InsightIDR Integration

The InsightIDR integration creates a bidirectional relationship between Threat Command and Rapid7 InsightIDR.

This integration is available to users who hold licenses for both Threat Command and InsightIDR. Users must also have been migrated to the Rapid7 Insight Platform.

The integration is enabled within InsightIDR, as described in the InsightIDR documentation. There is no need to install anything on the Threat Command side.

The integration sends open Threat Command alerts to InsightIDR, where they are ingested and managed. Each ingested alert creates an InsightIDR investigation. Alerts that a policy closed automatically are not sent.

InsightIDR users can benefit from the following:

  • Pivot from an InsightIDR investigation back to Threat Command to remediate the alert or to ask an analyst about it.
  • Tune Threat Command policies from within InsightIDR by adjusting rule actions and priorities and by adding exceptions.
  • Determine which alert types and scenarios will be ingested into InsightIDR.

Be aware of the following behavior of this integration:

  • Closing an investigation in InsightIDR closes the corresponding Threat Command alert. The reverse does not apply: closing an alert in Threat Command does not close the InsightIDR investigation.
  • Changes made to a Threat Command alert after its initial creation are not sent to InsightIDR; the investigation reflects the alert as it was when first ingested.