Quick Start Guide

Exposure Command brings together several Rapid7 solutions, including Surface Command, External Attack Surface Management (EASM), InsightCloudSec, InsightVM, InsightConnect, and the Command Platform. This Quick Start Guide outlines what to expect during, and how to approach, each phase of the Exposure Command deployment process.

  • Phase 1: Prepare for deployment: You'll familiarize yourself with key Exposure Command concepts and review the system requirements for a Surface Command Outpost.
  • Phase 2: Get up and running: You'll install any Surface Command Outposts (if applicable), set up your first set of connectors, and connect your External Assets.
  • Phase 3: Explore Surface Command: You'll start to see data appear in Surface Command and you'll learn how to create queries, widgets, and dashboards to start curating your desired perspective of your Attack Surface.

Phase 1: Prepare for deployment

To ensure you can get up and running with Exposure Command as quickly as possible, it's important to understand your new product and the necessary deployment tasks as well as to create a plan for deployment.

Key Surface Command concepts and components

Before installing anything, it's important to familiarize yourself with the various concepts and components that make up Surface Command:

  • Connectors - An interface that allows an information source to collect information about the objects in their environment. Each Connector interfaces with 1 information source. An information source is an existing system or data source that has information about any object of interest. Common information sources include vulnerability scanning tools, endpoint protection technologies, and cloud infrastructure, such as AWS, Azure, and GCP. Surface Command provides Connectors for most major security tools, but custom Connectors can be built for your enterprise-specific systems.
    • Outpost - A remote Kubernetes Cluster that can access and collect data from information sources and execute operations. An Outpost is installed in the customer’s environment when the Surface Command platform cannot access an information source, such as an application behind a firewall, or when an application's APIs reside on a private cloud network. Once deployed, an Outpost is paired to the platform. 1 or more Connectors are then assigned to the Outpost.
    • Data Zone - A defined area where the Connector operates, such as a specific network, physical location, or country. Surface Command uses data zones to manage distinct areas of your environment and correlates data from each data zone separately. This means Assets show only those relationships to other assets within the same data zone. You can configure a Connector to operate in multiple data zones. For example, a Connector is designed to ingest data from a Command Platform instance located in the USA data zone and a Command Platform instance located in the Europe data zone. Some types of data are considered global. For example, a vulnerability, such as a description of a CVE, is always in the global zone and accessible by a Connector in any data zone.
    • Import Feed - A scheduled software job that performs a specific process like importing data from an information source. Connectors can have multiple associated Import Feeds.
  • Asset - A representation of 1 or more data records that pertain to a single object in your environment. A data record can be for a physical object in your environment, such as a laptop, printer, or server. It can also be an object that is typically not considered an asset, such as a person, business application, or vulnerability. Surface Command creates the representations of assets automatically when data is ingested into the system by a Connector.
    • Asset Type - Describes the structure of the data for a specific type of asset. Every data record is associated with an exact technical description of the structure and semantics of its properties. Each Connector defines its own set of asset types. Surface Command unifies all the asset types that pertain to the same class of object, such as a Machine or a Vulnerability, into a set of pre-defined unified asset types. For example, different information sources might provide information about a single device from the perspective of an EC2 Instance, CrowdStrike Device, SentinelOne Agent, and Tenable.io Asset. They all pertain to the same device and the unified asset type would be a Machine. You can use unified asset types, each information source’s asset types, or both when writing queries to select specific results. For more information on the Unified Asset Model, see Assets.
  • Query - A tool used to select and display specific data that was ingested by Connectors. A query cannot add or change data. Some queries are included with Surface Command by default or included with a given Connector. You can also write your own queries to retrieve the data of interest to you. Queries are written in Cypher, which is a standards-based graph query language. Surface Command also provides a graphical interface for building basic queries without needing to understand Cypher.
  • Dashboard - A user-created collection of widgets. You can use and organize dashboards to present and monitor any aspect of your security posture.
    • Widget - A component that displays a specific dataset in a dashboard. A widget retrieves data from a query, filters the results to show specific data, and presents that data in a customized chart or graphic. You can configure the type of graph and how it calculates values. Since a widget filters the results from a query, you can have several different widgets based on a single query. The Surface Command home page has a set of pre-defined widgets, where each widget provides a count of assets of a specific unified type. These are not editable.
  • Workflow - A set of steps that perform 1 or more actions driven by query results that define a repeatable process. You can associate workflows with queries to generate automatic responses to specific changes or invoke them manually as needed.
    • Function - Code that interacts with a remote application or program to retrieve data or perform an action. It is used as a building block for workflows. When creating workflows, you can leverage functions and chain them together to achieve comprehensive operations. Functions are provided with the Connectors by default.
  • Reference list - Enterprise or industry data that is not accessible by a Connector but is collected from Microsoft Excel (.xlsx) or CSV files. For example, it could be a spreadsheet that maps network addresses to physical locations or business owners. Reference lists let you combine this data with other information pulled from information sources when building queries.

Want more Surface Command details?

For a detailed overview of the Surface Command solution, review Surface Command Overview.

Rapid7 solutions overview

Several Rapid7 solutions are packaged with Exposure Command in addition to Surface Command. For more information, review the various solution-oriented documentation:

Review Surface Command Outpost requirements (if applicable)

You may not need to install an Outpost as it is only required in situations where a portion of your network is unavailable to Surface Command over the internet, such as when you have an on-prem system that you want to connect (for example, on-prem Active Directory, BigFix). Outposts can be installed on a Linux system or using an OVF file to create a bespoke virtual machine. If you are planning on installing the Outpost on a Linux system, the following requirements must be met:

  • Supported Operating Systems (OS)
    • CentOS 9
    • CentOS 8
    • Red Hat 9
    • Red Hat 8
    • Ubuntu 22.04 LTS
  • Recommended Specifications
    • 50GB disk space
    • 8GB RAM
    • 2 core CPU
  • Networking Requirements
    • The system does not require internet access for installation except for a connection to Surface Command
    • Outbound | 443
      • Support provides you with your unique fully-qualified domain name (FQDN) Surface Command URL

Additional requirements

In addition to the system and network requirements, Outpost installations require:

  • A user account with sudo permission.
  • System must not be on a 10.42.x.x or 10.43.x.x network. Kubernetes requires those ranges for its cluster and service, respectively.
  • Extensive use of the /var/ directory. The 50GB of storage space must be available for the /var/ folder if it is on a separate partition.
  • The /var/ directory must not be mounted to the filesystem as noexec.
  • You have permission to manage Outposts in Surface Command.
  • AWS EC2 Red Hat installation: There are 2 cloud networking services that must be disabled before running the installation. A reboot of the server is required after disabling the services:
      systemctl disable nm-cloud-setup.service
      systemctl disable nm-cloud-setup.timer
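
The Linux requirements above can be checked on the host before the Outpost installer is run. The script below is an added example, not Rapid7 code; the function names, the `--run` switch, and the RAM margin are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Rapid7 code: preflight checks for a Linux Outpost host.
# Thresholds come from the requirements listed above.

# Succeeds if IPv4 address $1 is in 10.42.x.x or 10.43.x.x (needed by Kubernetes).
in_reserved_range() {
    case "$1" in 10.42.*|10.43.*) return 0 ;; *) return 1 ;; esac
}

# Succeeds if the comma-separated mount options in $1 include noexec.
has_noexec() {
    case ",$1," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# Succeeds if os-release ID ($1) and VERSION_ID ($2) are on the supported list.
supported_os() {
    case "$1:${2%%.*}" in centos:8|centos:9|rhel:8|rhel:9) return 0 ;; esac
    [ "$1:$2" = "ubuntu:22.04" ]
}

# Prints one result line; a FAIL result makes preflight return non-zero.
result() {
    [ "$1" = FAIL ] && failed=1
    printf '%-4s %s\n' "$1" "$2"
}

preflight() {
    failed=0
    . /etc/os-release
    if supported_os "$ID" "$VERSION_ID"; then result PASS "OS: $ID $VERSION_ID"
    else result FAIL "OS: $ID $VERSION_ID is not on the supported list"; fi

    var_kb=$(df -Pk /var | awk 'NR == 2 { print $4 }')
    if [ "$var_kb" -ge $((50 * 1024 * 1024)) ]; then result PASS "/var: 50GB available"
    else result FAIL "/var: only $((var_kb / 1024 / 1024))GB available, 50GB required"; fi

    if has_noexec "$(findmnt -n -o OPTIONS -T /var)"; then
        result FAIL "/var: mounted noexec"
    else result PASS "/var: not mounted noexec"; fi

    # MemTotal is slightly below installed RAM, so allow a margin (assumption).
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    if [ "$mem_kb" -ge 7500000 ]; then result PASS "RAM: 8GB"
    else result WARN "RAM: $((mem_kb / 1024))MB, 8GB recommended"; fi

    if [ "$(nproc)" -ge 2 ]; then result PASS "CPU: 2 or more cores"
    else result WARN "CPU: fewer than 2 cores"; fi

    for addr in $(ip -4 -o addr show | awk '{ print $4 }'); do
        if in_reserved_range "${addr%%/*}"; then
            result FAIL "network: ${addr%%/*} is in a range reserved for Kubernetes"
        fi
    done

    # AWS EC2 Red Hat only: both units must be disabled before installing.
    for unit in nm-cloud-setup.service nm-cloud-setup.timer; do
        if systemctl is-enabled --quiet "$unit" 2>/dev/null; then
            result WARN "$unit is enabled; disable it and reboot on AWS EC2 Red Hat"
        fi
    done
    return "$failed"
}

# Run the checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

The outbound connection on port 443 is not tested here because the Surface Command FQDN is supplied by Support.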

Log in to the Command Platform

Already have a Command Platform account?

If you already have a Command Platform account (formerly known as the Insight Platform) from a trial or existing subscription to another Rapid7 solution, you’re all set! Use your existing email address to log in to https://insight.rapid7.com/login.

The Rapid7 Command Platform is your base within the ecosystem of Rapid7 cloud products and services. It provides a centralized location for administrative functions and makes navigating the Insight product suite simple. To log in to the platform, you need a Rapid7 Command Platform account.

To create an account:

  1. Check your corporate email inbox for an email from the Rapid7 Command Platform team.
  2. Visit insight.rapid7.com/login.
  3. Select Haven’t activated your account?.
  4. Enter your corporate email address to receive an activation email with next steps. If you do not receive an activation email, reach out to your Customer Adoption Manager (CAM) or Customer Success Manager (CSM).
  5. Refer to the activation email and follow the instructions to create and activate your Command Platform account.

Phase 2: Get up and running

After you have familiarized yourself with Surface Command and Exposure Command, determined if you need an Outpost, and you've logged in to the Command Platform to confirm your account is set up properly, you're ready to get everything up and running!

Connect your Attack Surface

Surface Command offers many different Connectors, all of which are outlined on the Connector Library page. Rapid7 has organized Connectors into 5 categories to simplify the process of ensuring you have coverage across your entire Attack Surface. We recommend installing at least 1 Connector from each category:

Category | Example Connectors
Asset Management | Microsoft Entra ID, Microsoft Active Directory, Microsoft InTune/Endpoints, Bigfix, Meraki, JAMF
Endpoint Detection & Response (EDR) / Endpoint Protection Platforms (EPP) | InsightIDR, CrowdStrike, SentinelOne, Azure Defender
Vulnerability Management | InsightVM, Qualys, Tenable
Cloud Service Provider (CSP) / Cloud Security Posture Management (CSPM) | InsightCloudSec, Wiz, AWS, Azure, GCP
Identity Management | Okta, Duo

When Surface Command is provisioned, your desired Connectors, including Rapid7 Connectors (and Outpost, if applicable), are installed automatically by the Rapid7 deployment team. This means if you have any existing Rapid7 solutions, their data should appear in Surface Command with no additional configuration on your part! For additional Connector installations or help with Connectors, contact Support through the customer portal.

After you've confirmed that Connectors have been installed, you need to provide credentials in Surface Command and update any necessary settings. You may also want to verify that your Import Feeds are scheduled to ensure data is coming in properly.

Add Connector Credentials

For detailed information on interacting with Connectors, visit Connectors.

To add Connector credentials and update settings:

  1. Log in to the Command Platform.
  2. Navigate to Surface Command > Connectors.
  3. Search for a Connector, then click its corresponding card.
  4. Click Settings.

All configured Data Zones for the Connector appear. Click a Data Zone to expand the configuration details. Ensure the necessary Data Zones are turned on.

Verify Import Feeds

To verify Import Feeds:

  1. Log in to the Command Platform.
  2. Navigate to Surface Command > Import Feeds.
  3. Search for a Connector.

The Import Feeds results are filtered for the search string. Click Edit to adjust the schedule or Connector settings for the given Data Zone.

Connect your External Assets

Rapid7 External Attack Surface enables you to achieve better visibility of your externally accessible systems by scanning your complete connected attack surface.

How it works:

  • First, you provide 1 or more known Seed Assets, which are systems that you know are externally accessible, such as a public web site domain name.
  • After seed assets are entered, Rapid7’s External Asset Engine will use a combination of non-invasive methods to discover and spider the external surface of your organization and report discoveries and analysis.

Add your Seed Assets

The first step in gaining visibility into your External Attack Surface is to provide Seed Assets, or Seeds. Seeds are assets that you know to be externally accessible, such as the domain name of a public web site, or the IP Address of a server. On the Seeds page, you will see a brief introduction if you have never added Seeds before, or a list of Seed assets if you’ve added them in the past.

Supported Seed Types

  • For IP addresses, only individual IPv4 addresses are supported. CIDR notation, IP ranges, or IPv6 addresses are not supported.
  • For Domain names, only top-level domain names (TLDs) are supported. Subdomains are not supported.

The reason for these limitations is that Rapid7’s External Asset Engine requires only unique seed information to begin discovering your external assets. You should enter Seed Assets that represent the widely-known public-facing accessible surface of your organization, such as your main top-level domain, or IP addresses of highly visible servers or assets.

To add seeds:

  1. Navigate to Command Platform Home.
  2. In the left navigation menu, click External Attack Surface > Seeds.
  3. If your company has multiple Rapid7 Organizations, for example for multiple divisions or locations, ensure you select the correct Organization by using the drop-down next to the title. This will help keep your external attack surface findings appropriate for the given organization. If you only have one Organization, you can skip this step.
  4. To add a new Seed, click Add Seeds in the top right. You’ll see a dialog with an open text input, which allows you to easily enter or paste in up to 50 IP Addresses or root Domains to add as Seed assets.

Once Seed Assets are added, Rapid7’s External Asset Engine will begin scanning based on them immediately. You will begin to see discoveries populate in Discovered Assets within a few minutes.
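
A seed list exported from an inventory can be checked against the supported seed types and the 50-entry limit before it is pasted into the dialog. The script below is an added example, not Rapid7 code; it assumes "top-level domain name" means a root domain such as example.com, and it uses a small constructed suffix list in place of the full Public Suffix List.

```shell
#!/bin/sh
# Added example, not Rapid7 code: pre-check a seed list before pasting it in.
# MULTI_SUFFIXES is a constructed sample; use the full Public Suffix List in practice.
MULTI_SUFFIXES="co.uk com.au co.jp"
MAX_SEEDS=50   # per Add Seeds dialog, as stated above

# Succeeds if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints "ipv4", "domain", or "reject: <reason>" for one candidate seed.
classify_seed() {
    seed=$1
    case "$seed" in
        "")          echo "reject: empty"; return ;;
        *:*)         echo "reject: IPv6 address or URL"; return ;;
        *[!0-9./-]*) ;;   # contains letters: checked as a domain name below
        */*)         echo "reject: CIDR notation"; return ;;
        *-*)         echo "reject: IP range"; return ;;
        *)           if is_ipv4 "$seed"; then echo "ipv4"
                     else echo "reject: malformed IPv4 address"; fi
                     return ;;
    esac
    name=$(printf '%s' "$seed" | tr 'A-Z' 'a-z')
    case "$name" in
        *[!a-z0-9.-]*|.*|*.|*..*) echo "reject: not a bare domain name"; return ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $name; IFS=$old_ifs
    parent=${name#*.}   # the name with its first label removed
    case " $MULTI_SUFFIXES " in
        *" $name "*)   echo "reject: public suffix, not a root domain"; return ;;
        *" $parent "*) echo "domain"; return ;;
    esac
    case $# in
        1) echo "reject: single label" ;;
        2) echo "domain" ;;
        *) echo "reject: subdomain" ;;
    esac
}

# Reads candidates from stdin (one per line); prints at most MAX_SEEDS accepted
# seeds to stdout and explains every rejected or deferred line on stderr.
filter_seeds() {
    kept=0
    while IFS= read -r line || [ -n "$line" ]; do
        verdict=$(classify_seed "$line")
        case "$verdict" in reject:*) echo "$line -> $verdict" >&2; continue ;; esac
        if [ "$kept" -ge "$MAX_SEEDS" ]; then
            echo "$line -> deferred: over $MAX_SEEDS seeds for one dialog" >&2
            continue
        fi
        kept=$((kept + 1)); echo "$line"
    done
}

# Constructed sample input.
filter_seeds <<'EOF'
example.com
www.example.com
192.0.2.10
192.0.2.0/24
EOF
```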

Set up InsightCloudSec

To start seeing your cloud data integrated with Exposure Command, you'll need to set up InsightCloudSec. Follow the Getting Started Overview and then return to the Exposure Command Quick Start Guide.

Set up InsightVM

To start seeing your on-prem data and detailed vulnerabilities integrated with Exposure Command, you'll need to set up InsightVM. Follow the Quick Start Guide and then return to the Exposure Command Quick Start Guide.

Set up InsightConnect

To start building automated workflows to handle security operations tasks, you'll need to set up InsightConnect. Follow the Quick Start Guide and then return to the Exposure Command Quick Start Guide.

Phase 3: Explore Surface Command

Now that the data most important to you and your Attack Surface is flowing into Surface Command, you should start querying your data and using dashboards and widgets.

Exploring your Attack Surface data

To access the Surface Command home page, log in to the Command Platform and click Surface Command from the Solutions list. The home page offers a quick glance at the total number of assets by type as well as recommended dashboards and queries that are relevant to your data. Click 1 of the asset widgets to open the Workspace filtered to the selected asset type. From the Workspace, you can create:

  • Queries
  • Widgets
  • Dashboards

These 3 Surface Command components are the building blocks you can use to quickly and effectively understand your Attack Surface. The following sections contain examples for getting a dashboard set up to track admin users without multi-factor authentication turned on.

Create queries

Queries are created from the Workspace page and filter specific data from Connectors. You can query data using the interface or write queries in the Cypher query language. If you want information on querying your data using Cypher, check out Building Queries with Cypher.

To create a basic query using the interface:

  1. Navigate to Surface Command > Workspace.
  2. Click + Query.
  3. Select an asset to query for. For example: Asset, Vulnerability, or Exposure.
  4. Click Execute query.

To create a query to find admin users without multi-factor authentication:

  1. Navigate to Surface Command > Workspace.
  2. Click + Query.
  3. Search for User and select its card.
  4. Click Filter result.
  5. Click the Select a property drop-down menu.
  6. Search for mfa and select has_mfa.
  7. Click the Select an operator drop-down menu.
  8. Click is false.
  9. Click + to add another parameter.
  10. Click the Select a property drop-down menu.
  11. Search for admin and select is_administrator.
  12. Click the Select an operator drop-down menu.
  13. Click is true.
  14. Click Apply.
  15. Click Execute query.

Results featuring admin users without multi-factor authentication appear.

Save your work!

We recommend saving this query so you can refer to it in the future and also use it in the examples that follow.

Create widgets

A widget is based on a query and is customized to present all or some of the results of the query as a number, chart, or table. You can create as many widgets as you want based on a single query. Widgets are then used to populate dashboards.

To create a widget to track admin users without multi-factor authentication:

  1. Navigate to Surface Command > Saved queries.
  2. Click Edit query for the example Admin users without MFA query.
  3. Click Widgets.
  4. Toggle Use query for dashboard widgets on.
  5. Click Create a widget.
  6. Update the settings:
    1. Widget name: Admin users without MFA
    2. Widget description: Users that are administrators that do not have multi-factor authentication turned on.
    3. Type: Trend line
    4. Measure: Count
    5. Frequency: Daily, Last 30 days
    6. Dimensions: Multi Factor?
    7. Legend: Toggle on
  7. Click Save.

Create dashboards

Dashboards provide curated views of your environment using Widgets. Each team can have their own set of dashboards that present only the information they need to monitor. For example, you can create strategic dashboards to track high-level metrics and group-level tactical dashboards to help drive and prioritize day-to-day operations and tasks. You can use colors and sections to make it easier to see relevant data quickly.

To create a new dashboard to track at-risk users (like admins without MFA):

  1. Navigate to Surface Command > Dashboards.
  2. Click + Dashboard.
  3. Input a Dashboard Name. For example, At-risk Users.
  4. Click + Widgets.
  5. Search for the Admin users without MFA widget you created in the previous example.
  6. Click Add to dashboard.
  7. Add additional widgets as necessary.
  8. Click Save.

What's next?

Understanding your Attack Surface and Security Program

With Exposure Command fully deployed and configured, you can now start evaluating your Attack Surface and Security Program holistically.

Review the documentation for those pages for details.

Installing more Connectors

Having deployed the core connectors, we encourage you to continue adding applicable connectors to expand your monitoring capabilities and enhance your overall Surface Command coverage. Visit the Connector Library for inspiration.

Using Surface Command workflows

Every third-party integration within our Connector ecosystem comes equipped with relevant functions and workflows. These pre-built templates serve as a ready-made toolkit, streamlining the integration process and catering to diverse needs, such as enrichment, notification, and remediation. This way, you can significantly expedite the integration of new tools or systems into existing workflows. Visit Workflows for more information.

Connecting with Rapid7

Support

If you run into any problems with Surface Command, search the documentation for solutions or contact Rapid7 Support through the customer portal.

Rapid7 Academy

The Rapid7 Academy holds training, webcasts, workshops, and more, all led by our Rapid7 experts.

  • On-demand training helps you get started with Rapid7 products, answers frequently-asked questions, and recommends best practices.
  • Rapid7 Webcasts are hosted by Rapid7's teams and provide a forum where customers can learn about best practices as well as what’s new in their Rapid7 products.
  • Virtual Instructor-Led Training Courses are live training sessions broken down by product and available for enrollment.
  • Certification Exams are product-specific exams to help you demonstrate your knowledge of using Rapid7's solutions as a cybersecurity professional.
  • Product Workshops are Rapid7's free trainings on all things, all products; they average about an hour long.

Communications

To make sure you receive the Rapid7 communications that best suit your needs, set your communication preferences.

  • Whether it's an emergent cybersecurity threat, a product update, or a notice of service degradation for maintenance, we'll alert you with an in-product message to ensure you're aware of all that affects your environment.
  • Rapid7's research provides information on a variety of topics, such as cloud misconfigurations, vulnerability management, detection and response, application security, and more.
  • Rapid7's blog offers conversational guidance and information from our security experts.

Communities

Rapid7 supports a range of open-source projects. Consider joining one of our Open-Source communities!

  • AttackerKB captures, highlights, and expands on security researcher knowledge to shed light on the specific conditions and characteristics that make a vulnerability exploitable and useful to attackers.
  • Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.
  • Metasploit empowers and arms defenders to stay one step ahead of the game by verifying vulnerabilities, managing security assessments, and improving security awareness.
  • Recog is a framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes.
  • Our customer advocacy program, Rapid7 Voice, provides you with a network of customers, offers the chance to deepen your security expertise, and provides the opportunity to share input on future product developments.