Rapid7 Insight Threat Command
## Overview

The Rapid7 Insight Threat Command connector facilitates the integration of Rapid7's threat intelligence and alert management capabilities into the Swimlane Turbine platform. Rapid7 Insight Threat Command is a powerful threat intelligence and response management platform that enables security teams to identify, investigate, and take action on threats. This connector allows Swimlane Turbine users to automate the management of alerts, enrich indicators of compromise (IOCs), and initiate takedown requests directly within the Swimlane ecosystem. By integrating with Rapid7 Insight Threat Command, users can streamline their security operations, enhance their threat intelligence capabilities, and accelerate incident response times, all from within the familiar Swimlane interface.

## Limitations

None to date.

## Prerequisites

To effectively utilize the Rapid7 Insight Threat Command connector with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint for the Rapid7 Insight Threat Command API
  - Account ID: your unique identifier for accessing your Rapid7 account
  - API Key: a secure key generated within Rapid7 for authenticating API requests

## Supported versions

This connector supports the latest version of the Rapid7 Insight Threat Command REST API.

## Additional docs

For more information, refer to the Rapid7 API documentation: https://docs.rapid7.com/threat-command/

## Configuration

### Authentication methods

#### Rapid7 HTTP Basic Authentication

To authenticate with the Rapid7 Insight Threat Command API, you must use HTTP Basic Authentication. This method requires the following credentials:

- Username: your Rapid7 Insight Threat Command API username
- Password: your corresponding password

These credentials are mandatory and must be provided to successfully connect to the API. Ensure that your username and password are kept secure and not shared with unauthorized individuals.

## Capabilities

The Rapid7 Insight Threat Command integration provides the following capabilities:

- Add Manual Alert
- Assign Alert
- Close Alert
- Get Alert
- Get Alert Activity Log
- Get Alert CSV
- Get Alert's HTML Content
- Get Alert Image
- Get Alert Report Status
- Get Alert Takedown Status
- Get Alert Whois File
- Get Alerts
- Get IOC by Value
- Request IOC Enrichment
- Takedown Request
- and so on

## Configurations

### Rapid7 HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | API key. Do not provide it base64-encoded; it will be encoded automatically along with the username | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Manual Alert

Adds a manual alert to Rapid7 Insight Threat Command and returns the new alert ID, requiring a JSON body input.

Endpoint URL: `/public/v1/data/alerts/add-alert`

Method: `PUT`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| images | object | optional | Parameter for Add Manual Alert |
| files | array | optional | Parameter for Add Manual Alert |
| file | string | optional | Parameter for Add Manual Alert |
| file_name | string | optional | Name of the resource |
| FoundDate | string | optional | Date value |
| Details | object | optional | Parameter for Add Manual Alert |
| Title | string | optional | Parameter for Add Manual Alert |
| Description | string | optional | Parameter for Add Manual Alert |
| Type | string | optional | Type of the resource |
| SubType | string | optional | Type of the resource |
| Severity | string | optional | Parameter for Add Manual Alert |
| Source | object | optional | Parameter for Add Manual Alert |
| Type | string | optional | Type of the resource |
| NetworkType | string | optional | Type of the resource |
| URL | string | optional | URL endpoint for the request |
| Date | object | optional | Date value |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[
  {
    "status_code": 401,
    "response_headers": {
      "date": "Fri, 03 Feb 2023 15:55:27 GMT",
      "content-length": "14",
      "connection": "keep-alive",
      "set-cookie": "env=production-apiexternal; Path=/; SameSite=Lax, dash-version=6.59.2; Path=/; S...",
      "content-security-policy": "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' data: ...",
      "x-dns-prefetch-control": "off",
      "expect-ct": "max-age=0",
      "x-frame-options": "SAMEORIGIN",
      "strict-transport-security": "max-age=15724800; includeSubDomains",
      "x-download-options": "noopen",
      "x-content-type-options": "nosniff",
      "x-permitted-cross-domain-policies": "none",
      "referrer-policy": "same-origin",
      "x-xss-protection": "0",
      "surrogate-control": "no-store"
    },
    "reason": "Unauthorized",
    "response_text": "AccountExpired"
  }
]
```

### Assign Alert

Assign an alert to a specific assignee in Rapid7 Insight Threat Command by using the alert's ID and AssigneeID.

Endpoint URL: `/public/v1/data/alerts/assign-alert/{{id}}`

Method: `PATCH`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |
| AssigneeID | string | required | The ID of the assignee to assign the alert to |
| IsMssp | boolean | optional | Whether the assignee is an MSSP |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": {}
  }
]
```

