Welcome to MTC

Rapid7 Managed Threat Complete (MTC)

Rapid7’s MTC is a single, integrated service that allows you to prepare for, detect, and respond to threats in your environment. MTC is delivered as a collaboration between Rapid7 and your team. It is intended to accelerate your proactive, responsive, and strategic security maturity and to extend your security operations with customized security guidance and hands-on 24x7x365 monitoring, threat hunting, incident response, and exposure management.

MTC has two service level offerings you may subscribe to: MTC Essential or MTC Advanced.

This Scope of Service will define the service delivery experience for both service levels (and delineate differences where applicable). Your signed quote will identify the subscription your organization has purchased.

MTC Team

The MTC team is composed of an Onboarding Success Manager, a Customer Advisor (CA), a Security Operations Center (“SOC”) Tactical Operations team, a SOC Pod, the Rapid7 Incident Response team, a Product Security Consultant, and an Advisory Security Consultant. Please see the MTC Scope of Service (SOS) for more details on the team members involved.

Customer Advisor Engagement

During the term of your MTC Advanced service, you will regularly engage with your Customer Advisor (CA). Your CA will be available to answer any questions about your MDR service and will advise you on advancing your security maturity.

Your CA will be available during normal business hours by phone and email. During non-business hours, a member of the CA team will be on-call via the CA Hotline for urgent issues.

Outlined below are frequent interaction touchpoints that your team will have with your CA:

MTC CA Engagement

Inquiry Response Times

Below are response times to inquiries from your team:

MTC CA Response Times

Service Deliverables

MTC service reports and deliverables are sent to customers via the secure file transfer system located in the Rapid7 Services Portal. You can view samples and excerpts from these reports for all MTC Deliverables. These include:

MTC Service Deliverables

InsightIDR Event Sources

Rapid7 supports a wide range of security-relevant event sources, which can be configured in the ‘Event Sources’ page of InsightIDR.

Event source log data is stored in InsightIDR and available for search for thirteen months from the time of collection. We recommend that you onboard all supported event sources that are present within your in-scope environment. At a minimum, we strongly recommend you onboard the following event sources:

  • For organizations that have Microsoft Windows domains, send the Windows Security event logs from each Microsoft Active Directory Domain Controller to InsightIDR. Without this event source, many InsightIDR UBA (User Behavior Analytics) detection rules will not be supported.
  • For organizations that have Microsoft Windows domains, Microsoft Azure AD Domain Services, or Amazon AWS Domain Services, connect at least one LDAP event source for each domain. Without this event source, Rapid7 MDR will not have vital contextual information about users in your environment.
  • Connect all supported DHCP log sources to InsightIDR. Without this event source, Rapid7 may not be able to accurately attribute network traffic to the appropriate assets in your environment.
  • Connect all supported network logs (DNS, firewall, VPN, and Web Proxy) to InsightIDR, particularly from network devices at your internet ingress and egress points. Without these event sources, some InsightIDR UBA detection rules and all NBI (Network Based Indicator) ABA (Attacker Behavior Analytics) detection rules will not be supported. In addition, this data is leveraged by Rapid7 to further investigate suspicious or malicious activity in your environment.
  • Connect all supported Cloud Services logs to InsightIDR. Without these event sources, some InsightIDR UBA and ABA detection rules will not be supported. In addition, this data is leveraged by Rapid7 to further investigate suspicious or malicious activity in your environment.

Rapid7 MDR leverages InsightIDR event sources as described below:

MTC IDR Event Sources

Real-time Detection: These event sources are processed by our threat detection engine and may generate alerts that are reviewed by our 24x7x365 SOC (see the ‘Detection Rules’ page of InsightIDR for a list of all current detection rules, and see the ‘Detection Rules’ section below for more details about which detection rules are in-scope for the MDR service).

Threat Hunting: Data from these event sources are aggregated and leveraged by analysts when performing threat hunts (see Threat Hunting for additional details).

Investigation: Data from these event sources may be leveraged to accurately attribute other activity to an asset or user, and to provide other useful context data in the course of investigating alerts or performing incident response.

Detection Rules

InsightIDR detection rules generate investigations based on activity from your configured event sources, the Insight Agent, and the Rapid7 Network Traffic Analysis (NTA) network sensor.

These detection rules are available in the ‘Detection Rules’ page of InsightIDR. These detection rules are grouped into the following detection libraries:

MTC Detection Rules

Notes to the table above:

2. Future ‘third party alerts’ are now being developed as ABA detection rules, and as a result may be ‘in scope’ for MDR depending on their ‘responsibility’ attribute.
3. Should you identify activity in these investigations that you believe is suspicious, please contact Rapid7 for further investigation and (if needed) incident response. Incidents discovered as a result of these investigations are eligible for MDR incident response as described in the ‘Incident Response’ section of the MTC SOS.