Eligibility Requirements
Rapid7 Active Response requires that you have an orchestrator installed and activated, an agent (either the Insight Agent or VMware Carbon Black EDR) deployed, and a valid license for Insight Connect.
Check your eligibility
To be eligible for Active Response you must meet the requirements outlined on this page. If you have any questions about whether or not you are eligible, reach out to your Customer Advisor.
| Requirement | Details |
|---|---|
Before continuing, ensure you have read and understood the eligibility requirements.
Insight Agent Requirements
If you are using VMware Carbon Black EDR
Refer to VMware documentation to understand the required settings to perform isolation actions.
The Insight Agent is lightweight software you can install on supported assets—in the cloud or on-premises—to easily centralize and monitor data on the Insight platform. The Insight Agent gives you endpoint visibility and detection by collecting live system information—including basic asset identification information, running processes, and logs—from your assets and sending this data back to the Insight platform for analysis. When used with Rapid7 Active Response, the Insight Agent provides coverage for Windows and Linux assets. Each Insight Agent only collects data from the endpoint on which it is installed.
Linux/Unix Operating Systems
For Linux/Unix systems, you must enable iptables for Active Response.
Mac Operating Systems
For Mac OS systems, you must enable iptables and pfctl for Active Response.
Windows Operating Systems
Required Windows Firewall Settings for Insight Agent Quarantine Actions
The required Firewall Group Policy settings for each Domain/Private/Public/Standard profile are as follows:
- Firewall State - Not Configured or On
- Allow local rule merge - Not Configured or Yes
You do not need to change the firewall settings for Inbound Connections or Outbound Connections. For more information, see Configure your Windows Firewall Service.
For additional information about system requirements, installing, and configuring the Insight Agent, see the Insight Agent Help Documentation.
Configure your Windows Firewall Service
The Windows Firewall service must be enabled and properly configured so that Insight Agent quarantine actions run successfully. If you have not used Group Policy to configure Windows Firewall, quarantine will succeed. If, however, you have configured the Windows Firewall service through a Domain Group Policy and that policy turns the service off, Agent quarantine will fail. Use the tool you normally use to manage your group policies to verify these settings for each Domain/Private/Public/Standard profile:
- Firewall State - Not Configured or On
- Allow local rule merge - Not Configured or Yes
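As an added verification example that is not part of Rapid7's documentation, the following PowerShell script checks the two settings above on a single Windows host, together with whether the firewall service is running. It assumes the Windows Defender Firewall service name MpsSvc, the Get-NetFirewallProfile cmdlet, and the Group Policy registry values EnableFirewall and AllowLocalPolicyMerge under HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall; these are standard Windows names, not values taken from this page.

```powershell
# Added example (not Rapid7's code): report settings that would make an
# Insight Agent quarantine action fail on this host. Run elevated.
$problems = @()

# 1. The firewall service itself (MpsSvc) must be running.
$svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $problems += 'Windows Defender Firewall service (MpsSvc) is not running'
}

# 2. Effective per-profile state as the firewall currently applies it.
#    Enabled / AllowLocalFirewallRules are True, False or NotConfigured.
foreach ($name in 'Domain', 'Private', 'Public') {
    $fp = Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore
    if ($fp.Enabled -eq 'False') {
        $problems += "$name profile: firewall state is Off"
    }
    if ($fp.AllowLocalFirewallRules -eq 'False') {
        $problems += "$name profile: local rule merge is disabled"
    }
}

# 3. Group Policy values, including the legacy Standard profile key.
#    A missing key or value means the setting is Not Configured (allowed);
#    an explicit 0 means a GPO forces the unsupported setting.
foreach ($name in 'Domain', 'Private', 'Public', 'Standard') {
    $gpoKey = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\${name}Profile"
    if (-not (Test-Path $gpoKey)) { continue }
    $gpo = Get-ItemProperty -Path $gpoKey
    if ($gpo.PSObject.Properties['EnableFirewall'] -and $gpo.EnableFirewall -eq 0) {
        $problems += "$name profile: Group Policy turns the firewall off (EnableFirewall=0)"
    }
    if ($gpo.PSObject.Properties['AllowLocalPolicyMerge'] -and $gpo.AllowLocalPolicyMerge -eq 0) {
        $problems += "$name profile: Group Policy blocks local rule merge (AllowLocalPolicyMerge=0)"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: firewall settings meet the Insight Agent quarantine requirements'
} else {
    Write-Output 'Quarantine actions may fail on this host:'
    $problems | ForEach-Object { Write-Output "  - $_" }
}
```

A GPO-forced value shows up in the policy key even when the effective (ActiveStore) state still looks acceptable, so a finding in section 3 is the one to fix in the Group Policy Management Console.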
The steps in the following two procedures, Configure Group Policy Management of Windows Firewall with Advanced Security and Configure Group Policy Management of Windows Defender Firewall, assume you are using the Microsoft Group Policy Management Console.
Configure Group Policy Management of Windows Firewall with Advanced Security
- Open the Group Policy Management Console. Find the policy that you use to apply settings for the Windows Firewall service in your organization and edit the policy.
- Click Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security Settings folder > Windows Firewall with Advanced Security Settings.
- Click Windows Firewall Properties.
- Verify that the Firewall state is set to Not Configured or On for each profile: Domain/Private/Public/Standard.
- Under Settings, click Customize.
- Verify that “Apply local firewall rules” is set to Not Configured or Yes.
- Click OK.
- Click Apply.
Configure Group Policy Management of Windows Defender Firewall
- Open the Group Policy Management Console.
- Click Policies > Administrative Templates > Network > Network Connections > Windows (Defender) Firewall > Domain/Private/Public/Standard Profile.
- Click Windows Firewall: Protect all network connections.
- Ensure that either Not Configured or Enabled is selected.