Integrate Devices

The Rapid7 Threat Command Automation and TIP modules streamline the threat remediation process by identifying and taking down internal and external threats.

Threat Command delivers:

  • Early warning of hacking attempts and fraud campaigns targeting a specific user or company, delivered through a cyber-intelligence platform.
  • Tailored intelligence, gathered by scanning a wide range of sources (the clear web, dark web, cyber-crime forums, IRC channels, social media, app stores, and paste sites), with near-real-time alerts on cyber-threats.

Every indicator of compromise (IOC) is examined to validate its severity and context. The outcome is a tailor-made list of indicators that can be shared with security information and event management (SIEM) devices.

For example, by pushing IOCs to a security device, you can protect employees and customers by automatically blocking email messages sent from malicious IP addresses and domains: Threat Command sends the IOCs to the device's anti-spam service, and they are immediately added to the blocked senders list.

For customer on-premises devices, the Threat Command virtual appliance connects the IOCs Management module running in the Threat Command cloud to the security or monitoring devices that protect your organizational network. The IOCs Management module in the cloud aggregates IOCs, acquired from Threat Command alerts, Rapid7 analyst research, third-party intelligence feeds, customer documents and emails, and more.

For customer cloud devices, the appliance is not necessary, as all communication takes place in the cloud.

Devices can be updated with IOCs using the following methods:

  • Pull - The device pulls IOCs from Threat Command.

  • Push - Threat Command pushes IOCs to the device.

The device type determines the method (push or pull) and whether communication goes through the virtual appliance or directly to the Threat Command cloud.

The following process describes how Threat Command pushes IOCs to an anti-spam blocklist on a cloud device:

  1. Threat Command identifies IOCs from the Threat Command Tailored Intelligence Platform (TIP), and optionally from public and private feeds on the internet.
  2. IOCs are stored in the Threat Command cloud.
  3. Threat Command enriches the IOCs in the cloud, to get as much information about threat actors, malware, and campaigns as possible, to provide maximum benefit to the client.
  4. Within Threat Command, the client determines which IOCs are sent to their device.
  5. The client integrates their device with Threat Command, via the cloud interface and/or the Threat Command virtual appliance.
  6. The Threat Command cloud integration server connects to the client device account.
  7. The Threat Command cloud server pushes new IOCs to the client anti-spam blocklist on their device.
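The anti-spam example above and step 4 of this process both leave one thing implicit: what the client should check before an IOC is allowed to reach the device. The following Python is an added example, not Threat Command code, showing that selection step for an email blocklist. It assumes (the page specifies neither) that the shared IOCs arrive as CSV lines with the columns type,value,severity and that the device accepts sender rules written as "ip:<address>" or "domain:<name>"; the sample feed is constructed. It filters by severity, validates each value as an IP address or hostname, refuses to block internal address ranges or your own allowlisted domains, de-duplicates, and keeps a record of everything it dropped.

```python
"""Added example (not Threat Command code): turn the IOCs an IOC group shares
into an anti-spam blocked-senders list, applying the selection the client
makes in step 4 above before anything reaches the device.

Assumed (not from the page): the feed is CSV with columns type,value,severity
and the anti-spam device accepts rules written as "ip:<addr>" / "domain:<name>".
"""
import csv
import io
import ipaddress
import re

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Address ranges an email blocklist must never contain, whatever the feed says:
# blocking your own mail relays or loopback causes an outage, not protection.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Hostname syntax: 1-63 char labels, no leading/trailing hyphen, at least one dot.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})+$")

# Constructed sample feed (made-up values, not a real Threat Command export).
SAMPLE_FEED = """type,value,severity
IpAddresses,203.0.113.7,High
Domains,mail.evil-example.test,High
IpAddresses,10.0.0.5,Medium
Domains,example.com,Low
Domains,mail.example.com,High
IpAddresses,not-an-ip,High
Domains,login-example.test,Medium
IpAddresses,203.0.113.7,High
"""


def classify(value):
    """Return ("ip", canonical) or ("domain", canonical); None if it is neither."""
    value = value.strip().lower().rstrip(".")
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain", value
    return None


def build_blocklist(feed_text, min_severity="Medium", allowlist_domains=()):
    """Return (entries, rejected).

    entries:  sorted, de-duplicated device rules ready to push
    rejected: (value, reason) pairs so the analyst can audit what was dropped
    """
    allow = {d.lower() for d in allowlist_domains}
    entries, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(feed_text)):
        value = row["value"]
        if SEVERITY_RANK.get(row["severity"], 0) < SEVERITY_RANK[min_severity]:
            rejected.append((value, "below severity threshold"))
            continue
        kind = classify(value)
        if kind is None:
            rejected.append((value, "not a valid IP address or domain"))
            continue
        typ, canon = kind
        if typ == "ip":
            ip = ipaddress.ip_address(canon)
            if any(ip in net for net in NEVER_BLOCK):
                rejected.append((value, "internal address"))
                continue
        elif canon in allow or any(canon.endswith("." + a) for a in allow):
            rejected.append((value, "allowlisted domain"))
            continue
        rule = f"{typ}:{canon}"
        if rule in seen:
            rejected.append((value, "duplicate"))
            continue
        seen.add(rule)
        entries.append(rule)
    return sorted(entries), rejected


if __name__ == "__main__":
    rules, dropped = build_blocklist(SAMPLE_FEED, "Medium", ("example.com",))
    print("push to device:", *rules, sep="\n  ")
    print("dropped:", *(f"{v}: {why}" for v, why in dropped), sep="\n  ")
```

The rejected list is the part worth keeping: when a blocklist push breaks legitimate mail, the first question is which indicator caused it and why it was accepted, and a feed that is filtered silently cannot answer that.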

Integration with devices

To successfully configure integration with a security device, you need to complete the following steps:

  1. Add a device with the virtual appliance or the cloud.
  2. Create an IOC group that will share IOCs with the device.
  3. Copy the URL of the IOC group to the device manager and perform additional configuration, as necessary.

This section describes steps 1 and 3.

Creating an IOC group (step 2) is described in the "Automate Internal Remediation" section of the Threat Command User Guide.

Integration support list

The following table lists the supported cloud and on-premises devices:

Device type  | Device                                 | Minimum version     | IOC share method                                                              | Credentials
-------------|----------------------------------------|---------------------|-------------------------------------------------------------------------------|------------------------------------------------------------------
Cloud        | ArcSight REST                          | 6.11                | Pull                                                                          | N/A
Cloud        | Carbon Black Response                  |                     | Pull                                                                          |
Cloud        | Check Point                            | R80.x               | Pull                                                                          |
Cloud        | Cisco Firepower                        |                     | Pull                                                                          |
Cloud        | CrowdStrike Falcon Insight             |                     | Push                                                                          |
Cloud        | Fortinet FortiGate                     | 6.2                 | Pull                                                                          |
Cloud        | Fortinet FortiSIEM                     |                     | Pull                                                                          |
Cloud        | LogRhythm (SIEM)                       |                     | Pull                                                                          |
Cloud        | McAfee ESM (SIEM)                      |                     | Pull                                                                          |
Cloud        | Microsoft Azure Sentinel               |                     | Pull                                                                          |
Cloud        | Microsoft Office 365                   |                     | Push                                                                          |
Cloud        | MISP                                   |                     | Pull                                                                          |
Cloud        | Palo Alto Panorama                     |                     | Pull                                                                          |
Cloud        | Splunk Enterprise Security             | 7.0                 | Pull                                                                          | N/A
Cloud        | TAXII server                           |                     |                                                                               |
On-premises  | ArcSight REST                          | 6.11                | Pull                                                                          | N/A
On-premises  | Carbon Black Response                  | 6.1                 | Pull                                                                          | N/A
On-premises  | Check Point                            | R80.x               | Push - SSH (22)                                                               | Admin user with BASH as default shell (IOCs are pushed through SSH)
On-premises  | Cisco Firepower                        | 6.4.0               | Pull                                                                          | N/A
On-premises  | FireEye Endpoint Security (HX series)  |                     | Push                                                                          | User with API permissions (role of API Analyst or API Admin)
On-premises  | Fortinet FortiGate                     | 6.2                 | Pull                                                                          |
On-premises  | Fortinet FortiManager                  | 5.4.x               | Push - HTTPS (443)                                                            | Admin user
On-premises  | Fortinet FortiSIEM                     | 5.2                 | Pull                                                                          | N/A
On-premises  | IBM Qradar                             | 7.3.x               | Push - HTTPS (443); Push - syslog (514/UDP) is also required to share Threat Command alerts | Admin user
On-premises  | LogRhythm (SIEM)                       | 7.2.3               | Pull (TAXII), port 9000                                                       |
On-premises  | McAfee ESM (SIEM)                      |                     | Pull                                                                          | N/A
On-premises  | Microsoft Active Directory             | Windows Server 2012 | Query Domain Controller (QDC) over LDAP (389/TCP) or LDAPS (636/TCP)          | Domain user
On-premises  | Palo Alto Firewall                     | 7.1                 | Pull                                                                          | N/A
On-premises  | Palo Alto Panorama                     |                     | Pull                                                                          |
On-premises  | Splunk Enterprise Security             | 7.0                 | Pull; the TAXII integration requires port 9000                                |
On-premises  | Splunk Standalone                      | 6.5.3               | Push - REST API (8089); Push - HEC (8088/TCP by default) is also required to share Threat Command alerts | User with read/write access to the REST API
On-premises  | Symantec ProxySG                       | 6.6.4.x             | Pull                                                                          | N/A
On-premises  | Websense                               | 8.5                 | Push - TCP 15873                                                              | API account
On-premises  | Zscaler Internet Access (ZIA)          |                     | Push - HTTPS (443)                                                            | Console user and API key

In addition, the following external apps are supported:

  • IntSights App for Splunk
  • IntSights App for Splunk SOAR
  • ServiceNow Security App
  • ServiceNow ITSM App
  • IntSights App for IBM Qradar
  • Rapid7 Threat Command App for Elastic SIEM