Remediate an Alert
With the Threat Command module, you can perform the following forms of external alert remediation:
- Takedown - Request that Rapid7 contact the content provider and act on your behalf to remove the threat from the web. Remediated alerts can be closed automatically; by default, they remain open.
- Report - For URLs and domains, request that Rapid7 sends threat information to Google Web Risk or PhishTank. This can warn others of the potential danger of those indicators of compromise (IOCs).
Internal remediation is accomplished by sharing IOCs with internal security devices, in the following way:
- Blocklist - Rapid7 adds IOCs related to a threat to an internal blocklist which can be fed to internal security devices with the Threat Command Automation module.
- A blocklist remediation can be performed immediately, so it can be used as a temporary remediation effort until a takedown request is complete. Similarly, if takedown evidence is not available, a blocklist remediation can mitigate the issue. For a quick guide, see Blocklist Remediation.
This video provides an overview of the remediation process:
Before initiating a remediation request
Before initiating a remediation request, the following issues must be addressed:
Admin users must complete the following:
- Upload company trademarks, power of attorney, and letter of authorization to the Threat Command > Configurations > Remediation tab. This video provides an overview of letters of authorization (LOA) and how to provide them to Rapid7:
- Purchase takedown credits. You can see the balance of credits in the Remediation panel or in the Settings > Subscription page (for admin users only).
Ensure that the alert is a candidate for remediation. If the remediation options are present in the alert, it can be remediated. For the full list, see the Remediation matrix.
To remediate alerts that are not in Threat Command, contact Customer Support.
Some remediation requests must be accompanied by indisputable evidence before the registrar proceeds with them. Evidence can be uploaded in TXT, MSG, EML, or MBOX formats. For example, to request a takedown for a suspicious domain, the user must supply the original phishing email, sent from the suspicious domain, complete with the email headers (not simply a screenshot).
For full information, see the Evidence Best Practice Guidelines.
If indisputable evidence is not available, see what other mitigation options are available at Additional Monitoring and Protection Steps.
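As an added example (not Rapid7's code) of the evidence rule above: a pre-flight check that rejects screenshots and PDFs, confirms the file parses as an email carrying the headers a registrar needs, and verifies that the sender domain matches the suspicious domain. The required-header list and the sample email are assumptions constructed for this example.

```python
"""Pre-flight check for phishing-domain takedown evidence (added example).

Run before uploading evidence: the file must be an original email or its
headers (TXT, MSG, EML, MBOX), not a screenshot or PDF, and the sender
domain in the headers must be the suspicious domain being reported.
"""
import email
from email import policy
from email.utils import parseaddr
from pathlib import PurePath

ACCEPTED_SUFFIXES = {".txt", ".msg", ".eml", ".mbox"}
# Headers needed to authenticate the message; this list is an assumption.
REQUIRED_HEADERS = ("From", "Date", "Message-ID", "Received")

# Constructed sample: a phishing email from a look-alike domain (reserved .test TLD).
SAMPLE_EML = b"""Return-Path: <alerts@login-examplebank.test>
Received: from mail.login-examplebank.test (mail.login-examplebank.test [192.0.2.10])
\tby mx.example.com with ESMTP id abc123; Mon, 01 Jan 2024 10:00:00 +0000
From: "Example Bank" <alerts@login-examplebank.test>
To: victim@example.com
Subject: Your account is locked
Date: Mon, 01 Jan 2024 09:59:58 +0000
Message-ID: <constructed-0001@login-examplebank.test>

Please verify your account at http://login-examplebank.test/verify
"""


def sender_domain(msg) -> str:
    """Domain of the envelope sender (Return-Path), falling back to From."""
    addr = parseaddr(str(msg.get("Return-Path") or msg.get("From") or ""))[1]
    return addr.rpartition("@")[2].lower()


def check_evidence(filename: str, raw: bytes, suspicious_domain: str) -> list:
    """Return a list of problems; an empty list means the evidence is usable."""
    problems = []
    suffix = PurePath(filename).suffix.lower()
    if suffix not in ACCEPTED_SUFFIXES:
        # Screenshots and PDFs can be altered, so the registrar rejects them.
        problems.append(f"unsupported format {suffix!r}; upload the original "
                        "email (EML/MSG/MBOX) or its headers (TXT)")
        return problems
    msg = email.message_from_bytes(raw, policy=policy.default)
    missing = [h for h in REQUIRED_HEADERS if msg.get(h) is None]
    if missing:
        problems.append("missing headers: " + ", ".join(missing))
    found = sender_domain(msg)
    if found != suspicious_domain.lower():
        problems.append(f"sender domain {found!r} does not match "
                        f"suspicious domain {suspicious_domain!r}")
    return problems


if __name__ == "__main__":
    print(check_evidence("phish.eml", SAMPLE_EML, "login-examplebank.test"))
    print(check_evidence("phish.png", b"\x89PNG", "login-examplebank.test"))
```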
To perform remediations, see Takedown Remediation, Report Remediation, or Blocklist Remediation.
You can view all remediation requests and remediable alerts in the Remediations page.
Remediation matrix
The following tables describe the available forms of remediation.
The supported table also details each form of alert and its remediation options and requirements:
Supported remediation scenarios
Source | Scenarios | Proof of abuse required by the source (at least one; without it, the source will not respond to the remediation request) | Prerequisites (source policy may change, and other documents may be requested as the request progresses) |
---|---|---|---|
Apple App Store | - Fake application - Malicious application | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Application stores | - Fake application - Malicious application | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Confidential documents | - Per case and vendor | | |
Domain | See Phishing domain | | |
eBay | - Product for sale | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Etsy | - Profile - Product for sale | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Facebook | - Group - Job scam - Profile - Post - Company page - VIP profile - Community page | The source requires that at least one of the following must have been abused: - Company registered logo - Company name. For VIP profiles, the source requires that at least one of the following must have been abused: - VIP name - VIP photo - Company registered logo - Company name. Facebook does not support takedowns of community pages. | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. For VIP profiles, VIP ID is required, either of these options: 1. One government ID (driver's license, national identity card, passport, or birth certificate) that includes the VIP name and date of birth or VIP name and photo. 2. Two non-government IDs (student card, library card, refugee card, employment verification, diploma, or loyalty card) that both include the VIP name. At least one of the IDs must also include the VIP date of birth or photo. In addition to the ID documents, a signed letter of authorization (LOA) must be present in the Configurations page. |
Fake job offer | - Per case and vendor | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Flickr | - Page - Photo | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
GitHub | Repository or file that contains: - Copyrighted code - Leaked credentials - Malicious code | The source requires that at least one of the following must have been abused: 1. Access credentials, such as user name, together with a password, or other credentials that can grant access to your organization's server, network, or domain. 2. AWS tokens and other similar access credentials that grant access to a third party on your behalf. You must be able to show that the token belongs to you. 3. Documentation (such as network diagrams or architecture) that poses a specific security risk for your company. 4. Information related to, and posing a security risk to, you as an individual (such as Social Security Number or other government ID numbers). | Include as much detail as possible, including specific lines and URLs. When reporting a repository, include the URL of the lowest level (such as a file URL, not a repository URL). Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Google Play | - Fake application - Malicious application | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. The LOA must not have an expiration date. |
Google Plus | - Profile | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| - Profile - Post - VIP profile | The source requires that at least one of the following must have been abused: - Company registered logo - Company name. For VIP profiles, the source requires that at least one of the following must have been abused: - VIP's name - VIP's photo - Company registered logo - Company name. | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. For VIP profiles, VIP ID is required, either of these options: 1. One government ID (driver's license, national identity card, passport, or birth certificate) that includes the VIP name and date of birth or VIP name and photo. 2. Two non-government IDs (student card, library card, refugee card, employment verification, diploma, or loyalty card) that both include the VIP name. At least one of the IDs must also include the VIP date of birth or photo. In addition to the ID documents, a signed letter of authorization (LOA) must be present in the Configurations page. |
| - Employee - Company page - VIP Profile | The source requires that at least one of the following must have been abused: - Company registered logo - Company name. For VIP profiles, the source requires that at least one of the following must have been abused: - VIP's name - VIP's photo - Company registered logo - Company name. | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Pastebin | - Copyrighted work - Leaked credentials - Confidential documents | The source requires that at least one of the following must have been abused: - Company registered logo - Company name - Sensitive company information (access credentials - passwords, emails, BIN number, etc.) - Leaked secrets, source code, or documents | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Paste sites | - Per case and vendor | | |
Phishing domain | - Phishing domain | Registrar policy requires one of the following: 1. The original phishing email that was sent by the suspicious domain, together with the full email headers. To produce this in a way that meets their strict requirements, follow the description in Evidence Best Practice Guidelines. This is the best evidence. 2. A malware scan that shows this domain's association with malicious activity. This may be accepted. 3. Smishing SMS. This is supported by some registrars. The registrar may require the original phishing email in some cases; malware analysis or smishing SMS is not always sufficient. | The original phishing email, together with the full email headers, contains the details that are essential to authenticate an email message. The original email in EML, MSG, or MBOX format, or the email headers in TXT format, shows that the email was sent from this domain. Screenshots and PDF files can be altered, which is why the registrar does not accept those formats. |
Phishing website | - Phishing website | The source requires that at least one of the following must have been abused: - Company registered logo - Company name - Company information (addresses, contact details) - Similarity to the company website | Each vendor has different requirements. Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| - Account | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
| - User | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Scribd | - Account - Post | For accounts, the source requires that at least one of the following must have been abused: - Company registered logo - Company name. For posts, the source requires that at least one of the following must have been abused: - Company registered logo - Company name - Sensitive company information (access credentials - passwords, emails, BIN number, etc.) - Leaked secrets, source code, or documents | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Studylib | - Copyrighted work - Leaked credentials - Confidential documents | The source requires that at least one of the following must have been abused: - Company registered logo - Company name - Sensitive company information (access credentials - passwords, emails, BIN number, etc.) - Leaked secrets, source code, or documents | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Suspicious email address (Gmail, Outlook, etc.) | - Phishing email | Email vendors require this information before they will consider taking down an email address: the original spam email that was sent, together with the full email headers. To produce this in a way that meets their strict requirements, follow the description in Evidence Best Practice Guidelines. | The original phishing email, together with the full email headers, contains the details that are essential to authenticate an email message. The original email in EML, MSG, or MBOX format, or the email headers in TXT format, shows that the email was sent from this address. Screenshots and PDF files can be altered, which is why the vendor does not accept those formats. |
Telegram | - Channel - Group - User - Bot | Telegram requires the proof of abuse of both the company registered trademark AND company name (one is not adequate). **Telegram policy protects the content of messages inside a group or channel, so those are not sufficient proof of abuse.** | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Telegram | - Private channel - Private group - Specific message | Telegram does not support takedowns. | |
Tiktok | - Page | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Tumblr | - Page - Profile | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Twitter | - Profile (company page) - VIP Profile - Tweet | The source requires that at least one of the following must have been abused: - Company registered logo - Company name. For VIP profiles, the source requires that at least one of the following must have been abused: - VIP's name - VIP's photo - Company registered logo - Company name. Twitter does not support takedowns of tweets. | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. For VIP profiles, a VIP passport or driver's license must be submitted, and a signed letter of authorization (LOA) must be present in the Configurations page before initiating the remediation. |
Veoh | - Video - Account | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Vimeo | - Video - Account | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
VirusTotal | - Copyrighted work - Leaked credentials - Confidential documents | The source requires that at least one of the following must have been abused: - Company registered logo - Company name - Sensitive company information (access credentials - passwords, emails, BIN number, etc.) - Leaked secrets, source code, or documents | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
VK | - Profile - Page | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Website | See Phishing website | | |
| - Profile - Page | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
YouTube | - Channel - Video | The source requires that at least one of the following must have been abused: - Company registered logo - Company name | Remediation is more likely to succeed if both the company Registered Trademark and a signed letter of authorization (LOA) are present in the Configurations page before initiating the remediation. |
Non-supported remediation scenarios
These scenarios are not supported:
Platform | Unsupported specific scenario |
---|---|
Brand reputation | Rapid7 does not handle takedown requests related to brand reputation if they are not related to phishing activities nor violate our terms of service. Examples of non-supported scenarios: Reviews, Adult content, Illegal content |
Reseller websites | Rapid7 does not handle takedown requests related to websites where our customers’ products are being resold legally or legitimately if there is no evidence provided of a security risk (e.g., phishing, etc.). |
Dark web | All threats |
S3 bucket Amazon | All bucket types |
Line platform | All types |
Douyin | All types |
Kumu platform | All types |
Pccid.io | All types |
xdocs.p | All types |
Pastehub | All types |