View IOCs and CVEs with Rapid7 Extend

Extend comprises two synergetic parts:

  • Summary window with enrichment data and additional actions.
  • On-page highlights and enrichment data.

Extend works very similarly for IOCs and CVEs. In the following sections, we will point out the differences, when applicable.

View IOCs and CVEs

Extend behavior is determined by the default scraping method. It is recommended to enable the Always on mode.
You can change that default, as described in Change default Extend scraping method.


  • Rapid7 Extend must be installed.
  • To view IOCs, you must have a subscription to the Threat Command TIP module and a subscription to Extend.
  • To view CVEs, you must have a subscription to the Threat Command Vulnerability Risk Analyzer module and a subscription to Extend.
  • You must be able to log in to the Threat Command.

To view IOCs and CVEs in the Extend summary window:

When scraping is in the Always on mode, the Extend summary window is shown for every web page that you visit. If Extend is in the Scan on demand mode, follow the procedure below to display the Extend summary window.

  1. From a Chrome browser, visit any web page.
  2. From the Chrome menu, click temporary placeholder.
    The web page is scraped and the Extend summary window is displayed over the web page:
    temporary placeholdertemporary placeholder

About highlighting

If Highlight indicators on the page is selected, those indicators that are already present in the Threat Command are highlighted. You can toggle this setting from the summary window.

Highlighted page entries include an severity indicator. You can click an entry to see more details about it. (If the entry is not highlighted, clicking it will cause the default page action.)

Only indicators that are IOCs are highlighted, subject to the following:

  • If the domain is an IOC, but the subdomain is not, only the domain is highlighted.
  • If only the subdomain is an IOC, then only the subdomain is highlighted.
  • If both the domain and the subdomain are IOCs, then only the subdomain is highlighted. Not sure about this?

Using the Extend summary window

The Extend summary window shows all the entries that were found on the page (maximum of 300). If an entry is on the page more than once, it is listed in the summary window only once.
The top line displays the total amount of entries (indicators and CVEs) that were scraped from the page. For those entries that are already present in the Threat Command, severity and additional enrichment data are available.

temporary placeholder

The entry details are presented in order of severity, highest severity first.

Once a page has been scraped, you can do the following activities in the Extend summary window:

To do thisUse this part of the window
Filter the presented entriesClick a filter button.
In this page, for example, to see only the domains. clicktemporary placeholder. 1 domain is of the highest severity.
Toggle whether web page entries are highlightedClick Highlight indicators on the page.
IOCs and CVEs from the Threat Command are now highlighted. Note that highlighted entries, aside from being easier to see, can also be clicked to view additional data.
Change the default scanning methodClick the settings gear, make the change, then click Done.
See the summary of entriesSee the details section. This section is described fully in Using the details section of the Extend Summary window. Each entry is listed only once, even though it may be on the web page multiple times.
Add the entry to the Threat CommandClick temporary placeholder.
An IOC will be added to the Browser Extension feed, as a document in the TIP Sources page. You can use that feed in IOC policies just like any other feed.
A CVE will be added to the Threat Command Vulnerabilities Risk Analyzer (VRA).
If the IOC or CVE is already present in the Threat Command (either as an IOC in a feed or as a CVE in the account), the + is not displayed.
Investigate an IOCClick temporary placeholder.
The IOC is searched for in the Investigation module. This option is available for IOCs, only.
See a CVE in the VRA pageClicktemporary placeholder
The CVE is searched for in theVulnerability Risk Analyzermodule. This option is available for CVEs, only.
View entry detailsClick temporary placeholder.
The entry enrichment details are displayed. These are the same details that are displayed if you click the highlighted entry on the web page.
temporary placeholder

Using the details section of the Extend summary window

The summary window lists all entries found on the web page. Those entries that already exist in the Threat Command have additional information displayed:

  • Severity
    Each entry is coded with its severity (for IOCs: High, Medium, or Low; for CVEs: Critical, High, Medium, or Low). For entries that are not in the Threat Command, the severity is N/A.

  • Enrichment data
    For existing entries, click temporary placeholder to see the enrichment data from Threat Command.
    temporary placeholder
    The details for an IOC entry may include the following:

    • Tags
      System tags are shown in green; user tags in blue.
    • First seen and last seen
      When the IOC was seen.
    • Reporting feeds
      From which Threat Command feeds this IOC was found.
    • Related malware or threat actors
      To which malware or threat actors the IOC is related
    • Triggered alert
      If the IOC related to an alert in the Threat Command Threat Command, that alert header is displayed. To see the alert in the Alerts page, click temporary placeholder. In addition, from the IOCs page, you can filter by Intelligence feed+

    The details for a CVE entry may include the following:

    • Vendor & product
      The CPE to  which the CVE relates.
    • NVD publish date and CVSS score
      Information from NVD
    • Rapid7 score
      The severity score from Rapid7
    • Overall mentions
      The amount of times in which this CVE is mentioned.
    • Last mentioned and First mentioned
      When the CVE was last seen and first seen
    • Exploit available
      Whether an exploit is available for this CVE.
  • If an IOC has been correlated in an integrated Splunk or Azure Sentinel app, it will be marked as “Found in your environment.”

  • If a CVE has an exploit, it will be marked as "Exploit available."