Eligibility Requirements

Rapid7 Active Response requires that you have an orchestrator installed and activated, an agent (either the Insight Agent or VMware Carbon Black EDR) deployed, and a valid license for Insight Connect.

Check your eligibility

To be eligible for Active Response you must meet the requirements outlined on this page. If you have any questions about whether or not you are eligible, reach out to your Customer Advisor.

General


- You must be an MDR Elite customer.

- You must have, or be willing to have, an Insight Orchestrator installed and activated.

- Your organization must be currently using or willing to install Slack. For information about our plans to support additional collaboration tools, contact your Customer Advisor.

- You are running the Insight Agent version 3.0.4 or higher, or the latest version of VMware Carbon Black EDR.


Asset Exclusion


- The number of assets you want to exclude from quarantine actions does not exceed 1,000. For more information, see Prepare your Exclude Lists.


Windows OS


- You are eligible whether or not you are using Group Policy Objects (GPO) to manage your Windows Firewall. If you are using GPO, please refer to the Insight Agent Requirements for configuration details.

- The Insight Agent must be able to make changes to your Windows Firewall. If you are using a third-party product that restricts access to your Windows Firewall, please ensure changes to the Windows Firewall made by the Insight Agent are not overwritten by this third-party product.


Linux/Unix OS


- For Linux/Unix systems, you must enable iptables to be eligible for Active Response.


Mac OS


- For Mac OS systems, the pf packet filter (managed with pfctl) must be enabled to be eligible for Active Response.


Users


- Users in domains configured in a parent/child or trust relationship must be manageable from a single domain user account that has permission to enable and disable accounts across all of those domains. How long account changes take to replicate across the organization depends on your Active Directory configuration. Additionally, the Insight Orchestrator must be able to reach the primary domain controllers in each LDAP domain over TCP port 389 (LDAP) or 636 (LDAPS), depending on your LDAP plugin configuration. Plain LDAP on 389 sends the bind credentials unencrypted unless StartTLS is negotiated, so use 636 where possible.

- The number of users you want to exclude from quarantine actions does not exceed 1,000. For more information, see Prepare your Exclude Lists.

Before continuing, ensure you have read and understood the eligibility requirements.

Insight Agent Requirements

If you are using VMware Carbon Black EDR

Refer to VMware documentation to understand the required settings to perform isolation actions.

The Insight Agent is lightweight software you can install on supported assets—in the cloud or on-premises—to easily centralize and monitor data on the Insight platform. The Insight Agent gives you endpoint visibility and detection by collecting live system information—including basic asset identification information, running processes, and logs—from your assets and sending this data back to the Insight platform for analysis. When used with Rapid7 Active Response, the Insight Agent provides coverage for Windows and Linux assets. Each Insight Agent only collects data from the endpoint on which it is installed.

Linux/Unix Operating Systems

For Linux/Unix systems, you must enable iptables for Active Response.

Mac Operating Systems

For Mac OS systems, the pf packet filter (managed with pfctl) must be enabled for Active Response.

Windows Operating Systems

Required Windows Firewall Settings for Insight Agent Quarantine Actions

The required Firewall Group Policy settings for each Domain/Private/Public/Standard profile are as follows:

  • Firewall State - Not Configured or On
  • Allow local rule merge - Not Configured or Yes

You do not need to change the firewall settings for Inbound Connections or Outbound Connections. For more information, see Configure your Windows Firewall Service.

For additional information about system requirements, installing, and configuring the Insight Agent, see the Insight Agent Help Documentation.

Configure your Windows Firewall Service

The Windows Firewall service must be running and properly configured for Insight Agent quarantine actions to succeed. If you have not used Group Policy to configure Windows Firewall, no policy can block the quarantine. However, if you have configured Windows Firewall through a domain Group Policy and that policy sets the Firewall state to Off (or disallows local rule merge), the agent's quarantine will fail, because the rules the agent adds locally are never applied. Use the tool you normally use to manage your group policies to verify these settings for each Domain/Private/Public/Standard profile:

  • Firewall State - Not Configured or On
  • Allow local rule merge - Not Configured or Yes

The steps to configure Group Policy Management of Windows Firewall with Advanced Security and configure Group Policy Management of Windows Defender Firewall assume you are using the Microsoft Group Policy Management Console.

Configure Group Policy Management of Windows Firewall with Advanced Security

  1. Open the Group Policy Management Console. Find the policy that you use to apply settings for the Windows Firewall service in your organization and edit the policy.
  2. Click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security, then click the Windows Defender Firewall with Advanced Security node beneath it (older templates name both nodes Windows Firewall with Advanced Security).
  3. Click Windows Firewall Properties.
  4. Verify that the Firewall state is set to Not Configured or On for each profile: Domain/Private/Public/Standard.
  5. Under Settings, click Customize.
  6. Verify that “Apply local firewall rules” is set to Not Configured or Yes.
    • Click Ok.
  7. Click Apply.

Configure Group Policy Management of Windows Defender Firewall

  1. Open the Group Policy Management Console.
  2. Click Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Defender Firewall (Windows Firewall on older templates), then open the Domain Profile or Standard Profile folder. The Standard Profile applies when the computer is not connected to its domain network.
  3. Double-click Windows (Defender) Firewall: Protect all network connections.
  4. Ensure that either Not Configured or Enabled is selected, then click OK.
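As a check you can run on a test endpoint before enabling Active Response (this is an added example, not Rapid7's code and not part of the Insight Agent), the following PowerShell reads the policy registry values that both procedures above write and compares them with the firewall state Windows is actually enforcing. The registry paths are the standard Windows Firewall policy keys; the function names are this example's own. Run it in an elevated session on a domain-joined host after a gpupdate /force so the values reflect the current GPO.

```powershell
# Added example, not Rapid7's code: preflight check for the Group Policy
# settings that Insight Agent quarantine depends on. Run in an elevated
# PowerShell session on a domain-joined Windows host after "gpupdate /force".

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Registry subkeys the Group Policy settings above write to.
# Domain/Private/Public come from the Advanced Security GPO; StandardProfile
# is the legacy Administrative Templates key for non-domain networks.
$ProfileKeys = [ordered]@{
    Domain   = 'DomainProfile'
    Private  = 'PrivateProfile'
    Public   = 'PublicProfile'
    Standard = 'StandardProfile'
}

function Get-FirewallPolicyValue {
    # Returns the DWORD a GPO wrote for this profile, or $null when the
    # setting is Not Configured (no key, or no value under the key).
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Convert-PolicyValue {
    # Maps $null / 1 / 0 to the labels the Group Policy editor shows.
    param($Value, [string]$OnLabel, [string]$OffLabel)
    if ($null -eq $Value) { return 'Not Configured' }
    if ($Value -eq 1)     { return $OnLabel }
    return $OffLabel
}

function Test-QuarantinePolicy {
    # One row per profile: PASS when Firewall State is Not Configured or On
    # and Allow local rule merge is Not Configured or Yes; otherwise FAIL,
    # with the reason the agent's locally added quarantine rules would not apply.
    foreach ($profile in $ProfileKeys.Keys) {
        $sub    = $ProfileKeys[$profile]
        $enable = Get-FirewallPolicyValue -SubKey $sub -Name 'EnableFirewall'        # 1 = On,  0 = Off
        $merge  = Get-FirewallPolicyValue -SubKey $sub -Name 'AllowLocalPolicyMerge' # 1 = Yes, 0 = No

        $problems = @()
        if ($enable -eq 0) { $problems += 'firewall state forced Off by policy' }
        if ($merge  -eq 0) { $problems += 'local rule merge disabled by policy' }
        $verdict = if ($problems.Count -eq 0) { 'PASS' } else { 'FAIL: ' + ($problems -join '; ') }

        [pscustomobject]@{
            Profile        = $profile
            FirewallState  = Convert-PolicyValue $enable 'On' 'Off'
            LocalRuleMerge = Convert-PolicyValue $merge 'Yes' 'No'
            Result         = $verdict
        }
    }
}

Test-QuarantinePolicy | Format-Table -AutoSize

# Cross-check the effective state Windows is enforcing (GPO merged with local
# settings). The NetSecurity module has no "Standard" profile, so three rows appear.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, AllowLocalFirewallRules |
    Format-Table -AutoSize

# The firewall service (MpsSvc) itself must be running for any rule to apply.
Get-Service -Name MpsSvc | Select-Object Name, Status, StartType
```

A FAIL row on any profile the endpoint uses means the quarantine rules the agent adds locally will be ignored on that network; fix the GPO rather than the local setting, since the next policy refresh would overwrite a local change. If the registry rows all PASS but the ActiveStore output still shows Enabled False, look for a third-party product managing the firewall, as noted in the eligibility requirements.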