Free and Open Source Service Plugins

Automation (InsightConnect) offers a growing list of plugins built on free and open source software (FOSS) services. Use these plugins to enrich your data, automate your security processes, and customize your workflows without paying for licenses for these tools.

For tools you aren’t already familiar with or don’t use regularly, we recommend learning more about how you can incorporate these tools into your security processes. Follow the provided links for the service you’re interested in to determine whether the service is right for you.

To determine whether a plugin is right for your organization:

  • First, consider the services your organization and environment already use. They are likely to appear in the lists below.
  • Consider the kind of services you want to automate, and then review the categories and lists below to see if Automation (InsightConnect) already has plugins that meet your needs.
  • Consider the kind of information you would like to add to your security processes. Many of these plugins routinely check blacklists or offer threat intelligence to help you build robust artifacts.
  • Review the plugin documentation in Automation (InsightConnect) to learn about the triggers and actions available for that tool. New triggers and actions are added to plugins regularly, so check the in-product documentation to learn about the latest versions of each plugin.
  • Look up the tool in a search engine or follow any provided links below to learn more about the tool or community opinions.
  • Whenever possible, try using the tool or service outside of Automation (InsightConnect) first, and then think about how to integrate it into your workflows as an action step. For example, you can see how HaveIBeenPwned works by entering an email address at haveibeenpwned.com, or by entering an IP address at ipstack.com, and see the information these services provide.

If you’d like to help improve these plugins, the code is available at https://github.com/rapid7/insightconnect-plugins/. Your contributions to the community are welcome!

Scripting Tools

Write your own PowerShell or Python scripts and add them to Automation (InsightConnect) with these plugins to conduct custom actions.

  • PowerShell: Execute Microsoft PowerShell scripts, or run PowerShell commands supplied as strings, on a remote host. You need to have your own remote host set up to use this plugin.
  • Python 3 Script: Run custom Python 3 functions.
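As an added example that is not from this page or the plugin's own documentation, the following shows the shape of a custom action written for the Python 3 Script plugin: a function that sorts IP addresses handed in by earlier workflow steps into blocklist hits, internal addresses not worth an external lookup, clean addresses, and unparseable junk. The `run(params)` entry point and the `ips` and `blocklist` parameter names are assumptions to check against the in-product plugin documentation; the sample input is constructed.

```python
import ipaddress

# Address ranges that never merit an external reputation lookup. Listed
# explicitly rather than via ip.is_private, because Python also treats the
# RFC 5737 documentation ranges (used in the sample below) as private.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def run(params=None):
    """Entry point assumed for the Python 3 Script plugin: the plugin calls
    run() with the step's inputs and uses the returned dict as the step output.

    params["ips"]:       candidate IP strings from earlier steps (may contain junk)
    params["blocklist"]: CIDR strings, e.g. ["203.0.113.0/24"]
    """
    params = params or {}
    networks = []
    for cidr in params.get("blocklist") or []:
        try:
            networks.append(ipaddress.ip_network(cidr.strip(), strict=False))
        except ValueError:
            pass  # a malformed list entry should not abort the whole workflow

    result = {"matched": [], "clean": [], "internal": [], "invalid": []}
    for raw in params.get("ips") or []:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            result["invalid"].append(raw)
            continue
        # Membership tests across IPv4/IPv6 simply return False, so mixed
        # address families in one list are safe.
        if any(ip in net for net in _INTERNAL):
            result["internal"].append(str(ip))
        elif any(ip in net for net in networks):
            result["matched"].append(str(ip))
        else:
            result["clean"].append(str(ip))
    return result


# Constructed sample input, shaped like the parameters a workflow step passes.
SAMPLE_PARAMS = {
    "ips": ["203.0.113.45", "10.0.0.8", "198.51.100.7", "not-an-ip", "2001:db8::1"],
    "blocklist": ["203.0.113.0/24", "2001:db8::/32", "bad/cidr"],
}

if __name__ == "__main__":
    print(run(SAMPLE_PARAMS))
```

Returning the four buckets separately, rather than failing on the first bad entry, keeps a downstream enrichment step (an AbuseIPDB or IPinfo lookup, for example) from being fed private addresses or garbage that would waste API quota.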

Google Tools

If you use G Suite in your organization, you can use these plugins to help manage those apps with automation.

  • Google Docs: Create and edit Google documents with content you configure within Automation (InsightConnect). You can also retrieve Google Docs from your G Suite instance.
  • Google Sheets: Modify spreadsheets in your G Suite account. You can update specific cells, or push data to a Google Sheet starting at a given cell.
  • Google Drive: Retrieve, upload, modify, or find files in your organization’s Google Drive folders.
  • Google Safe Browsing: Look up a URL in the Google Safe Browsing service to learn whether it is flagged as malicious. You can check the URL against a variety of threat types, platforms, and other categories.
  • Google Search: Automatically run web searches through Google, then return URLs from a search or retrieve response pages from given URLs.
  • Google Rapid Response (GRR): GRR is an open-source incident response framework focused on remote live forensics. Through the Automation (InsightConnect) plugin you can gather information on clients, as well as label clients based on the searches you run.

IP Tools

These tools help you gain more insight into specific IP addresses. You can look up your own public IP or check addresses against publicly available blacklists.

  • AbuseIPDB: Report abusive IP addresses, or check IP addresses or CIDR ranges against the AbuseIPDB database.
  • ipify: Use the free ipify service to look up your public-facing IPv4 or IPv6 address.
  • IPinfo: Use IPinfo to look up an IP address and return information such as hostname, autonomous system number (ASN), geographic location, and other IP data.
  • IPintel: Look up intelligence on IP addresses for digital forensics and incident response (DFIR) with IPintel.
  • ipstack: Look up geographic information for an IP address using ipstack (formerly FreeGeoIP).
  • MyIP: Find your public routable IP address with the free MyIP service.
  • Snortlabslist: Check IP addresses against the Snort Labs IP Reputation blacklist. Snort Labs, now part of Cisco Talos Threat Intelligence, scores IP address reputations and maintains this list.
  • ZeuS Tracker: ZeuS is a widely used crimeware kit; ZeuS Tracker follows its command and control (C&C) hosts worldwide and maintains a domain and IP blocklist. You can use this plugin to look up ZeuS hosts and gather information about them.
  • Whois: Query WHOIS databases for the registered users or assignees of domain names, IP blocks, and other information. The Automation (InsightConnect) plugin uses the Linux WHOIS client to make these requests.

Networking and Device Scanning Tools

These plugins allow you to gather information and perform operations on your network traffic.

  • BHR (Black Hole Router): Manage router blocks with the BHR Site system.
  • Dumbno: If your organization uses Arista switches and needs to control elephant flows, divert a flow by modifying access control lists (ACLs) on an Arista switch with dumbno.
  • FreeIPA: If you run a Linux/UNIX environment and use FreeIPA as your integrated security information management solution, you can use this plugin to manage its users.
  • Tcpdump: Read the contents of packet capture (PCAP) files with the tcpdump command. Automation (InsightConnect) lets you read the dump contents as a string or as a file.
  • Tcpxtract: Extract files from captured network traffic with TCPxtract. The plugin takes the PCAP file as Base64-encoded input.
  • Chaosreader: Run Chaosreader on PCAP or snoop files to extract files and retrieve session details.
  • Shodan: Search for internet-connected devices in Shodan’s database.
  • Network Total: Analyze PCAP files to quickly detect malware. You can upload a file to Network Total’s public service or search for PCAPs by MD5 hash.
  • MxToolBox DNS: Use MxToolBox DNS to look up DNS and MX records for a domain, check IPs or hosts for reputation, and perform other DNS query actions.
  • Traceroute: Trace the route to a host by domain name or IP address and return the traceroute path.
  • Tshark: Analyze PCAP files with tshark, Wireshark’s command-line tool, to dump and analyze network traffic.
  • Netmiko: Simplify SSH management of network devices with Python. You can run Netmiko commands from Automation (InsightConnect).
  • Dig: Run forward or reverse DNS lookups with dig.
  • Nmap: Run a Network Mapper (nmap) scan on a network and return the results of the scan.
  • SMB: Interact with files on a remote Server Message Block (SMB) server.
  • Ifconfig.co: Look up public IP addresses and check TCP ports with ifconfig.co.
  • Ping: Ping a host by domain name or IP address to check for connectivity.
  • P0f: Run the p0f passive OS fingerprinting tool on a PCAP file to return information about the hosts in the traffic.
  • SSH: Use SSH to run a command on a remote server.
  • Syslog Forwarder: Forward messages to a syslog server.
  • Subnet: Retrieve subnet information, like subnetworks, subnet ID, hosts, and more, for a network in CIDR notation.
  • RPM: Get information about a software package with RPM.
  • URL Expander: Expand shortened URLs.
  • Finger: Query a finger daemon for user information.
  • FTP: Upload, download, or delete files between servers using File Transfer Protocol (FTP). Trigger workflows on file or directory changes.
  • Get URL: Download files by URL and trigger workflows on downloaded files.
  • REST: Make HTTP GET, POST, PUT, PATCH, and DELETE requests against REST APIs.
  • Typo Squatter: For a given domain, trigger a workflow when new certificates are issued, check for potential typosquatting domains, and get a phishing score.
  • Bluecoat Labs: Check a URL against Symantec Bluecoat Labs’ Site Reviewer service.

Malware Analysis

Use these plugins to perform malware analysis and learn more about malware in your environment.

  • Checkdmarc: Use Checkdmarc to check a domain’s SPF and DMARC records and return a report of the checks.
  • Hybrid Analysis: Look up file hashes for malware analysis results with Hybrid Analysis.
  • MalwareConfig: Search the MalwareConfig database for MD5 hashes, domains, IP addresses, and configurations to learn whether your search item appears in a known malware configuration.
  • Phishtank: Check a URL against the PhishTank clearing house feed.
  • SHAttered: Check a file against the SHAttered database for SHA-1 collisions.
  • VirusTotal Yara: Scan a file for malware with VirusTotal’s YARA implementation. You need to build or upload a rule file containing the string patterns to match against the suspicious file.
  • Team Cymru MHR: Look up files or hashes in the Team Cymru Malware Hash Registry.

Social Media and Content

Use these plugins to monitor your social media or content accounts and take action when needed.

  • Twitter: Trigger workflows when a flagged event occurs, like tweets of interest, messages received, mentions, or tweets from a specific user. You can also publish tweets, block users, or destroy messages.
  • WordPress: Manage user permissions for WordPress blogs. You can suspend or delete users from your WordPress instance.

Data Storage

Automation (InsightConnect) plugins support environments that use the following open source data storage solutions:

  • InfluxDB: If you use the InfluxDB open source time series database, you can use this plugin to perform checks, queries, and write operations against your instance of InfluxDB.
  • Redis: If you use Redis in-memory data storage, you can use this plugin to manage your database, perform operations, and retrieve relevant information from your data stores.
  • SQL: Perform a SQL query against a connected SQL database.

Data Visualization

Use these plugins to graph select metrics and better understand your data.

  • Graphite: Store and graph metrics with Graphite. You can find and return metrics along certain paths, retrieve raw metrics data, and render data as a graph.
  • Matplotlib: Graph or plot Base64-encoded CSV data using the Matplotlib, NumPy, Pandas, and Seaborn Python libraries.

The following plugins do not generate graphs themselves; they help you send data to a graphing tool such as Graphite, or manage the users of your Grafana instance.

  • Statsd: Send metrics to a StatsD daemon and perform operations on them with the Statsd plugin; StatsD can then forward the data to a graphing tool.
  • Grafana: If you use Grafana for analytics and data visualization, you can manage your organization’s Grafana users with this plugin.

Development Tools

These services help you develop and manage code. Use these Automation (InsightConnect) plugins to automate code backup, user provisioning, code-sharing, change management, and more.

  • BitBucket: Free for five users or fewer, BitBucket is Atlassian’s Git code management tool. In Automation (InsightConnect), you can trigger workflows on newly created issues, create issues, manage your repositories, and get user information from BitBucket.
  • Git: If you use git, you can modify files in your repositories from an Automation (InsightConnect) workflow.
  • GitHub: If you use GitHub, you can trigger workflows on newly created issues, as well as manage users, create issues, and retrieve repository details.
  • GitLab: GitLab manages the entire DevOps lifecycle in addition to code. In Automation (InsightConnect), you can trigger workflows on newly created issues, manage users, create issues, and manage user SSH keys.
  • Jenkins: Jenkins helps you automate your build and delivery processes. With the Jenkins plugin, you can start a build job or retrieve detailed build information.
  • TruffleHog: If you use git, you can use TruffleHog to search your commit history and branches for secrets that were accidentally committed.
  • Phabricator: The Phabricator suite of tools covers code review, task management, and project communication. In Automation (InsightConnect), you can perform operations on tasks and projects to automate your development process.
  • Docker Engine: Perform automated actions on your Docker containers with this plugin.

Malicious Behavior and Vulnerability Detection

Use these tools to scan for threats and check your organization or environment for vulnerabilities.

  • Elastalert: Trigger workflows on new alerts from an ElastAlert webhook. ElastAlert queries Elasticsearch to raise alerts on anomalies, spikes, and other patterns of interest.
  • ElasticSearch: Trigger workflows on new documents matching a query, execute search queries, check cluster health, and perform other document operations with the Elasticsearch distributed real-time search and analytics engine.
  • OpenVAS: Use the Open Vulnerability Assessment System (OpenVAS) to trigger workflows on completed scans and perform a variety of other scan operations on the OpenVAS server.
  • SQLmap: Test your backend databases for SQL injection and database takeover with SQLmap.
  • HaveIBeenPwned: Check whether a given email address has appeared in a breach, and learn which data breaches exposed it, with HaveIBeenPwned.
  • Rapid7 Metasploit: Trigger workflows on new Metasploit modules, search for exploits, or run Metasploit exploits.

Incident Response

These free and open source solutions allow you to respond to incidents in your organization.

  • OSSEC: Parse syscheck, rootcheck, and alert-type alerts from OSSEC, a host-based intrusion detection system (HIDS).
  • TheHive: Manage cases and gather user or case information from TheHive.
  • Wazuh OSSEC: Gain security visibility into your environment, improve compliance, and monitor infrastructure with Wazuh OSSEC, a security monitoring solution for threat detection, integrity monitoring, incident response, and compliance. In Automation (InsightConnect), you can retrieve agent data, run checks, and perform other OSSEC tasks.

Threat Intelligence and Information Sharing

Gather data from and contribute to information sharing communities and advance security knowledge for all.

  • Collective Intelligence Framework: Query observables and ping routers in the Collective Intelligence Framework threat intel management system.
  • CRITs: Fetch intelligence items or upload new information to the CRITs malware and threat repository.
  • Facebook Threat Exchange: Share, retrieve, and search for threat data with Facebook’s ThreatExchange platform.
  • Hippocampe: Search for and aggregate threat feed data for your organization. Hippocampe works alongside the other TheHive Project tools, TheHive and Cortex.
  • MISP: Trigger workflows on Malware Information Sharing Platform (MISP) events carrying specified tags. You can also contribute data to or retrieve data from MISP.
  • OpenPhish: Check URL reputations or trigger workflows on feed data from the fully automated OpenPhish phishing intelligence platform.
  • RSS: Monitor any RSS feed and trigger workflows on new security events discovered in the feed.
  • Cortex and Cortex V2: Analyze observables and gather threat intel with Cortex, the observable analysis engine from the TheHive Project.
  • Blockade: Send threat information to and gather intel from the Blockade Cloud Node. Blockade adds antivirus-like blocking to Chrome browsers that have the Blockade extension enabled.

Encryption and Encoding

Encode or decode data, or generate hashes.

  • Base64: Encode text or binary data to Base64, and decode Base64 back to the original data.
  • HashIt: Generate common hashes from text strings or file bytes.

Information Extraction

Use these plugins to extract information from strings or files.

  • Foremost: Carve files out of a disk image with Foremost. You can carve the following file types with Foremost: jpg, gif, png, bmp, avi, exe, mpg, mp4, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, cpp, and nts.
  • EML: Extract headers and file attachments from EML files. EML files are email messages, like those used in Microsoft Outlook or Apple Mail.
  • ExtractIt: Extract a variety of data types from a string or file, such as URLs, IP addresses, email addresses, MAC addresses, domain names, file paths, dates, Indicators of Compromise (IoCs), MD5 hashes, SHA1 hashes, SHA256 hashes, and SHA512 hashes.
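As an added example, not the ExtractIt plugin's own code, here is a small extractor of the kind these plugins implement, covering one point a report-handling workflow usually hits: indicators shared by analysts are often defanged (`hxxp://`, `[.]`, `[@]`), and the text has to be refanged before any pattern matches. The pattern set, the file-extension filter, and the sample report are constructed by the editor.

```python
import re

# Common defanging conventions in threat reports; undo them so the extracted
# indicators come out in usable form.
_REFANG = (
    (re.compile(r"\bhxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[@\]|\(@\)"), "@"),
    (re.compile(r"\[:\]"), ":"),
)

# The hash patterns rely on \b on both sides, so a 64-hex SHA-256 is not also
# reported as a 40- or 32-character substring.
_PATTERNS = {
    "urls": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "emails": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "domains": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# Bare "name.ext" tokens that the domain pattern would otherwise swallow.
_FILE_EXTENSIONS = {"exe", "dll", "pdf", "doc", "docx", "xls", "xlsx", "zip",
                    "txt", "js", "ps1", "vbs", "lnk"}


def refang(text):
    """Turn defanged indicators back into their literal form."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def _dedupe(items):
    return list(dict.fromkeys(items))  # keeps first-seen order


def extract_iocs(text):
    """Return a dict of indicator type -> ordered, de-duplicated list."""
    text = refang(text)
    found = {name: _dedupe(p.findall(text)) for name, p in _PATTERNS.items()}
    # Sentence punctuation glued onto a URL is not part of the URL.
    found["urls"] = _dedupe(u.rstrip(".,;:)") for u in found["urls"])
    found["domains"] = [d for d in found["domains"]
                        if d.rsplit(".", 1)[-1].lower() not in _FILE_EXTENSIONS]
    return found


# Constructed sample report text; the hashes are the MD5 and SHA-256 of the
# empty string, chosen only because they are well known.
SAMPLE_REPORT = """
Phishing mail from billing[@]evil-corp[.]example linked to hxxp://evil-corp[.]example/pay/invoice.exe
and the payload beaconed to 203[.]0[.]113[.]45:8443. Dropper md5 d41d8cd98f00b204e9800998ecf8427e,
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Internal host 10.0.0.8 was hit.
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind}: {values}")
```

Pure regex extraction is deliberately permissive: version strings look like IPv4 addresses and file names look like domains, so an extractor's output should be treated as candidates to enrich (with the IP and domain tools above), not as confirmed indicators.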

String Operations

Use these plugins to modify and process strings or run string operations using command line tools.

  • Awk: Process strings or files with the GNU awk programming language.
  • CEF: Create or parse Common Event Format (CEF) strings.
  • Diff: Run diff on two strings to see changes made to create the new string.
  • Grep: Use the grep command to match patterns in given strings or Base64 files.
  • Sed: Process strings or bytes of a Base64-encoded string with the sed GNU stream editor.
  • Uniq: Remove duplicate or repeated lines from data with the uniq command.
  • Pastebin: Trigger workflows on patterns of text pasted to Pastebin.com, scrape recent pastes, or post to Pastebin.
  • String Operations: Manipulate string data with Python 3 string methods. You can convert strings to lists of strings or objects, as well as convert letters between uppercase and lowercase.
  • Translate: Use the UNIX tr command to replace characters in string input.
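As an added example, separate from the CEF plugin's own code, here is a parser and builder for CEF records that honours the escaping rules the format requires: `|` and `\` are escaped in the seven header fields, `=` and `\` (plus `\n` and `\r`) are escaped in extension values, and extension values may contain spaces and unescaped pipes. The sample record is constructed.

```python
import re

# Header fields in order; everything after the seventh pipe is the extension.
_HEADER = ("version", "device_vendor", "device_product", "device_version",
           "signature_id", "name", "severity")


def _split_header(line):
    """Split the seven pipe-delimited header fields, honouring the header
    escapes '\\|' and '\\\\'. Returns (fields, raw_extension)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped '|' or '\': keep the literal
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, line[i:]


# key=value pairs. Values may contain spaces, but '=' and '\' inside a value
# must be escaped, so the next key is the first unescaped 'name=' after whitespace.
_EXT_PAIR = re.compile(
    r"([A-Za-z0-9_.-]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.-]+=|\s*$)", re.S)
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _unescape_ext(value):
    # Unknown escapes are left verbatim rather than silently dropped.
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(0)),
                  value, flags=re.S)


def parse_cef(line):
    """Parse one CEF record into a dict of header fields plus 'extension'.
    Severity is kept as the string the device sent (numeric or Low/High...)."""
    line = line.strip()
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, raw_ext = _split_header(line[len("CEF:"):])
    rec = dict(zip(_HEADER, fields))
    rec["version"] = int(rec["version"])
    rec["extension"] = {k: _unescape_ext(v) for k, v in _EXT_PAIR.findall(raw_ext)}
    return rec


def _esc_header(s):
    return str(s).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    return (str(s).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\n", "\\n").replace("\r", "\\r"))


def build_cef(rec):
    """Serialise a dict of the shape parse_cef() returns back into a CEF line."""
    header = "|".join(_esc_header(rec[k]) for k in _HEADER)
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in rec.get("extension", {}).items())
    return f"CEF:{header}|{ext}"


# Constructed record: pipes inside the vendor and name fields, an escaped '='
# in a URL, and literal backslashes in a free-text message.
SAMPLE_CEF = (r"CEF:0|Example Corp\|Labs|Web Gateway|2.1|100|Blocked URL http://a\|b|7|"
              r"src=10.0.0.8 dst=203.0.113.45 request=http://evil.example/?q\=1 "
              r"msg=User said \\hi\\ rt=1700000000000")

if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_CEF)
    print(parsed)
    print(build_cef(parsed) == SAMPLE_CEF)
```

Splitting on every `|` or every space is the usual shortcut, and it fails as soon as a product name or a URL inside a value contains the delimiter; the round trip through `build_cef` is a cheap check that a parser keeps such records intact.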

JSON Tools

Manage JSON content with these plugins.

  • JSON: Parse and transform JSON data using an extraction template.
  • JSON Edit: Update or delete JSON content by keyname.
  • jq: Filter JSON data with the jq command-line tool.

File Formats

Extract data from, create, or convert content between a variety of file formats.

  • PDF Generator: Create a .pdf file from text input.
  • PDF Reader: Extract text from a .pdf file.
  • Markdown: Convert HTML to Markdown, or Markdown to HTML or PDF.
  • TSV: Extract fields from a TSV (tab-separated value) file.
  • CSV: Extract fields from a CSV (comma-separated value) file, or convert CSV content to JSON.
  • HTML: Validate HTML files or convert HTML to Markdown, HTML5, PDF, EPUB, or DOCX file types.