Quick Start Guide
Exposure Command brings together several Rapid7 solutions, including Surface Command, External Attack Surface Management (EASM), InsightCloudSec, InsightVM, InsightConnect, and the Command Platform. This Quick Start Guide outlines what to expect during, and how to approach, each phase of the Exposure Command deployment process.
- Phase 1: Prepare for deployment: You'll familiarize yourself with key Exposure Command concepts and review the system requirements for a Surface Command Outpost
- Phase 2: Get up and running: You'll install any Surface Command Outposts (if applicable), set up your first set of connectors, and connect your External Assets
- Phase 3: Explore Surface Command: You'll start to see data appear in Surface Command and you'll learn how to create queries, widgets, and dashboards to start curating your desired perspective of your Attack Surface
Phase 1: Prepare for deployment
To ensure you can get up and running with Exposure Command as quickly as possible, it's important to understand your new product and the necessary deployment tasks as well as to create a plan for deployment.
Key Surface Command concepts and components
Before installing anything, it's important to familiarize yourself with the various concepts and components that make up Surface Command:
- Connectors - An interface that allows an information source to collect information about the objects in their environment. Each Connector interfaces with 1 information source. An information source is an existing system or data source that has information about any object of interest. Common information sources include vulnerability scanning tools, endpoint protection technologies, and cloud infrastructure, such as AWS, Azure, and GCP. Surface Command provides Connectors for most major security tools, but custom Connectors can be built for your enterprise-specific systems.
- Orchestrator - A server that can access and collect data from information sources and execute operations. An orchestrator is installed in the customer’s environment when the Surface Command platform cannot access an information source, such as an application behind a firewall, or when an application's APIs reside on a private cloud network. Once deployed, an orchestrator is paired to the platform. 1 or more Connectors are then assigned to the orchestrator.
- Data Zone - A defined area where the Connector operates, such as a specific network, physical location, or country. Surface Command uses data zones to manage distinct areas of your environment and correlates data from each data zone separately. This means Assets show only those relationships to other assets within the same data zone. You can configure a Connector to operate in multiple data zones. For example, a Connector is designed to ingest data from a Command Platform instance located in the USA data zone and a Command Platform instance located in the Europe data zone. Some types of data are considered global. For example, a vulnerability, such as a description of a CVE, is always in the global zone and accessible by a Connector in any data zone.
- Import Feed - A scheduled software job that performs a specific process like importing data from an information source. Connectors can have multiple associated Import Feeds.
- Asset - A representation of 1 or more data records that pertain to a single object in your environment. A data record can be for a physical object in your environment, such as a laptop, printer, or server. It can also be an object that is typically not considered an asset, such as a person, business application, or vulnerability. Surface Command creates the representations of assets automatically when data is ingested into the system by a Connector.
- Asset Type - Describes the structure of the data for a specific type of asset. Every data record is associated with an exact technical description of the structure and semantics of its properties. Each Connector defines its own set of asset types. Surface Command unifies all the asset types that pertain to the same class of object, such as a Machine or a Vulnerability, into a set of pre-defined unified asset types. For example, different information sources might provide information about a single device from the perspective of an EC2 Instance, CrowdStrike Device, SentinelOne Agent, and Tenable.io Asset. They all pertain to the same device and the unified asset type would be a Machine. You can use unified asset types, each information source’s asset types, or both when writing queries to select specific results. For more information on the Unified Asset Model, see Assets.
- Query - A tool used to select and display specific data that was ingested by Connectors. A query cannot add or change data. Some queries are included with Surface Command by default or included with a given Connector. You can also write your own queries to retrieve the data of interest to you. Queries are written in Cypher, which is a standards-based graph query language. Surface Command also provides a graphical interface for building basic queries without needing to understand Cypher.
- Dashboard - A user-created collection of widgets. You can use and organize dashboards to present and monitor any aspect of your security posture.
- Widget - A component that displays a specific dataset in a dashboard. A widget retrieves data from a query, filters the results to show specific data, and presents that data in a customized chart or graphic. You can configure the type of graph and how it calculates values. Since a widget filters the results from a query, you can have several different widgets based on a single query. The Surface Command home page has a set of pre-defined widgets, where each widget provides a count of assets of a specific unified type. These are not editable.
- Workflow - A set of steps that perform 1 or more actions driven by query results that define a repeatable process. You can associate workflows with queries to generate automatic responses to specific changes or invoke them manually as needed.
- Function - Code that interacts with a remote application or program to retrieve data or perform an action. It is used as a building block for workflows. When creating workflows, you can leverage functions and chain them together to achieve comprehensive operations. Functions are provided with the Connectors by default.
- Reference list - Enterprise or industry data that is not accessible by a Connector but is collected from Microsoft Excel (.xlsx) or CSV files. For example, it could be a spreadsheet that maps network addresses to physical locations or business owners. Reference lists let you combine this data with other information pulled from information sources when building queries.
Want more Surface Command details?
For a detailed overview of the Surface Command solution, review Surface Command Overview.
Rapid7 solutions overview
Several Rapid7 solutions are packaged with Exposure Command in addition to Surface Command. For more information, review the various solution-oriented documentation:
Review Insight Orchestrator requirements (if applicable)
You may not need to install an orchestrator, as it is only required in situations where a portion of your network is unavailable to Surface Command over the internet, such as when you have an on-prem system that you want to connect (for example, on-prem Active Directory, BigFix).
CentOS 7 orchestrator is no longer supported
On June 1, 2024, the CentOS 7 Insight Orchestrator reached end-of-life. As a result, orchestrators using this operating system will no longer receive security updates or patches from CentOS Linux.
To keep your environment secure, it is highly recommended that you install the new Ubuntu orchestrator or migrate to Ubuntu if you have existing CentOS 7 orchestrators in your environment.
Version requirements
The minimum version of the Insight Orchestrator required to support Surface Command connectors is v1.64.0.
Operating environment
The Insight Orchestrator runs as a virtualized machine on the following virtualization platforms:
- VirtualBox
- VMWare
- AWS (conversion to AMI needed)
VMWare version requirements
The orchestrator .ova requires SHA256 support. If you are a VMWare user, make sure you have a VMWare ESXi Server version number above 6.5.0.
If you need to convert the OVA for compatibility, visit the resource here: https://www.sonicwall.com/en-us/support/knowledge-base/180411180839044.
Required production hardware
The orchestrator requires the following resources:
- 4-core CPU
- 8GB+ available RAM
- 64-128GB available storage
Disk Space Requirements
You should provision at minimum 64GB of disk space for the orchestrator. The more workflows you intend to run, the more disk space you should allocate in advance.
Network connectivity requirements
Ensure that the following domains and ports are accessible to the orchestrator:
- {region}.api.connect.insight.rapid7.com - Replace the {region} section with the code for your area: us, us2, us3, eu, ap, ca, or au
- {region}.plugins.connect.insight.rapid7.com - Replace the {region} section with the code for your area: us, us2, us3, eu, ap, ca, or au
- Port 443 / TCP for HTTPS egress
- mirrors.fedoraproject.org (EPEL packages)
- download.docker.com (Docker packages)
- packagecloud.io (for nightly updates to the orchestrator)
If XFS is your current filesystem, the ftype setting must be correct for Docker. To check that you have this setting, run xfs_info / | grep ftype=1 | wc -l in a terminal window. The command should return 1. If it doesn't, your XFS filesystem is not compatible with our Docker installation.
When using the script installer with a RHEL 7 or 8 image, ensure SELinux is disabled or set to permissive mode.
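The following pre-flight script is an added example and is not part of Rapid7's documentation or tooling. It turns the connectivity and filesystem requirements above into checks you can run on the host before pairing an orchestrator: it derives the endpoint list from a region code, probes TCP/443 egress to each host, and applies the page's XFS ftype test to xfs_info output. The region codes and hostnames are the ones listed above; using nc for the reachability probe and the xfs_info output format are assumptions, and the sample xfs_info text is constructed.

```shell
#!/bin/sh
# Added example (not Rapid7's tooling): pre-flight checks for an Insight
# Orchestrator host, built from the requirements listed on this page.
# Assumptions: region codes and hostnames are the ones on this page; `nc` is
# available for the TCP probe; xfs_info prints "ftype=1" for a suitable volume.

# Print the hosts the orchestrator must reach for region code $1
# (us, us2, us3, eu, ap, ca or au). Returns 1 for an unknown code.
required_hosts() {
    region=$1
    case "$region" in
        us|us2|us3|eu|ap|ca|au) ;;
        *) echo "unknown region code: $region" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "${region}.api.connect.insight.rapid7.com" \
        "${region}.plugins.connect.insight.rapid7.com" \
        "mirrors.fedoraproject.org" \
        "download.docker.com" \
        "packagecloud.io"
}

# Same test as the page's one-liner (xfs_info / | grep ftype=1 | wc -l == 1),
# applied to xfs_info output read from stdin so it can be checked offline.
xfs_ftype_ok() {
    grep -q 'ftype=1'
}

# Probe TCP/443 egress to every required host; prints one line per host and
# returns 1 if any probe fails.
check_egress() {
    hosts=$(required_hosts "$1") || return 1
    rc=0
    for host in $hosts; do
        if nc -z -w 5 "$host" 443 >/dev/null 2>&1; then
            echo "ok   $host:443"
        else
            echo "FAIL $host:443"
            rc=1
        fi
    done
    return $rc
}

# Constructed xfs_info output (not captured from a real host) for the offline check.
SAMPLE_XFS_INFO='meta-data=/dev/sda1    isize=512    agcount=4, agsize=655360 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1'

# Live checks run only when ORCH_REGION is set: ORCH_REGION=eu sh preflight.sh
if [ -n "${ORCH_REGION:-}" ]; then
    check_egress "$ORCH_REGION"
    if command -v xfs_info >/dev/null 2>&1; then
        if xfs_info / | xfs_ftype_ok; then
            echo "ok   XFS ftype=1"
        else
            echo "FAIL XFS ftype is not 1; Docker needs ftype=1"
        fi
    else
        echo "skip xfs_info not found (root filesystem may not be XFS)"
    fi
fi
```

Run it on the prospective orchestrator host with ORCH_REGION set to your area code; a FAIL line for any of the Rapid7 endpoints or package mirrors means an egress rule or proxy still needs to be opened before the orchestrator can be paired.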
Software requirements
In order for Surface Command connectors to run using an Insight Orchestrator, Docker Community Edition (CE) is required for all supported operating systems. The virtual appliance will ensure Docker CE is already installed while the install script will ensure the necessary Yum or Apt repo is added and that Docker is installed for Ubuntu version 20.04 or 22.04 and RHEL version 7 or 8.
Supported container engines for Red Hat Enterprise Linux
Although Docker CE is not directly supported by Red Hat, it remains a system requirement for running Surface Command connectors on Red Hat Enterprise Linux and is the only container engine currently supported. The Red Hat Container Tools module
(such as Podman) is not a supported replacement for Docker CE, has not been known to work, and has not been tested by Rapid7.
Log in to the Command Platform
Already have a Command Platform account?
If you already have a Command Platform account (formerly known as the Insight Platform) from a trial or existing subscription to another Rapid7 solution, you’re all set! Use your existing email address to log in to https://insight.rapid7.com/login.
The Rapid7 Command Platform is your base within the ecosystem of Rapid7 cloud products and services. It provides a centralized location for administrative functions and makes navigating the Insight product suite simple. To log in to the platform, you need a Rapid7 Command Platform account.
To create an account:
- Check your corporate email inbox for an email from the Rapid7 Command Platform team.
- Visit insight.rapid7.com/login.
- Select Haven’t activated your account?.
- Enter your corporate email address to receive an activation email with next steps. If you do not receive an activation email, reach out to your Customer Adoption Manager (CAM) or Customer Success Manager (CSM).
- Refer to the activation email and follow the instructions to create and activate your Command Platform account
Phase 2: Get up and running
After you have familiarized yourself with Surface Command and Exposure Command, determined if you need an Outpost, and you've logged in to the Command Platform to confirm your account is set up properly, you're ready to get everything up and running!
Connect your Attack Surface
Surface Command offers many different Connectors, all of which are outlined on the Connector Library page. Rapid7 has organized Connectors into 5 categories to simplify the process of ensuring you have coverage across your entire Attack Surface. We recommend installing at least 1 Connector from each category:
| Category | Example Connectors |
|---|---|
| Asset Management | |
| Endpoint Detection & Response (EDR) / Endpoint Protection Platforms (EPP) | |
| Vulnerability Management | |
| Cloud Service Provider (CSP) / Cloud Security Posture Management (CSPM) | |
| Identity Management | |
When Surface Command is provisioned, your desired Connectors, including Rapid7 Connectors (and orchestrator, if applicable), are installed automatically by the Rapid7 deployment team. This means if you have any existing Rapid7 solutions, their data should appear in Surface Command with no additional configuration on your part. For additional Connector installations or help with Connectors, contact Support through the customer portal.
After you've confirmed that Connectors have been installed, you need to provide credentials in Surface Command and update any necessary settings. You may also want to verify your Import Feeds are scheduled to ensure data is coming properly.
Add Connector Credentials
For detailed information on interacting with Connectors, visit Connectors.
To add Connector credentials and update settings:
- Log in to the Command Platform.
- Navigate to Surface Command > Connectors.
- Search for a Connector, then click its corresponding card.
- Click Settings.
All configured Data Zones for the Connector appear. Click a Data Zone to expand the configuration details. Ensure the necessary Data Zones are turned on.
Verify Import Feeds
To verify Import Feeds:
- Log in to the Command Platform.
- Navigate to Surface Command > Import Feeds.
- Search for a Connector.
The Import Feeds results are filtered for the search string. Click Edit to adjust the schedule or Connector settings for the given Data Zone.
Connect your External Assets
Rapid7 External Attack Surface enables you to achieve better visibility of your externally accessible systems by scanning your complete connected attack surface.
How it works:
- First, you provide 1 or more known Seed Assets, which are systems that you know are externally accessible, such as a public web site domain name.
- After seed assets are entered, Rapid7’s External Asset Engine will use a combination of non-invasive methods to discover and spider the external surface of your organization and report discoveries and analysis.
Add your Seed Assets
The first step in gaining visibility into your External Attack Surface is to provide Seed Assets, or Seeds. Seeds are assets that you are aware of being externally accessible, such as the domain name of a public web site, or the IP Address of a server. On the Seeds page, you will see a brief introduction if you have never added Seeds before, or a list of Seed assets if you’ve added them in the past.
Supported Seed Types
- For IP addresses, only individual IPv4 addresses are supported. CIDR notation, IP ranges, or IPv6 addresses are not supported.
- For Domain names, only top-level domain names (TLDs) are supported. Subdomains are not supported.
The reason for these limitations is that Rapid7’s External Asset Engine requires only unique seed information to begin discovering your external assets. You should enter Seed Assets that represent the widely-known public-facing accessible surface of your organization, such as your main top-level domain, or IP addresses of highly visible servers or assets.
To add seeds:
- Navigate to Command Platform Home.
- In the left navigation menu, click External Attack Surface > Seeds.
- If your company has multiple Rapid7 Organizations, for example for multiple divisions or locations, ensure you select the correct Organization by using the drop-down next to the title. This will help keep your external attack surface findings appropriate for the given organization. If you only have one Organization, you can skip this step.
- To add a new Seed, click Add Seeds in the top right. You’ll see a dialog with an open text input, which allows you to easily enter or paste in up to 50 IP Addresses or root Domains to add as Seed assets.
Once Seed Assets are added, Rapid7’s External Asset Engine will begin scanning based on them immediately. You will begin to see discoveries populate in Discovered Assets within a few minutes.
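To apply the Supported Seed Types rules before pasting a list into the Add Seeds dialog, here is an added shell helper (example code, not Rapid7's own) that triages a candidate list: individual IPv4 addresses and root domains are kept, while CIDR blocks, IP ranges, IPv6 addresses and subdomains are flagged with a reason. The "root domain" test is a heuristic assumption (a name with exactly one dot), so names under multi-part public suffixes such as .co.uk will be flagged as subdomains and need a manual decision; the sample list is constructed.

```shell
#!/bin/sh
# Added example (not Rapid7's code): triage a candidate Seed list against the
# Supported Seed Types rules before pasting it into the Add Seeds dialog.
# Assumption: a root domain is a name with exactly one dot (example.com);
# names under multi-part public suffixes (example.co.uk) will be flagged as
# subdomains by this heuristic and need a manual decision.

# Return 0 if $1 is a single dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print one verdict for seed $1: ipv4, domain, reject-cidr, reject-range,
# reject-ipv6, reject-subdomain or reject-invalid.
classify_seed() {
    s=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$s" in
        */*) echo reject-cidr; return 0 ;;    # CIDR notation, e.g. 203.0.113.0/24
        *:*) echo reject-ipv6; return 0 ;;    # IPv6 literals are not accepted
    esac
    if is_ipv4 "$s"; then echo ipv4; return 0; fi
    case "$s" in
        *[!0-9.]*) ;;                         # has letters or hyphens: not purely numeric
        *) echo reject-invalid; return 0 ;;   # numeric but not a valid IPv4 (e.g. 256.1.1.1)
    esac
    if printf '%s' "$s" | grep -Eq '^[0-9.]+-[0-9.]+$'; then
        echo reject-range; return 0           # IP range, e.g. 203.0.113.1-203.0.113.50
    fi
    if ! printf '%s' "$s" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'; then
        echo reject-invalid; return 0         # not a syntactically valid hostname
    fi
    dots=$(printf '%s' "$s" | tr -cd '.' | wc -c | tr -d ' ')
    case "$dots" in
        1) echo domain ;;                     # root domain such as example.com
        *) echo reject-subdomain ;;           # heuristic: more than one label below the TLD
    esac
}

# Read seeds from stdin (one per line; blank lines and # comments ignored) and
# print "<verdict>\t<seed>" for each.
triage_seeds() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$(classify_seed "$line")" "$line"
    done
}

# Constructed sample list (not from any real environment).
SAMPLE_SEEDS='example.com
www.example.com          # subdomain: add the root domain instead
203.0.113.10
203.0.113.0/24
203.0.113.1-203.0.113.50
2001:db8::1
Example.ORG'

# Number of sample entries the dialog would accept (ipv4 or domain verdicts).
accepted_count() {
    printf '%s\n' "$SAMPLE_SEEDS" | triage_seeds \
        | awk -F '\t' '$1 == "ipv4" || $1 == "domain" { n++ } END { print n + 0 }'
}
```

Pipe your own list through triage_seeds, keep only the ipv4 and domain lines, and split the result into batches of 50 (for example with split -l 50) to match the dialog's paste limit; for each rejected CIDR or range, add the root domain or the individual addresses of the highly visible servers instead.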
Set up InsightCloudSec
To start seeing your cloud data integrated with Exposure Command, you'll need to set up InsightCloudSec. Follow the Getting Started Overview and then return to the Exposure Command Quick Start Guide.
Set up InsightVM
To start seeing your on-prem data and detailed vulnerabilities integrated with Exposure Command, you'll need to set up InsightVM. Follow the Quick Start Guide and then return to the Exposure Command Quick Start Guide.
Set up InsightConnect
To start building automated workflows to handle security operations tasks, you'll need to set up InsightConnect. Follow the Quick Start Guide and then return to the Exposure Command Quick Start Guide.
Phase 3: Explore Surface Command
Now that the most important data to you and to your Attack Surface is flowing into Surface Command, you should start querying your data and using dashboards and widgets.
Exploring your Attack Surface data
To access the Surface Command home page, log in to the Command Platform and click Surface Command from the Solutions list. The home page offers a quick glance at the total number of assets by type as well as recommended dashboards and queries that are relevant to your data. Click 1 of the asset widgets to open the Workspace filtered to the selected asset type. From the Workspace, you can create queries, widgets, and dashboards.
These 3 Surface Command components are the building blocks you can use to quickly and effectively understand your Attack Surface. The following sections contain examples for getting a dashboard set up to track admin users without multi-factor authentication turned on.
Create queries
Queries are created from the Workspace page and filter specific data from Connectors. You can query data using the interface or write queries in the Cypher query language. If you want information on querying your data using Cypher, check out Building Queries with Cypher.
To create a basic query using the interface:
- Navigate to Surface Command > Workspace.
- Click + Query.
- Select an asset to query for. For example: Asset, Vulnerability, or Exposure.
- Click Execute query.
To create a query to find admin users without multi-factor authentication:
- Navigate to Surface Command > Workspace.
- Click + Query.
- Search for User and select its card.
- Click Filter result.
- Click the Select a property drop-down menu.
- Search for mfa and select has_mfa.
- Click the Select an operator drop-down menu.
- Click is false.
- Click + to add another parameter.
- Click the Select a property drop-down menu.
- Search for admin and select is_administrator.
- Click the Select an operator drop-down menu.
- Click is true.
- Click Apply.
- Click Execute query.
Results featuring admin users without multi-factor authentication appear.
Save your work!
We recommend saving this query so you can refer to it in the future and also use it in the examples that follow.
Create widgets
A widget is based on a query and is customized to present all or some of the results of the query as a number, chart, or table. You can create as many widgets as you want based on a single query. Widgets are then used to populate dashboards.
To create a widget to track admin users without multi-factor authentication:
- Navigate to Surface Command > Saved queries.
- Click Edit query for the example Admin users without MFA query.
- Click Widgets.
- Toggle Use query for dashboard widgets on.
- Click Create a widget.
- Update the settings:
- Widget name: Admin users without MFA
- Widget description: Users that are administrators that do not have multi-factor authentication turned on.
- Type: Trend line
- Measure: Count
- Frequency: Daily, Last 30 days
- Dimensions: Multi Factor?
- Legend: Toggle on
- Click Save.
Create dashboards
Dashboards provide curated views of your environment using Widgets. Each team can have their own set of dashboards that present only the information they need to monitor. For example, you can create strategic dashboards to track high-level metrics and group-level tactical dashboards to help drive and prioritize day-to-day operations and tasks. You can use colors and sections to make it easier to see relevant data quickly.
To create a new dashboard to track at-risk users (like admins without MFA):
- Navigate to Surface Command > Dashboards.
- Click + Dashboard.
- Input a Dashboard Name. For example, At-risk Users.
- Click + Widgets.
- Search for the Admin users without MFA you created in the previous example.
- Click Add to dashboard.
- Add additional widgets as necessary.
- Click Save.
What's next?
Understanding your Attack Surface and Security Program
With Exposure Command fully deployed and configured, you can now start evaluating your Attack Surface and Security Program holistically.
Review the documentation for those pages for details.
Installing more Connectors
Having deployed the core connectors, we encourage you to continue adding applicable connectors to expand your monitoring capabilities and enhance your overall Surface Command coverage. Visit the Connector Library for inspiration.
Using Surface Command workflows
Every third-party integration within our Connector ecosystem comes equipped with relevant functions and workflows. These pre-built templates serve as a ready-made toolkit, streamlining the integration process and catering to diverse needs, such as enrichment, notification, and remediation. This way, you can significantly expedite the integration of new tools or systems into existing workflows. Visit Workflows for more information.
Connecting with Rapid7
Support
If you run into any problems with Surface Command, search the documentation for solutions or contact Rapid7 Support through the customer portal.
Rapid7 Academy
The Rapid7 Academy holds training, webcasts, workshops, and more, all led by our Rapid7 experts.
- On-demand training helps you get started with Rapid7 products, answers frequently-asked questions, and recommends best practices.
- Rapid7 Webcasts are hosted by Rapid7's teams and provide a forum where customers can learn about best practices as well as what’s new in their Rapid7 products.
- Virtual Instructor-Led Training Courses are live training sessions broken down by product and available for enrollment.
- Certification Exams are product-specific exams to help you demonstrate your knowledge of using Rapid7's solutions as a cybersecurity professional.
- Product Workshops are Rapid7's free trainings covering all products, and average about an hour long.
Communications
To make sure you receive the Rapid7 communications that best suit your needs, set your communication preferences.
- Whether it's an emergent cybersecurity threat, a product update, or a notice of service degradation for maintenance, we'll alert you with an in-product message to ensure you're aware of all that affects your environment.
- Rapid7's research provides information on a variety of topics, such as cloud misconfigurations, vulnerability management, detection and response, application security, and more.
- Rapid7's blog offers conversational guidance and information from our security experts.
Communities
Rapid7 supports a range of open-source projects. Consider joining one of our Open-Source communities!
- AttackerKB captures, highlights, and expands on security researcher knowledge to shed light on the specific conditions and characteristics that make a vulnerability exploitable and useful to attackers.
- Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.
- Metasploit empowers and arms defenders to stay one step ahead of the game by verifying vulnerabilities, managing security assessments, and improving security awareness.
- Recog is a framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes.
- Our customer advocacy program, Rapid7 Voice, provides you with a network of customers, offers the chance to deepen your security expertise, and provides the opportunity to share input on future product developments.