### Close Alert

Closes a specified alert in Rapid7 Insight Threat Command by providing the alert ID and a closure reason.

Endpoint URL: `/public/v1/data/alerts/close-alert/{{alert_id}}`

Method: `PATCH`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| alert_id | string | required | Unique identifier |
| Reason | string | required | Response reason phrase |
| FreeText | string | optional | Parameter for Close Alert |
| IsHidden | boolean | optional | Unique identifier |
| Rate | number | optional | Parameter for Close Alert |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": {}
  }
]
```

### Get Alert

Retrieves detailed information for a specific alert in Rapid7 Insight Threat Command using the alert's unique ID.

Endpoint URL: `/public/v1/data/alerts/get-complete-alert/{{id}}`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _id | string | Unique identifier |
| FoundDate | string | Date value |
| Details | object | Output field Details |
| Title | string | Output field Title |
| Type | string | Type of the resource |
| SubType | string | Type of the resource |
| Severity | string | Output field Severity |
| Tags | array | Output field Tags |
| Name | string | Name of the resource |
| CreatedBy | string | Output field CreatedBy |
| _id | string | Unique identifier |
| Source | object | Output field Source |
| Type | string | Type of the resource |
| NetworkType | string | Type of the resource |
| URL | string | URL endpoint for the request |
| Date | string | Date value |
| Images | array | Output field Images |
| Description | string | Output field Description |
| Assignees | array | Output field Assignees |
| Assets | array | Output field Assets |
| Type | string | Type of the resource |
| Value | string | Value for the parameter |
| TakedownStatus | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Mon, 27 Mar 2023 21:50:27 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "set-cookie": "env=production-apiexternal; Path=/; SameSite=Lax, dash-version=6.61.1; Path=/; S...",
      "content-security-policy": "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' data: ...",
      "x-dns-prefetch-control": "off",
      "expect-ct": "max-age=0",
      "x-frame-options": "SAMEORIGIN",
      "strict-transport-security": "max-age=15724800; includeSubDomains",
      "x-download-options": "noopen",
      "x-content-type-options": "nosniff",
      "x-permitted-cross-domain-policies": "none",
      "referrer-policy": "same-origin",
      "x-xss-protection": "0"
    },
    "reason": "OK",
    "json_body": {
      "_id": "621530e534928c87fd0a0469",
      "FoundDate": "2022-02-22T18:52:21.463Z",
      "Details": {},
      "Assignees": [],
      "Assets": [],
      "TakedownStatus": "NotSent",
      "IsFlagged": false,
      "UpdateDate": "2022-09-12T21:38:10.866Z",
      "RelatedIocs": [],
      "RelatedThreatIDs": [],
      "Closed": {}
    }
  }
]
```

### Get Alert Activity Log

Retrieve the activity log for a specific alert in Rapid7 Insight Threat Command using the alert's unique identifier.

