Managed Threat Complete Advanced: Quick Start Guide

Refer to this Quick Start Guide to learn how to you will partner with the Rapid7 team throughout the deployment process.

What is Managed Threat Complete Advanced?

Rapid7's Managed Threat Complete is an integrated product and services offering, which allows you to prepare for, detect, and respond to threats in your environment.

Managed Threat Complete Advanced builds on the Essential offering with additional services and reports to bring you more robust capabilities and partnership. The Advanced tier provides extra services offerings to enhance your experience with Rapid7.

Advanced products, services, reports, and notifications

These offerings are available with Managed Threat Complete Advanced:

Products you can use

Access these Rapid7 products on the Insight Platform:

Core products

ProductDescriptionLearn more
InsightIDRDetect and respond with InsightIDR, your security information and event management (SIEM) system for incident management, authentication monitoring, and endpoint visibility. All log sources from your environment are ingested into InsightIDR for monitoring.

Rapid7's Managed Detection and Response (MDR) service works directly in InsightIDR alongside your business, helping to secure your environment.		InsightIDR documentation
InsightVMManage vulnerabilities with InsightVM, a data-rich scanning tool that integrates data from Rapid7’s library of Nexpose vulnerability research, exploit knowledge from Metasploit, global attacker behavior, internet-wide scanning data, exposure analytics, and real-time reporting.InsightVM documentation
InsightConnectAutomate IT and security tasks with InsightConnect, a workflow builder that integrates with other Insight products to increase efficiency across your business. InsightConnect enables the integrations necessary for Active Response.InsightConnect documentation
Services teams you connect with

Collaborate with these Rapid7 resources to extend your security operations:

Customer Advisor Support Center

All customers can contact the Customer Advisor Support Center to quickly get help with common issues. The Customer Advisor Support Center can help with questions about security best practices and product functionality (for example, setting up Active Response for remote containment).

Managed Detection and Response Security Operations Center (MDR SOC)

The MDR SOC handles routine detection and response on behalf of your company, providing continuous security coverage. Working alongside your team in InsightIDR, the MDR SOC provides extra support for triaging alerts and responding to investigations. Learn more about Managed Detection and Response.

Incident Response Consultants

Rapid7's Incident Response Consultants are a dedicated group that lead incident response for complex or high-impact incidents in your environment. As experienced incident response professionals, this team also provides ongoing training and support to the MDR SOC.

All customers can contact the Incident Response Consultants for help with active incidents.

Threat Intelligence Detection and Engineering

As the first vulnerability management provider to become a CVE Numbering Authority, Rapid7 has a unique understanding of the modern threat landscape, including attackers' ability to compromise your environment. The Threat Intelligence Detection and Engineering team develops the detection mechanisms to uncover vulnerabilities, exploits, and attack campaigns in your environment.

Rapid7 Labs

Rapid7 Labs tracks adversaries, shares proprietary, curated intelligence and research, and builds trusted open-source communities. You can leverage the work done by Rapid7 Labs to stay up to date on the latest zero day vulnerabilities.

Dedicated Managed Detection and Response (MDR) Customer Advisor

The Customer Advisory team is your strategic partner who works with you—from initial technology deployment through incident response and ongoing security consultation—to guide your organization's security maturity. Throughout your Managed Threat Complete service term, your Customer Advisor (CA) will frequently communicate with your team to provide updates on service delivery, reporting, metrics, technology health, and to ensure Rapid7 is helping you address your security goals. Additionally, your CA will work closely with Rapid7’s MDR SOC team to understand and convey information relevant to any investigations and incidents.

Reports you can access

Your Rapid7 services teams generate these reports, which you can access through the Services Portal:

Core reports

ReportDescriptionExample
Security Posture Assessment ReportOnce the Insight Agent is deployed to at least 80% of the endpoints in your environment, Rapid7 evaluates potential attack paths and performs an overall security an assessment of your environment. This report provides remediation and mitigation recommendations to reduce risks.

