Install Plugins

Plugins require connection information

We strongly recommend that you gather the connection information for each plugin prior to beginning your setup. We also recommend copying and pasting these values into a temporary document while you collect them, as you will need to enter them into InsightConnect later.

The following plugins contain the parameters, actions, and connections that Active Response needs to run successfully.

These plugins are hosted in the Rapid7 Extension Library. Your next step is to install each plugin so you can access and configure them in InsightConnect. We recommend that you install all your plugins before creating your connections. You only need to install the optional plugins that you will utilize. After installation, your Customer Advisor will configure the HTTP Requests plugin on your behalf. View the list of available plugins:

  • Active Directory LDAP
  • VMware Carbon Black
  • Crowdstrike Falcon
  • SentinelOne
  • Cisco Secure Endpoint
  • Microsoft Windows Defender ATP
  • Microsoft Azure AD (Entra ID)

Active Directory LDAP

This plugin enables Active Response to disable or enable users when the MDR team initiates a quarantine action. You will need the following connection information to set up this plugin:

  • Host name and port number
    • If you will connect over LDAPS (LDAP over SSL/TLS), make sure that port 636 is open between the Orchestrator and the LDAP server.
    • If you will connect over plain LDAP, make sure that port 389 is open between the Orchestrator and the LDAP server. A simple bind over plain LDAP sends the account password unencrypted, so use LDAPS wherever you can.
  • Account credentials: this account needs permission to query, enable, and disable the user accounts that Active Response will act on.

To install this plugin:

  1. Open the Active Directory LDAP plugin in the Extension Library.
  2. Select Install.

VMware Carbon Black Cloud Standard

These items are required if you are using the VMware Carbon Black Cloud Standard agent for Active Response Isolation.

  • An API Key from VMware Carbon Black Cloud Standard
  • An API ID
  • An Org Key
  • The base URL

To install this plugin:

  1. Open the VMware Carbon Black Cloud plugin in the Extension Library.
  2. Select Install.

Crowdstrike Falcon

These items are required if you are using the Crowdstrike Falcon agent for Active Response Isolation.

  • A Client Secret
  • A Client ID
  • The base URL

To install this plugin:

  1. Open the Crowdstrike Falcon plugin in the Extension Library.
  2. Select Install.

SentinelOne

These items are required if you are using the SentinelOne agent for Active Response Isolation.

  • An API key generated from a Service User (this user needs the ability to quarantine assets)
  • The base URL

To install this plugin:

  1. Open the SentinelOne plugin in the Extension Library.
  2. Select Install.

Cisco Secure Endpoint

These items are required if you are using the Cisco Secure Endpoint agent for Active Response Isolation:

  • Your Cisco Client ID
  • The Secret Key for that client
  • The API URL for your region

To install this plugin:

  1. Open the Cisco Secure Endpoint plugin in the Extension Library.
  2. Select Install.

Microsoft Windows Defender ATP

These items are required if you are using the Microsoft Windows Defender ATP agent for Active Response Isolation:

  • A Microsoft Defender license
  • Windows Defender Advanced Threat Protection application credentials (an app registration with the API permissions and app roles needed to look up, isolate, and un-isolate an asset)

To install this plugin:

  1. Open the Microsoft Windows Defender ATP plugin in the Extension Library.
  2. Select Install.

Microsoft Azure AD (Entra ID)

These items are required if you are using Azure AD (Entra ID) with Active Response. Azure AD is not an endpoint agent: Active Response uses it to disable user accounts rather than to isolate hosts.

  • Azure AD App Registration
  • Secret Key
  • Application ID
  • Tenant ID
  • Admin permissions

To install this plugin:

  1. Open the Azure AD Admin plugin in the Extension Library.
  2. Select Install.

Create Plugin Connections

Now that you’ve installed your plugins, you must configure connections.

Connections are individual instances of credentials and other parameters needed to authenticate InsightConnect to supported integrations or plugins. Credentials can be passwords, API keys, or other sensitive information, while other connection parameters can include data like IP addresses or port numbers. Active Response cannot run successfully if connections are configured improperly.

Follow these steps to configure your plugin connections.

Add new connections

You can add connections on the Connections tab of the Plugins & Tools page in InsightConnect. InsightConnect automatically tests each connection that you create. Read our documentation to learn how to test a connection.

Check for extra spaces after pasting connection values

As you complete the following steps, you will need to paste values (such as an app ID) into specified fields in InsightConnect. After you paste a value, check that no leading or trailing spaces or line breaks came with it, as they will cause your connection to fail.

To create a connection:

  1. From the InsightConnect left menu, select Settings > Plugins & Tools.
  2. Select the Connections tab.
  3. Select the Add Connection button.

Active Directory LDAP Plugin

Where domains are configured in a parent/child or trust relationship, one domain user account with permission to enable and disable users across all of those domains must be able to manage them. How long account changes take to replicate across the organization depends on your Active Directory configuration.

To set this up you’ll need:

  • Host name and port number
    • If you will connect over LDAPS (LDAP over SSL/TLS), make sure that port 636 is open between the Orchestrator and the LDAP server.
    • If you will connect over plain LDAP, make sure that port 389 is open between the Orchestrator and the LDAP server.
  • Credentials for that account, entered in the DOMAIN\username format.

Create a connection:

  1. In Connection Name, enter a name for your directory, such as MDR Active Directory.
  2. In the Where would you like this connection to live? field, select your orchestrator.
  3. Under Plugins, select Active Directory LDAP.
  4. Select Choose a Credential, and select Create New Credential.
    • Name your credential.
    • Enter the username of the account the orchestrator will bind with, in the DOMAIN\username format.
    • Enter that account's password.
    • Select Save.
  5. Under Host, enter the hostname or IP address of the LDAP server (domain controller). When you use SSL, prefer the hostname so it can match the name on the server certificate.
  6. Enter the Port number:
    • If you are connecting over LDAPS, enter 636.
    • If you are connecting over plain LDAP, enter 389.
  7. Under Use SSL, select True for port 636 or False for port 389.
  8. Under Chase Referrals, select True if Parent/Child or Trusted Domains are being managed. Otherwise, select False.
  9. Select Save. If you don’t see the connection appear after you save it, refresh your screen.
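Before you paste these values into InsightConnect, you can run the checks the steps above depend on from the orchestrator host. The script below is an added example written for this page, not Rapid7's or the plugin's own code; the host, domain and account names in it are placeholders. It strips stray whitespace from pasted values, verifies the DOMAIN\username form, confirms the chosen port is reachable and, for 636, that the server certificate validates, and shows how the userAccountControl attribute encodes the enable/disable toggle this plugin performs (the ACCOUNTDISABLE bit, 0x2).

```python
"""Preflight for an Active Directory LDAP connection (added example, not Rapid7 code).

Usage: python ldap_preflight.py dc01.corp.example 'CORP\\svc-insightconnect' [ssl|plain]
Host and account names are constructed placeholders.
"""
import re
import socket
import ssl
import sys

LDAP_PORT = 389          # plain LDAP: a simple bind sends the password in clear text
LDAPS_PORT = 636         # LDAP over TLS
ACCOUNTDISABLE = 0x0002  # userAccountControl bit that disables an AD account


def clean_pasted(value: str) -> tuple[str, bool]:
    """Strip leading/trailing whitespace and line breaks from a pasted value.
    Returns (cleaned_value, something_was_stripped)."""
    cleaned = value.strip()
    return cleaned, cleaned != value


def valid_domain_username(name: str) -> bool:
    """True when the name is in the DOMAIN\\username form the plugin expects
    (not user@domain, and no whitespace in either part)."""
    return re.fullmatch(r"[A-Za-z0-9.-]+\\[^\\/@\s]+", name) is not None


def port_for(use_ssl: bool) -> int:
    """Port that matches the Use SSL setting: 636 for True, 389 for False."""
    return LDAPS_PORT if use_ssl else LDAP_PORT


def is_disabled(uac: int) -> bool:
    """Decode the ACCOUNTDISABLE bit from a userAccountControl value."""
    return bool(uac & ACCOUNTDISABLE)


def set_disabled(uac: int, disabled: bool) -> int:
    """userAccountControl value to write to disable (True) or re-enable (False)
    an account, leaving every other flag (e.g. NORMAL_ACCOUNT = 0x200) intact."""
    return uac | ACCOUNTDISABLE if disabled else uac & ~ACCOUNTDISABLE


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """Can this host open a TCP connection to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_subject(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Complete a validated TLS handshake on the LDAPS port and return the server
    certificate's subject. Raises ssl.SSLError when the certificate does not chain
    to a trusted CA or does not match the hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    host, _ = clean_pasted(sys.argv[1])
    user, stripped = clean_pasted(sys.argv[2])
    use_ssl = len(sys.argv) < 4 or sys.argv[3] == "ssl"
    port = port_for(use_ssl)
    form = "ok" if valid_domain_username(user) else "expected DOMAIN\\username"
    note = " (whitespace stripped from pasted value)" if stripped else ""
    print(f"username {user!r}: {form}{note}")
    print(f"tcp {host}:{port}: {'reachable' if tcp_reachable(host, port) else 'BLOCKED'}")
    if use_ssl:
        try:
            print(f"tls: ok, certificate subject {tls_subject(host, port)}")
        except ssl.SSLError as exc:
            print(f"tls: FAILED ({exc})")
    # What the plugin writes when it disables / re-enables a normal account (UAC 512):
    print(f"disable -> userAccountControl {set_disabled(512, True)}, "
          f"re-enable -> {set_disabled(514, False)}")
```

A TLS failure here usually means the domain controller's certificate is issued by an internal CA the orchestrator does not trust, or that you entered an IP address rather than the name on the certificate; fix that before turning Use SSL on in the connection.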

VMware Carbon Black EDR

You only need to configure this connection if you are using VMware Carbon Black EDR (formerly Cb Response).

To set this up you’ll need:

  • An API Key from VMware Carbon Black EDR.
  • The base URL.

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR Cb Response.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select VMware Carbon Black EDR.
  4. Select the Choose a credential dropdown, and select Create New Credential.
    • Name the credential and enter the VMware Carbon Black EDR API key.
    • Select Save.
  5. Enter the URL.
  6. In SSL Verify, select true. Select false only if the EDR server presents a certificate that cannot be validated from the orchestrator: false turns off certificate checking, so the connection would also accept a server impersonating yours.
  7. Select Save.

VMware Carbon Black Cloud Standard

You only need to install this plugin if you are using VMware Carbon Black Cloud Standard for asset containment.

To set this up you’ll need:

  • An API Key
  • An API ID
  • An organization key
  • The base URL

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR Cb Cloud Standard.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select VMware Carbon Black Cloud.
  4. Select the Choose a credential dropdown, and select Create New Credential.
    • Name the credential and enter the VMware Carbon Black Cloud Standard API Key.
    • Select Save.
  5. Enter the API ID.
  6. Enter the Org Key.
  7. Enter the URL.
  8. Select Save.

Crowdstrike Falcon

You only need to install this plugin if you are using Crowdstrike Falcon for asset containment.

To set this up you’ll need:

  • A Client Secret
  • A Client ID
  • The Base URL
  • An API client with these scopes:
    • Hosts - Read/Write
    • Quarantined Files - Write

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR CS Falcon.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select Crowdstrike Falcon.
  4. Select the Choose a credential dropdown, and select Create New Credential.
    • Name the credential and enter the Client Secret from the Crowdstrike Falcon console.
    • Select Save.
  5. Enter the Client ID.
  6. Enter the Base URL.
  7. Select Save.

SentinelOne

You only need to install this plugin if you are using SentinelOne for asset containment.

To set this up you’ll need:

  • An API key generated from a Service User (this user needs the ability to quarantine assets)
  • The Base URL

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR SentinelOne.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select SentinelOne.
  4. Select the Choose a credential dropdown, and select Create New Credential.
    • Name the credential.
    • Enter the API Key generated from the SentinelOne Service User.
    • Select Save.
  5. Under User Type, select Service User.
  6. Enter the Base URL.
  7. Select Save.

Cisco Secure Endpoint

You only need to install this plugin if you are using Cisco Secure Endpoint for asset containment.

To set this up you'll need:

  • Your Cisco Client ID
  • The Secret Key for that client
  • The API URL for your region

Create a connection:

Unlike the other plugins, Cisco Secure Endpoint is set up from a response action in InsightIDR rather than from the Connections tab. Follow these steps:

  1. Configure a Response Action:
    • Navigate to your InsightIDR instance and follow the steps to configure a new response action.
    • Choose the option to Quarantine Host and select Cisco Secure Endpoint as the tool to perform the action.
  2. Set Up the Cisco Secure Endpoint Connection:
    • In the Snippet Setup Wizard, either select an existing Cisco Secure Endpoint connection or choose to create a new connection.
    • To create a new connection, input your Cisco Client ID, Secret Key, and the appropriate API URL for your region to establish the connection.
  3. Configure Asset Exclusion:
    • During the setup, you will be prompted to configure the Asset Exclusion step.
    • Select + New Global Artifact from Schema to create a list where you can populate endpoint names.
    • When the workflow runs, if an endpoint name exists in the global artifact, it will be excluded from the isolation process.
  4. Publish the Snippet:
    • Once all configurations are complete, publish the Snippet.
    • You have now successfully implemented the on-demand response action using Cisco Secure Endpoint.

Leveraging Cisco Secure Endpoint with Active Response

With Cisco Secure Endpoint configured, you can now manually execute host isolation during an investigation, or allow Rapid7’s MDR SOC Analysts to take action on your behalf if you have opted into Active Response. This integration ensures that you can continue using your preferred security tools while enhancing your incident response capabilities with Rapid7’s expertise.

Microsoft Windows Defender ATP

You only need to install this plugin if you are using Windows Defender ATP for asset containment.

To set this up you'll need:

  • Microsoft Defender license
  • Windows Defender Advanced Threat Protection application credentials

The application registration needs the API permissions and app roles required to look up an asset, isolate an asset, and remove an asset from isolation. See Microsoft's documentation to identify the proper scoping.

Create a connection:

Learn more about application setup and assigning permissions for Microsoft Defender.

Microsoft Azure AD (Entra ID)

You only need to install this plugin if you are using Azure AD (Entra ID) with Active Response to disable user accounts.

To set this up you'll need:

  • Azure AD App Registration
  • Secret Key
  • Application ID
  • Tenant ID
  • Admin permissions

Learn more about Azure sessions and disabling users in Azure AD.
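The Crowdstrike Falcon, Microsoft Windows Defender ATP and Microsoft Azure AD connections above all authenticate with an OAuth2 client-credentials grant: a client ID plus a secret, and for the two Microsoft plugins an Entra ID app registration whose application permissions need admin consent. Before pasting a secret into InsightConnect it is worth confirming that it mints a token and, for the Microsoft plugins, that consent actually granted the app roles the plugin needs. The script below is an added example written for this page, not Rapid7's or any vendor's code. The tenant, app and client IDs are placeholders, and the role names (Machine.Read.All, Machine.Isolate, User.EnableDisableAccount.All) are illustrative: take the definitive list from the Microsoft documentation referenced in the Defender section. The sample token it decodes is constructed and unsigned.

```python
"""OAuth2 client-credentials preflight for the Falcon, Defender ATP and Azure AD
connections (added example, not Rapid7 code).

Usage: python oauth_preflight.py falcon BASE_URL CLIENT_ID SECRET
       python oauth_preflight.py defender|graph TENANT_ID APP_ID SECRET
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

ENTRA_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Resources the two Microsoft plugins call. The role lists are illustrative
# placeholders; Microsoft's documentation is authoritative for your plugin.
DEFENDER_RESOURCE = "https://api.securitycenter.microsoft.com"
DEFENDER_ROLES = ["Machine.Read.All", "Machine.Isolate"]   # look up, isolate, un-isolate
GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_ROLES = ["User.EnableDisableAccount.All"]            # disable / re-enable users


def falcon_token_request(base_url: str, client_id: str, client_secret: str):
    """Crowdstrike Falcon: POST {base URL}/oauth2/token with form-encoded credentials."""
    url = base_url.rstrip("/") + "/oauth2/token"
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    return url, body


def entra_token_request(tenant_id: str, app_id: str, secret: str, resource: str):
    """Entra ID app registration: client-credentials grant for one resource's /.default scope."""
    url = ENTRA_TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": secret,
        "scope": resource.rstrip("/") + "/.default",
    })
    return url, body


def fetch_token(url: str, body: str, timeout: float = 10.0) -> dict:
    """POST the form and return the JSON token response (raises HTTPError on 4xx/5xx)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature. Acceptable only
    because we inspect a token just issued to us; never authorize with this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims: dict, required) -> list:
    """App roles the plugin needs that admin consent did not grant (empty list = OK)."""
    return sorted(set(required) - set(claims.get("roles", [])))


def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned JWT from constructed claims, for offline demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.sig"


# Constructed sample: a Defender app registration granted lookup but not isolation.
SAMPLE_TOKEN = make_sample_jwt({"aud": DEFENDER_RESOURCE,
                                "appid": "00000000-0000-0000-0000-000000000000",
                                "roles": ["Machine.Read.All"]})


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(__doc__)
    kind, a, b, c = sys.argv[1:]
    if kind == "falcon":
        tok = fetch_token(*falcon_token_request(a, b, c))
        print(f"falcon token ok, expires in {tok.get('expires_in')}s")
    else:
        resource, roles = ((DEFENDER_RESOURCE, DEFENDER_ROLES) if kind == "defender"
                           else (GRAPH_RESOURCE, GRAPH_ROLES))
        tok = fetch_token(*entra_token_request(a, b, c, resource))
        gaps = missing_roles(jwt_claims(tok["access_token"]), roles)
        print("app roles ok" if not gaps else f"missing app roles (grant admin consent): {gaps}")
```

An Entra token that comes back with an empty or incomplete roles claim is the usual cause of a connection that saves but whose isolate or disable-user action then fails with 403: the permission was added to the app registration but admin consent was never granted. Falcon reports a bad client ID or secret as a 401 from the token endpoint, before any scope is exercised.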