Quick Start Guide
Incident Command is the AI-native security operations platform within the Rapid7 Command Platform that provides a unified interface for detecting, investigating, and responding to security threats within your Security Operations Center (SOC). This Quick Start Guide outlines what to expect during, and how to approach, each phase of the Incident Command deployment process.
- Phase 1: Prepare for deployment: You’ll familiarize yourself with key Incident Command concepts, learn about Rapid7 capabilities, and set up your Command Platform account and roles.
- Phase 2: Get up and running: You’ll set up Attack Surface Management, SIEM (InsightIDR), Threat Intelligence (Intelligence Hub), and Automation (InsightConnect).
- Phase 3: Explore Incident Command: You’ll start to see data appear in Attack Surface Management and can use your dashboard to verify asset data availability and that connectors are functioning properly.
Phase 1: Prepare for deployment
To ensure you can get up and running with Incident Command as quickly as possible, it’s important to understand your new offering and the necessary deployment tasks as well as to create a plan for deployment.
Key Incident Command concepts and components
Before installing anything, it’s important to familiarize yourself with the various concepts and components that make up Incident Command:
- Connector - A software component that enables Attack Surface Management to collect data from an information source, such as vulnerability scanners, endpoint protection platforms, or cloud services. Each connector understands the API and data schema of its target source. Attack Surface Management provides connectors for most major tools and supports custom connectors for enterprise-specific systems. Learn more about connectors.
- Orchestrator - A software component deployed in your environment when Attack Surface Management cannot access an information source directly. Orchestrators collect data from internal or private cloud sources and can also execute actions. After deployment, orchestrators are paired to Attack Surface Management, and one or more connectors are assigned to them.
- Profile - A configuration that contains credentials and import feeds for a specific connector. A connector may have one or more profiles.
- Import Feed - A scheduled task that runs a specific data ingestion job. A connector may have multiple associated import feeds.
- Attack Surface - Divided into internal and external components. The internal surface includes assets and identities. The external surface includes IPs, domains, certificates, and services exposed to the internet. Attack Surface Management discovers external assets using domain and IP seeds. Learn more about your Attack Surface Management attack surface.
- Asset - Any network-connected device, such as a server, workstation, mobile device, or printer. Assets are created automatically when data is ingested from connectors.
- Identity - A user-based entity like a username, service account, or shared mailbox. Identities can be human or non-human.
- Seed - A discoverable domain, subdomain, CIDR, or IP used in external asset discovery to uncover certificates, services, and subdomains.
- Type - A schema that defines how data is structured for a specific kind of asset or identity. Each connector introduces its own types, which Attack Surface Management maps into standardized unified types (for example, Server, Identity, or Vulnerability). These unified types allow for cross-source correlation and query filtering. Explore unified properties.
- Query - A request written in Cypher or built using the graphical interface to retrieve data ingested by connectors. Queries cannot modify data but can be customized to extract specific insights. Prebuilt queries are available, and you can also create your own. Learn more about queries.
- Reference list - External data imported using Excel or CSV files that augments connector data. Use reference lists to enrich queries (for example, to correlate network zones with business units).
- Dashboard - A customizable interface that displays key metrics and insights using widgets. Dashboards help you monitor your security posture visually. Learn more about dashboards.
- Widget - A visual component that displays filtered results from a query using charts or graphs. Widgets can be customized to show counts, trends, or metrics. The default widgets on the Attack Surface Management home page provide asset counts by unified type and are not editable.
- Workflow - A repeatable software process that executes steps based on query results. Workflows can be triggered automatically or manually to drive consistent response actions. Learn more about workflows.
- Function - A reusable unit of code that interacts with remote systems to retrieve data or take action. Functions serve as the building blocks of workflows and are typically included with connector packages.
Rapid7 capabilities overview
Several capabilities are packaged with the Incident Command offering. For more information, review the various capability-oriented documentation:
Log in to the Command Platform
The Rapid7 Command Platform is your base within the ecosystem of Rapid7 cloud offerings, capabilities, and services. It provides a centralized location for administrative functions and makes navigating the platform simple. To log in to the platform, you need a Rapid7 Command Platform account.
Already have a Command Platform account?
If you already have a Command Platform account (formerly known as the Insight Platform) from a trial or existing subscription to another Rapid7 solution, you’re all set! Use your existing email address to log in at insight.rapid7.com/login.
To create an account:
- Check your corporate email inbox for an email from the Rapid7 Command Platform team.
