Install Plugins

Plugins require connection information

We strongly recommend that you gather the connection information for each plugin prior to beginning your setup. We also recommend copying and pasting these values into a temporary document while you collect them, as you will need to enter them into InsightConnect later.

The following 4 plugins contain parameters, actions, and connections that Active Response needs to run successfully.

These plugins are hosted in the Rapid7 Extension Library. Your next step is to install each plugin so you can access and configure them in InsightConnect. We recommend that you install all your plugins before creating your connections. You can install plugins with a single click once you’re in the Extension Library. After installation, your Customer Advisor will configure the HTTP Requests plugin on your behalf.

  1. Active Directory LDAP
  2. Microsoft Office 365 Email (Optional)
  3. Twilio (Optional)
  4. VMware Carbon Black EDR (Optional)

1. Active Directory LDAP

This plugin enables Active Response to disable or enable users when the MDR team initiates a quarantine action. You will need the following connection information to set up this plugin:

  • Host name and port number.
    • If you are connecting over LDAPS (LDAP over SSL/TLS), make sure that port 636 is open between the Orchestrator and the LDAP server.
    • If you are connecting over plain LDAP, make sure that port 389 is open between the Orchestrator and the LDAP server. On port 389 the bind credentials cross the network without transport encryption, so use 636 wherever you can.
  • Credentials with administrative privileges. Use a dedicated service account for this integration rather than a person's administrator account; its password is stored in InsightConnect as a credential.
  • NTLM authentication must be enabled in Active Directory. For more information, see https://www.windows-active-directory.com/tag/how-does-ntlm-authentication-work.

To install this plugin:

  1. Open the Active Directory LDAP plugin in the Extension Library.
  2. Click Install.


2. Microsoft Office 365 Email (Optional)

If you want to receive emails from the MDR team when they initiate a quarantine action on your behalf, install this plugin. The Microsoft Office 365 Plugin requires the following connection information:

  • Your API secret key.
  • The Tenant ID, or the ID of the directory that identifies the tenant.
  • The App ID, which is the ID of the app that obtained the refresh token.

You will also need to create a new key and configure some settings in your Azure portal in order to receive emails from the MDR team. For detailed instructions, see Configure Microsoft Office 365.

To install this plugin:

  1. Open the Microsoft Office 365 plugin in the Extension Library.
  2. Click Install.


3. Twilio (Optional)

Twilio is a cloud communications platform for building SMS, voice, and messaging applications on an API built for global scale. With Active Response, this plugin allows the SOC to send you SMS messages when they take containment actions on your behalf.

This plugin is only required if you want to receive text message alerts from the SOC, and requires the following connection information:

  • The name of the orchestrator you installed on your network.
  • The Account SID and Account Token for your Twilio account.
  • Your Twilio phone number.

To install this plugin:

  1. Open the Twilio plugin in the Extension Library.
  2. Click Install.


4. VMware Carbon Black EDR (Optional)

Required only if you are using the VMware Carbon Black EDR agent. This plugin allows you to automate information collection, endpoint isolation, and hash blacklisting using the VMware Carbon Black EDR REST API.

  • An API Key from VMware Carbon Black EDR.
  • The base URL.

To install this plugin:

  1. Open the VMware Carbon Black EDR plugin in the Extension Library.
  2. Click Install.


Success! You installed your plugins!

Next, configure Microsoft Office 365 Email so you can receive email notifications from the Managed Services team.

Configure Microsoft Office 365

Configure the Microsoft Office 365 plugin if you want to receive emails from the MDR team after they’ve initiated quarantine actions in your environment. This section covers the steps you must complete to enable communication between Active Response and Microsoft Office 365. Click the links below for more information on each step.

  1. Collect Configuration Information
  2. Create a New Key
  3. Configure Application Permissions

Create Plugin Connections

Now that you’ve installed your plugins, you must configure connections.

Connections are individual instances of credentials and other parameters needed to authenticate InsightConnect to supported integrations or plugins. Credentials can be passwords, API keys, or other sensitive information, while other connection parameters can include data like IP addresses or port numbers. Active Response cannot run successfully if connections are configured improperly.

Follow the steps below to configure your plugin connections.

  1. Gather your connection information
  2. Add new connections
  3. Active Directory LDAP Plugin
  4. Microsoft Office 365 Email
  5. Twilio (Optional)
  6. VMware Carbon Black EDR

1. Gather your connection information

The following section outlines configuration information you'll need to know when you create connections. We recommend that you take some time to locate your connection information, and copy and paste these values into a temporary document. You will need to enter them into InsightConnect when you create your connections for each plugin.

Plugin and connection requirements:

Active Directory LDAP plugin

To create a connection for this plugin, you need to know:

  • Host name and port number.
    • If you are connecting over LDAPS, make sure that port 636 is open between the Orchestrator and the LDAP server.
    • If you are connecting over plain LDAP, make sure that port 389 is open between the Orchestrator and the LDAP server.
  • Credentials with administrative privileges, entered in the DOMAIN\username format.
  • NTLM authentication enabled in Active Directory. For more information, see https://www.windows-active-directory.com/tag/how-does-ntlm-authentication-work.

Microsoft Office 365 Email plugin (Optional)

For this plugin you need to know:

  • Your API secret key.
  • The Tenant ID, or the ID of the directory that identifies the tenant.
  • The App ID, which is the ID of the app that obtained the refresh token.

Twilio plugin (Optional)

This plugin is only required if you want to receive text message alerts from the SOC. To create this connection you'll need:

  • The name of the orchestrator you installed on your network.
  • The Account SID and Account Token for your Twilio account.
  • Your Twilio phone number.

VMware Carbon Black EDR plugin (Optional)

This plugin is only required if you are using the VMware Carbon Black EDR agent. To create this connection you'll need:

  • An API Key from VMware Carbon Black EDR.
  • The base URL.

If you've gathered your connection information, you're ready to get started!

We’ll remind you of the required configuration information as you set up each connection.

2. Add new connections

You can add connections on the Connections tab of the Plugins & Tools page in InsightConnect. InsightConnect automatically tests each connection that you create, so a wrong value shows up as a failed test immediately after you save.

Check for extra spaces after pasting connection values

As you complete the following steps, you will need to paste values (such as an app ID) into specified fields in InsightConnect. After you paste a value, check to make sure no additional spaces or lines were added, as they will cause your connection to fail.

To create a connection:

  1. From the InsightConnect left menu, click Settings > Plugins & Tools.
  2. Click the Connections tab.
  3. Click the Add Connection button.

3. Active Directory LDAP Plugin

If your domains are configured in a parent/child or trust relationship, a single domain user account must have permission to enable and disable users across all of those domains. The time it takes for account changes to replicate across the organization depends on your Active Directory configuration.

To set this up you’ll need:

  • Host name and port number.
    • If you are connecting over LDAPS, make sure that port 636 is open between the Orchestrator and the LDAP server.
    • If you are connecting over plain LDAP, make sure that port 389 is open between the Orchestrator and the LDAP server.
  • Administrative credentials, entered in the DOMAIN\username format.
  • NTLM authentication enabled.

Create a connection:

  1. In Connection Name, enter a name for your directory such as MDR Active Directory.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select Active Directory LDAP.
  4. Click the Choose a Credential field, and click Create New Credential.
    • Name your credential.
    • In the Username field, enter the account the orchestrator will use to bind to Active Directory, in the DOMAIN\username format.
    • Enter that account's password.
    • Click Save.
  5. Under Host, enter the host name or IP address of the server where Active Directory is hosted.
  6. Enter the port number:
    • If you are connecting over LDAPS, enter 636.
    • If you are connecting over plain LDAP, enter 389.
  7. Under Use SSL, select True for port 636 or False for port 389. A mismatch (for example, port 636 with Use SSL set to False) causes the connection test to fail.
  8. Under Chase Referrals, select True if Parent/Child or Trusted Domains are being managed. Otherwise, select False.
  9. Click Save. If you don’t see the connection appear after you save it, refresh your screen.


4. Microsoft Office 365 Email (Optional)

This plugin enables the MDR team to send email notifications when they initiate quarantine actions on your behalf.

To set this up you’ll need:

  • Your API secret key.
  • The Tenant ID, or the ID of the directory that identifies the tenant.
  • The App ID, which is the ID of the app that obtained the refresh token.

Create a connection:

  1. Enter a unique and easily identifiable connection name, such as MDR Email Alert.
  2. Under “Where will this connection live?” select your orchestrator.
  3. Click the Choose a Credential field, and click Create New Credential.
    • Name your credential.
    • Paste the Azure key value (the client secret you created in Configure Microsoft Office 365) in the Secret Key field.
    • Click Save.
  4. In the Tenant ID field, paste your Directory (tenant) ID.
  5. In the App ID field, paste your Application (client) ID.
  6. Click Save. If you don’t see the connection appear after you save it, refresh your screen.


5. Twilio (Optional)

This plugin enables the MDR team to send you text messages when they initiate quarantine actions in your environment.

You only need to complete this section if you want to receive text message alerts.

To set this up you’ll need to know:

  • The name of the orchestrator you installed on your network.
  • The Account SID and Account Token for your Twilio account.
  • Your Twilio phone number.

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR Text Alert.
  2. Under the “Where would you like this connection to live?” field, select your organization’s orchestrator.
  3. Under Plugins, select Twilio.
  4. Select the Choose a Credential dropdown, and click Create New Credential.
    • Enter a name for your credential.
    • In the Username field, enter the Account SID.
    • In the Password field, enter the Account Token.
    • Click Save.
  5. Enter your Twilio Phone Number. Include the country code. For example: +17025678900
  6. Click Save. If you don’t see the connection appear after you save it, refresh your screen.


6. VMware Carbon Black EDR

You only need to create this connection if you are using VMware Carbon Black EDR.

To set this up you’ll need:

  • An API Key from VMware Carbon Black EDR.
  • The base URL.

Create a connection:

  1. In Connection Name, enter a unique and easily identifiable name, such as MDR Carbon Black EDR.
  2. Under the “Where would you like this connection to live?” field, select your orchestrator.
  3. Under Plugins, select VMware Carbon Black EDR.
  4. Select the Choose a Credential dropdown, and click Create New Credential.
    • Name the credential and enter your VMware Carbon Black EDR API Key in the Secret Key field.
    • Click Save.
  5. Enter the base URL of your VMware Carbon Black EDR server.
  6. In SSL Verify, select true. Select false only if the server presents a certificate the orchestrator cannot validate (for example, a self-signed one); false turns off certificate verification for this connection, so anything that can intercept the path to the server could read the API key.
  7. Click Save.
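The following script is an added example, not code from InsightConnect or any Rapid7 plugin. It checks connection values before you paste them into the forms described in this section and in the Active Directory LDAP, Microsoft Office 365 Email and Twilio sections above: leftover whitespace or line breaks from copy/paste (the failure the "Check for extra spaces" note warns about), the port and Use SSL pairing for LDAP, the DOMAIN\username credential format, GUID-shaped Tenant and App IDs, an E.164 Twilio number, and an https base URL with SSL Verify left on for Carbon Black EDR. The host names and values in the usage section are constructed, and the optional tls_probe function is the only part that touches the network.

```python
"""Pre-flight checks for InsightConnect connection values.

Added example: not part of InsightConnect or any Rapid7 plugin. Field names
mirror the connection forms described on this page; sample values at the
bottom are constructed."""
import re
import socket
import ssl
import uuid
from urllib.parse import urlparse

E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")           # + country code, 7..15 digits
DOMAIN_USER_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")  # DOMAIN\username, no spaces


def check_pasted(name, value):
    """Flag whitespace or line breaks that survived a copy/paste."""
    findings = []
    if value != value.strip():
        findings.append(f"{name}: leading/trailing whitespace or line break")
    if "\n" in value.strip() or "\r" in value.strip():
        findings.append(f"{name}: embedded line break")
    return findings


def check_ldap(host, port, use_ssl, username):
    """Port/SSL pairing and credential format for the Active Directory LDAP connection."""
    findings = check_pasted("Host", host) + check_pasted("Username", username)
    if port == 636 and not use_ssl:
        findings.append("Port 636 requires Use SSL = True")
    elif port == 389 and use_ssl:
        findings.append("Port 389 is plain LDAP; set Use SSL = False or use port 636")
    elif port == 389:
        findings.append("WARNING: port 389 sends the bind without transport encryption")
    elif port != 636:
        findings.append(f"Unexpected LDAP port {port}")
    if not DOMAIN_USER_RE.match(username.strip()):
        findings.append("Username must be in DOMAIN\\username format")
    return findings


def check_o365(tenant_id, app_id, secret_key):
    """Tenant ID and App ID are GUIDs in the Azure portal; the secret is opaque."""
    findings = check_pasted("Secret Key", secret_key)
    for name, value in (("Tenant ID", tenant_id), ("App ID", app_id)):
        findings += check_pasted(name, value)
        try:
            uuid.UUID(value.strip())
        except ValueError:
            findings.append(f"{name} is not a GUID")
    return findings


def check_twilio(phone_number):
    """Twilio numbers need the country code, i.e. E.164 such as +17025678900."""
    findings = check_pasted("Phone Number", phone_number)
    if not E164_RE.match(phone_number.strip()):
        findings.append("Phone Number must be E.164 with country code")
    return findings


def check_carbon_black(base_url, ssl_verify):
    """Base URL should be https and certificate verification should stay on."""
    findings = check_pasted("URL", base_url)
    parsed = urlparse(base_url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append("URL must be an https:// base URL")
    if not ssl_verify:
        findings.append("WARNING: SSL Verify = false disables certificate checks; "
                        "a host in the path could read the API key")
    return findings


def tls_probe(host, port=636, timeout=5.0):
    """Live check, run from the orchestrator: open a TLS session on the LDAPS port
    and return the server certificate subject, or the error. Real network I/O."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert().get("subject")
    except (OSError, ssl.SSLError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    # Constructed sample values; the trailing space on the username is deliberate.
    for finding in (check_ldap("dc01.corp.example", 636, True, "CORP\\svc-insightconnect ")
                    + check_o365("11111111-2222-3333-4444-555555555555",
                                 "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "secret-value")
                    + check_twilio("+17025678900")
                    + check_carbon_black("https://cb-edr.corp.example", True)):
        print(finding)
```

Run it on the orchestrator host with the values you intend to paste; an empty finding list means the values are at least well formed, and a tls_probe result of "ok" confirms the Orchestrator can reach port 636 and trusts the domain controller's certificate before you rely on the InsightConnect connection test.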


Congrats, you've configured your plugin connections!

Next, configure your Slack workspace.

Configure your Slack Workspace

In InsightConnect, ChatOps steps are automated tools that interact with your chat apps. The Rapid7 InsightConnect Slack App allows you to use ChatOps actions with your Slack workspaces. ChatOps is a required component of Active Response, as it enables our MDR team to send you Slack notifications and provides you with the ability to cancel or undo quarantine actions. Rapid7 ChatOps currently only supports Slack.

A user from your organization must install Slack in your environment

While Rapid7 Customer Advisors are happy to assist with Active Response deployments, they cannot install Slack in your environment. You should work with an IT Administrator from your organization to complete this section.

If you do not already have Slack installed, go to https://slack.com/, select the Slack plan you want, and complete the installation steps provided by Slack.

  1. Configure Slack Workspace
  2. Find a Slack Administrator
  3. Install the InsightConnect Slack App
  4. Invite the InsightConnect Chatbot to your Slack Workspace
  5. Add a Workspace from the ChatOps Manager

Configure Slack Workspace

To set this up you’ll need:

  • Administrative privileges to your organization’s Slack workspace.

Find a Slack Administrator

If you’re not an administrator of your organization’s Slack workspace, contact one to approve the Rapid7 InsightConnect app. You won’t be able to configure a ChatOps step until the app is approved for other users in your workspace.

3 ways to find your Slack Administrator

  1. To find your Slack administrators from a web browser, log into your Slack account at https://slack.com/signin, then visit https://YOUR-WORKSPACE-URL.slack.com/account/workspace-settings#admins
  2. To find your Slack administrators from Slack for desktop, click on the workspace name in the top left corner to open the settings menu, then click Customize Slack. This will open your organization’s Slack settings in a browser window. Now visit https://YOUR-WORKSPACE-URL.slack.com/account/workspace-settings#admins.
  3. Alternatively, navigate to the administrators page in your Slack settings with these steps:
    1. Click on Customize Slack as previously instructed.
    2. In the browser window that opens, click Menu in the top left corner, then About this workspace.
    3. Click on the Admins & Owners tab.
    4. Note the Slack username and email address of your workspace admins, then provide them with the administrator setup instructions in an email or Slack message.

Install the InsightConnect Slack App

One of your organization’s Slack administrators should follow these instructions to approve the Rapid7 InsightConnect app for your workspace.

To set up the Rapid7 InsightConnect Slack App for your organization’s workspace:

  1. Navigate to the Rapid7 InsightConnect app in the Slack App Directory in your Slack settings. Click the Install link and then click the Approve button.
  2. In a web browser, navigate to the App Manager in your Slack settings. The URL should be something like: https://YOUR-WORKSPACE-URL.slack.com/apps/manage.
  3. Locate “Rapid7 InsightConnect” under the “Restricted Apps” section, then click the Approve button for the Rapid7 InsightConnect Slack App. This enables other users in your organization to configure your workspace.
  4. Let your team know when you’ve approved the app for their use.

Invite the InsightConnect Chatbot to your Slack Workspace

  1. Create a new channel called MDR Active Response. Your CA will use this channel for Slack notifications.
  2. Enter @InsightConnect Bot in the Message field of your new channel to invite the InsightConnect Chatbot.

Add a Workspace from the ChatOps Manager

To add a new workspace to InsightConnect from the ChatOps manager:

  1. In InsightConnect, click Settings > Plugins & Tools.
  2. Click the ChatOps tab.
  3. Click the Add Slack Workspace button. The Slack installation page will open.
  4. Click Authorize. You’ll be notified if the installation was successful.
  5. Return to InsightConnect and refresh the window. The newly added workspace will display.

You're ready to prepare your exclude list.

To get started, go to Prepare your Exclude List.