Install Plugins

Plugins require connection information

We strongly recommend that you gather the connection information for each plugin prior to beginning your setup. We also recommend copying and pasting these values into a temporary document while you collect them, as you will need to enter them into Automation (InsightConnect) later.

For Active Response to run successfully, you must install and configure one or more plugins, each of which contains important parameters, actions, and connections.

You can access the plugins for Active Response from the Rapid7 Extension Library. It is advisable to install all of the plugins you need first, and then create your connections.

The plugins that are available for Active Response, each described in its own section below, are:

  • Active Directory LDAP
  • Microsoft Azure AD (Entra ID)
  • VMware Carbon Black Cloud Standard
  • VMware Carbon Black EDR
  • CrowdStrike Falcon
  • SentinelOne
  • Cisco Secure Endpoint
  • Microsoft Defender For Endpoint
  • Palo Alto Cortex XDR

Create Plugin Connections

After you’ve installed your plugins, you must configure connections. Connections are individual instances of credentials and other parameters that are needed to authenticate Automation (InsightConnect) to the supported integrations or plugins.

Credentials can be passwords, API keys, or other sensitive information, and connection parameters can include data such as IP addresses or port numbers.

If you need to use Active Directory LDAP User Disablement, a Local Orchestrator Connection is required; this provides the connection between your Orchestrator and the LDAP Server. You add Local Orchestrator connections by navigating to Automation > Connections and selecting Add Connection.

Cloud Connections, which make up the majority of Active Response-related actions, do not require a Local Orchestrator and can instead use the Cloud Orchestrator.

Automation (InsightConnect) automatically tests each connection that you create. Read about how to test a connection.

As you complete the steps to create a connection, you will need to paste values (such as an app ID) into specified fields in Automation (InsightConnect). After you paste a value, ensure no additional spaces or lines were added, as this will cause your connection to fail.

To create a connection for Local Orchestrator to be used with Active Directory LDAP:

  1. From the Command Platform left menu, select Automation > Connections.
  2. Click Add Connection.

To create a connection for the Cloud Orchestrator:

  1. Create an investigation in SIEM (InsightIDR).
  2. Add an asset to the investigation.
  3. Open the Response Actions menu (shown as three dots) and select the desired action.
  4. Configure the related connection within Automation (InsightConnect).

Active Directory LDAP

This plugin enables Active Response to disable or enable users when the MDR team initiates a quarantine action. You will need the following connection information to set up this plugin:

  • Host name and port number
    • If you are using LDAPS, make sure that port 636 (LDAPS) is open between the Orchestrator and the LDAP server.
    • If you are using plain LDAP, make sure that port 389 is open between the Orchestrator and the LDAP server.
  • Account credentials: this account will need the ability to query, enable, and disable for Active Response.
  • Credentials entered in the DOMAIN\username format.

To install this plugin:

  1. Open the Active Directory LDAP plugin in the Extension Library.
  2. Select Install.

Microsoft Azure AD (Entra ID)

These items are required if you are using the Azure AD agent for Active Response Isolation.

  • Azure AD App Registration
  • Secret Key
  • Application ID
  • Tenant ID
  • Admin permissions

To install this plugin:

  1. Open the Azure AD Admin plugin in the Extension Library.
  2. Select Install.

Learn more about Azure sessions and disabling Users in Azure AD.

Active Directory LDAP connection

To enable and disable users across all domains, a single Domain User with the required permissions must be able to manage users in every domain that is configured in a Parent/Child or Trust Relationship. The time to replicate account changes across the organization depends on your configuration within Active Directory.

To create a connection:

  1. In the Connection Name field, enter a name for your directory, such as “MDR Active Directory”.
  2. In the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select Active Directory LDAP.
  4. Select Choose a Credential > Create New Credential:
    • Name your credential.
    • Enter the name of the Active Directory you want to grant the orchestrator access to. Make sure you enter your username in the DOMAIN\username format.
    • Enter the password of that directory.
    • Click Save.
  5. Under Host, enter the IP address of the server where the AD is hosted.
  6. Enter the Port number:
    • If you are using an LDAPS server, enter 636.
    • If you are using an LDAP server, enter 389.
  7. Under Use SSL, select True for port 636 or False for port 389.
  8. Under Chase referrals, select True if Parent/Child or Trusted Domains are being managed. Otherwise, select False.
  9. Click Save. If you do not see the connection appear after you save it, refresh your browser window.
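The following Python script is an added example, not part of Rapid7's documentation or product code. It runs the pre-flight checks the steps above imply before you submit the connection form: it flags stray whitespace, line breaks and invisible characters in any pasted value (the failure described earlier for app IDs and API keys of every plugin), checks that Port and Use SSL agree (636 with True, 389 with False), checks the DOMAIN\username format, and can test TCP reachability from the orchestrator host to the LDAP server. The LdapConnection dataclass, the function names and the sample values are this example's own assumptions.

```python
"""Pre-flight checks for an Active Directory LDAP connection (added example)."""
import re
import socket
from dataclasses import dataclass

# Invisible characters that often ride along with a copy-paste and vanish in a form field.
INVISIBLE_CHARS = {
    "\u00a0": "non-breaking space",
    "\u200b": "zero-width space",
    "\ufeff": "byte-order mark",
}

# Port/SSL pairings the guide prescribes: 636 = LDAPS (Use SSL True), 389 = LDAP (Use SSL False).
EXPECTED_SSL = {636: True, 389: False}


def check_pasted_value(name, value):
    """Return the problems found in one pasted value (app ID, API key, host ...), or []."""
    problems = []
    if value != value.strip():
        problems.append(f"{name}: leading or trailing whitespace/newline")
    if "\n" in value.strip() or "\r" in value.strip():
        problems.append(f"{name}: embedded line break")
    for char, label in INVISIBLE_CHARS.items():
        if char in value:
            problems.append(f"{name}: contains a {label}")
    return problems


@dataclass
class LdapConnection:
    """Fields of the Active Directory LDAP connection form (hypothetical structure)."""
    host: str
    port: int
    use_ssl: bool
    username: str          # expected as DOMAIN\username
    chase_referrals: bool = False


def validate_ldap_connection(conn):
    """Return all problems with the connection values, or [] if they look consistent."""
    problems = check_pasted_value("host", conn.host)
    problems += check_pasted_value("username", conn.username)
    expected = EXPECTED_SSL.get(conn.port)
    if expected is None:
        problems.append(f"port {conn.port}: expected 636 (LDAPS) or 389 (LDAP)")
    elif conn.use_ssl != expected:
        problems.append(f"port {conn.port}: Use SSL must be {expected}")
    # Exactly one backslash separating a non-empty domain and a non-empty user name.
    if not re.fullmatch(r"[^\\\s]+\\[^\\\s]+", conn.username.strip()):
        problems.append("username: must use the DOMAIN\\username format")
    return problems


def port_reachable(host, port, timeout=3.0):
    """TCP reachability check from the orchestrator toward the LDAP server (needs network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Build an LdapConnection from the values you intend to paste and call validate_ldap_connection on it; an empty list means the values are consistent with the steps above, and port_reachable(host, port) run on the orchestrator host confirms the firewall rule before you save.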

VMware Carbon Black Cloud Standard

These items are required if you are using the VMware Carbon Black Cloud Standard agent for Active Response Isolation.

  • An API Key from VMware Carbon Black Cloud Standard
  • An API ID
  • An Org Key
  • The base URL

To install this plugin:

  1. Open the VMware Carbon Black Cloud plugin in the Extension Library.
  2. Click Install.

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR Cb Cloud Standard.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select VMware Carbon Black Cloud.
  4. Select the Choose a credential dropdown and select Create New Credential.
    • Name the credential and enter the VMware Carbon Black Cloud Standard API Key.
    • Select Save.
  5. Enter the API ID.
  6. Enter the Org Key.
  7. Enter the URL.
  8. Select Save.

VMware Carbon Black EDR

You only need to install this plugin if you are using VMware Carbon Black EDR for asset containment.

To set this up you’ll need:

  • An API Key from VMware Carbon Black EDR
  • The base URL

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR Cb Response.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select VMware Carbon Black EDR.
  4. Select the Choose a credential dropdown and select Create New Credential.
    • Name the credential and enter the Cb Response Secret Key.
    • Select Save.
  5. Enter the URL.
  6. In SSL Verify, select true or false.
  7. Select Save.

CrowdStrike Falcon

These items are required if you are using the CrowdStrike Falcon agent for Active Response Isolation:

  • A Client Secret
  • A Client ID
  • The base URL
  • Permissions for the API should be:
    • Hosts - Read/Write
    • Quarantined Files - Write

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR CS Falcon.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select CrowdStrike Falcon.
  4. Select the Choose a credential dropdown and select Create New Credential.
    • Name the credential and enter the Client Secret from CrowdStrike Falcon.
    • Select Save.
  5. Enter the Client ID.
  6. Enter the Base URL.
  7. Select Save.

To install this plugin:

  1. Open the CrowdStrike Falcon plugin in the Extension Library.
  2. Select Install.

SentinelOne

These items are required if you are using the SentinelOne agent for Active Response Isolation:

  • An API key generated from a Service User (this user needs the ability to quarantine assets)
  • The base URL

To install this plugin:

  1. Open the SentinelOne plugin in the Extension Library.
  2. Select Install.

You only need to install this plugin if you are using SentinelOne for asset containment.

API Permissions needed:

  • Disable Network
  • Enable Network

Create a connection:

  1. In ‘Create a new Connection’, select the SentinelOne Plugin.
  2. In Connection Name, enter a unique and easily identifiable name, such as MDR SentinelOne.
  3. Under the “Where would you like this connection to live?” field, select your orchestrator.
    • Select the Choose a credential dropdown, and select Create New Credential.
    • Name the credential.
    • Enter the API Key generated from the SentinelOne Service User.
    • Select Save.
  4. Choose the User Type as ‘Service User’.
  5. Enter the Base URL.
  6. Select Save.

Cisco Secure Endpoint

These items are required if you are using the Cisco Secure Endpoint agent for Active Response Isolation:

  • Cisco Client ID
  • Secret Key
  • The API URL for your region

To install this plugin:

  1. Open the Cisco Secure Endpoint plugin in the Extension Library.
  2. Select Install.

You only need to install this plugin if you are using Cisco Secure Endpoint for asset containment.

Create a connection:

To set up Cisco Secure Endpoint as part of your Active Response integration and create its connection, follow these steps:

  1. Configure a Response Action:
    • Navigate to your SIEM (InsightIDR) instance and follow the steps to configure a new response action.
    • Choose the option to Quarantine Host and select Cisco Secure Endpoint as the tool to perform the action.
  2. Set Up the Cisco Secure Endpoint Connection:
    • In the Snippet Setup Wizard, either select an existing Cisco Secure Endpoint connection or choose to create a new connection.
    • To create a new connection, input your Cisco Client ID, Secret Key, and the appropriate API URL for your region to establish the connection.
  3. Configure Asset Exclusion:
    • During the setup, you will be prompted to configure the Asset Exclusion step.
    • Select + New Global Artifact from Schema to create a list where you can populate endpoint names.
    • When the workflow runs, if an endpoint name exists in the global artifact, it will be excluded from the isolation process.
  4. Publish the Snippet:
    • Once all configurations are complete, publish the Snippet.
    • You have now successfully implemented the on-demand response action using Cisco Secure Endpoint.

Leveraging Cisco Secure Endpoint with Active Response

With Cisco Secure Endpoint configured, you can now manually execute host isolation during an investigation, or allow Rapid7’s MDR SOC Analysts to take action on your behalf if you have opted into Active Response. This integration ensures that you can continue using your preferred security tools while enhancing your incident response capabilities with Rapid7’s expertise.

Microsoft Defender For Endpoint

These items are required if you are using the Microsoft Defender For Endpoint agent for Active Response Isolation.

To install this plugin:

  1. Open the Microsoft Defender For Endpoint plugin in the Extension Library.
  2. Select Install.

You only need to install this plugin if you are using Microsoft Defender For Endpoint for asset containment.

To set this up you’ll need:

  • Microsoft Defender license
  • Windows Defender Advanced Threat Protection application credentials

The application registration will need the appropriate API permissions and app roles required to look up an asset, isolate an asset, and remove an asset from isolation. Please see the Microsoft link to identify proper scoping.

Create a connection:

Learn more about application set up and assigning permissions for Microsoft Defender.

Palo Alto Cortex XDR

These items are required if you are using the Cortex XDR plugin for Active Response Isolation or other endpoint actions.

  • Cortex XDR API Key — Generated when creating a new API key in Cortex XDR.
  • API Key ID — The numerical ID for the API key (visible in the API Keys table in Cortex XDR settings).
  • Security Level — The security level of the key (choose between Advanced or Standard).
  • Cortex XDR API URL — The base API URL for your Cortex XDR tenant, for example: https://api-example.xdr.us.paloaltonetworks.com/ 

Required Role Permissions:

  • Endpoints → Endpoint Administration
  • Incident Response → Action Center → Isolate

To install this plugin:

  1. Open the Palo Alto Cortex XDR plugin in the Extension Library.
  2. Select Install.

You only need to install this plugin if you are using Palo Alto Cortex XDR for asset containment.

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR Palo Alto Cortex XDR.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select Palo Alto Cortex XDR.
  4. Select the Choose a credential dropdown and select Create New Credential.
    • Name the credential and enter the secret key from the Palo Alto Cortex console.
    • Select Save.
  5. Enter the Secret Key.
  6. Enter the API Key ID.
  7. Enter the API Security Level.
  8. Enter the API URL.
