InsightIDR is a security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to scroll through thousands of data streams. You can access InsightIDR through Insight Homepage.
The InsightIDR plugin for InsightConnect allows you to automate investigation and response in your environment to resolve alerts even quicker. Additionally, it allows you to retrieve and perform advanced queries on logs, manage investigations, and update threat feeds. To find out more about the plugin functionality, see the InsightIDR Extension Library listing.
To use the InsightIDR plugin you need to generate an API key in your Rapid7 Insight account.
Create a new InsightIDR API key
Follow the below steps to generate a new API key for you InsightIDR.
Open your InsightIDR home page and from the settings cog icon menu at the top right hand corner of the page select API Keys.
From the left hand menu, select type of the API Key Organization Key or User Key.
Please note, there are two types of available API keys - organization key or user key. An organization API key allows access to Insight product APIs, and can only be generated by platform administrators. The user API key is associated with a single user and inherits all permissions of that user.
In this example we are generating a User Key.
Once you chose the type of key, you can select New User Key.
From the organization dropdown choose the organization you wish to create the API Key for and type the name of the key - we recommend giving the key a meaningful name that will indicate its purpose. Once done, click on the Generate button.
You will now be shown your API key. Copy it and save it in your password manager. This API key will be required in the InsightConnect connection configuration steps.
Configure the InsightIDR connection in InsightConnect
Now that you’ve created your API Key in InsightIDR, you can configure the InsightIDR connection in InsightConnect to use the plugin.
- In InsightConnect, open the connection configuration for the InsightIDR plugin.
- You can do this when selecting the InsightIDR plugin during a workflow building session, or by creating the connection independently by choosing Plugins & Tools from the Settings tab on the left menu. On the Plugins & Tools page, select the Connections tab and click Add Connection in the upper-right corner.
Configure the connection for the InsightIDR plugin.
- Give the connection a unique and identifiable name, select the orchestrator the plugin should run on, and choose the InsightIDR plugin from the list. If it’s not available, import the plugin from the Installed Plugins tab.
Configure your InsightIDR credentials.
- In the API Key field, select credentials to an existing InsightIDR account or enter the API Key for a newly created InsightIDR API user.
- In the URL field enter the full URL (e.g.
https://us.api.insight.rapid7.com), please note that the region will change depending of where you're based. Use the region code to determine your API endpoint: https://REGION_CODE.api.insight.rapid7.com. See Region Codes for more information.
Test your connection
When you save the connection, the connection test will attempt to authenticate to the specified InsightIDR instance. A blue circle on the Connection tile indicates that the Connection test is in progress.
Successful connection test
If there is no circle, the connection succeeded and you're ready to begin orchestrating your processes with InsightIDR.
Failed connection test
A red circle indicates that the connection test failed. If this occurs, check your connection details (including the Check Point NGFW URL, username, and password) before trying again.
The log may contain useful troubleshooting information. First, click View to see a list of your recent connection tests.
Under the Test Status tab, expand the dropdown for the test that encountered an error to view its log.