Rapid7 initiates the incident response process if an active compromise occurs during the assessment, notifying your company.		Security posture assessment report
Monthly Service ReportThis report provides metrics and context about threat detection and incident response activities conducted during the previous month, along with information about the health of detection and response controls in your environment.February 2024 Service Report
Incident Response ReportsThis report details all incident management activities, key findings, the dates of attacker activity, and recommended corrective actions.Malicious executable incident

Advanced and Ultimate reports

ReportDescriptionExample
Detection and Response Readiness AssessmentFor this assessment, Rapid7 works with your team to enhance your existing incident response plan, improving collaboration with Rapid7's Incident Response team during a security event. Rapid7 might also recommend overall plan improvements to defend against today's cyber attacks.-
Critical Security Controls AssessmentFor this assessment, your MDR Customer Advisor works with you to create a roadmap towards improving your overall security program, based on the Center for Internet Security (CIS) - Critical Security Controls v8. The CIS Critical Security Controls is a prioritized set of best practices designed to mitigate the most prevalent system and network attacks and is often referenced by legal, regulatory, and policy frameworks.

This roadmap acts as a guide for monthly security posture review meetings and presents an opportunity for Rapid7's experts to collaborate with your team, strategically improving detection visibility and response capabilities.		Critical security controls assessment report
Service Update and Threat Briefing PresentationAs a Managed Threat Complete Advanced or Ultimate customer, you meet with your MDR Customer Advisor monthly. With your Customer Advisor, you'll review security activities and key metrics and identify actions that strengthen your security posture. Together, you'll also review your security program against Rapid7's critical controls framework to strategically improve your security maturity and your Customer Advisor will advise on future security projects, if requested.

This review might also offer measurements of security improvements you've made so far while collaborating with Rapid7, allowing you to demonstrate the value of Rapid7's Managed Threat Complete to executives.		Threat briefing and trend reporting presentation
Notifications you receive

Rapid7's products and services send you these notifications through email:

Other updates and communications

To receive updates for featured content, blogs, and product updates, adjust your Rapid7 communication preferences. You can also subscribe to the Rapid7 status page for notifications about maintenance and service degradation.

Emergent threat response notifications

NotificationDescriptionEmail information
Emergent Threat ResponseRapid7 notifies all Managed Services customers after discovering new Common Vulnerabilities and Exposures (CVEs). This notification includes known information about the CVE, steps to protect your environment, and updates on Rapid7's response.Subject: Includes the CVE name

Sender: emergent_threat_advisory@rapid7.com

Recipients: Rapid7's CVE distribution list (contact Rapid7 to make changes)

MDR SOC notifications

NotificationDescriptionEmail information
Incident NotificationsYour action is required.

Rapid7's MDR SOC notifies your company when an incident occurs in your environment. These notifications typically include evidence of the incident, impacted assets, remediation actions, a link to the InsightIDR investigation, and questions for your team.

For medium and high severity incidents, the MDR SOC also contacts designated contacts at your company by phone.

Take the recommended remediation actions and work with Rapid7 throughout the incident.		Subject: Rapid7 MDR [Priority] Incident: [Subject] - [Case Number]

Sender: managed@rapid7.com

Recipients: Your company's designated contacts for MDR SOC notifications (contact Rapid7 to make changes)
Investigation Requests for Information (RFIs)Your action is required.

Rapid7's MDR SOC sends these notifications when your company's input is needed on an investigation, for example, to confirm whether activity is expected.

Review the investigation details and respond to the request.		Subject: Rapid7 MDR RFI: [Subject] - [Case Number]

Sender: managed@rapid7.com

Recipients: Your company's designated contacts for MDR SOC notifications (contact Rapid7 to make changes)
Alert RFIsYour action is required.

Rapid7's MDR SOC sends these notifications to request your input on account management activity, authentication activity, cloud service activity, and third-party account leak alerts occurring in your environment. These alerts don't have the Rapid7 Managed label in InsightIDR, but the MDR SOC prioritizes them because of their high fidelity.

Review the alert details and open a case on the Customer Portal if MDR SOC investigation is required.

