Threats

Threats can be used to track indicators of compromise (IOCs). You can create your own threats or use Rapid7 or other community threats to add to your defenses.

IOCs may be a known bad IP address, domain, or URL for which you want to be notified if someone in the organization accesses it. A threat in SIEM (InsightIDR) can also be a hash for which you want to be notified if someone runs it.

To protect your environment, learn how to utilize existing threats or add your own threats.

To see how other organizations utilize threats, or to see other Rapid7 recommendations, you can Subscribe to Community Threats.

Threat Updates

New threat updates may take up to one hour to appear in Legacy Detection Rules.

Threat APIs

SIEM (InsightIDR) has an updated API you can use to interact with threats by adding and replacing indicators. To use this API, you must generate a threat key to identify the threat and apply the indicator action.

Generate the Threat Key

When configuring threats, you’ll see the Threat API Key field in the bottom right corner. To generate the threat key:

  1. Log in to your account in SIEM (InsightIDR). Click Intelligence in the left menu. Navigate to SIEM > Detection Rules.
  2. Click the Community Threats tab. You will see your threat feed, which consists of subscribed threats or your own threats.
  3. Find the threat you want to generate a new key for, and click View.
  4. In the Threat Key section on the right side of the screen (you may need to scroll down), click Generate New Key.
  5. Choose a format, operation, and request type. Based on your choices, a cURL command will appear.
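As an added example (not Rapid7's code), the following Python prepares the indicator list that an add or replace call for a threat key would carry: it classifies each IOC into the types named above (IP address, domain, URL, hash), de-duplicates them, and reports lines it rejects. The JSON layout, the `threat_key` field name and the sample feed are assumptions; the cURL command the console generates is the authority for the real request body.

```python
"""Prepare an indicator add/replace payload for a threat's Threat API key.
Added example, not Rapid7's code; the JSON layout is an assumption (the console's
generated cURL command shows the real body). Indicator types follow the page:
IP address, domain, URL, file hash."""
import ipaddress
import re
from urllib.parse import urlparse

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
BUCKET = {"ip": "ips", "domain": "domains", "url": "urls", "hash": "hashes"}

def classify(ioc: str) -> str:
    """Classify one indicator as ip, hash, url, domain, or unknown."""
    value = ioc.strip()
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6
        return "ip"
    except ValueError:
        pass
    if len(value) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hash"
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.match(value.lower()):
        return "domain"
    return "unknown"

def build_payload(threat_key: str, operation: str, iocs):
    """Group and de-duplicate IOCs for an 'add' or 'replace' call.
    'replace' is taken here to overwrite the threat's whole indicator list, so a
    bad feed run with 'replace' drops every existing indicator; use 'add' for
    increments. Returns (payload, skipped_values) so rejected lines can be logged."""
    if operation not in ("add", "replace"):
        raise ValueError("operation must be 'add' or 'replace'")
    groups = {name: [] for name in BUCKET.values()}
    skipped = []
    for ioc in iocs:
        value, kind = ioc.strip(), classify(ioc)
        if kind == "unknown":
            skipped.append(value)
        elif value not in groups[BUCKET[kind]]:  # keep first occurrence only
            groups[BUCKET[kind]].append(value)
    return {"threat_key": threat_key, "operation": operation, "indicators": groups}, skipped

# Constructed sample feed (RFC 5737 address, example.net name, empty-file MD5).
SAMPLE_FEED = ["198.51.100.23", "malicious.example.net",
               "https://malicious.example.net/dl.php", "d41d8cd98f00b204e9800998ecf8427e",
               "198.51.100.23", "not an indicator"]
```

Feed the returned payload to the generated cURL command's `-d` body; the `skipped` list is what to review before any `replace` run.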

The “Contributing Collaborative Threat”

Your instance of SIEM (InsightIDR) includes a privately owned threat called the Contributing Collaborative Threat, which has the SIEM (InsightIDR) Threat API exposed for you to use if desired.