Rapid7 Active Response

Rapid7 Active Response is an optional add-on to our Managed Detection and Response (MDR) service that enables our expert SOC analysts to respond directly to validated threats in your environment.

With Active Response, our analysts can isolate endpoints and disable compromised user accounts within minutes, limiting attacker dwell time and accelerating time to respond. To learn more about MDR Active Response, check out this video:

How it works

Here’s how Rapid7 Active Response works:

  • During setup, you will install the required plugins, set up connections, and provide a list of users and assets (such as critical servers or devices) that you want excluded from quarantine actions. This way, we don’t treat your Domain Controller the same as a typical user workstation.
  • Active Response then uses the Rapid7 Insight Agent or VMware Carbon Black Response EDR to isolate threats by quarantining users or endpoints as early in the kill chain as possible, preventing malware propagation across your systems, lateral movement, or data exfiltration.
  • The MDR team will send real-time updates on actions using your preferred communication methods, as long as they are supported by Active Response.
  • Throughout the containment process, you can accelerate or cancel containment actions before they run, from your mobile or desktop devices via Slack.

Active Response Deployment Overview

Active Response Deployment Milestones are listed below:

The following sections contain installation and configuration instructions to guide you through the deployment process.

  • Active Response Requirements: covers eligibility requirements for Active Response and requirements for the Insight Agent.
  • Install an Orchestrator in your environment: covers requirements and orchestrator deployment instructions.
  • Set Up your Plugins: covers the plugin setup process, which is broken into two steps for a smoother experience:
    1. Install your plugins
    2. Configure connections
    Every plugin has different connection requirements. You will need to prepare the required information before adding a new connection, but we’ll cover that later on.
  • Configure Microsoft Office 365 (Optional): covers configuration details that you need to complete within Microsoft Office 365 to enable a connection with Insight products.
  • Configure ChatOps: provides a step-by-step walkthrough of the ChatOps configuration process.