Integrate Devices
The Rapid7 Threat Command Automation and TIP modules streamline the threat remediation process by identifying and taking down internal and external threats.
Threat Command delivers:
- Early warnings of hacking efforts and fraudulent attacks targeting a specific user or individual company, via a sophisticated cyber-intelligence platform.
- Tailored intelligence by scanning a wide range of sources (such as: the clear web, dark web, cyber-crime forums, IRC channels, social media, app stores, and paste sites) and provides near-real-time alerts regarding cyber-threats.
Every indicator of compromise (IOC) is examined to validate its severity and context. The outcome is a tailor-made list of indicators that can be shared with security information and event management (SIEM) devices.
For example, by pushing IOCs to a security device, you can protect employees and customers by automatically blocking email messages sent from malicious IP addresses and domains. Rapid7 sends the IOCs to the device’s anti-spam service, and the IOCs are immediately added to the blocked senders list.
For customer on-premises devices, the Threat Command virtual appliance connects the IOCs Management module running in the Threat Command cloud to the security or monitoring devices that protect your organizational network. The IOCs Management module in the cloud aggregates IOCs, acquired from Threat Command alerts, Rapid7 analyst research, third-party intelligence feeds, customer documents and emails, and more.
For customer cloud devices, the appliance is not necessary, as all communication takes place in the cloud.
Devices can be updated with IOCs using the following methods:
Pull - The device pulls IOCs from Threat Command.
Push - Threat Command pushes IOCs to the device.
The device itself defines the method (push or pull) as well as whether communication is using the virtual appliance or with the Threat Command cloud.
The following process describes how Threat Command pushes IOCs to an anti-spam blocklist on a cloud device:
- Threat Command identifies IOCs from the Threat Command Tailored Intelligence Platform (TIP), and optionally from public and private feeds on the internet.
- IOCs are stored in the Threat Command cloud.
- Threat Command enriches the IOCs in the cloud, to get as much information about threat actors, malware, and campaigns as possible, to provide maximum benefit to the client.
- Within Threat Command, the client determines which IOCs are sent to their device.
- The client integrates their device with Threat Command, via the cloud interface and/or the Threat Command virtual appliance.
- The Threat Command cloud integration server connects to the client device account.
- The Threat Command cloud server pushes new IOCs to the client anti-spam blocklist on their device.
Integration with devices
To successfully configure integration with a security device, you need to complete the following steps:
- Add a device with the virtual appliance or the cloud.
- Create an IOC group that will share IOCs with the device.
- Copy the URL of the IOC group to the device manager and perform additional configuration, as necessary.
This section describes steps 1 and 3.
Creating an IOC group (step 2) is described in the "Automate Internal Remediation" section of the Threat Command User Guide.
Integration support list
The following table lists the supported cloud and on-premises devices:
| Device type | Device | Minimum Version | IOC share method | Credentials |
|---|---|---|---|---|
| Cloud | ArcSight REST | 6.11 | Pull | N/A |
| Carbon Black Response | Pull | |||
| Check Point | R80.x | Pull | ||
| Cisco Firepower | Pull | |||
| CrowdStrike Falcon Insight | Push | |||
| Fortinet FortiGate | 6.2 | Pull | ||
| Fortinet FortiSIEM | Pull | |||
| LogRhythm (SIEM) | Pull | |||
| McAfee ESM (SIEM) | Pull | |||
| Microsoft Azure Sentinel | Pull | |||
| Microsoft Office 365 | Push | |||
| MISP | Pull | |||
| Palo Alto Panorama | Pull | |||
| Splunk Enterprise Security | 7.0 | Pull | N/A | |
| TAXII server | ||||
| On-Premises | ArcSight REST | 6.11 | Pull | N/A |
| Carbon Black Response | 6.1 | Pull | N/A | |
| Check Point | R80.x | Push - SSH (22) | Admin user with BASH as default shell (IOCs are pushed through SSH) | |
| Cisco FirePower | 6.4.0 | Pull | N/A | |
| FireEye Endpoint Security (HX series) | Push | User with API permissions (either the role of API Analyst or API Admin). | ||
| Fortinet FortiGate | 6.2 | Pull | ||
| Fortinet FortiManager | 5.4.x | Push - HTTPS (443) | Admin user | |
| Fortinet FortiSIEM | 5.2 | Pull | N/A | |
| IBM Qradar | 7.3.x | Push- HTTPS (443) Push - syslog (514/UDP) is required to share Threat Command alerts. | Admin user | |
| LogRhythm (SIEM) | 7.2.3 | Pull (TAXII) Port 9000 | ||
| McAfee ESM (SIEM) | Pull | N/A | ||
| Microsoft Active Directory | Windows Server 2012 | Query Domain Controller (QDC) - over LDAP (389/TCP) or LDAPS (636/TCP) | Domain user | |
| Palo Alto Firewall | 7.1 | Pull | N/A | |
| Palo Alto Panorama | Pull | |||
| Splunk Enterprise Security | 7.0 | Pull For the TAXII integration, port 9000 is required. | ||
| Splunk Standalone | 6.5.3 | Push - 8089 Push – HEC (8088/TCP by default) is required to share Threat Command alerts. | User with Read/Write access to the Rest API | |
| Symantec ProxySG | 6.6.4.x | Pull | N/A | |
| Websense | 8.5 | Push - TCP 15873 | API account | |
| Zscaler Internet Access (ZIA) | Push – HTTPS (443) | Console user and API key |
In addition, the following external apps are supported:
- IntSights App for Splunk
- IntSights App for Splunk
- IntSights App for Splunk SOAR
- ServiceNow Security App
- ServiceNow ITSM App
- IntSights App for IBM Qradar
- Rapid7 Threat Command App for Elastic SIEM