Rapid7 sends these notifications hourly, except for account leak alerts, which are sent daily.		Subject: MDR Notification: [Alert Type] - [Customer Name]

Sender: mdr_notifications@rapid7.com

Recipients: Your company's designated contacts for MDR SOC notifications (contact Rapid7 to make changes)
Services Portal ReportsRapid7 sends these notifications after adding a new document to your Services Portal, such as a report or announcement.Subject: Includes the report or announcement details

Sender: insight_noreply@rapid7.com

Recipients: Insight Platform users with access to the Services Portal and Services Portal Account Team users

InsightIDR product notifications

NotificationDescriptionEmail information
Basic Detection RulesInsightIDR sends these notifications when a basic detection rule (formerly known as a custom alert), triggers a detection in your environment.

The MDR SOC does not monitor basic detection rules.		Subject: [InsightIDR Basic Detection Rule Type and Name]

Sender: insight_noreply@rapid7.com

Recipients: Insight Platform users that you specify when configuring the basic detection rule

Core components

Each product and component of Managed Threat Complete must be set up and configured for your environment. Refer to the tables and links to other documentation for detailed instructions.

On-premise components

Use these on-premises components to take advantage of all that Managed Threat Complete has to offer. These components are installed on one or more machines in your environment:

ComponentDescriptionLearn more
Insight AgentThe Insight Agent is lightweight software you can install on supported assets—in the cloud or on-premises—to easily centralize and monitor data on the Insight Platform. The Insight Agent gives you endpoint visibility and detection by collecting live system information—including basic asset identification information, running processes, and logs—from your assets and sending this data back to the Insight Platform for analysis. The Insight Agent can be installed directly on Windows, Linux, or Mac assets. Each Insight Agent collects data only from the endpoint on which it is installed.Insight Agent documentation
CollectorThe Collector is the on-premises component of InsightIDR, or a machine on your network running Rapid7 software that either polls data or receives data from event sources and makes it available for InsightIDR analysis. An event source represents a single device that sends logs to the Collector.Collector documentation
Scan EngineScan Engines are the workhorses of the scanning process and operate solely at the discretion of the Security Console. They are responsible for discovering assets during a scan, checking them for vulnerabilities, and assessing their level of policy compliance (if your selected scan template is configured to do so).Scan Engine documentation
Security ConsoleInsightVM utilizes the Security Console for on-premises vulnerability scanning and system management. The Security Console core features allow you to identify risk in your environment, organize your devices, and prioritize remediation.Security Console documentation
Scan AssistantThe Scan Assistant provides you with a secure alternative for authenticated scans that utilizes elliptic curve asymmetric encryption (ECDSA) and advanced encryption standard (AES) to form a trusted secure channel between the Scan Assistant and the Scan Engine. You can deploy the Scan Assistant with a public certificate in your environment, which allows the Scan Engine to receive a private certificate.Scan Assistant documentation
Insight OrchestratorThe Insight Orchestrator is a server in your network or cloud environment that integrates your tools and systems with InsightConnect. When a workflow is running, the Insight Cloud keeps the overall workflow logic and data that is generated from each step. When a step is set to run on an Orchestrator, the Insight Cloud delivers the input data and action instructions to the Orchestrator. The Orchestrator executes the action and passes the data output back up to the Insight Cloud. The Insight Cloud then proceeds to the next step in the workflow.Insight Orchestrator documentation

Cloud components

Use these cloud components to take advantage of all that Managed Threat Complete has to offer:

ComponentDescriptionLearn more
Insight AgentThe Insight Agent is lightweight software you can install on supported assets—in the cloud or on-premises—to easily centralize and monitor data on the Insight Platform. The Insight Agent gives you endpoint visibility and detection by collecting live system information—including basic asset identification information, running processes, and logs—from your assets and sending this data back to the Insight Platform for analysis. The Insight Agent can be installed directly on Windows, Linux, or Mac assets. Each Insight Agent collects data only from the endpoint on which it is installed.Insight Agent documentation
Insight PlatformThe Rapid7 Insight Platform is your base within the ecosystem of Rapid7 cloud products and services. It provides a centralized location for administrative functions and makes navigating the Insight product suite simple and easy. Once the Insight Agent is deployed across your environment, the Insight Agent send monitoring data to the Insight Platform.Insight Platform documentation
Event sourcesTo send log events in InsightIDR, you can either forward them from a Security Information and Event Management system (SIEM) or you can collect the log events directly from the event sources. It is also possible to combine these methods—you can forward some event types from the SIEM and then send the remaining ones directly.Event source documentation

Plan for deployment

To get started with Managed Threat Complete, you must plan for deployment. During this stage, you'll meet your Rapid7 team, collaborate with them on your Onboarding Success Plan, and begin deploying Insight Agents to your environment. Once you complete this stage, you will have successfully installed, configured, and deployed the software solutions to meet your needs.

