# Rapid7 Insight Threat Command
The Rapid7 Insight Threat Command connector integrates Rapid7's threat intelligence and alert management capabilities into the Swimlane Turbine platform. Rapid7 Insight Threat Command is a threat intelligence and response management platform that enables security teams to identify, investigate, and take action on threats. This connector allows Swimlane Turbine users to automate the management of alerts, enrich indicators of compromise (IOCs), and initiate takedown requests directly within the Swimlane ecosystem. By integrating with Rapid7 Insight Threat Command, users can streamline their security operations, enhance their threat intelligence capabilities, and accelerate incident response times, all from within the familiar Swimlane interface.

## Limitations

None to date.

## Prerequisites

To effectively utilize the Rapid7 Insight Threat Command connector with Swimlane Turbine, ensure you have the following prerequisites:

HTTP Basic authentication with the following parameters:

- URL: the endpoint for the Rapid7 Insight Threat Command API
- Account ID: your unique identifier for accessing your Rapid7 account
- API Key: a secure key generated within Rapid7 for authenticating API requests

## Supported versions

This connector supports the latest version of the Rapid7 Insight Threat Command REST API.

## Additional docs

For more information, refer to the Rapid7 Threat Command documentation at https://docs.rapid7.com/threat-command/.

## Configuration

### Authentication methods

#### Rapid7 HTTP Basic authentication

To authenticate with the Rapid7 Insight Threat Command API, you must use HTTP Basic authentication. This method requires the following credentials:

- Username: your Rapid7 Insight Threat Command API username
- Password: your corresponding password

These credentials are mandatory and must be provided to successfully connect to the API. Ensure that your username and password are kept secure and not shared with unauthorized individuals.

## Capabilities

The Rapid7 Insight Threat Command integration provides the following capabilities:

- Add Manual Alert
- Assign Alert
- Close Alert
- Get Alert
- Get Alert Activity Log
- Get Alert CSV
- Get Alert's HTML Content
- Get Alert Image
- Get Alert Report Status
- Get Alert Takedown Status
- Get Alert WHOIS File
- Get Alerts
- Get IOC by Value
- Request IOC Enrichment
- Takedown Request
- and so on

## Configurations

### Rapid7 HTTP Basic authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | Required |
| Username | Username | string | Required |
| Password | API Key. Do not provide it base64 encoded; it will be encoded automatically along with the username | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add Manual Alert

Adds a manual alert to Rapid7 Insight Threat Command and returns the new alert ID, requiring a JSON body input.

Endpoint URL: `/public/v1/data/alerts/add-alert`

Method: `PUT`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| images | object | Optional | Parameter for Add Manual Alert |
| images.files | array | Optional | Parameter for Add Manual Alert |
| images.files.file | string | Optional | Parameter for Add Manual Alert |
| images.files.fileName | string | Optional | Name of the resource |
| foundDate | string | Optional | Date value |
| details | object | Optional | Parameter for Add Manual Alert |
| details.title | string | Optional | Parameter for Add Manual Alert |
| details.description | string | Optional | Parameter for Add Manual Alert |
| details.type | string | Optional | Type of the resource |
| details.subType | string | Optional | Type of the resource |
| details.severity | string | Optional | Parameter for Add Manual Alert |
| details.source | object | Optional | Parameter for Add Manual Alert |
| details.source.type | string | Optional | Type of the resource |
| details.source.networkType | string | Optional | Type of the resource |
| details.source.url | string | Optional | URL endpoint for the request |
| details.source.date | object | Optional | Date value |

Input example:

```json
{"json_body": {"foundDate": "2018-01-01", "details": {"title": "api title", "description": "api description", "type": "ExploitableData", "subType": "VulnerabilityInTechnologyInUse", "severity": "High", "source": {"type": "ApplicationStore", "networkType": "ClearWeb", "url": "http://www.blabla.com", "date": null}}}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Output example (truncated as on the original page):

