match the region of the endpoint and a user API key must be provided. |
The output contains the following populated JSON schema:
{
"data": [
{
"rrn": "",
"organization_id": "",
"title": "",
"source": "",
"status": "",
"priority": "",
"last_accessed": "",
"created_time": "",
"disposition": "",
"assignee": {
"name": "",
"email": ""
},
"first_alert_time": "",
"latest_alert_time": "",
"tags": [],
"responsibility": ""
}
],
"metadata": {
"index": "",
"size": "",
"total_pages": "",
"total_data": ""
}
}
| Parameter | Description |
|---|---|
| Target | Specify the ID, or the RRN of the investigation which determines where the comment appears within InsightIDR. |
| Body | Specify a description for the comment. |
| Attachments | Specify an array of attachment RRNs to associate with the comment. |
The output contains the following populated JSON schema:
{
"created_time": "",
"rrn": "",
"target": "",
"creator": {
"type": "",
"name": ""
},
"body": "",
"visibility": "",
"attachments": [
{
"rrn": "",
"creator": {
"type": "",
"name": ""
},
"created_time": "",
"file_name": "",
"mime_type": "",
"size": "",
"scan_status": ""
}
]
}
| Parameter | Description |
|---|---|
| Target | Specify the ID or the RRN of the investigation to return comments associated with it. |
| Page Number | Specify the page number from the 0-based index of the results page from which to retrieve data. |
| Records Per Page | Specify the maximum number of results that this operation should return per page. By default, this is set to 20 and the maximum supported value is 100. |
The output contains the following populated JSON schema:
{
"data": [
{
"created_time": "",
"rrn": "",
"target": "",
"creator": {
"type": "",
"name": ""
},
"body": "",
"visibility": "",
"attachments": [
{
"rrn": "",
"creator": {
"type": "",
"name": ""
},
"created_time": "",
"file_name": "",
"mime_type": "",
"size": "",
"scan_status": ""
}
]
}
],
"metadata": {
"index": "",
"size": "",
"total_pages": "",
"total_data": ""
}
}
| Parameter | Description |
|---|---|
| RRN | Specify the RRN of the comment to delete.
NOTE: Use the Get Comments action to get RRN. For example: |
The output contains the following populated JSON schema:
{
"message": ""
}
The Sample - Rapid7 InsightIDR - 2.1.0 playbook collection comes bundled with the Rapid7 InsightIDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Rapid7 InsightIDR connector.
NOTE: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling investigations from Rapid7 InsightIDR. Currently, "investigations" in Rapid7 InsightIDR are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Rapid7 InsightIDR "Investigations" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Rapid7 InsightIDR into FortiSOAR™. It also lets you pull some sample data from Rapid7 InsightIDR using which you can define the mapping of data between Rapid7 InsightIDR and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Rapid7 InsightIDR investigation.
On the Field Mapping screen, map the fields of a Rapid7 InsightIDR investigation to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the title parameter of a Rapid7 InsightIDR investigation to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the title field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Rapid7 InsightIDR, so that the content gets pulled from the Rapid7 InsightIDR integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Rapid7 InsightIDR every morning at 5 am, click Daily, and in the hour box enter 5 , and in the minute box enter 0:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.