Eligibility Requirements

Rapid7 Active Response requires that you have an orchestrator installed and activated if you want to leverage user containment via Active Directory. All other containment actions can be run in the cloud. Rapid7 supports the Endpoint Detection & Response (EDR) technologies listed below for isolating endpoints in your environment. You must ensure the selected EDR technology is deployed on all systems in your environment. Note that regardless of which EDR technology is used for Active Response, you must still deploy the Rapid7 InsightAgent to all endpoints (as described in the MDR and MTC Scope of Service). You must also have a valid MTC or MDR Elite license.

Check your eligibility

To be eligible for Active Response you must meet the requirements outlined on this page. If you have any questions about whether or not you are eligible, reach out to your Cybersecurity Advisor.

RequirementsDetails
General
  • You must be an MTC or MDR Elite customer.
  • You must have or be willing to have an Insight Orchestrator installed and activated if you want to leverage user containment via Active Directory.
  • You are running the Insight Agent on all assets in your environment.
  • If you are containing with a supported third party tool (VMWare Caron Black EDR, Carbon Black Cloud Standard, CrowdStrike Falcon, SentinelOne, or Microsoft Windows Defender ATP), they are on all covered assets and you have verified their current versions allow containment. Note: Carbon Black Cloud is not supported for multi-domain environments.
  • If you are containing with a supported third party tool, your organization will need to provide any requested forensic artifacts to the Rapid7 MDR team as we will no longer have connectivity to the asset once it is contained.
  • You may only utilize one tool for containment in the Active Response snippets.
Asset/ User ExclusionThe number of assets and/or users you want to exclude from quarantine actions does not exceed 1,000 total assets or 1,000 total users. For more information, see Prepare your Exclude Lists.
Windows OSYou are eligible whether or not you are using Group Policy Objects (GPO) to manage your Windows Firewall. If you are using GPO, please refer to the Insight Agent Requirements for configuration details. - The Insight Agent must be able to make changes to your Windows Firewall. If you are using a third-party product that restricts access to your Windows Firewall, please ensure changes to the Windows Firewall made by the Insight Agent are not overwritten by this third-party product.
Linux/Unix OSFor Mac OS systems, you must enable iptables to be eligible if you are using the Insight Agent to quarantine.
Mac OSFor Mac OS systems, you must enable iptables and PFTCL to be eligible if you are using the Insight Agent to quarantine.
UsersThe Insight Orchestrator will need to be able to communicate to the primary domain controllers in each LDAP domain you configure over port 389 or 636, depending on your LDAP plugin configuration.

If you are using a supported third-party EDR tool for quarantine (listed above) Refer to your third-party EDR tool’s documentation on the required settings to perform isolation actions.

Insight Agent Requirements

If you are using VMware Carbon Black EDR

Refer to VMware documentation to understand the required settings to perform isolation actions.

Linux/Unix Operating Systems

For Linux/Unix systems, you must enable iptables for Active Response.

Mac Operating Systems

For Mac OS systems, you must enable iptables and PFTCL for Active Response.

Windows Operating Systems

Required Windows Firewall Settings for Insight Agent Quarantine Actions

The required Firewall Group Policy settings for each Domain/Private/Public/Standard profile are as follows:

  • Firewall State - Not Configured or On
  • Allow local rule merge - Not Configured or Yes

You do not need to change the firewall settings for Inbound Connections or Outbound Connections. For more information, see Configure your Windows Firewall Service.

For additional information about system requirements, installing, and configuring the Insight Agent, see the Insight Agent Help Documentation.

Configure your Windows Firewall Service

Windows Firewall Service must be enabled and properly configured to ensure that the Insight Agent quarantine actions run successfully. If you have not used a Group Policy to configure Windows Firewall, the quarantine will succeed. However, if you have configured the Windows Firewall service using a Domain Group Policy and the Global Policy is configured to turn the service off, the Agent quarantine will fail. Use the tool you normally use to manage your global group policies to verify these settings for each Domain/Private/Public/Standard profile:

  • Firewall State - Not Configured or On
  • Allow local rule merge - Not Configured or Yes

The steps to configure Group Policy Management of Windows Firewall with Advanced Security and configure Group Policy Management of Windows Defender Firewall assume you are using the Microsoft Group Policy Management Console.

Configure Group Policy Management of Windows Firewall with Advanced Security

  1. Open the Group Policy Management Console. Find the policy that you use to apply settings for the Windows Firewall service in your organization and edit the policy.
  2. Click Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security Settings folder > Windows Firewall with Advanced Security Settings.
  3. Click Windows Firewall Properties.
  4. Verify that the Firewall state is set to Not Configured or On for each profile: Domain/Private/Public/Standard.
  5. Under Settings, click Customize.
  6. Verify that “Apply local firewall rules” is set to Not Configured or Yes.
    • Click Ok.
  7. Click Apply.

Configure Group Policy Management of Windows Defender Firewall

  1. Open the Group Policy Management Console.
  2. Click Policies > Administrative Templates > Network > Network Connections > Windows (Defender) Firewall > Domain/Private/Public/Standard Profile.
  3. Click Windows Firewall: Protect all network connections.
  4. Ensure that either Not Configured or Enabled are selected.