Welcome to Managed Threat Complete

Rapid7 Managed Threat Complete (MTC)

Rapid7’s MTC is a single, integrated service that allows you to prepare for, detect, and respond to threats in your environment. MTC is delivered as a collaboration between Rapid7 and your team to accelerate your proactive, responsive, and strategic security maturity. It extends your security operations with customized security guidance and hands-on 24x7x365 monitoring, threat hunting, incident response, and exposure management.

MTC has three service levels you may subscribe to: MTC Essential, MTC Advanced, or MTC Ultimate. The Scope of Service for each level defines its service delivery experience and delineates the differences between levels where applicable.

MTC Team

Your MTC team is composed of a Security Operations Center (SOC) Pod team of Threat Analysts, a Tactical Operations team, and the Rapid7 Incident Response team.

  • MTC Essential customers can submit support tickets to consult with a rotation of customer advisors.
  • MTC Advanced customers will be assigned a Managed Detection & Response (MDR) Customer Advisor (CA) for program guidance and customization.
  • MTC Ultimate customers will be assigned an MDR Customer Advisor (CA) for D&R program guidance and customization. Ultimate customers will also be assigned a Managed Vulnerability Management (MVM) Customer Advisor, and a Digital Risk Protection (DRP) Analyst.

Please review your corresponding Scope of Service for more details on the team members involved in your program.

Customer Advisor Engagement - MTC Ultimate & Advanced

During the term of your MTC Ultimate or MTC Advanced service, you will regularly engage with your CA. Your CA will be available to answer any questions about your MDR service, and advise you toward advancing your security maturity.

Your CA will be available during normal business hours by email. During non-business hours, a member of the CA team will be on-call via the CA Hotline for urgent issues. Please view the Contact Us page for more details on opening a support case.

Service Deliverables

MTC service reports and deliverables are sent to customers via the secure file transfer system in the Rapid7 Services Portal. Some reports can also be pulled directly from the user interface. You can view samples and excerpts from these reports for all MTC Deliverables.

The image below shows what is included for MTC Essential, MTC Advanced, and MTC Ultimate. The deliverables at the bottom of the image are only included in the Advanced and Ultimate services.

MTC Service Deliverables

Managed Digital Risk Protection (Managed DRP)

For information on this add-on service, see Managed DRP under the MDR menu. (The MTC Ultimate service includes Managed DRP.)

InsightIDR Event Sources

Rapid7 supports a wide range of security-relevant event sources, which can be configured in the ‘Event Sources’ page of InsightIDR.

Event source log data is stored in InsightIDR and available for search for thirteen months from the time of collection. We recommend that you onboard all supported event sources that are present within your in-scope environment. At a minimum, we strongly recommend you onboard the following event sources:

  • For organizations that have Microsoft Windows domains, send the Windows Security event logs from each Microsoft Active Directory Domain Controller to InsightIDR – without this event source, many InsightIDR UBA detection rules will not be supported.
  • For organizations that have Microsoft Windows domains, Microsoft Azure AD Domain Services, or Amazon AWS Domain Services, connect at least one LDAP event source for each domain – without this event source, Rapid7 MDR will not have vital contextual information about users in your environment.
  • Connect all supported DHCP log sources to InsightIDR – without this event source, Rapid7 may not be able to accurately attribute network traffic to the appropriate assets in your environment.
  • Connect all supported network logs (DNS, firewall, VPN, and Web Proxy) to InsightIDR, particularly from network devices at your internet ingress and egress points. Without these event sources, some InsightIDR UBA detection rules and all NBI (Network Based Indicator) ABA detection rules will not be supported. In addition, this data is leveraged by Rapid7 to further investigate suspicious or malicious activity in your environment.
  • Connect all supported Cloud Services logs to InsightIDR. Without these event sources, some InsightIDR UBA and ABA detection rules will not be supported. In addition, this data is leveraged by Rapid7 to further investigate suspicious or malicious activity in your environment.

Rapid7 MDR leverages InsightIDR event sources as described below:

MTC IDR Event Sources

Real-time Detection

These event sources are processed by our threat detection engine and may generate alerts that are reviewed by our 24x7x365 SOC (see the ‘Detection Rules’ page of InsightIDR for a list of all current detection rules, and see the ‘Detection Rules’ section below for more details about which detection rules are in scope for the MDR service).

Threat Hunting

Data from these event sources is aggregated and leveraged by analysts when performing threat hunts (see Threat Hunting for additional details).

Investigation

Data from these event sources may be leveraged to accurately attribute other activity to an asset or user, and to provide other useful context in the course of investigating alerts or performing incident response.

Detection Rules

InsightIDR detection rules generate investigations based on activity from your configured event sources, the Insight Agent, and the Rapid7 Network Traffic Analysis (NTA) network sensor.

These detection rules are available in the ‘Detection Rules’ page of InsightIDR. These detection rules are grouped into the following detection libraries:

MTC Detection Rules

Should you identify activity in these investigations from the Detection Rules that you believe is suspicious, please contact Rapid7 for further investigation and (if needed) incident response. Incidents discovered as a result of these investigations are eligible for MDR incident response as described in the ‘Incident Response’ section of the MTC Scope of Service (SOS).