SOC Supported Third Party Security Tools

Rapid7 provides comprehensive support to customers by leveraging advanced tools and expert services to triage and investigate security events across endpoints, identity, network, and cloud environments. Our mission is to help customers achieve full visibility into their environments by ingesting third-party alerts, correlating them with our own where applicable, and focusing investigations on alerts that indicate significant security risks or threats.

Alerts from third-party security tools are integrated into SIEM (InsightIDR) by configuring the appropriate event sources. As with all event sources in SIEM (InsightIDR), Rapid7 assists with event source configuration but does not have control over potential disruptions in data flow from third-party tools to SIEM (InsightIDR). While such disruptions are not common, they can result in gaps in detection or services. Because these outages are often due to factors outside of Rapid7’s control, Rapid7 cannot be held responsible for disruptions in the flow of data from third parties.

Any custom alerts from a third-party product, regardless of priority, will not be triaged by the Rapid7 MDR SOC. The Rapid7 SOC will triage, investigate, and respond to alerts that the third party classifies with its top severity/priority at the time of ingestion into SIEM (InsightIDR). These alerts will be mapped to Rapid7’s “High” priority and will be subject to the same service level objectives as all other high-priority alerts. Rapid7’s “Critical” priority is reserved for Rapid7-authored detections and select third-party detections that meet strict efficacy requirements. For clarification purposes, Rapid7’s service level objectives for any alert from a third party are based on the created time within SIEM (InsightIDR) and not the event time in the third-party system.

Supported Third Party Security Tools

Third Party                          Category
AWS GuardDuty                        Cloud
CrowdStrike Falcon                   Endpoint
SentinelOne EDR                      Endpoint
Microsoft Defender for Cloud         Cloud
Microsoft Defender for Endpoint      Endpoint
Microsoft Defender for Identity      Identity
Microsoft Defender for Cloud Apps    Cloud
Microsoft Defender for Office 365    Email
Okta                                 Identity
Palo Alto Cortex XDR                 Endpoint
Google SCC                           Cloud

We will update this table as SOC support for new tools is released.

The number of third-party products monitored by Rapid7 is determined by your service level.

  • MTC Ultimate customers are entitled to monitoring for 4 third-party products, with the option to purchase additional monitoring if needed.
  • MTC Advanced and MDR Elite customers are entitled to monitoring for 2 third-party products, with the option to purchase additional monitoring if needed.
  • MTC Essential and MDR Essentials customers must purchase third-party product monitoring as an add-on.

Detection Strategy

Rapid7’s Detection Strategy dictates how we develop detections for first- and third-party event sources. We focus on finding attacker behavior from Initial Access through Impact (prioritizing earlier stages) on servers, endpoints, networks, and cloud systems. Alerts created by our detections must provide sufficient context for an analyst to triage and investigate effectively.

Coverage of individual third-party event sources may vary depending on alert context, licensing considerations, and the MDR SOC’s scope; for example, vulnerability, containerized-workload, and contextual/posture-management detections are out of scope. If an alert would immediately require customer input to triage, the detection will be classified as Custom and Contextual. This includes, but is not limited to, OT/IoT, DLP, Insider Threat, and third-party alerts that would require access to the third-party console to view all necessary context.

Detection Rules

SIEM (InsightIDR) detection rules generate alerts based on activity from your configured event sources, the Insight Agent, and the Rapid7 Network Traffic Analysis (NTA) network sensor. Rapid7 regularly re-evaluates our detections for efficacy, accuracy, and efficiency for both you and our MDR SOC. At any time, Rapid7 may update any attribute of a non-customer-authored detection, including, but not limited to, category, priority, or logic. Additionally, Rapid7 may retire a detection entirely if a customer-wide data review determines that it has low efficacy.

Event Source Development & Maintenance

Rapid7 is committed to the ongoing development and support of cloud-based event source technology. All new features are delivered exclusively to cloud-based integrations. Rapid7 will continue to support on-premises, collector-based event sources for use with SIEM (InsightIDR). However, future enhancements and long-term support efforts are focused on cloud-based integrations.

Some event sources will remain collector-based by design, particularly those supporting on-premises technologies where a cloud-to-cloud connection is not possible. When a cloud-to-cloud connection is available, Rapid7 strongly recommends using it instead of the collector-based method to ensure access to the latest functionality, improved performance, and optimal coverage.

Alert Categories

Managed Alerts: Created and monitored by the Rapid7 SOC (Security Operations Center) as part of managed services such as MDR (Managed Detection and Response). These alerts typically cover high- and critical-priority detections from both Rapid7 native (first-party) sources and supported third-party event sources.

The Rapid7 SOC is responsible for triaging and responding to these alerts. In SIEM (InsightIDR), they are labeled as “Rapid7 Managed.” Customers can work with their Cybersecurity Advisor to tune these alerts; however, investigation and response are handled by Rapid7.

Custom Alerts: User-defined within SIEM (InsightIDR), these alerts are typically created when built-in or managed alerts do not meet specific requirements. They can be configured to monitor for specific patterns, inactivity, or changes in the environment.

Customers are responsible for reviewing and taking action on these alerts, often through the Request for Information (RFI) process. The Rapid7 SOC does not monitor or respond to custom alerts; responsibility for triage and response rests entirely with the customer.

Contextual Alerts: A subset of alerts that require additional information or organizational context that only the customer can provide (for example, certain user behavior analytics detections). The Rapid7 SOC does not have access to this context, so these alerts are not fully managed.

Managed Info Alerts: Provide telemetry and contextual information that may be useful during an investigation but are not, on their own, indicative of malicious behavior. They are stored within SIEM (InsightIDR) for reference by the Rapid7 SOC and are not actively triaged.

Alert Priority

Inherited Priority: The priority level for a Rapid7 detection is sourced from the vendor’s determination in the event payload.

Dynamic Priority: For entitled MDR customers, responsibility for alerts with an inherited priority of High or Critical is transferred to the Rapid7 SOC for triage and response.

Bidirectional Alert Synchronization & Enhanced Context

Bidirectional alert synchronization (sync) addresses the challenge of switching between security tools by enabling unified alert triage across your ecosystem. When enabled, alert status changes are automatically reflected across both Rapid7 SIEM (InsightIDR) and the connected third-party platform. This helps maintain alert status consistency across tools and streamlines incident response workflows.

Note: Bidirectional sync and enhanced context are only available for Microsoft Defender products via the Microsoft Security event source. Additional event sources will be included as we expand coverage capabilities.

With bidirectional alert sync:

  • Alert statuses are synchronized across systems:
    • Closing an alert in SIEM (InsightIDR) also closes the corresponding alert in the third-party platform.
    • Closing an alert in the third-party platform closes the corresponding alert in SIEM (InsightIDR).
    • Reopening an alert in SIEM (InsightIDR) reopens the alert in the third-party platform.
    • Reopening an alert in the third-party platform after it has been closed in SIEM (InsightIDR) will not reopen the alert in SIEM (InsightIDR) to be reworked.
  • Maintain alert status across platforms, reducing context switching and manual effort.
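The sync rules above are asymmetric: a reopen on the third-party side does not reopen the SIEM (InsightIDR) alert. The following is an added example, not Rapid7 code, that models those rules over a constructed change history and flags the alerts that have drifted (open in the third-party platform, closed in SIEM) and therefore need manual attention; the alert IDs and histories are made up.

```python
"""Model of the bidirectional alert sync rules above (constructed example, not Rapid7 code)."""
from dataclasses import dataclass

OPEN, CLOSED = "open", "closed"


@dataclass
class AlertPair:
    """One alert as it exists in both SIEM (InsightIDR) and the third-party platform."""
    alert_id: str
    siem: str = OPEN
    vendor: str = OPEN


def apply_change(pair: AlertPair, source: str, action: str) -> AlertPair:
    """Apply a status change made in `source` ('siem' or 'vendor') and propagate it per the rules."""
    if source not in ("siem", "vendor") or action not in ("close", "reopen"):
        raise ValueError(f"unsupported change: {source}/{action}")
    if action == "close":
        pair.siem = pair.vendor = CLOSED          # a close on either side is mirrored
    elif source == "siem":
        pair.siem = pair.vendor = OPEN            # a reopen in SIEM is mirrored to the vendor
    else:
        pair.vendor = OPEN                        # a vendor-side reopen is NOT mirrored to SIEM
    return pair


def replay(alert_id: str, changes) -> AlertPair:
    """Rebuild the state on both sides from an ordered list of (source, action) changes."""
    pair = AlertPair(alert_id)
    for source, action in changes:
        apply_change(pair, source, action)
    return pair


def find_drift(pairs) -> list[str]:
    """Alerts open in the third-party platform but closed in SIEM: sync will never rework these."""
    return [p.alert_id for p in pairs if p.vendor == OPEN and p.siem == CLOSED]


# Constructed change history for three hypothetical alerts.
HISTORY = {
    "A-1": [("siem", "close")],                        # closed in SIEM, mirrored to the vendor
    "A-2": [("vendor", "close"), ("siem", "reopen")],  # reopened in SIEM, mirrored to the vendor
    "A-3": [("siem", "close"), ("vendor", "reopen")],  # reopened on the vendor side only: drift
}


def run() -> list[str]:
    return find_drift(replay(aid, changes) for aid, changes in HISTORY.items())


if __name__ == "__main__":
    print(run())  # ['A-3']
```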

Bidirectional alert sync is an optional feature recommended for an optimal customer experience. It is available for supported and entitled product monitoring, with coverage selection remaining at the customer’s discretion. To enable bidirectional alert sync, permissions must be configured in both Rapid7 SIEM (InsightIDR) and the third-party platform.

  • Refer to the third-party product documentation for configuration details and required permissions.
  • Select the Enable bidirectional alert sync checkbox when configuring the event source in SIEM (InsightIDR).
  • Work with your Cybersecurity Advisor to ensure proper configuration and preferred selections are in place.

Enhanced alert context builds on bidirectional sync by enriching third-party alerts with additional evidence and related entities directly within SIEM (InsightIDR). This includes visibility into key elements such as process trees, machines, users, files, and IPs, eliminating the need to pivot between tools. By centralizing enriched alert details into a single source of truth and maintaining consistency across platforms, analysts can triage faster, reduce duplicate effort, and improve overall SOC efficiency while providing greater transparency to customers.