Integrate Devices

The Rapid7 Digital Risk Protection (Threat Command) Automation and Threat Intelligence (Intelligence Hub) modules streamline the threat remediation process by identifying and taking down internal and external threats.

Digital Risk Protection (Threat Command) delivers:

  • Early warnings of hacking efforts and fraudulent attacks targeting a specific user or individual company, via a sophisticated cyber-intelligence platform.
  • Tailored intelligence, produced by scanning a wide range of sources (such as the clear web, dark web, cyber-crime forums, IRC channels, social media, app stores, and paste sites), with near-real-time alerts about cyber-threats.

Every indicator of compromise (IOC) is examined to validate its severity and context. The outcome is a tailor-made list of indicators that can be shared with security information and event management (SIEM) devices.

For example, by pushing IOCs to a security device, you can protect employees and customers by automatically blocking email messages sent from malicious IP addresses and domains. Rapid7 sends the IOCs to the device’s anti-spam service, and the IOCs are immediately added to the blocked senders list.

For customer on-premises devices, the Digital Risk Protection (Threat Command) virtual appliance connects the IOCs Management module, which runs in the Digital Risk Protection (Threat Command) cloud, to the security or monitoring devices that protect your organizational network. The IOCs Management module aggregates IOCs acquired from Digital Risk Protection (Threat Command) alerts, Rapid7 analyst research, third-party intelligence feeds, customer documents and emails, and more.

For customer cloud devices, the appliance is not necessary, as all communication takes place in the cloud.

Devices can be updated with IOCs using the following methods:

  • Pull - The device pulls IOCs from Digital Risk Protection (Threat Command).

  • Push - Digital Risk Protection (Threat Command) pushes IOCs to the device.

The device itself determines the method (push or pull), as well as whether communication goes through the virtual appliance or directly with the Digital Risk Protection (Threat Command) cloud.

The following process describes how Digital Risk Protection (Threat Command) pushes IOCs to an anti-spam blocklist on a cloud device:

  1. Digital Risk Protection (Threat Command) identifies IOCs from the Digital Risk Protection (Threat Command) Tailored Threat Intelligence (Intelligence Hub), and optionally from public and private feeds on the internet.
  2. IOCs are stored in the Digital Risk Protection (Threat Command) cloud.
  3. Digital Risk Protection (Threat Command) enriches the IOCs in the cloud with as much information as possible about the associated threat actors, malware, and campaigns, so the client gets the maximum benefit from each indicator.
  4. Within Digital Risk Protection (Threat Command), the client determines which IOCs are sent to their device.
  5. The client integrates their device with Digital Risk Protection (Threat Command), via the cloud interface and/or the Digital Risk Protection (Threat Command) virtual appliance.
  6. The Digital Risk Protection (Threat Command) cloud integration server connects to the client device account.
  7. The Digital Risk Protection (Threat Command) cloud server pushes new IOCs to the client anti-spam blocklist on their device.

Integration with devices

To successfully configure integration with a security device, you need to complete the following steps:

  1. Add a device with the virtual appliance or the cloud.
  2. Create an IOC group that will share IOCs with the device.
  3. Copy the URL of the IOC group to the device manager and perform additional configuration, as necessary.

This section describes steps 1 and 3.

Creating an IOC group (step 2) is described in the “Automate Internal Remediation” section of the Digital Risk Protection (Threat Command) User Guide.
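With the pull method, the device fetches the IOC group URL and loads whatever it receives, so the device side should validate each indicator before it lands in a blocklist. The following Python script is an added example, not Rapid7's code and not a description of the actual Threat Command feed format: it assumes a hypothetical plain-text feed (one indicator per line, "#" comments) served at the URL copied from the IOC group, validates each line as an IP address, CIDR range or domain, deduplicates, and reports rejected lines so a malformed feed cannot silently poison the blocked-senders list. The sample feed content, the feed URL and the bearer-token header are all constructed for the example.

```python
"""Hypothetical pull-side consumer for an IOC group feed (added example, not Rapid7 code)."""
import ipaddress
import re
import urllib.request

# Constructed sample feed. The real Threat Command IOC group format is not
# described on this page; one indicator per line with '#' comments is an
# assumption made for this example only.
SAMPLE_FEED = """\
# constructed sample: indicators shared by an IOC group
198.51.100.23
203.0.113.0/24
phishing-login.example
198.51.100.23
not a valid indicator
MAIL.example.com
"""

# Hostname syntax (RFC 1123 labels): letters, digits, hyphens; no leading/trailing hyphen.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def classify(line):
    """Return (kind, normalized_value) for a valid indicator line, or None.

    kind is one of 'ip', 'cidr' or 'domain'. Comment and blank lines return None.
    """
    token = line.strip().lower()
    if not token or token.startswith("#"):
        return None
    try:
        if "/" in token:
            return ("cidr", str(ipaddress.ip_network(token, strict=False)))
        return ("ip", str(ipaddress.ip_address(token)))
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    if DOMAIN_RE.match(token):
        return ("domain", token)
    return None


def parse_feed(text):
    """Split feed text into validated, deduplicated indicators plus a list of rejected lines.

    Returns ({'ip': [...], 'cidr': [...], 'domain': [...]}, rejected), each list sorted.
    """
    buckets = {"ip": set(), "cidr": set(), "domain": set()}
    rejected = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        item = classify(stripped)
        if item is None:
            rejected.append(stripped)  # record it instead of silently dropping it
            continue
        kind, value = item
        buckets[kind].add(value)
    return {kind: sorted(values) for kind, values in buckets.items()}, rejected


def blocked_senders(indicators):
    """Flatten validated indicators into a blocked-senders style list (domains, then IPs, then ranges)."""
    return indicators["domain"] + indicators["ip"] + indicators["cidr"]


def fetch_feed(url, token=None, timeout=10):
    """Pull feed text from the IOC group URL over HTTPS.

    The bearer-token header is an assumption; use whatever the IOC group URL actually requires.
    """
    request = urllib.request.Request(url)
    if token:
        request.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the constructed sample; for a real pull, replace SAMPLE_FEED
    # with fetch_feed("<ioc-group-url>") using the URL copied from the IOC group.
    parsed, bad = parse_feed(SAMPLE_FEED)
    for entry in blocked_senders(parsed):
        print(entry)
    if bad:
        print("rejected %d line(s): %s" % (len(bad), bad))
```

Rejected lines are returned rather than discarded so an operator can see when the feed changes shape; on the constructed sample the duplicate IP is collapsed and the free-text line is reported instead of being loaded.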

Integration support list

The following table lists the supported cloud and on-premises devices:

| Device type | Device | Minimum version | IOC share method | Credentials |
|---|---|---|---|---|
| Cloud | ArcSight REST | 6.11 | Pull | N/A |
| Cloud | Carbon Black Response | | Pull | |
| Cloud | Check Point | R80.x | Pull | |
| Cloud | Cisco Firepower | | Pull | |
| Cloud | CrowdStrike Falcon Insight | | Push | |
| Cloud | Fortinet FortiGate | 6.2 | Pull | |
| Cloud | Fortinet FortiSIEM | | Pull | |
| Cloud | LogRhythm (SIEM) | | Pull | |
| Cloud | McAfee ESM (SIEM) | | Pull | |
| Cloud | Microsoft Azure Sentinel | | Pull | |
| Cloud | Microsoft Office 365 | | Push | |
| Cloud | MISP | | Pull | |
| Cloud | Palo Alto Panorama | | Pull | |
| Cloud | Splunk Enterprise Security | 7.0 | Pull | N/A |
| Cloud | TAXII server | | | |
| On-premises | ArcSight REST | 6.11 | Pull | N/A |
| On-premises | Carbon Black Response | 6.1 | Pull | N/A |
| On-premises | Check Point | R80.x | Push - SSH (22) | Admin user with BASH as default shell (IOCs are pushed through SSH) |
| On-premises | Cisco Firepower | 6.4.0 | Pull | N/A |
| On-premises | FireEye Endpoint Security (HX series) | | Push | User with API permissions (either the API Analyst or API Admin role) |
| On-premises | Fortinet FortiGate | 6.2 | Pull | |
| On-premises | Fortinet FortiManager | 5.4.x | Push - HTTPS (443) | Admin user |
| On-premises | Fortinet FortiSIEM | 5.2 | Pull | N/A |
| On-premises | IBM QRadar | 7.3.x | Push - HTTPS (443); Push - syslog (514/UDP) is required to share Digital Risk Protection (Threat Command) alerts | Admin user |
| On-premises | LogRhythm (SIEM) | 7.2.3 | Pull (TAXII), port 9000 | |
| On-premises | McAfee ESM (SIEM) | | Pull | N/A |
| On-premises | Microsoft Active Directory | Windows Server 2012 | Query Domain Controller (QDC) over LDAP (389/TCP) or LDAPS (636/TCP) | Domain user |
| On-premises | Palo Alto Firewall | 7.1 | Pull | N/A |
| On-premises | Palo Alto Panorama | | Pull | |
| On-premises | Splunk Enterprise Security | 7.0 | Pull; for the TAXII integration, port 9000 is required | |
| On-premises | Splunk Standalone | 6.5.3 | Push - 8089; Push - HEC (8088/TCP by default) is required to share Digital Risk Protection (Threat Command) alerts | User with read/write access to the REST API |
| On-premises | Symantec ProxySG | 6.6.4.x | Pull | N/A |
| On-premises | Websense | 8.5 | Push - TCP 15873 | API account |
| On-premises | Zscaler Internet Access (ZIA) | | Push - HTTPS (443) | Console user and API key |

In addition, the following external apps are supported:

  • IntSights App for Splunk
  • IntSights App for Splunk SOAR
  • ServiceNow Security App
  • ServiceNow ITSM App
  • IntSights App for IBM QRadar
  • Rapid7 Digital Risk Protection (Threat Command) App for Elastic SIEM