Endpoint URL: `/public/v1/data/alerts/activity-log/{{id}}`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | array | Output field response |
| Type | string | Type of the resource |
| Initiator | string | Output field Initiator |
| CreatedDate | string | Date value |
| UpdateDate | string | Date value |
| _id | string | Unique identifier |
| AdditionalInformation | object | Output field AdditionalInformation |
| RemediationBlocklistUpdate | array | Date value |
| AskTheAnalyst | object | Output field AskTheAnalyst |
| Replies | array | Output field Replies |
| Mail | object | Output field Mail |
| Replies | array | Output field Replies |
| ReadBy | array | Output field ReadBy |
| SubTypes | array | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": [
      {}
    ]
  }
]
```

### Get Alert CSV

Retrieve a detailed CSV file for an alert from Rapid7 Insight Threat Command using the provided alert ID.

Endpoint URL: `/public/v1/data/alerts/csv-file/{{id}}`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | File |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "pjsc-billing-credit-cost": "0.000131835",
      "pjsc-billing-elapsedMs": "1754",
      "pjsc-billing-bytes": "252,335",
      "pjsc-billing-proxy-ingress-bytes": "0",
      "pjsc-billing-proxy-ingress-cost": "0",
      "pjsc-billing-total-credits-remaining": "0.048495298",
      "pjsc-billing-daily-subscription-credits-remaining": "0.047495298",
      "pjsc-billing-prepaid-credits-remaining": "0.001",
      "local-address": "190.195.70.130",
      "pjsc-backend-id": "1 727r",
      "pjsc-content-status-code": "200",
      "pjsc-content-name": "www.google.com.jpeg",
      "pjsc-content-url": "http://www.google.com/",
      "pjsc-content-page-exec-last-waited-on": "waitInterval(1000) not yet met. Still need to wait 43",
      "pjsc-content-done-detail": "{\"reason\":\"match doneWhen {\\\"event\\\":\\\"domReady\\\"}\",\"statusCode\":200}"
    },
    "reason": "OK",
    "response_text": "\ufffd\ufffd\ufffd\ufffd\u0000\u0010JFIF\u0000\u0001\u0001\u0000\u0000\u0001\u0000\u0001\u0000\u0000\ufffd\ufffd\u0002(ICC_PROFILE ... (binary JPEG data, truncated)"
  }
]
```

### Get Alert's HTML Content

Retrieve the HTML content of an alert using its unique identifier from Rapid7 Insight Threat Command.

Endpoint URL: `/public/v1/data/alerts/website-html/{{id}}`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |
| WebsiteText | string | Output field WebsiteText |
| WebsiteHtml | string | Output field WebsiteHtml |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": {
      "WebsiteText": "website text",
      "WebsiteHtml": "website html"
    }
  }
]
```

### Get Alert Image

Retrieves the image for a specific alert from Rapid7 Insight Threat Command using the provided unique alert ID.

Endpoint URL: `/public/v1/data/alerts/alert-image/{{id}}`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | File |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example: identical to the Get Alert CSV example above (a 200 response whose `response_text` carries the binary JPEG bytes).

### Get Alert Report Status

Retrieve the current status of a specific alert report in Rapid7 Insight Threat Command using the alert's unique ID.

Endpoint URL: `/public/v1/data/alerts/report-status/{{id}}`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | array | Output field response |
| Value | string | Value for the parameter |
| GoogleWebRisk | object | Output field GoogleWebRisk |
| Status | string | Status value |
| PhishTank | object | Output field PhishTank |
| Status | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": [
      {}
    ]
  }
]
```

### Get Alert Takedown Status

Retrieve the takedown status of an alert by its unique identifier in Rapid7 Insight Threat Command.

