Rapid7 Active Response
Rapid7 Active Response is an optional add-on to our Managed Detection and Response (MDR) service that enables our expert SOC analysts to respond directly to validated threats in your environment.
With Active Response, our analysts can isolate endpoints and disable compromised user accounts within minutes, limiting attacker dwell time and accelerating time to respond.
How it works
Here’s how Rapid7 Active Response works:
- During setup, you will install the required plugins, set up connections, and provide a list of users and assets (such as critical servers or devices) that you want excluded from quarantine actions. This way, we don’t treat your Domain Controller the same as a typical user workstation.
- Active Response then uses the Rapid7 Insight Agent or a supported third-party EDR (Carbon Black Cloud, SentinelOne, and CrowdStrike Falcon) to contain threats by quarantining users or endpoints as early in the kill chain as possible, preventing malware propagation across your systems, lateral movement, and data exfiltration.
- The MDR team sends real-time updates on containment actions through your preferred communication methods, as long as they are supported by Active Response.
- Throughout the containment process, you can accelerate or cancel containment actions before they run from your mobile or desktop devices via Slack (optional).
Active Response Deployment Overview
The Active Response deployment milestones are listed below. The following sections contain installation and configuration instructions to guide you through the deployment process.

| Milestone | Description |
|---|---|
| Active Response Requirements | Covers eligibility requirements for Active Response and requirements for the Insight Agent. |
| Install an Orchestrator in your environment | Covers requirements and orchestrator deployment instructions. |
| Set Up your Plugins | Covers the plugin setup process, which is broken into two steps for a smoother experience: (1) install your plugins, (2) configure connections. Every plugin has different connection requirements. You will need to prepare the required information before adding a new connection, but we’ll cover that later on. |
| Configure Microsoft Office 365 (Optional) | Covers configuration details that you need to complete within Microsoft Office 365 to enable a connection with Insight products. |
| Configure ChatOps (Optional) | Provides a step-by-step walkthrough of the ChatOps (Slack) configuration process. ChatOps is not required. |