Quick Start Guide

Exposure Command brings together several Rapid7 solutions, including Surface Command, External Attack Surface Management (EASM), InsightCloudSec, InsightVM, InsightConnect, and the Command Platform. This Quick Start Guide outlines what to expect during, and how to approach, each phase of the Exposure Command deployment process.

  • Phase 1: Prepare for deployment: You’ll familiarize yourself with key Exposure Command concepts and review the system requirements for a Surface Command Outpost
  • Phase 2: Get up and running: You’ll install any Surface Command Outposts (if applicable), set up your first set of connectors, and connect your External Assets
  • Phase 3: Explore Surface Command: You’ll start to see data appear in Surface Command and you’ll learn how to create queries, widgets, and dashboards to start curating your desired perspective of your Attack Surface

Phase 1: Prepare for deployment

To get up and running with Exposure Command as quickly as possible, understand the product and the deployment tasks before you start, and make a deployment plan.

Key Surface Command concepts and components

Before installing anything, it’s important to familiarize yourself with the various concepts and components that make up Surface Command:

  • Connector - A software component that enables Surface Command to collect data from an information source, such as vulnerability scanners, endpoint protection platforms, or cloud services. Each connector understands the API and data schema of its target source. Surface Command provides connectors for most major tools and supports custom connectors for enterprise-specific systems. Learn more about Connectors.
    • Orchestrator - A software component deployed in your environment when Surface Command cannot access an information source directly. Orchestrators collect data from internal or private cloud sources and can also execute actions. After deployment, orchestrators are paired to Surface Command, and one or more connectors are assigned to them.
    • Profile - A configuration that contains credentials and import feeds for a specific connector.
    • Import Feed - A scheduled task that runs a specific data ingestion job. A connector may have multiple associated import feeds.
  • Attack Surface - Divided into internal and external components. The internal surface includes assets and identities. The external surface includes IPs, domains, certificates, and services exposed to the internet. Surface Command discovers external assets using domain and IP seeds. Learn more about your Surface Command attack surface.
    • Asset - Any network-connected device, such as a server, workstation, mobile device, or printer. Assets are created automatically when data is ingested from connectors.
    • Identity - A user-based entity like a username, service account, or shared mailbox. Identities can be human or non-human.
    • Seed - A discoverable domain, subdomain, CIDR, or IP used in external asset discovery to uncover certificates, services, and subdomains.
    • Type - A schema that defines how data is structured for a specific kind of asset or identity. Each connector introduces its own types, which Surface Command maps into standardized unified types (for example, Server, Identity, or Vulnerability). These unified types allow for cross-source correlation and query filtering. Explore unified properties.
  • Query - A request written in Cypher or built using the graphical interface to retrieve data ingested by connectors. Queries cannot modify data but can be customized to extract specific insights. Prebuilt queries are available, and you can also create your own. Learn more about Queries.
    • Reference list - External data imported using Excel or CSV files that augments connector data. Use reference lists to enrich queries (for example, to correlate network zones with business units).
  • Dashboard - A customizable interface that displays key metrics and insights using widgets. Dashboards help you monitor your security posture visually. Learn more about Dashboards.
    • Widget - A visual component that displays filtered results from a query using charts or graphs. Widgets can be customized to show counts, trends, or metrics. The default widgets on the Surface Command home page provide asset counts by unified type and are not editable.
  • Workflow - A repeatable software process that executes steps based on query results. Workflows can be triggered automatically or manually to drive consistent response actions. Learn more about Workflows.
    • Function - A reusable unit of code that interacts with remote systems to retrieve data or take action. Functions serve as the building blocks of workflows and are typically included with connector packages.

Want more Surface Command details?

For a detailed overview of the Surface Command solution, review Surface Command Overview.

Rapid7 solutions overview

Several Rapid7 solutions are packaged with Exposure Command in addition to Surface Command. For more information, review the various solution-oriented documentation:

Review Insight Orchestrator requirements (if applicable)

You may not need to install an orchestrator, as it is only required in situations where a portion of your network is unavailable to Surface Command over the internet, such as when you have an on-prem system that you want to connect (for example, on-prem Active Directory, BigFix).

CentOS 7 orchestrator is no longer supported

On June 1, 2024, the CentOS 7 Insight Orchestrator reached end-of-life. As a result, orchestrators using this operating system will no longer receive security updates or patches from CentOS Linux.

To keep your environment secure, you must install the new Ubuntu orchestrator or migrate to Ubuntu if you have existing CentOS 7 orchestrators in your environment.

Version requirements

The minimum version of the Insight Orchestrator required to support Surface Command connectors is v1.64.0.

Operating environment

The Insight Orchestrator runs as a virtual machine on the following virtualization platforms:

  • VirtualBox
  • VMWare
  • AWS (conversion to AMI needed)
⚠️

VMWare version requirements

The orchestrator .ova requires SHA256 support. If you are a VMWare user, make sure your VMWare ESXi Server is running a version later than 6.5.0.

If you need to convert the OVA for compatibility, visit the resource here: https://www.sonicwall.com/en-us/support/knowledge-base/180411180839044.

Required production hardware

The orchestrator requires the following resources:

  • 4-core CPU
  • 8GB+ available RAM
  • 64-128GB available storage

Disk Space Requirements

Provision at least 64GB of disk space for the orchestrator. The more workflows you intend to run, the more disk space you should allocate in advance.

Network connectivity requirements

Ensure that the orchestrator can reach the following domains and ports:

  • {region}.api.connect.insight.rapid7.com
  • {region}.plugins.connect.insight.rapid7.com
    • In both hostnames, replace {region} with the code for your area: us, us2, us3, eu, ap, ca, or au
  • Port 443 / TCP outbound (HTTPS egress)
  • mirrors.fedoraproject.org (EPEL packages)
  • download.docker.com (Docker packages)
  • packagecloud.io (nightly updates to the orchestrator)

If the orchestrator’s filesystem is XFS, it must have been formatted with ftype=1, which Docker’s overlay2 storage driver requires. To check, run xfs_info / | grep ftype=1 | wc -l in a terminal window. The command should return 1. If it returns 0, the filesystem was created without ftype=1 and is not compatible with our Docker installation; because ftype is set at mkfs time and cannot be changed afterwards, the filesystem must be recreated.

When using the script installer with a RHEL 7 or 8 image, ensure SELinux is disabled or set to permissive mode. Check the current mode with getenforce; setenforce 0 switches to permissive until the next boot, and the SELINUX= line in /etc/selinux/config sets the mode persistently. Prefer permissive over disabled: the policy stays loaded and denials are still recorded in the audit log, which makes later troubleshooting and re-enabling enforcement much easier.
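The requirements above (CPU, RAM and disk minimums, the egress allowlist, the XFS ftype check, and the SELinux mode) can all be verified on a candidate host before running the installer. The following POSIX shell helpers are an added example written for this guide, not part of Rapid7’s installer or virtual appliance; the function names are this example’s own, the hostnames and minimums are copied from the lists above, and the egress probe assumes nc (netcat) is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for an Insight Orchestrator host.
# Written for this guide; not Rapid7 tooling. Function names are this example's own.

# Hostnames the orchestrator must reach for a region code (us, us2, us3, eu, ap, ca, au).
orchestrator_hosts() {
  case "$1" in
    us|us2|us3|eu|ap|ca|au) ;;
    *) echo "unknown region code: $1" >&2; return 1 ;;
  esac
  printf '%s\n' \
    "$1.api.connect.insight.rapid7.com" \
    "$1.plugins.connect.insight.rapid7.com" \
    mirrors.fedoraproject.org \
    download.docker.com \
    packagecloud.io
}

# Docker's overlay2 driver needs XFS formatted with ftype=1.
# Reads the output of `xfs_info <mount>` on stdin.
xfs_ftype_ok() {
  grep -q 'ftype=1'
}

# The script installer on RHEL 7/8 needs SELinux disabled or permissive.
# Takes the output of `getenforce` as $1. Permissive keeps the policy loaded and
# still logs denials, so prefer it over Disabled.
selinux_ok() {
  case "$1" in
    Disabled|Permissive) return 0 ;;
    *) return 1 ;;
  esac
}

# Minimums from "Required production hardware": 4 cores, 8 GB RAM, 64 GB disk.
# Arguments: cores, RAM in MB, free disk in GB.
resources_ok() {
  [ "$1" -ge 4 ] && [ "$2" -ge 8192 ] && [ "$3" -ge 64 ]
}

# Probe TCP/443 to every required host. Needs network access and nc, so only
# call it on the real host, never in an offline check.
check_egress() {
  orchestrator_hosts "$1" >/dev/null || return 1
  rc=0
  for h in $(orchestrator_hosts "$1"); do
    if nc -z -w 5 "$h" 443 >/dev/null 2>&1; then
      echo "OK   $h:443"
    else
      echo "FAIL $h:443"; rc=1
    fi
  done
  return $rc
}

# Run on the orchestrator host (these lines are not executed when the file is sourced):
#   xfs_info / | xfs_ftype_ok || echo "XFS root is not formatted with ftype=1"
#   selinux_ok "$(getenforce)" || echo "set SELinux to permissive before running the installer"
#   resources_ok "$(nproc)" "$(free -m | awk '/^Mem:/ {print $2}')" \
#                "$(df -BG --output=avail / | tail -n 1 | tr -dc 0-9)"
#   check_egress us
```

Source the file on the candidate host and call the helpers; only check_egress needs network access. A FAIL line for a Rapid7 hostname points at DNS resolution, an outbound proxy, or an egress firewall rule on the path to that host, so those are the first things to check before opening a support case.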

Software requirements

To run Surface Command connectors on an Insight Orchestrator, Docker Community Edition (CE) is required on all supported operating systems. The virtual appliance ships with Docker CE already installed; the install script adds the necessary Yum or Apt repository and installs Docker on Ubuntu 20.04 or 22.04 and RHEL 7 or 8.

⚠️

Supported container engines for Red Hat Enterprise Linux

Although Docker CE is not directly supported by Red Hat, it remains a system requirement for running Surface Command connectors on Red Hat Enterprise Linux and is the only container engine currently supported. The Red Hat Container Tools module (such as Podman) is not a supported replacement for Docker CE, is not known to work, and has not been tested by Rapid7.

Log in to the Command Platform

Already have a Command Platform account?

If you already have a Command Platform account (formerly known as the Insight Platform) from a trial or existing subscription to another Rapid7 solution, you’re all set! Use your existing email address to log in to https://insight.rapid7.com/login.

The Rapid7 Command Platform is your base within the ecosystem of Rapid7 cloud products and services. It provides a centralized location for administrative functions and makes navigating the Insight product suite simple. To log in to the platform, you need a Rapid7 Command Platform account.

To create an account:

  1. Check your corporate email inbox for an email from the Rapid7 Command Platform team.
  2. Visit insight.rapid7.com/login.
  3. Select Haven’t activated your account?.
  4. Enter your corporate email address to receive an activation email with next steps. If you do not receive an activation email, reach out to your Customer Adoption Manager (CAM) or Customer Success Advisor (CSA).
  5. Refer to the activation email and follow the instructions to create and activate your Command Platform account.

Phase 2: Get up and running

After you have familiarized yourself with Surface Command and Exposure Command, determined if you need an Outpost, and you’ve logged in to the Command Platform to confirm your account is set up properly, you’re ready to get everything up and running!

Connect your Attack Surface

Surface Command offers many different Connectors, all of which are outlined on the Connector Library page. Rapid7 has organized Connectors into 5 categories to simplify the process of ensuring you have coverage across your entire Attack Surface. We recommend installing at least 1 Connector from each category:

Category - Example Connectors
Asset Management
  • Microsoft Entra ID
  • Microsoft Active Directory
  • Microsoft Intune/Endpoints
  • BigFix
  • Meraki
  • JAMF
Endpoint Detection & Response (EDR) / Endpoint Protection Platforms (EPP)
  • InsightIDR
  • CrowdStrike
  • SentinelOne
  • Azure Defender
Vulnerability Management
  • InsightVM
  • Qualys
  • Tenable
Cloud Service Provider (CSP) / Cloud Security Posture Management (CSPM)
  • InsightCloudSec
  • Wiz
  • AWS
  • Azure
  • GCP
Identity Management
  • Okta
  • Duo

When Surface Command is provisioned, your desired Connectors, including Rapid7 Connectors (and orchestrator, if applicable), are installed automatically by the Rapid7 deployment team. This means if you have any existing Rapid7 solutions, their data should appear in Surface Command with no additional configuration on your part. For additional Connector installations or help with Connectors, contact Support through the customer portal.

After you’ve confirmed that Connectors have been installed, provide credentials in Surface Command and update any necessary settings. Also verify that your Import Feeds are scheduled, so that data flows in as expected.

Add Connector Credentials

For detailed information on interacting with Connectors, visit Connectors.

To add Connector credentials and update settings:

  1. Log in to the Command Platform.
  2. Navigate to Surface Command > Connectors.
  3. Search for a Connector, then click its corresponding card.
  4. Click Settings.

All configured profiles for the Connector appear. Click a profile to expand the configuration details.

Verify Import Feeds

To verify Import Feeds:

  1. Log in to the Command Platform.
  2. Navigate to Surface Command > Import Feeds.
  3. Search for a Connector.

The Import Feeds results are filtered for the search string. Click Edit to adjust the schedule or Connector settings for the given profile.

Connect your External Assets

Rapid7 External Attack Surface Management (EASM) gives you visibility of your externally accessible assets by discovering and scanning your complete internet-connected attack surface.

How it works:

  • First, you add seeds, which are domains, CIDRs, and IP addresses (or ranges) that you know are externally accessible.
  • After seeds are added, Rapid7’s External Asset Engine uses a combination of non-invasive methods to discover and crawl the external surface of your organization and reports its discoveries and analysis.

Only add seeds that your organization owns or is authorized to have assessed. A seed for a shared hosting provider, a CDN, or a third party’s domain pulls that party’s assets into your findings and inflates your attack surface with assets you cannot remediate.

To add seeds:

  1. Log in to the Command Platform and navigate to Command Platform Home.
    1. If your company has multiple Rapid7 Organizations, for example for multiple divisions or locations, ensure you select the correct Organization by using the drop-down next to the Rapid7 logo. This will help keep your external attack surface findings appropriate for the given organization. If you only have one Organization, you can skip this step.
  2. In the navigation menu, click Attack Surface > External Attack Surface > Seeds. On the Seeds tab, you will see a brief introduction if you have never added seeds before or a list of existing seeds.
  3. Click Add Seeds. A window containing a free text field opens.
  4. Enter seeds (separated by spaces, commas, or line breaks) into the text field.
  5. Click Add Seeds. Rapid7’s External Asset Engine begins scanning your seeds immediately, and you will see discoveries populate the IPs & Domains and Network Services & Certificates tabs as appropriate.
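Because the External Asset Engine starts scanning as soon as seeds are added, it is worth cleaning and classifying the list before pasting it into the Add Seeds window. The following POSIX shell helpers are an added example written for this guide, not a Rapid7 tool: they normalise a pasted list (URL schemes, paths, case, duplicates), classify each entry as a domain, IP, or CIDR, and flag private, loopback, and link-local ranges, which are never reachable from the internet and so contribute nothing to external discovery. The function names and the sample input in the usage line are this example’s own.

```shell
#!/bin/sh
# Added example: normalise and sanity-check a seed list before adding it in Surface Command.
# Written for this guide; not a Rapid7 tool. Function names are this example's own.

# IPv4 check: dotted-quad syntax plus octet range 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' &&
    printf '%s\n' "$1" | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255 { ok=1 } END { exit !ok }'
}

# Print the seed kind (domain, ip, cidr) or "invalid" for one candidate seed.
classify_seed() {
  case "$1" in
    */*)
      net="${1%/*}"; len="${1##*/}"
      if valid_ipv4 "$net" && printf '%s\n' "$len" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$'; then
        echo cidr
      else
        echo invalid
      fi ;;
    *)
      if valid_ipv4 "$1"; then
        echo ip
      elif printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'; then
        echo domain
      else
        echo invalid
      fi ;;
  esac
}

# RFC 1918, loopback and link-local space is never internet-facing, so such seeds
# add nothing to external discovery (this warning is the example's own heuristic).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|127.*|169.254.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read a pasted list (space, comma, tab or newline separated) on stdin and emit one
# lowercased, deduplicated seed per line, with URL scheme, path and trailing dot removed.
# A "/<digits>" suffix is kept, because that is a CIDR prefix length, not a path.
normalize_seeds() {
  tr -d '\r' | tr ', \t' '\n\n\n' | tr 'A-Z' 'a-z' \
    | sed -E -e 's#^[a-z][a-z0-9+.-]*://##' \
             -e 's#^([^/]+)/([^0-9]|[0-9]+[^0-9]).*$#\1#' \
             -e 's#/$##' -e 's#\.$##' \
    | grep -v '^$' | sort -u
}

# Print "<kind><TAB><seed>[ warning]" for each line of a normalised list on stdin.
# Returns 1 if any seed is invalid, so the list can be fixed before it is pasted.
review_seeds() {
  rc=0
  while IFS= read -r seed; do
    kind=$(classify_seed "$seed")
    note=""
    case "$kind" in
      invalid) rc=1 ;;
      ip|cidr) is_private_ipv4 "${seed%/*}" && note=" (private range: not externally discoverable)" ;;
    esac
    printf '%s\t%s%s\n' "$kind" "$seed" "$note"
  done
  return $rc
}

# Usage with a constructed list (the addresses are documentation ranges, not real seeds):
#   printf 'Example.COM, https://www.example.com/login 203.0.113.0/24 10.0.0.0/8' \
#     | normalize_seeds | review_seeds
```

Pipe the exact text you intend to paste through normalize_seeds and review it; anything reported as invalid or as a private range should be removed, and what remains can go into the Add Seeds window one per line. Seeds that survive the check are still only syntactically valid: ownership of the domain or range is yours to confirm.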

Set up InsightCloudSec

To start seeing your cloud data integrated with Exposure Command, you’ll need to set up InsightCloudSec. Follow the Getting Started Overview and then return to the Exposure Command Quick Start Guide.

Set up InsightVM

To start seeing your on-prem data and detailed vulnerabilities integrated with Exposure Command, you’ll need to set up InsightVM. Follow the Quick Start Guide and then return to the Exposure Command Quick Start Guide.

Set up InsightConnect

To start building automated workflows to handle security operations tasks, you’ll need to set up InsightConnect. Follow the Quick Start Guide and then return to the Exposure Command Quick Start Guide.

Phase 3: Explore Surface Command

Now that the most important data to you and to your Attack Surface is flowing into Surface Command, you should start querying your data and using dashboards and widgets.

Exploring your Attack Surface data

To access the Surface Command home page, log in to the Command Platform and click Surface Command from the Solutions list. The home page offers a quick glance at the total number of assets by type as well as recommended dashboards and queries that are relevant to your data. Click 1 of the asset widgets to open the Workspace filtered to the selected asset type. From the Workspace, you can create:

  • Queries
  • Widgets
  • Dashboards

These 3 Surface Command components are the building blocks you can use to quickly and effectively understand your Attack Surface. The following sections contain examples for setting up a dashboard to track admin users without multi-factor authentication turned on.

Create queries

Queries are created from the Workspace page and filter specific data from Connectors. You can query data using the interface or write queries in the Cypher query language. If you want information on querying your data using Cypher, check out Building Queries with Cypher.

To create a basic query using the interface:

  1. Navigate to Surface Command > Workspace.
  2. Click + Query.
  3. Select a type to query. For example: Asset, Vulnerability, or Exposure.
  4. Click Execute query.

To create a query to find admin users without multi-factor authentication:

  1. Navigate to Surface Command > Workspace.
  2. Click + Query.
  3. Search for User and select its card.
  4. Click Filter result.
  5. Click the Select a property drop-down menu.
  6. Search for mfa and select has_mfa.
  7. Click the Select an operator drop-down menu.
  8. Click is false.
  9. Click + to add another parameter.
  10. Click the Select a property drop-down menu.
  11. Search for admin and select is_administrator.
  12. Click the Select an operator drop-down menu.
  13. Click is true.
  14. Click Apply.
  15. Click Execute query.

Results featuring admin users without multi-factor authentication appear.

⚠️

Save your work!

We recommend saving this query so you can refer to it in the future and also use it in the examples that follow.

Create widgets

A widget is based on a query and is customized to present all or some of the results of the query as a number, chart, or table. You can create as many widgets as you want based on a single query. Widgets are then used to populate dashboards.

To create a widget to track admin users without multi-factor authentication:

  1. Navigate to Surface Command > Saved queries.
  2. Click Edit query for the example Admin users without MFA query.
  3. Click Widgets.
  4. Toggle Use query for dashboard widgets on.
  5. Click Create a widget.
  6. Update the settings:
    1. Widget name: Admin users without MFA
    2. Widget description: Users that are administrators that do not have multi-factor authentication turned on.
    3. Type: Trend line
    4. Measure: Count
    5. Frequency: Daily, Last 30 days
    6. Dimensions: Multi Factor?
    7. Legend: Toggle on
  7. Click Save.

Create dashboards

Dashboards provide curated views of your environment using Widgets. Each team can have their own set of dashboards that present only the information they need to monitor. For example, you can create strategic dashboards to track high-level metrics and group-level tactical dashboards to help drive and prioritize day-to-day operations and tasks. You can use colors and sections to make it easier to see relevant data quickly.

To create a new dashboard to track at-risk users (like admins without MFA):

  1. Navigate to Surface Command > Dashboards.
  2. Click + Dashboard.
  3. Input a Dashboard Name. For example, At-risk Users.
  4. Click + Widgets.
  5. Search for the Admin users without MFA you created in the previous example.
  6. Click Add to dashboard.
  7. Add additional widgets as necessary.
  8. Click Save.

What’s next?

Understanding your Attack Surface and Security Program

With Exposure Command fully deployed and configured, you can now start evaluating your Attack Surface and Security Program holistically.

Review the documentation for those pages for details.

Installing more Connectors

Having deployed the core connectors, we encourage you to continue adding applicable connectors to expand your monitoring capabilities and enhance your overall Surface Command coverage. Visit the Connector Library for inspiration.

Using Surface Command workflows

Every third-party integration within our Connector ecosystem comes equipped with relevant functions and workflows. These pre-built templates serve as a ready-made toolkit, streamlining the integration process and catering to diverse needs, such as enrichment, notification, and remediation. This way, you can significantly expedite the integration of new tools or systems into existing workflows. Visit Workflows for more information.

Connecting with Rapid7

Support

If you run into any problems with Surface Command, search the documentation for solutions or contact Rapid7 Support through the customer portal.

Rapid7 Academy

The Rapid7 Academy holds training, webcasts, workshops, and more, all led by our Rapid7 experts.

  • On-demand training helps you get started with Rapid7 products, answers frequently asked questions, and recommends best practices.
  • Rapid7 Webcasts are hosted by Rapid7’s teams and provide a forum where customers can learn about best practices as well as what’s new in their Rapid7 products.
  • Virtual Instructor-Led Training Courses are live training sessions broken down by product and available for enrollment.
  • Certification Exams are product-specific exams to help you demonstrate your knowledge of using Rapid7’s solutions as a cybersecurity professional.
  • Product Workshops are Rapid7’s free trainings covering all products, and average about an hour in length.

Communications

To make sure you receive the Rapid7 communications that best suit your needs, set your communication preferences.

  • Whether it’s an emergent cybersecurity threat, a product update, or a notice of service degradation for maintenance, we’ll alert you with an in-product message to ensure you’re aware of all that affects your environment.
  • Rapid7’s research provides information on a variety of topics, such as cloud misconfigurations, vulnerability management, detection and response, application security, and more.
  • Rapid7’s blog offers conversational guidance and information from our security experts.

Communities

Rapid7 supports a range of open-source projects. Consider joining one of our Open-Source communities!

  • AttackerKB captures, highlights, and expands on security researcher knowledge to shed light on the specific conditions and characteristics that make a vulnerability exploitable and useful to attackers.
  • Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.
  • Metasploit empowers and arms defenders to stay one step ahead of the game by verifying vulnerabilities, managing security assessments, and improving security awareness.
  • Recog is a framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes.
  • Our customer advocacy program, Rapid7 Voice, provides you with a network of customers, offers the chance to deepen your security expertise, and provides the opportunity to share input on future product developments.