```json
{"status_code": 401, "response_headers": {"Date": "Fri, 03 Feb 2023 15:55:27 GMT", "Content-Length": "14", "Connection": "keep-alive", "Set-Cookie": "env=production-apiexternal; Path=/; SameSite=Lax, dash-version=6.59.2; Path=/; S", "Content-Security-Policy": "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' data:", "X-DNS-Prefetch-Control": "off", "Expect-CT": "max-age=0", "X-Frame-Options": "SAMEORIGIN", "Strict-Transport-Security": "max-age=15724800; includeSubDomains", "X-Download
```

### Assign Alert

Assign an alert to a specific assignee in Rapid7 Insight Threat Command by using the alert's ID and assigneeID.

Endpoint URL: `/public/v1/data/alerts/assign-alert/{{id}}`

Method: `PATCH`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Assign Alert action |
| assigneeID | string | Optional | The ID of the assignee to assign the alert to |
| isMssp | boolean | Optional | Whether the assignee is an MSSP |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}, "assigneeID": "string", "isMssp": true}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {}}
```

### Close Alert

Closes a specified alert in Rapid7 Insight Threat Command by providing the alert ID and a closure reason.

Endpoint URL: `/public/v1/data/alerts/close-alert/{{alert_id}}`

Method: `PATCH`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.alert_id | string | Required | Parameters for the Close Alert action |
| reason | string | Optional | Response reason phrase |
| freeText | string | Optional | Parameter for Close Alert |
| isHidden | boolean | Optional | Unique identifier |
| rate | number | Optional | Parameter for Close Alert |

Input example:

```json
{"json_body": {"reason": "FalsePositive", "freeText": "comments...", "isHidden": true, "rate": 5}, "path_parameters": {"alert_id": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {}}
```

### Get Alert

Retrieves detailed information for a specific alert in Rapid7 Insight Threat Command using the alert's unique ID.

Endpoint URL: `/public/v1/data/alerts/get-complete-alert/{{id}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Get Alert action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| foundDate | string | Date value |
| details | object | Output field details |
| details.title | string | Output field details.title |
| details.type | string | Type of the resource |
| details.subType | string | Type of the resource |
| details.severity | string | Output field details.severity |
| details.tags | array | Output field details.tags |
| details.tags.name | string | Name of the resource |
| details.tags.createdBy | string | Output field details.tags.createdBy |
| details.tags.id | string | Unique identifier |
| details.source | object | Output field details.source |
| details.source.type | string | Type of the resource |
| details.source.networkType | string | Type of the resource |
| details.source.url | string | URL endpoint for the request |
| details.source.date | string | Date value |
| details.images | array | Output field details.images |
| details.description | string | Output field details.description |
| assignees | array | Output field assignees |
| assets | array | Output field assets |
| assets.type | string | Type of the resource |
| assets.value | string | Value for the parameter |
| takedownStatus | string | Status value |

Output example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 27 Mar 2023 21:50:27 GMT", "Content-Type": "application/json; charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Set-Cookie": "env=production-apiexternal; Path=/; SameSite=Lax, dash-version=6.61.1; Path=/; S", "Content-Security-Policy": "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' data:", "X-DNS-Prefetch-Control": "off", "Expect-CT": "max-age=0", "X-Frame-Options": "SAMEORIGIN", "Strict-Transport-Se
```

### Get Alert Activity Log

Retrieve the activity log for a specific alert in Rapid7 Insight Threat Command using the alert's unique identifier.

Endpoint URL: `/public/v1/data/alerts/activity-log/{{id}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Get Alert Activity Log action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | array | Output field response |
| response.type | string | Type of the resource |
| response.initiator | string | Output field response.initiator |
| response.createdDate | string | Date value |
| response.updateDate | string | Date value |
| response._id | string | Unique identifier |
| response.additionalInformation | object | Output field response.additionalInformation |
| response.additionalInformation.remediationBlocklistUpdate | array | Date value |
| response.additionalInformation.askTheAnalyst | object | Output field response.additionalInformation.askTheAnalyst |
| response.additionalInformation.askTheAnalyst.replies | array | Output field response.additionalInformation.askTheAnalyst.replies |
| response.additionalInformation.mail | object | Output field response.additionalInformation.mail |
| response.additionalInformation.mail.replies | array | Output field response.additionalInformation.mail.replies |
| response.readBy | array | Output field response.readBy |
| response.subTypes | array | Type of the resource |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": [{"type": "AlertRead", "initiator": "5b1641983a21b34c6d6e6197", "createdDate": "2018-01-01T13:09:39.305Z", "updateDate": "2018-01-01T13:09:39.305Z", "_id": "5b1641a53a21b34c6d6e6198", "additionalInformation": {}, "readBy": [], "subTypes": []}]}
```