Endpoint URL: `/public/v1/data/alerts/takedown-status/{{id}}`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | string | Output field response |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": "Requested"
  }
]
```

### Get Alert Whois File

Retrieve the WHOIS text file for a specific phishing alert in Rapid7 Insight Threat Command using the alert's unique ID.

Endpoint URL: `/public/v1/data/alerts/whois-file/{{id}}`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | File |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example: identical to the Get Alert CSV example above (a 200 response whose `response_text` carries the binary JPEG bytes).

### Get Alerts

Retrieves all alerts from Rapid7 Insight Threat Command, offering a detailed perspective on potential security threats.

Endpoint URL: `/public/v1/data/alerts/alerts-list`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| alert_type | array | optional | Type of the resource |
| assigned | string | optional | Parameter for Get Alerts |
| found_date_from | number | optional | Parameter for Get Alerts |
| found_date_to | number | optional | Parameter for Get Alerts |
| has_indicators | boolean | optional | Parameter for Get Alerts |
| is_closed | string | optional | Parameter for Get Alerts |
| is_flagged | string | optional | Parameter for Get Alerts |
| matched_asset_value | array | optional | Value for the parameter |
| network_type | array | optional | Type of the resource |
| remediation_status | array | optional | Status value |
| severity | array | optional | Parameter for Get Alerts |
| source_date_from | number | optional | Parameter for Get Alerts |
| source_date_to | number | optional | Parameter for Get Alerts |
| source_type | array | optional | Type of the resource |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Mon, 27 Mar 2023 21:42:26 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "set-cookie": "env=production-apiexternal; Path=/; SameSite=Lax, dash-version=6.61.1; Path=/; S...",
      "content-security-policy": "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' data: ...",
      "x-dns-prefetch-control": "off",
      "expect-ct": "max-age=0",
      "x-frame-options": "SAMEORIGIN",
      "strict-transport-security": "max-age=15724800; includeSubDomains",
      "x-download-options": "noopen",
      "x-content-type-options": "nosniff",
      "x-permitted-cross-domain-policies": "none",
      "referrer-policy": "same-origin",
      "x-xss-protection": "0"
    },
    "reason": "OK",
    "json_body": [
      "621530b1faeaecc0f1cf476c",
      "621530e534928c87fd0a0469"
    ]
  }
]
```

### Get IOC by Value

Retrieve details for a specific indicator of compromise (IOC) by its value in Rapid7 Insight Threat Command, with the required `iocValue` parameter.

Endpoint URL: `/public/v3/iocs/ioc-by-value`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| iocValue | string | required | IOC value |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| Value | string | Value for the parameter |
| Type | string | Type of the resource |
| Severity | string | Output field Severity |
| Status | string | Status value |
| Score | number | Score value |
| Whitelisted | string | Output field Whitelisted |
| FirstSeen | string | Output field FirstSeen |
| LastSeen | string | Output field LastSeen |
| LastUpdate | string | Date value |
| Geolocation | string | Output field Geolocation |
| ReportedFeeds | array | Output field ReportedFeeds |
| _id | string | Unique identifier |
| Name | string | Name of the resource |
| ConfidenceLevel | number | Unique identifier |
| Tags | array | Output field Tags |
| RelatedMalwares | array | Output field RelatedMalwares |
| RelatedCampaigns | array | Output field RelatedCampaigns |
| RelatedThreatActors | array | Output field RelatedThreatActors |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "Value": "example.com",
      "Type": "Domains",
      "Severity": "High",
      "Status": "Active",
      "Score": 100,
      "Whitelisted": "false",
      "FirstSeen": "2020-01-01T20:01:27.344Z",
      "LastSeen": "2020-01-30T16:18:51.148Z",
      "LastUpdate": "2020-02-21T23:00:51.268Z",
      "Geolocation": "US",
      "ReportedFeeds": [],
      "Tags": [],
      "RelatedMalwares": [],
      "RelatedCampaigns": [],
      "RelatedThreatActors": []
    }
  }
]
```

### Request IOC Enrichment

Retrieve comprehensive enrichment data for a specified indicator of compromise (IOC) from Rapid7 Insight Threat Command.

Endpoint URL: `/public/v1/iocs/enrich/{{iocValue}}`

Method: `GET`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| iocValue | string | required | IOC value. Supported IOC types: domains, URLs, IP addresses, and file hashes. Any other type will cause a response with `"Status": "Failed"`. |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| OriginalValue | string | Value for the parameter |
| Status | string | Status value |
| Data | object | Response data |
| Value | string | Value for the parameter |
| Type | string | Type of the resource |
| IsKnownIoc | boolean | Output field IsKnownIoc |
| Whitelisted | boolean | Output field Whitelisted |
| Status | string | Status value |
| Tags | array | Output field Tags |
| SystemTags | array | Output field SystemTags |
| Sources | array | Output field Sources |
| Severity | object | Output field Severity |
| Value | string | Value for the parameter |
| Score | number | Score value |
| RelatedMalwares | array | Output field RelatedMalwares |
| RelatedThreatActors | array | Output field RelatedThreatActors |
| RelatedHashes | object | Output field RelatedHashes |
| Downloaded | array | Output field Downloaded |
| Communicating | array | Output field Communicating |
| Referencing | array | Output field Referencing |
| RelatedCampaigns | array | Output field RelatedCampaigns |
| DnsRecords | array | Output field DnsRecords |
| Value | string | Value for the parameter |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "OriginalValue": "securitywap.com",
      "Status": "Done",
      "Data": {}
    }
  }
]
```

