Quick Start Guide

Before installing anything, it's important to familiarize yourself with the various concepts and components that make up Surface Command:

• Connectors - An interface that allows an information source to collect information about the objects in their environment. Each Connector interfaces with 1 information source. An information source is an existing system or data source that has information about any object of interest. Common information sources include vulnerability scanning tools, endpoint protection technologies, and cloud infrastructure, such as AWS, Azure, and GCP. Surface Command provides Connectors for most major security tools, but custom Connectors can be built for your enterprise-specific systems.
  • Orchestrator - A server that can access and collect data from information sources and execute operations. An orchestrator is installed in the customer’s environment when the Surface Command platform cannot access an information source, such as an application behind a firewall, or when an application's APIs reside on a private cloud network. Once deployed, an orchestrator is paired to the platform. 1 or more Connectors are then assigned to the orchestrator.
  • Data Zone - A defined area where the Connector operates, such as a specific network, physical location, or country. Surface Command uses data zones to manage distinct areas of your environment and correlates data from each data zone separately. This means Assets show only those relationships to other assets within the same data zone. You can configure a Connector to operate in multiple data zones. For example, a Connector is designed to ingest data from a Command Platform instance located in the USA data zone and a Command Platform instance located in the Europe data zone. Some types of data are considered global. For example, a vulnerability, such as a description of a CVE, is always in the global zone and accessible by a Connector in any data zone.
  • Import Feed - A scheduled software job that performs a specific process like importing data from an information source. Connectors can have multiple associated Import Feeds.
• Asset - A representation of 1 or more data records that pertain to a single object in your environment. A data record can be for a physical object in your environment, such as a laptop, printer, or server. It can also be an object that is typically not considered an asset, such as a person, business application, or vulnerability. Surface Command creates the representations of assets automatically when data is ingested into the system by a Connector.
  • Asset Type - Describes the structure of the data for a specific type of asset. Every data record is associated with an exact technical description of the structure and semantics of its properties. Each Connector defines its own set of asset types. Surface Command unifies all the asset types that pertain to the same class of object, such as a Machine or a Vulnerability, into a set of pre-defined unified asset types. For example, different information sources might provide information about a single device from the perspective of an EC2 Instance, CrowdStrike Device, SentinelOne Agent, and Tenable.io Asset. They all pertain to the same device and the unified asset type would be a Machine. You can use unified asset types, each information source’s asset types, or both when writing queries to select specific results. For more information on the Unified Asset Model, see Assets.
• Query - A tool used to select and display specific data that was ingested by Connectors. A query cannot add or change data. Some queries are included with Surface Command by default or included with a given Connector. You can also write your own queries to retrieve the data of interest to you. Queries are written in Cypher, which is a standards-based graph query language. Surface Command also provides a graphical interface for building basic queries without needing to understand Cypher.
• Dashboard - A user-created collection of widgets. You can use and organize dashboards to present and monitor any aspect of your security posture.
  • Widget - A component that displays a specific dataset in a dashboard. A widget retrieves data from a query, filters the results to show specific data, and presents that data in a customized chart or graphic. You can configure the type of graph and how it calculates values. Since a widget filters the results from a query, you can have several different widgets based on a single query. The Surface Command home page has a set of pre-defined widgets, where each widget provides a count of assets of a specific unified type. These are not editable.
• Workflow - A set of steps that perform 1 or more actions driven by query results that define a repeatable process. You can associate workflows with queries to generate automatic responses to specific changes or invoke them manually as needed.
  • Function - Code that interacts with a remote application or program to retrieve data or perform an action. It is used as a building block for workflows. When creating workflows, you can leverage functions and chain them together to achieve comprehensive operations. Functions are provided with the Connectors by default.
• Reference list - Enterprise or industry data that is not accessible by a Connector but is collected from Microsoft Excel (.xlsx) or CSV files. For example, it could be a spreadsheet that maps network addresses to physical locations or business owners. Reference lists let you combine this data with other information pulled from information sources when building queries.

Several Rapid7 solutions are packaged with Exposure Command in addition to Surface Command. For more information, review the various solution-oriented documentation:

• InsightCloudSec
• InsightIDR
• InsightVM
• InsightConnect
• Command Platform

You may not need to install an orchestrator, as it is only required in situations where a portion of your network is unavailable to Surface Command over the internet, such as when you have an on-prem system that you want to connect (for example, on-prem Active Directory, BigFix).

Version requirements

The minimum version of the Insight Orchestrator required to support Surface Command connectors is v1.64.0.

Operating environment

The Insight Orchestrator runs as a virtualized machine on the following virtualization platforms:

• VirtualBox
• VMWare
• AWS (conversion to AMI needed)

Required production hardware

The orchestrator requires the following resources:

• 4-core CPU
• 8GB+ available RAM
• 64-128GB available storage

Network connectivity requirements

Ensure that the following domains and ports are accessible to the orchestrator:

• {region}.api.connect.insight.rapid7.com
  • Replace the {region} section with the code for your area: us,us2,us3, eu, ap, ca, or au
• {region}.plugins.connect.insight.rapid7.com
  • Replace the {region} section with the code for your area: us,us2,us3, eu, ap, ca, or au
• Port 443 / TCP for HTTPS egress
• mirrors.fedoraproject.org (EPEL packages)
• download.docker.com(Docker packages)
• packagecloud.io (For nightly updates to the orchestrator)

If XFS is your current filesystem, the ftype setting must be correct for Docker. To check that you have this setting, run xfs_info / | grep ftype=1 | wc -l in a terminal window. The command should return 1. If it doesn't, your XFS filesystem is not compatible with our Docker installation.