- Visit insight.rapid7.com/login.
- Select Haven’t activated your account?
- Enter your corporate email address to receive an activation email with next steps. If you do not receive an activation email, reach out to your Customer Adoption Manager (CAM) or Customer Success Advisor (CSA).
- Refer to the activation email and follow the instructions to create and activate your Command Platform account.
Assign roles
Once you have a Command Platform account, you then need to assign yourself the following roles in order to use Incident Command effectively:
Capability | Role |
---|---|
Automation (InsightConnect) | Administrator (Shared) |
SIEM (InsightIDR) | SIEM Admin, Log Search Admin, Velociraptor Investigator (for Ultimate only) |
Attack Surface Management | Attack Surface Management Admin |
Threat Intelligence (Intelligence Hub) | Threat Intelligence Admin |
For a detailed overview of roles, review Manage Rapid7 users with role-based access control (RBAC).
Phase 2: Get up and running
After you have familiarized yourself with Incident Command, logged in to the Command Platform to confirm your account is set up properly, and assigned roles, you’re ready to get everything up and running!
Set up Attack Surface Management
To start unifying asset data across hybrid environments to break down silos and deliver a comprehensive, real-time view of your attack surface, you’ll need to set up Attack Surface Management. Follow the instructions in Get Started with Attack Surface Management (Surface Command) and then return to the Incident Command Quick Start Guide.
Set up SIEM (InsightIDR)
To start setting up your security center for incident detection and response, authentication monitoring, and endpoint visibility, you’ll need to set up SIEM (InsightIDR). Review the SIEM (InsightIDR) Overview and then return to the Incident Command Quick Start Guide.
Set up Threat Intelligence (Intelligence Hub)
To start receiving curated, high-fidelity threat intelligence directly within the Command Platform to enhance threat detection, investigation, and response, you’ll need to set up Threat Intelligence (Intelligence Hub). Review Welcome to Threat Intelligence (Intelligence Hub) and then return to the Incident Command Quick Start Guide.
Set up Automation (InsightConnect)
To start building automated workflows to handle security operations tasks, you’ll need to set up Automation (InsightConnect). Review Get Started with Automation (InsightConnect) and then return to the Incident Command Quick Start Guide.
Phase 3: Explore Incident Command
Now that you’re set up properly, you’ll use your default Detection & Response dashboard to verify your asset data availability and that connectors are functioning correctly. If your dashboard is empty, then no data is coming in. Repeat the steps in Phase 2: Get up and running. You can also check your coverage with the MITRE ATT&CK Coverage dashboard.
Connect with Rapid7
Support
If you run into any problems with Incident Command, search the documentation for solutions or contact Rapid7 Support through the customer portal.
Rapid7 Academy
The Rapid7 Academy holds training, webcasts, workshops, and more, all led by our Rapid7 experts.
- On-demand training helps you get started with Rapid7 products, answers frequently asked questions, and recommends best practices.
- Rapid7 Webcasts are hosted by Rapid7’s teams and provide a forum where you can learn about best practices as well as what’s new in your Rapid7 products.
- Virtual Instructor-Led Training Courses are live training sessions broken down by product and available for enrollment.
- Certification Exams are product-specific exams to help you demonstrate your knowledge of using Rapid7’s solutions as a cybersecurity professional.
- Product Workshops are Rapid7’s free training sessions covering all products, and are on average about an hour long.
Communications
To make sure you receive the Rapid7 communications that best suit your needs, set your communication preferences.
- Whether it’s an emergent cybersecurity threat, a product update, or a notice of service degradation for maintenance, we’ll alert you with an in-product message to ensure you’re aware of all that affects your environment.
- Rapid7’s research provides information on a variety of topics, such as cloud misconfigurations, vulnerability management, detection and response, application security, and more.
- Rapid7’s blog offers conversational guidance and information from our security experts.
Communities
Rapid7 supports a range of open-source projects. Consider joining one of our Open-Source communities!
- AttackerKB captures, highlights, and expands on security researcher knowledge to shed light on the specific conditions and characteristics that make a vulnerability exploitable and useful to attackers.
- Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.
- Metasploit empowers and arms defenders to stay one step ahead of the game by verifying vulnerabilities, managing security assessments, and improving security awareness.
- Recog is a framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes.
- Our customer advocacy program, Rapid7 Voice, provides you with a network of customers, offers the chance to deepen your security expertise, and provides the opportunity to share input on future product developments.