### Get Alert CSV

Retrieve a detailed CSV file for an alert from Rapid7 Insight Threat Command using the provided alert ID.

Endpoint URL: `/public/v1/data/alerts/csv-file/{{id}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Get Alert CSV action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | File |
| file.file_name | string | Name of the resource |
| file.file | string | Output field file.file |

Output example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {"pjsc-billing-credit-cost": "0.000131835", "pjsc-billing-elapsedms": "1754", "pjsc-billing-bytes": "252,335", "pjsc-billing-proxy-ingress-bytes": "0", "pjsc-billing-proxy-ingress-cost": "0", "pjsc-billing-total-credits-remaining": "0.048495298", "pjsc-billing-daily-subscription-credits-remaining": "0.047495298", "pjsc-billing-prepaid-credits-remaining": "0.001", "local-address": "190.195.70.130", "pjsc-backend-id": "1 727r", "pjsc-content-status-code": "200", "pjsc-content-name
```

### Get Alert's HTML Content

Retrieve the HTML content of an alert using its unique identifier from Rapid7 Insight Threat Command.

Endpoint URL: `/public/v1/data/alerts/website-html/{{id}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Get Alert's HTML Content action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |
| response.websiteText | string | Output field response.websiteText |
| response.websiteHtml | string | Output field response.websiteHtml |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {"websiteText": "website text", "websiteHtml": "website html"}}
```

### Get Alert Image

Retrieves the image for a specific alert from Rapid7 Insight Threat Command using the provided unique alert ID.

Endpoint URL: `/public/v1/data/alerts/alert-image/{{id}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Get Alert Image action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | File |
| file.file_name | string | Name of the resource |
| file.file | string | Output field file.file |

Output example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {"pjsc-billing-credit-cost": "0.000131835", "pjsc-billing-elapsedms": "1754", "pjsc-billing-bytes": "252,335", "pjsc-billing-proxy-ingress-bytes": "0", "pjsc-billing-proxy-ingress-cost": "0", "pjsc-billing-total-credits-remaining": "0.048495298", "pjsc-billing-daily-subscription-credits-remaining": "0.047495298", "pjsc-billing-prepaid-credits-remaining": "0.001", "local-address": "190.195.70.130", "pjsc-backend-id": "1 727r", "pjsc-content-status-code": "200", "pjsc-content-name
```

### Get Alert Report Status

Retrieve the current status of a specific alert report in Rapid7 Insight Threat Command using the alert's unique ID.

Endpoint URL: `/public/v1/data/alerts/report-status/{{id}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Get Alert Report Status action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | array | Output field response |
| response.value | string | Value for the parameter |
| response.googleWebRisk | object | Output field response.googleWebRisk |
| response.googleWebRisk.status | string | Status value |
| response.phishTank | object | Output field response.phishTank |
| response.phishTank.status | string | Status value |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": [{"value": "example.org", "googleWebRisk": {}, "phishTank": {}}]}
```

### Get Alert Takedown Status

Retrieve the takedown status of an alert by its unique identifier in Rapid7 Insight Threat Command.