### Takedown Request

Initiate a takedown request for an alert using the specified alert ID in Rapid7 Insight Threat Command.

Endpoint URL: `/public/v1/data/alerts/takedown-request/{{alert_id}}`

Method: `PATCH`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| alert_id | string | required | Unique identifier |
| Target | string | optional | Parameter for Takedown Request |
| ShouldCloseAlertAfterSuccess | boolean | optional | Whether the operation was successful |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": {}
  }
]
```

### Unassign Alert

Releases the assignment of a specified alert in Rapid7 Insight Threat Command using the alert's unique ID.

Endpoint URL: `/public/v1/data/alerts/unassign-alert/{{id}}`

Method: `PATCH`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": {}
  }
]
```

## Response headers

| Header | Description | Example |
|---|---|---|
| Access-Control-Expose-Headers | HTTP response header Access-Control-Expose-Headers | WWW-Authenticate,Server-Authorization |
| Alt-Svc | HTTP response header Alt-Svc | h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 |
| Cache-Control | Directives for caching mechanisms | no-cache |
| CF-Cache-Status | HTTP response header CF-Cache-Status | DYNAMIC |
| CF-RAY | HTTP response header CF-RAY | 793c59d46a9500d7-GRU |
| Connection | HTTP response header Connection | keep-alive |
| Content-Disposition | HTTP response header Content-Disposition | filename="www.google.com.jpeg" |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 14 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' data: ... (full policy, including the script-src hash allow-list and the img-src, style-src, frame-src and connect-src origins, truncated) |
| Content-Type | The media type of the resource | image/jpeg |
| Date | The date and time at which the message was originated | Fri, 03 Feb 2023 15:55:27 GMT |
| ETag | An identifier for a specific version of a resource | W/"37-iyltfxri3i6creirp3vv2mzcv5s" |
| Expect-CT | HTTP response header Expect-CT | max-age=0 |
| Expires | The date/time after which the response is considered stale | 0 |
| local-address | HTTP response header local-address | 190.195.70.130 |
| pjsc-backend-id | HTTP response header pjsc-backend-id | 1 727r |
| pjsc-billing-bytes | HTTP response header pjsc-billing-bytes | 252,335 |
| pjsc-billing-credit-cost | HTTP response header pjsc-billing-credit-cost | 0.000131835 |
| pjsc-billing-daily-subscription-credits-remaining | HTTP response header pjsc-billing-daily-subscription-credits-remaining | 0.047495298 |
| pjsc-billing-elapsedMs | HTTP response header pjsc-billing-elapsedMs | 1754 |
| pjsc-billing-prepaid-credits-remaining | HTTP response header pjsc-billing-prepaid-credits-remaining | 0.001 |
| pjsc-billing-proxy-ingress-bytes | HTTP response header pjsc-billing-proxy-ingress-bytes | 0 |
| pjsc-billing-proxy-ingress-cost | HTTP response header pjsc-billing-proxy-ingress-cost | 0 |
| pjsc-billing-total-credits-remaining | HTTP response header pjsc-billing-total-credits-remaining | 0.048495298 |