Your actions

Complete these steps:

  1. Deploy your first Insight Agent. The Insight Agent gives you endpoint visibility and detection by collecting live system information—including basic asset identification information, running processes, and logs—from your assets and sending this data back to the Insight Platform for analysis. Refer to the Insight Agent documentation for instructions.
  2. Provide input on your Onboarding Success Plan. After you receive your Onboarding Success Plan from Rapid7, review it to understand its scope. Share any feedback or adjustments with Rapid7 to ensure that you and your partners are aligned on your onboarding goals and how success will be measured.
Rapid7 actions

Rapid7 completes these action items:

  1. Introduce your Rapid7 team. You can expect your Rapid7 Account Executive (AE) to contact you with an official welcome email, which your Customer Success Manager (CSM) is copied on. From this welcome email, you schedule a kickoff call with your Rapid7 team, including your AE, CSM, and Sales Engineer (SE). As a Managed Threat Complete customer, you have access to these Rapid7 resources.
  2. Refine your Onboarding Success Plan. Your Rapid7 team documents your goals for Managed Threat Complete in an Onboarding Success Plan. Your CSM may already understand your goals and metrics for success based on conversations with other members of your Rapid7 team, but you can collaborate with your CSM to refine the Onboarding Success Plan together.
  3. Schedule services. You can expect an email from your Rapid7 CSM to schedule enablement sessions. The topics of these sessions are:
    • Managed Detection and Response Session 1 - Insight Platform setup; validate network sensor; Orchestrator overview.
    • Managed Detection and Response Session 2 - Event source setup; validate deception technology (review and discussion); review InsightIDR settings.
    • Active Response Session - Configure response actions for LDAP user containment; configure response actions for endpoint containment.
    • InsightVM Session - Implement hosted console configuration or review existing InsightVM console to determine the best migration process to execute.

Begin initiation

Begin initiating Managed Threat Complete in your environment with the action items below. During this stage, you'll deploy more Insight Agents in your environment, attend the Incident Response Planning Workshop, and connect with the Customer Advisor Support Center.

Your actions

Complete these steps:

  1. Deploy more Insight Agents in your environment. Refer to the Insight Agent documentation for instructions. To gain full visibility of your environment, an Insight Agent must be present on every asset in your environment.
  2. Watch the Service Launch video. The Service Launch video is available at: https://engage.rapid7.com/viewer/660fff85b6882eee29d3fca6
  3. Watch the Incident Response Planning Workshop video. The video is available at: https://academy.rapid7.com/mtc-essentials-webinar-incident-response-planning-workshop
  4. Familiarize yourself with the Customer Advisor Support Center (CASC). All customers can contact the CASC to quickly get help with common issues. The CASC can help with questions about security best practices and product functionality (for example, setting up Active Response for remote containment).
Rapid7 actions

Rapid7 completes these action items:

  1. Begin continuously monitoring assets with the Insight Agent. With the Insight Agent deployed on your assets, you gain access to all relevant security information about your endpoints. Refer to the Insight Agent documentation to learn more about how the Insight Agent works.
  2. Investigate alerts, validate incidents, and eliminate false positives. During this step, your Rapid7 team reviews the alerts in your environment to determine if they require further investigation or if they are false positives. This validation is essential for Rapid7 to establish your environment's baseline activity.

Prepare your environment

Prepare your environment for full use of Managed Threat Complete with the action items below. During this stage, you'll review the Managed Threat Complete handbook, execute any change control requirements in your environment, and setup servers for the core components of the Insight Platform.

