Install Plugins

Plugins require connection information

We strongly recommend that you gather the connection information for each plugin prior to beginning your setup. We also recommend copying and pasting these values into a temporary document while you collect them, as you will need to enter them into InsightConnect later.

The following 6 plugins contain parameters, actions, and connections that Active Response needs to run successfully.

These plugins are hosted in the Rapid7 Extension Library. Your next step is to install each plugin so you can access and configure them in InsightConnect. We recommend that you install all your plugins before creating your connections. You only need to install the optional plugins that you will actually use. After installation, your Customer Advisor will configure the HTTP Requests plugin on your behalf.

  1. Active Directory LDAP
  2. Microsoft Office 365 Email (Optional)
  3. VMware Carbon Black EDR (Optional)
  4. VMware Carbon Black Cloud Standard
  5. Crowdstrike Falcon
  6. SentinelOne

1. Active Directory LDAP

This plugin enables Active Response to disable or enable users when the MDR team initiates a quarantine action. You will need the following connection information to set up this plugin:

  • Host name and port number.
    • If you are using LDAPS (LDAP over SSL), make sure that port 636 is open between the Orchestrator and the LDAP server.
    • If you are using plain LDAP, make sure that port 389 is open between the Orchestrator and the LDAP server.
  • Account credentials: this account will need the ability to query, enable, and disable for Active Response.

To install this plugin:

  1. Open the Active Directory LDAP plugin in the Extension Library.
  2. Click Install.

Active directory LDAP plugin

2. Microsoft Office 365 Email (Optional)

If you want to receive emails from the MDR team when they initiate a quarantine action on your behalf, install this plugin. The Microsoft Office 365 Plugin requires the following connection information:

  • Your API secret key.
  • The Tenant ID, or the ID of the directory that identifies the tenant.
  • The App ID, which is the ID of the app that obtained the refresh token.

This plugin will require both a Sender address and a Recipient address from your instance. Ensure that the API you create has Send As permissions for your Sender address. For detailed instructions, see Configure Microsoft Office 365.

To install this plugin:

  1. Open the Microsoft Office 365 plugin in the Extension Library.
  2. Click Install.

Microsoft Office plugin

3. VMware Carbon Black EDR (Optional)

Required only if you are using the VMware Carbon Black EDR agent for Active Response Isolation.

  • An API Key from VMware Carbon Black EDR.
  • The base URL.

To install this plugin:

  1. Open the VMware Carbon Black EDR plugin in the Extension Library.
  2. Click Install.

VMware Carbon Black EDR plugin

4. VMware Carbon Black Cloud Standard

Required only if you are using the VMware Carbon Black Cloud Standard agent for Active Response Isolation.

  • An API Key from VMware Carbon Black Cloud Standard
  • An API ID
  • An Org Key
  • The base URL

To install this plugin:

  1. Open the VMware Carbon Black Cloud Standard plugin in the Extension Library.
  2. Click Install.

5. Crowdstrike Falcon

Required only if you are using the Crowdstrike Falcon agent for Active Response Isolation.

  • A Client Secret
  • A Client ID
  • The base URL

To install this plugin:

  1. Open the Crowdstrike Falcon plugin in the Extension Library.
  2. Click Install.

6. SentinelOne

Required only if you are using the SentinelOne agent for Active Response Isolation.

  • An API key generated from a Service User (this user needs the ability to quarantine assets)
  • The base URL

To install this plugin:

  1. Open the SentinelOne plugin in the Extension Library.
  2. Click Install.

Success! You installed your plugins!

Next, configure Microsoft Office 365 Email so you can receive email notifications from the Managed Services team.

Configure Microsoft Office 365

Configure the Microsoft Office 365 plugin if you want to receive emails from the MDR team after they’ve initiated quarantine actions in your environment. This section covers the steps you must complete to enable communication between Active Response and Microsoft Office 365. Click the links below for more information on each step.

  1. Collect Configuration Information
  2. Create a New Key
  3. Configure Application Permissions

Create Plugin Connections

Now that you’ve installed your plugins, you must configure connections.

Connections are individual instances of credentials and other parameters needed to authenticate InsightConnect to supported integrations or plugins. Credentials can be passwords, API keys, or other sensitive information, while other connection parameters can include data like IP addresses or port numbers. Active Response cannot run successfully if connections are configured improperly.

Follow the steps below to configure your plugin connections.

  1. Add new connections
  2. Active Directory LDAP Plugin
  3. Microsoft Office 365 Email
  4. VMware Carbon Black EDR
  5. VMware Carbon Black Cloud Standard
  6. Crowdstrike Falcon
  7. SentinelOne

1. Add new connections

You can add connections on the Connections tab of the Plugins & Tools page in InsightConnect. InsightConnect automatically tests each connection that you create. Learn more here.

Check for extra spaces after pasting connection values

As you complete the following steps, you will need to paste values (such as an app ID) into specified fields in InsightConnect. After you paste a value, check to make sure no additional spaces or lines were added, as they will cause your connection to fail.

To create a connection:

  1. From the InsightConnect left menu, click Settings > Plugins & Tools.

  2. Click the Connections tab.

  3. Click the Add Connection button.

2. Active Directory LDAP Plugin

If your domains are configured in a Parent/Child or Trust Relationship, a single Domain User with permissions to enable and disable users across all of those domains must be able to manage them. How long account changes take to replicate across the organization depends on your Active Directory configuration.

To set this up you’ll need:

  • Host name and port number.
    • If you are using LDAPS (LDAP over SSL), make sure that port 636 is open between the Collector and the LDAP server.
    • If you are using plain LDAP, make sure that port 389 is open between the Collector and the LDAP server.
  • Credentials entered in the DOMAIN\username format.

Create a connection:

  1. In Connection Name, enter a name for your directory such as MDR Active Directory.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select Active Directory LDAP.
  4. Click the Choose a Credential field, and click Create New Credential.
    • Name your credential.
    • Enter the name of the Active Directory you want to grant the orchestrator access to. Make sure you enter your username in the DOMAIN\username format.
    • Enter the password of that directory.
    • Click Save.
  5. Under Host, enter the IP address of the server where the AD is hosted.
  6. Enter the Port number:
    • If you are using LDAPS, enter 636.
    • If you are using plain LDAP, enter 389.
  7. Under Use SSL, select True for port 636 or False for port 389.
  8. Under Chase Referrals, select True if Parent/Child or Trusted Domains are being managed. Otherwise, select False.
  9. Click Save. If you don’t see the connection appear after you save it, refresh your screen.
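As an added pre-flight check (example code written for this page, not part of the Rapid7 documentation or of InsightConnect itself), the script below tests the three things the Active Directory LDAP steps above depend on: that Port and Use SSL agree (636 is LDAPS, 389 is plain LDAP), that the username is in DOMAIN\username form with no whitespace picked up while pasting, and that the LDAP host accepts a connection from wherever the script is run (for LDAPS, a TLS handshake that validates the server certificate). Run it from the Orchestrator; any host names or usernames you pass in are your own, and the values in the comments are constructed placeholders.

```python
"""Pre-flight checks for the Active Directory LDAP connection (added example,
not Rapid7 code): Port/Use SSL agreement, DOMAIN\\username credentials without
pasted whitespace, and LDAP host reachability from the Orchestrator."""
import re
import socket
import ssl
from typing import Optional

LDAP_PORT, LDAPS_PORT = 389, 636
_CRED_RE = re.compile(r"^[A-Za-z0-9._-]+\\[^\\/\s]+$")  # DOMAIN\username

def port_ssl_mismatch(port: int, use_ssl: bool) -> Optional[str]:
    """Return a problem description if Port and Use SSL disagree, else None."""
    if port == LDAPS_PORT and not use_ssl:
        return "port 636 is LDAPS: set Use SSL to True"
    if port == LDAP_PORT and use_ssl:
        return "port 389 is plain LDAP: set Use SSL to False"
    if port not in (LDAP_PORT, LDAPS_PORT):
        return f"unexpected port {port}: this guide uses 636 (LDAPS) or 389 (LDAP)"
    return None

def credential_problems(username: str) -> list:
    """Flag stray whitespace from pasting and names not in DOMAIN\\username form."""
    problems = []
    if username != username.strip() or "\n" in username:
        problems.append("username has leading/trailing whitespace or a newline")
    if not _CRED_RE.match(username.strip()):
        problems.append("username is not in DOMAIN\\username format")
    return problems

def check_ldap_endpoint(host: str, port: int, use_ssl: bool, timeout: float = 5.0) -> dict:
    """TCP-connect to the LDAP host; for LDAPS also complete a certificate-validated TLS handshake."""
    result = {"reachable": False, "tls_ok": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            if use_ssl:
                ctx = ssl.create_default_context()  # verifies chain and hostname
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls_ok"] = True
                    result["peer_subject"] = tls.getpeercert().get("subject")
    except OSError as exc:  # ssl.SSLError and socket errors are both OSError
        result["error"] = str(exc)
        if use_ssl and result["reachable"]:
            result["tls_ok"] = False  # port open but certificate or TLS rejected
    return result

# Example call with a constructed host name (placeholder, not a real server):
# check_ldap_endpoint("dc01.corp.example", 636, True)
```

A `tls_ok` of False with `reachable` True means port 636 is open but the Orchestrator does not trust the server certificate, which is the case to resolve before saving the connection with Use SSL set to True.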

Active Directory LDAP connection

3. Microsoft Office 365 Email (Optional)

This plugin enables the MDR team to send email notifications when they initiate quarantine actions on your behalf.

To set this up you’ll need:

  • Your API secret key.
  • The Tenant ID, or the ID of the directory that identifies the tenant.
  • The App ID, which is the ID of the app that obtained the refresh token.

Create a connection:

  1. Enter a unique and easily identifiable connection name, such as MDR Email Alert.
  2. Under “Where will this connection live?” select your orchestrator.
  3. Click the Choose a Credential field, and click Create New Credential.
    • Name the credential and paste the Azure Private Key Value in the Secret Key field.
    • Click Save.
  4. In the Tenant ID field, paste your Directory ID.
  5. In the App ID field, paste your App ID.
  6. Click Save. If you don’t see the connection appear after you save it, refresh your screen.

Microsoft Office 365 connection

4. VMware Carbon Black EDR

You only need to install this plugin if you are using VMware Carbon Black EDR.

To set this up you’ll need:

  • An API Key from VMware Carbon Black EDR.
  • The base URL.

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR Cb Response.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select VMware Carbon Black EDR.
  4. Select the Choose a credential dropdown, and click Create New Credential.
    • Name the credential and enter the Cb Response Secret Key.
    • Click Save.
  5. Enter the URL.
  6. In SSL Verify, select true or false. With true, the orchestrator validates the Carbon Black EDR server certificate on every request; choose false only if that certificate cannot be validated by the orchestrator.
  7. Click Save.

VMware Carbon Black EDR connection

5. VMware Carbon Black Cloud Standard

You only need to install this plugin if you are using VMware Carbon Black Cloud Standard for asset containment.

To set this up you’ll need:

  • An API Key
  • An API ID
  • An organization key
  • The base URL

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR Cb Cloud Standard.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select VMware Carbon Black Cloud.
  4. Select the Choose a credential dropdown, and click Create New Credential.
    • Name the credential and enter the VMware Carbon Black Cloud Standard API Key.
    • Click Save.
  5. Enter the API ID
  6. Enter the Org Key
  7. Enter the URL
  8. Click Save.

VMware Carbon Black Cloud Standard connection

6. Crowdstrike Falcon

You only need to install this plugin if you are using Crowdstrike Falcon for asset containment.

To set this up you’ll need:

  • A Secret Key
  • A client ID
  • The Base URL
  • An API client with the following permissions:
    • Hosts - Read/Write
    • Quarantined Files - Write

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR CS Falcon.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select Crowdstrike Falcon.
  4. Select the Choose a credential dropdown, and click Create New Credential.
    • Name the credential and enter the secret key from the Crowdstrike Falcon console
    • Click Save
  5. Enter the Client ID
  6. Enter the Base URL
  7. Click Save

Crowdstrike Falcon - AR

7. SentinelOne

You only need to install this plugin if you are using SentinelOne for asset containment.

To set this up you’ll need:

  • An API key generated from a Service User (this user needs the ability to quarantine assets)
  • The Base URL

Create a connection:

  1. In ‘Create a new Connection’, select the SentinelOne plugin.
  2. In Connection Name, enter a unique and easily identifiable name, such as MDR SentinelOne.
  3. Under the “Where would you like this connection to live?” field, select your orchestrator.
  4. Select the Choose a credential dropdown, and click Create New Credential.
    • Name the credential.
    • Enter the API Key generated from the SentinelOne Service User.
    • Click Save.
  5. Choose the User Type as ‘Service User’.
  6. Enter the Base URL.
  7. Click Save.

SentinelOne - AR

Configure your Slack Workspace

In InsightConnect, ChatOps steps are automated tools that interact with your chat apps. The Rapid7 InsightConnect Slack App allows you to use ChatOps actions with your Slack workspaces. ChatOps is a required component of Active Response, as it enables our MDR team to send you Slack notifications and provides you with the ability to cancel or undo quarantine actions. Rapid7 ChatOps currently only supports Slack.

A user from your organization must install Slack in your environment

While Rapid7 Customer Advisors are happy to assist with Active Response deployments, they cannot install Slack in your environment. You should work with an IT Administrator from your organization to complete this section.

If you do not already have Slack installed, go to https://slack.com/, select the Slack plan you want, and complete the installation steps provided by Slack.

  1. Configure Slack Workspace
  2. Find a Slack Administrator
  3. Install the InsightConnect Slack App
  4. Invite the InsightConnect Chatbot to your Slack Workspace
  5. Add a Workspace from the ChatOps Manager

Configure Slack Workspace

To set this up you’ll need:

  • Administrative privileges to your organization’s Slack workspace.

Find a Slack Administrator

If you’re not an administrator of your organization’s Slack workspace, contact one to approve the Rapid7 InsightConnect app. You won’t be able to configure a ChatOps step until the app is approved for other users in your workspace.

3 ways to find your Slack Administrator

  1. To find your Slack administrators from a web browser, log into your Slack account at https://slack.com/signin, then visit https://YOUR-WORKSPACE-URL.slack.com/account/workspace-settings#admins
  2. To find your Slack administrators from Slack for desktop, click on the workspace name in the top left corner to open the settings menu, then click Customize Slack. This will open your organization’s Slack settings in a browser window. Now visit https://YOUR-WORKSPACE-URL.slack.com/account/workspace-settings#admins.
  3. Alternatively, navigate to the administrators page in your Slack settings with these steps:
    1. Click on Customize Slack as previously instructed.
    2. In the browser window that opens, click Menu in the top left corner, then About this workspace.
    3. Click on the Admins & Owners tab.
    4. Note the Slack username and email address of your workspace admins, then provide them with the administrator setup instructions in an email or Slack message.

Install the InsightConnect Slack App

One of your organization’s Slack administrators should follow these instructions to approve the Rapid7 InsightConnect app for your workspace.

To set up the Rapid7 InsightConnect Slack App for your organization’s workspace:

  1. Navigate to it in the Slack App Directory in your Slack settings, or click here for a direct link. Click the Install link and then click the Approve button.
  2. In a web browser, navigate to the App Manager in your Slack settings. The URL should be something like: https://YOUR-WORKSPACE-URL.slack.com/apps/manage.
  3. Locate “Rapid7 InsightConnect” under the “Restricted Apps” section, then click the Approve button for the Rapid7 InsightConnect Slack App. This enables other users in your organization to configure your workspace.
  4. Let your team know when you’ve approved the app for their use.

Invite the InsightConnect Chatbot to your Slack Workspace

  1. Create a new channel called MDR Active Response. Your CA will use this channel for Slack notifications.
  2. Enter @InsightConnect Bot in the Message field of your new channel to invite the InsightConnect Chatbot.

Add a Workspace from the ChatOps Manager

To add a new workspace to InsightConnect from the ChatOps manager:

  1. In InsightConnect, click Settings > Plugins & Tools.
  2. Click the ChatOps tab.
  3. Click the Add Slack Workspace button. The Slack installation page will open.
  4. Click Authorize. You’ll be notified if the installation was successful.
  5. Return to InsightConnect and refresh the window. The newly added workspace will display.

You're ready to prepare your exclude list.

To get started, go to Prepare your Exclude List.