SIEM (InsightIDR) Integration

With the SIEM (InsightIDR) integration, a bidirectional relationship is created between Digital Risk Protection (Threat Command) and Rapid7 SIEM (InsightIDR).

This integration is available for users who have licenses for Digital Risk Protection (Threat Command) and for SIEM (InsightIDR). Users must also be migrated to the Rapid7 Insight Platform.

The integration is enabled within SIEM (InsightIDR), as described in the SIEM (InsightIDR) documentation. There is no need to install anything on the Digital Risk Protection (Threat Command) side.

The basis for the integration is the sending of open Digital Risk Protection (Threat Command) alerts to SIEM (InsightIDR) for ingestion and management. Each ingested alert creates a SIEM (InsightIDR) investigation. Alerts that were closed by a policy are not sent.

SIEM (InsightIDR) users can benefit from the following:

  • Pivot from SIEM (InsightIDR) investigation back to Digital Risk Protection (Threat Command) for alert remediation or to ask an analyst about an alert.
  • Tune Digital Risk Protection (Threat Command) policies from SIEM (InsightIDR), adjusting rule actions and priority and adding exceptions.
  • Determine which alert types and scenarios will be ingested into SIEM (InsightIDR).

The following points are relevant to this integration:

  • Closing an investigation in SIEM (InsightIDR) will close the Digital Risk Protection (Threat Command) alert (but not in the other direction).
  • Changes made to Digital Risk Protection (Threat Command) alerts after their initial creation will not be sent to SIEM (InsightIDR).
