Rapid7 Threat Command App for Elastic SIEM

This section describes the Rapid7 Threat Command App for Elastic SIEM. You can see all setup, troubleshooting, and other technical information in the Elastic SIEM documentation.

This integration enables users to retrieve IOCs (Indicator of Compromises), organization-specific Threat Command alerts, and CVEs (Common Vulnerabilities and Exposures). Furthermore, the correlation between data collected from the Rapid7 Threat Command platform (IOCs and CVEs) and the user's environment helps to identify threats. Rapid7 Threat Command platform gives protectors the tools and clarity they need to assess their attack surface, detect suspicious behavior, and respond and remediate quickly with intelligent automation.

Data streams

The Rapid7 Threat Command integration collects these types of data:

  • IOC Uses the REST API to retrieve indicators from the Rapid7 Threat Command platform.
  • Alert Uses the REST API to retrieve alerts from the Rapid7 Threat Command platform.
  • Vulnerability Uses the REST API to retrieve CVEs from the Rapid7 Threat Command platform.


You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended or self-manage the Elastic Stack on your own hardware.

This package requires at least a Platinum level subscription to use drill-downs and alert actions. Please ensure that you have a Trial or Platinum level subscription installed on your cluster before proceeding.

See the Elastic documentation to check requirements for Transforms and Actions and Connectors.

Before you can use the external app with Threat Command you need to add the app.

Add external app

Before using an external app, you must add it. There are two parts to adding an app:

  • Your admin must enable the app for you to add.
  • After that, you add the external app.

To add an external app:

  1. From the main menu, select Automation > Integrations.
  2. From the Integrations page, click External.
    temporary placeholder
  3. Click Add new device.
  4. Select the Device type.
    A default name is added. If the external device to add isn't displayed, ask your admin to enable it for you.
  5. Click Add.

The new device is added.

Filtering IOCs

In order to filter the results based on severity and type, one can make use of IOC Severities and IOC Types parameters:

  • Allowed values for IOC Severities: High, Medium, Low, PendingEnrichment.
  • Allowed values for IOC Types: IpAddresses, Urls, Domains, Hashes, Emails.

Filtering Alerts

In order to filter the results based on severity, type, and status, one can make use of Alert Severities, Alert Types, Fetch Closed Alerts parameters:

  • Allowed values for Alert Severities: High, Medium, Low.
  • Allowed values for Alert Types: AttackIndication, DataLeakage, Phishing, BrandSecurity, ExploitableData, vip.

Note: Individual policies need to be configured to retrieve both Closed and Open alerts.

Filtering Vulnerabilities

In order to filter the results based on severity, one can make use of the Vulnerability Severities parameter:

  • Allowed values for Vulnerability Severities: Critical, High, Medium, Low.

Click on Add row to filter out data using multiple values of the parameter.

Retention policy

Retention policy is used to retire data older than the default period. Refer to the Elastc Retention Policy page for more information.

The following table indicates the retention period for each data stream. Users can update the retention period once transform is configured:

Data streamRetention period
IOC60 days
Alert180 days
Vulnerability180 days


  1. IOC API fetches IOCs within the past six months. Hence, indicators from the most recent six months can be collected.
  2. For prebuilt Elastic rules, you can not modify most settings. Create a duplicate rule to change any parameter.