Your actions

Complete these steps:

  1. Read the Managed Threat Complete deployment handbook. You will receive the Managed Threat Complete deployment handbook in your welcome email from Rapid7.
  2. Get change control approval. Follow any required change control processes in your environment to secure approval so that you can make the required network configuration changes. Change control approvals will vary based on your environment, but may pertain to firewall rules and service accounts.
  3. Provision servers for Collectors, Scan Engines, and the Insight Orchestrator. You must configure a dedicated server for each Collector, Scan Engine, and Insight Orchestrator that you deploy in your environment. Refer to the requirements for each component:
  4. Complete firewall rules. You must configure your firewall based on the requirements for each component. Refer to the documentation:
  5. Set up a service account. To begin collecting log data, refer to the InsightIDR documentation for instructions on how to set up a service account.

Implement solutions

Implement Rapid7's Managed Threat Complete products with the action items below. During this stage, you'll partner with Rapid7 to configure InsightIDR, InsightVM, InsightConnect, and Active Response.

Shared actions

Complete these actions alongside your Rapid7 team:

  1. Configure InsightIDR. Follow the instructions in the InsightIDR Ultimate Quick Start Guide to set up InsightIDR.
  2. Configure the InsightVM hosted console. The Managed Operations team will build out the console for you. Your Rapid7 team will provide instructions and lead you through this configuration process.
  3. Set up the InsightConnect Orchestrator and Active Response. Follow the InsightConnect documentation to install and activate the Orchestrator. The Managed Operations team will help you set up Active Response. Review the Active Response 2.0 requirements and the on demand response actions.
  4. Verify that all Insight product configurations follow best practices. If you have already configured these Insight products, confirm with your Rapid7 team that each of the configurations are working as expected. Your Product Security Consultant can help you verify that your Insight products are set up for success.

Continue monitoring

Your Rapid7 team now monitors your environment going forward. During this stage, Rapid7 assess your security posture, performs hypothesis-driven threat hunts, and creates Monthly Service Reports.

Rapid7 actions

Rapid7 completes these action items:

  1. Continuously monitor your environment. With a global services organization headquartered in Washington, DC, Rapid7 prides itself on recruiting and retaining top talent from some of the most elite intelligence agencies and cyber hubs in the world. These security experts work as an extension of your teams. Rapid7 offers close collaboration and coaching for companies that seek a deeply engaged partnership, but can also take control for companies that need immediate support quickly. Our expert SOC team of detection and response analysts monitors your environment for malicious activity, investigates incidents, and responds to threats. This always-on SOC keeps their eyes on your environment around the clock, allowing your team to focus on other strategic security initiatives, while Rapid7 triages and investigates on your behalf. If something happens, Rapid7 seamlessly pivots over into incident response.
  2. Assess your security posture. To build the foundation for your security program and relationship with Rapid7, Rapid7 creates a Security Posture Assessment report, which hunts for potential avenues for a future breach and assess your current security posture. The report provides remediation and mitigation recommendations to reduce risks, as well as critical insights and benchmarks for your current security program. If the Security Posture Assessment finds that there is an active compromise, the incident response process will be initiated immediately. Note that the Security Posture Assessment is performed only once the Insight Agent is deployed to 80% or more of your environment.
  3. Perform hypothesis-driven threat hunts. Your Rapid7 team conducts human-led threat hunts across your environment as new Threat Third Parties (TTPs) emerge. With access to thousands of customer environments, a security research team, and open source communities, Rapid7 stays ahead of attacker behavior as new breach techniques emerge. Typically, these hunts happen multiple times a month. If a breach is detected during a hunt, Rapid7 will immediately pivot into incident response. Additionally, as Rapid7 teams note emerging TTPs and conduct hunts across customer environments, Rapid7 writes new detections for all customers (MDR, Managed Threat Complete, and InsightIDR).
  4. Create ongoing reports. Your Rapid7 team creates a Monthly Service Report that provides metrics and context about threat detection and incident response activities conducted in the previous month, along with information about the health of detection and response controls in your environment.
  5. Validate solution implementation. Your Rapid7 team will confirm that all parts of the Managed Threat Complete offering are working as expected—from your point of view as a customer, and our point of view as your security operations center. Once validated, your onboarding is complete.