SIEM (InsightIDR)

SIEM (InsightIDR) is a security center for incident detection and response, authentication monitoring, and endpoint visibility. SIEM (InsightIDR) identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to scroll through thousands of data streams. You can access SIEM (InsightIDR) through Insight Homepage.

The SIEM (InsightIDR) plugin for Automation (InsightConnect) allows you to automate investigation and response in your environment to resolve alerts even quicker. Additionally, it allows you to retrieve and perform advanced queries on logs, manage investigations, and update threat feeds. To find out more about the plugin functionality, see the SIEM (InsightIDR) Extension Library listing.

To use the SIEM (InsightIDR) plugin you need to generate an API key in your Rapid7 Insight account.

Create a new SIEM (InsightIDR) API key

Follow the steps below to generate a new API key for your SIEM (InsightIDR).

  1. Open your SIEM (InsightIDR) home page and from the settings cog icon menu at the top right hand corner of the page select API Keys.

    Settings
  2. From the left-hand menu, select the type of API key: Organization Key or User Key.

    There are two types of API key: an organization key and a user key. An organization API key allows access to Insight product APIs and can only be generated by platform administrators. A user API key is associated with a single user and inherits all permissions of that user.

    In this example we are generating a User Key.

    Key types
  3. Once you have chosen the type of key, select New User Key.

    Create new user key
  4. From the organization dropdown, choose the organization you wish to create the API key for and type a name for the key. We recommend giving the key a meaningful name that indicates its purpose. Once done, click the Generate button.

    Generate
  5. You will now be shown your API key. Copy it and save it in your password manager. This API key will be required in the Automation (InsightConnect) connection configuration steps.

    API Key

Configure the SIEM (InsightIDR) connection in Automation (InsightConnect)

Now that you’ve created your API Key in SIEM (InsightIDR), you can configure the SIEM (InsightIDR) connection in Automation (InsightConnect) to use the plugin.

  1. In Automation (InsightConnect), open the connection configuration for the SIEM (InsightIDR) plugin.

    • You can do this when selecting the SIEM (InsightIDR) plugin during a workflow building session, or by creating the connection independently: choose Plugins & Tools from the Settings tab on the left menu, select the Connections tab on the Plugins & Tools page, and click Add Connection in the upper-right corner.

    Add connection in Automation (InsightConnect)
  2. Configure the connection for the SIEM (InsightIDR) plugin.

    • Give the connection a unique and identifiable name, select where the plugin should run, and choose the SIEM (InsightIDR) plugin from the list. If it’s not available, import the plugin from the Installed Plugins tab.
  3. Configure your SIEM (InsightIDR) credentials.

    • In the API Key field, select the credentials of an existing SIEM (InsightIDR) account or enter the API key for a newly created SIEM (InsightIDR) API user.
    • In the URL field, enter the full URL (e.g. https://us.api.insight.rapid7.com). The hostname depends on the region your account is hosted in; use your region code to determine the API endpoint: https://REGION_CODE.api.insight.rapid7.com. See Region Codes for more information.
SIEM (InsightIDR) Connection

Test your connection

When you save the connection, the connection test will attempt to authenticate to the specified SIEM (InsightIDR) instance. A blue circle on the Connection tile indicates that the Connection test is in progress.

In Progress

Successful connection test

If there is no circle, the connection succeeded and you’re ready to begin orchestrating your processes with SIEM (InsightIDR).

Success

Failed connection test

A red circle indicates that the connection test failed. If this occurs, check your connection details (the SIEM (InsightIDR) URL and API key) before trying again.

Failed

The log may contain useful troubleshooting information. First, click View to see a list of your recent connection tests.

View recent connection test

Under the Test Status tab, expand the dropdown for the test that encountered an error to view its log.

View connection log