Rapid7 Active Response
Rapid7 Active Response is an optional add-on to our Managed Detection and Response (MDR) service that enables our expert SOC analysts to respond directly to validated threats in your environment.
With Active Response, our analysts can isolate endpoints and disable compromised user accounts within minutes, limiting attacker dwell time and shortening the time to respond.
How it works
Here’s how Rapid7 Active Response works:
- During setup, you install the required plugins, set up the connections, and provide a list of assets and users (such as critical servers, devices, or specific accounts) that you want excluded from quarantine actions. This way, we don't treat your Domain Controller the same as a typical user workstation.
- Active Response then uses the Rapid7 Insight Agent or VMware Carbon Black Response EDR to contain threats by quarantining endpoints or users as early in the kill chain as possible, preventing malware propagation across your systems, lateral movement, or data exfiltration.
- The MDR team sends real-time updates on each action through your preferred communication method, provided Active Response supports it.
- Throughout the containment process, you can accelerate or cancel a containment action before it runs, from a mobile or desktop device, via Slack.
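The two safety controls in the workflow above, the customer-supplied exclusion list and the review window in which an action can be accelerated or cancelled from ChatOps, are easy to get subtly wrong (for example, an exclusion written as `DC01` failing to match an alert that names `dc01.corp.example.com`). The following is an added illustrative model of that gating logic, not Rapid7's own code: every hostname, account name and the 5-minute review window are constructed assumptions for the example.

```python
"""Added example: a containment queue gated by an exclusion list and a
ChatOps review window. Not Rapid7 code; all names and timings are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set


class ActionType(Enum):
    ISOLATE_ENDPOINT = "isolate_endpoint"   # network-isolate a host via agent / EDR
    DISABLE_USER = "disable_user"           # disable a compromised account


class Status(Enum):
    PENDING = "pending"        # inside the customer review window
    EXECUTED = "executed"      # containment ran (accelerated or window elapsed)
    CANCELLED = "cancelled"    # customer cancelled from ChatOps before it ran
    SKIPPED = "skipped"        # target is on the exclusion list; never automated


@dataclass
class ContainmentAction:
    kind: ActionType
    target: str           # hostname (FQDN or short) or user (UPN or DOMAIN\user)
    eligible_at: float    # epoch seconds at which the action may execute
    status: Status = Status.PENDING


def normalize_host(name: str) -> str:
    """'DC01.corp.example.com' and 'dc01' compare equal."""
    return name.strip().lower().split(".", 1)[0]


def normalize_user(name: str) -> str:
    """'CORP\\jdoe', 'jdoe@corp.example.com' and 'JDoe' compare equal."""
    n = name.strip().lower()
    if "\\" in n:
        n = n.split("\\", 1)[1]
    return n.split("@", 1)[0]


@dataclass
class ContainmentQueue:
    excluded_assets: Set[str]
    excluded_users: Set[str]
    review_window_s: int = 300   # assumed: 5 minutes to cancel or accelerate
    actions: List[ContainmentAction] = field(default_factory=list)

    def _excluded(self, kind: ActionType, target: str) -> bool:
        if kind is ActionType.ISOLATE_ENDPOINT:
            return normalize_host(target) in {normalize_host(a) for a in self.excluded_assets}
        return normalize_user(target) in {normalize_user(u) for u in self.excluded_users}

    def propose(self, kind: ActionType, target: str, now: float) -> ContainmentAction:
        """Analyst proposes containment; excluded targets are never queued for automation."""
        action = ContainmentAction(kind, target, now + self.review_window_s)
        if self._excluded(kind, target):
            action.status = Status.SKIPPED
        self.actions.append(action)
        return action

    def accelerate(self, action: ContainmentAction, now: float) -> Status:
        """Customer approves from ChatOps: run now instead of waiting out the window."""
        if action.status is Status.PENDING:
            action.eligible_at = now
            self.run_due(now)
        return action.status

    def cancel(self, action: ContainmentAction) -> Status:
        """Customer cancels from ChatOps; only a still-pending action can be cancelled."""
        if action.status is Status.PENDING:
            action.status = Status.CANCELLED
        return action.status

    def run_due(self, now: float) -> List[ContainmentAction]:
        """Execute every pending action whose review window has elapsed."""
        ran = []
        for a in self.actions:
            if a.status is Status.PENDING and a.eligible_at <= now:
                a.status = Status.EXECUTED   # the agent / EDR isolation call would go here
                ran.append(a)
        return ran


def demo():
    """Walk one constructed incident through the queue; returns final statuses."""
    q = ContainmentQueue(excluded_assets={"dc01.corp.example.com", "FILESRV01"},
                         excluded_users={"CORP\\svc_backup", "admin@corp.example.com"})
    t0 = 1_700_000_000.0
    dc = q.propose(ActionType.ISOLATE_ENDPOINT, "DC01", t0)                  # excluded
    ws = q.propose(ActionType.ISOLATE_ENDPOINT, "WS-0427.corp.example.com", t0)
    user = q.propose(ActionType.DISABLE_USER, "jdoe@corp.example.com", t0)
    svc = q.propose(ActionType.DISABLE_USER, "svc_backup", t0)               # excluded
    q.cancel(user)               # customer: false positive, keep the account enabled
    q.accelerate(ws, t0 + 30)    # customer: isolate the workstation right away
    q.run_due(t0 + 600)          # window elapsed; nothing else should still be pending
    return {a.target: a.status for a in (dc, ws, user, svc)}


if __name__ == "__main__":
    for target, status in demo().items():
        print(f"{target:32} {status.value}")
```

The normalization helpers are the point: an exclusion list is only as good as its matching, and a Domain Controller listed by FQDN must still match when the alert carries the short NetBIOS name, or the exclusion silently fails and the DC gets isolated.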
Active Response Deployment Overview
The deployment milestones are listed below. The following sections contain installation and configuration instructions to guide you through the deployment process:
- Covers eligibility requirements for Active Response and requirements for the Insight Agent.
- Covers requirements and orchestrator deployment instructions.
- Covers the plugin setup process, which is split into two steps for a smoother experience.
- Covers the configuration you need to complete within Microsoft Office 365 to enable a connection with Insight products.
- Provides a step-by-step walkthrough of the ChatOps configuration process.