Eligibility Requirements

Rapid7 Active Response requires that you have an orchestrator installed and activated, an agent (either the Insight Agent or VMware Carbon Black EDR) deployed, and a valid license for Insight Connect.

Check your eligibility

To be eligible for Active Response you must meet the requirements outlined on this page. If you have any questions about whether or not you are eligible, reach out to your Customer Advisor.

Requirements and details

General
  • You must be an MDR Elite customer.
  • You must have, or be willing to have, an Insight Orchestrator installed and activated.
  • You are running the Insight Agent version 3.0.4 or higher on all assets in the environment.
  • If you are containing with a supported third-party tool (VMware Carbon Black EDR, Carbon Black Cloud Standard, CrowdStrike Falcon, or SentinelOne), it is deployed on all covered assets and you have verified that the current versions allow containment.
  • If you are containing with a supported third-party tool, your organization will need to provide any requested forensic artifacts to the Rapid7 MDR team, as we will no longer have connectivity to the asset once it is contained.
  • You may only utilize one tool for containment in the Active Response workflows.
Asset/User Exclusion
  • The number of assets and/or users you want to exclude from quarantine actions does not exceed 1,000 total assets or 1,000 total users. For more information, see Prepare your Exclude Lists.
Windows OS
  • You are eligible whether or not you are using Group Policy Objects (GPO) to manage your Windows Firewall. If you are using GPO, refer to the Insight Agent Requirements for configuration details.
  • The Insight Agent must be able to make changes to your Windows Firewall. If you are using a third-party product that restricts access to your Windows Firewall, ensure that changes to the Windows Firewall made by the Insight Agent are not overwritten by that product.
Linux/Unix OS
  • For Linux/Unix systems, you must enable iptables to be eligible if you are using the Insight Agent to quarantine.
Mac OS
  • For Mac OS systems, you must enable iptables and pfctl to be eligible if you are using the Insight Agent to quarantine.
Users
  • The Insight Orchestrator must be able to communicate with the primary domain controllers in each LDAP domain you configure over port 389 or 636, depending on your LDAP plugin configuration.

    If you are using a supported third-party EDR tool for quarantine (listed above), refer to that tool’s documentation for the settings required to perform isolation actions.

    Insight Agent Requirements

    If you are using VMware Carbon Black EDR

    Refer to VMware documentation to understand the required settings to perform isolation actions.

    Linux/Unix Operating Systems

    For Linux/Unix systems, you must enable iptables for Active Response.

    Mac Operating Systems

    For Mac OS systems, you must enable iptables and pfctl for Active Response.

    Windows Operating Systems

    Required Windows Firewall Settings for Insight Agent Quarantine Actions

    The required Firewall Group Policy settings for each Domain/Private/Public/Standard profile are as follows:

    • Firewall State - Not Configured or On
    • Allow local rule merge - Not Configured or Yes

    You do not need to change the firewall settings for Inbound Connections or Outbound Connections. For more information, see Configure your Windows Firewall Service.

    For additional information about system requirements, installing, and configuring the Insight Agent, see the Insight Agent Help Documentation.

    Configure your Windows Firewall Service

    The Windows Firewall service must be enabled and properly configured to ensure that Insight Agent quarantine actions run successfully. If you have not used a Group Policy to configure Windows Firewall, the quarantine will succeed. However, if you have configured the Windows Firewall service using a Domain Group Policy and that policy is configured to turn the service off, the Agent quarantine will fail. Use the tool you normally use to manage your global group policies to verify these settings for each Domain/Private/Public/Standard profile:

    • Firewall State - Not Configured or On
    • Allow local rule merge - Not Configured or Yes

    The steps to configure Group Policy Management of Windows Firewall with Advanced Security and configure Group Policy Management of Windows Defender Firewall assume you are using the Microsoft Group Policy Management Console.

    Configure Group Policy Management of Windows Firewall with Advanced Security

    1. Open the Group Policy Management Console. Find the policy that you use to apply settings for the Windows Firewall service in your organization and edit the policy.
    2. Click Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security Settings folder > Windows Firewall with Advanced Security Settings.
    3. Click Windows Firewall Properties.
    4. Verify that the Firewall state is set to Not Configured or On for each profile: Domain/Private/Public/Standard.
    5. Under Settings, click Customize.
    6. Verify that “Apply local firewall rules” is set to Not Configured or Yes, then click OK.
    7. Click Apply.

    Configure Group Policy Management of Windows Defender Firewall

    1. Open the Group Policy Management Console.
    2. Click Policies > Administrative Templates > Network > Network Connections > Windows (Defender) Firewall > Domain/Private/Public/Standard Profile.
    3. Click Windows Firewall: Protect all network connections.
    4. Ensure that either Not Configured or Enabled is selected.
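    The two Group Policy procedures above can be checked from an endpoint itself rather than only in the Group Policy Management Console. The following PowerShell script is an added example, not Rapid7's code: it reads the effective firewall state of each profile and the policy values a GPO writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, and reports any profile where the firewall is turned off or local rule merge is disabled (the two conditions that would make an Insight Agent quarantine fail). Run it in an elevated PowerShell session on a domain-joined host.

```powershell
# Added example (not Rapid7's code). Verifies that Group Policy leaves every
# Windows Firewall profile enabled (or not configured by policy) and that
# locally added rules are merged, so agent-created quarantine rules take effect.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$problems   = @()

# 1. Effective (merged local + GPO) state as the firewall service applies it now.
foreach ($name in 'Domain', 'Private', 'Public') {
    $eff = Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore
    if ($eff.Enabled -eq 'False') {
        $problems += "$name profile: firewall is OFF (effective state)"
    }
    if ($eff.AllowLocalFirewallRules -eq 'False') {
        $problems += "$name profile: local firewall rules are not merged (effective state)"
    }
}

# 2. Policy values written by a GPO. A missing key or value means 'Not Configured',
#    which is acceptable. EnableFirewall = 0 corresponds to 'Firewall state: Off' /
#    'Protect all network connections: Disabled'; AllowLocalPolicyMerge = 0
#    corresponds to 'Apply local firewall rules: No'.
foreach ($name in 'Domain', 'Private', 'Public', 'Standard') {
    $key = Join-Path $policyRoot "${name}Profile"
    if (-not (Test-Path $key)) { continue }
    $v = Get-ItemProperty -Path $key
    if ($v.PSObject.Properties['EnableFirewall'] -and $v.EnableFirewall -eq 0) {
        $problems += "$name profile: GPO turns the firewall off (EnableFirewall = 0)"
    }
    if ($v.PSObject.Properties['AllowLocalPolicyMerge'] -and $v.AllowLocalPolicyMerge -eq 0) {
        $problems += "$name profile: GPO blocks local rule merge (AllowLocalPolicyMerge = 0)"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: all profiles allow Insight Agent quarantine rules'
} else {
    $problems | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

    A FAIL line for a Domain or Private profile points at the GPO setting to correct in the procedures above; the Standard profile only appears if a legacy policy key is present.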