New
- Response Actions in InsightIDR and Active Response 2.0
- Customers can now use Response Actions to initiate user and asset quarantines on individual actors directly from an InsightIDR investigation.
- Customers with an MDR, MTC, or IDR license and access to InsightConnect can configure Response Actions from the Investigations page of InsightIDR.
- MDR Elite and MTC customers can now choose to opt their configured Response Actions into the free, optional Active Response service directly from InsightIDR. Active Response enables Rapid7 SOC analysts to respond to validated threats in a customer's environment within minutes by containing endpoints and/or users on their behalf.
- Quarantine and un-quarantine response actions can be run with the Insight Agent, Carbon Black Cloud, Microsoft Defender, SentinelOne, and CrowdStrike. All quarantine and un-quarantine asset response actions can run in the cloud without an on-premises orchestrator.
- Enable and disable user response actions can be run with Active Directory. This action requires the deployment of an on-premises InsightConnect orchestrator.
- Response Actions results are posted to the InsightIDR timeline and audit log.
- The Slack component and decision prompt have been removed from the Active Response 2.0 service to reduce time to action, complexity, and setup time.
- Review the Response Actions Help Docs for a guide on how to set up Response Actions in InsightIDR and, for MDR Elite and MTC customers, how to opt into Active Response 2.0.