When using the script installer with a RHEL 7 or 8 image, ensure SELinux is disabled or set to permissive mode.

Software requirements

In order for Surface Command connectors to run using an Insight Orchestrator, Docker Community Edition (CE) is required for all supported operating systems. The virtual appliance will ensure Docker CE is already installed while the install script will ensure the necessary Yum or Apt repo is added and that Docker is installed for Ubuntu version 20.04 or 22.04 and RHEL version 7 or 8.

The Rapid7 Command Platform is your base within the ecosystem of Rapid7 cloud products and services. It provides a centralized location for administrative functions and makes navigating the Insight product suite simple. To log in to the platform, you need a Rapid7 Command Platform account.

To create an account:

1. Check your corporate email inbox for an email from the Rapid7 Command Platform team.
2. Visit insight.rapid7.com/login.
3. Select Haven’t activated your account?.
4. Enter your corporate email address to receive an activation email with next steps. If you do not receive an activation email, reach out to your Customer Adoption Manager (CAM) or Customer Success Manager (CSM).
5. Refer to the activation email and follow the instructions to create and activate your Command Platform account

Surface Command offers many different Connectors, all of which are outlined on the Connector Library page. Rapid7 has organized Connectors into 5 categories to simplify the process of ensuring you have coverage across your entire Attack Surface. We recommend installing at least 1 Connector from each category:

When Surface Command is provisioned, your desired Connectors, including Rapid7 Connectors (and orchestator, if applicable), are installed automatically by the Rapid7 deployment team. This means if you have any existing Rapid7 solutions, their data should appear in Surface Command with no additional configuration on your part. For additional Connector installations or help with Connectors, contact Support through the customer portal.

After you've confirmed that Connectors have been installed, you need to provide credentials in Surface Command and update any necessary settings. You may also want to verify your Import Feeds are scheduled to ensure data is coming properly.

Add Connector Credentials

For detailed information on interacting with Connectors, visit Connectors.

To add Connector credentials and update settings:

1. Log in to the Command Platform.
2. Navigate to Surface Command > Connectors.
3. Search for a Connector, then click its corresponding card.
4. Click Settings.

All configured Data Zones for the Connector appear. Click a Data Zone to expand the configuration details. Ensure the necessary Data Zones are turned on.

Verify Import Feeds

To verify Import Feeds:

1. Log in to the Command Platform.
2. Navigate to Surface Command > Import Feeds.
3. Search for a Connector.

The Import Feeds results are filtered for the search string. Click Edit to adjust the schedule or Connector settings for the given Data Zone.

Rapid7 External Attack Surface enables you to achieve better visibility of your externally accessible systems by scanning your complete connected attack surface.

How it works:

• First, you provide 1 or more known Seed Assets, which are systems that you know are externally accessible, such as a public web site domain name.
• After seed assets are entered, Rapid7’s External Asset Engine will use a combination of non-invasive methods to discover and spider the external surface of your organization and report discoveries and analysis.

Add your Seed Assets

The first step in gaining visibility into your External Attack Surface is to provide Seed Assets, or Seeds. Seeds are assets that you are aware of being externally accessible, such as the domain name of a public web site, or the IP Address of a server. On the Seeds page, you will see a brief introduction if you have never added Seeds before, or a list of Seed assets if you’ve added them in the past.

To add seeds:

1. Navigate to Command Platform Home.
2. In the left navigation menu, click External Attack Surface > Seeds.
3. If your company has multiple Rapid7 Organizations, for example for multiple divisions or locations, ensure you select the correct Organization by using the drop-down next to the title. This will help keep your external attack surface findings appropriate for the given organization. If you only have one Organization, you can skip this step.
4. To add a new Seed, click Add Seeds in the top right. You’ll see a dialog with an open text input, which allows you to easily enter or paste in up to 50 IP Addresses or root Domains to add as Seed assets.

Once Seed Assets are added, Rapid7’s External Asset Engine will begin scanning based on them immediately. You will begin to see discoveries populate in Discovered Assets within a few minutes.

To start seeing your cloud data integrated with Exposure Command, you'll need to set up InsightCloudSec. Follow the Getting Started Overview and then return to the Exposure Command Quick Start Guide.

To start seeing your on-prem data and detailed vulnerabilities integrated with Exposure Command, you'll need to set up InsightVM. Follow the Quick Start Guide and then return to the Exposure Command Quick Start Guide.

To start building automated workflows to handle security operations tasks, you'll need to set up InsightConnect. Follow the Quick Start Guide and then return to the Exposure Command Quick Start Guide.

To access the Surface Command home page, log in to the Command Platform and click Surface Command from the Solutions list. The home page offers a quick glance at the total number of assets by type as well as recommended dashboards and queries that are relevant to your data. Click 1 of the asset widgets to open the Workspace filtered to the selected asset type. From the Workspace, you can create:

• Queries
• Widgets
• Dashboards

These 3 Surface Command components are the building blocks you can use to quickly and effectively understand your Attack Surface. The following sections contain examples for getting a dashboard set up to track admin users without multi-factor authentication turned on.