Endpoint URL: `/public/v1/data/alerts/takedown-status/{{id}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Get Alert Takedown Status action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | string | Output field response |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": "Requested"}
```

### Get Alert WHOIS File

Retrieve the WHOIS text file for a specific phishing alert in Rapid7 Insight Threat Command using the alert's unique ID.

Endpoint URL: `/public/v1/data/alerts/whois-file/{{id}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Get Alert WHOIS File action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | File |
| file.file_name | string | Name of the resource |
| file.file | string | Output field file.file |

Output example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {"pjsc-billing-credit-cost": "0.000131835", "pjsc-billing-elapsedms": "1754", "pjsc-billing-bytes": "252,335", "pjsc-billing-proxy-ingress-bytes": "0", "pjsc-billing-proxy-ingress-cost": "0", "pjsc-billing-total-credits-remaining": "0.048495298", "pjsc-billing-daily-subscription-credits-remaining": "0.047495298", "pjsc-billing-prepaid-credits-remaining": "0.001", "local-address": "190.195.70.130", "pjsc-backend-id": "1 727r", "pjsc-content-status-code": "200", "pjsc-content-name
```

### Get Alerts

Retrieves all alerts from Rapid7 Insight Threat Command, offering a detailed perspective on potential security threats.

Endpoint URL: `/public/v1/data/alerts/alerts-list`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.alertType | array | Optional | Parameters for the Get Alerts action |
| parameters.assigned | string | Optional | Parameters for the Get Alerts action |
| parameters.foundDateFrom | number | Optional | Parameters for the Get Alerts action |
| parameters.foundDateTo | number | Optional | Parameters for the Get Alerts action |
| parameters.hasIndicators | boolean | Optional | Parameters for the Get Alerts action |
| parameters.isClosed | string | Optional | Parameters for the Get Alerts action |
| parameters.isFlagged | string | Optional | Parameters for the Get Alerts action |
| parameters.matchedAssetValue | array | Optional | Parameters for the Get Alerts action |
| parameters.networkType | array | Optional | Parameters for the Get Alerts action |
| parameters.remediationStatus | array | Optional | Parameters for the Get Alerts action |
| parameters.severity | array | Optional | Parameters for the Get Alerts action |
| parameters.sourceDateFrom | number | Optional | Parameters for the Get Alerts action |
| parameters.sourceDateTo | number | Optional | Parameters for the Get Alerts action |
| parameters.sourceType | array | Optional | Parameters for the Get Alerts action |

Input example:

```json
{"parameters": {"alertType": ["Phishing"], "assigned": "Assigned", "foundDateFrom": 0, "foundDateTo": 1633047102456, "hasIndicators": false, "isClosed": "Closed", "isFlagged": "Flagged", "matchedAssetValue": ["example.com"], "networkType": ["DarkWeb"], "remediationStatus": ["InProgress", "Pending"], "severity": ["Low"], "sourceDateFrom": 1633047083142, "sourceDateTo": 1633047102456, "sourceType": ["ApplicationStore"]}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 27 Mar 2023 21:42:26 GMT", "Content-Type": "application/json; charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Set-Cookie": "env=production-apiexternal; Path=/; SameSite=Lax, dash-version=6.61.1; Path=/; S", "Content-Security-Policy": "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' data:", "X-DNS-Prefetch-Control": "off", "Expect-CT": "max-age=0", "X-Frame-Options": "SAMEORIGIN", "Strict-Transport-Se
```

### Get IOC by Value

Retrieve details for a specific indicator of compromise (IOC) by its value in Rapid7 Insight Threat Command, with the required iocValue parameter.

Endpoint URL: `/public/v3/iocs/ioc-by-value`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.iocValue | string | Required | IOC value |

Input example:

```json
{"parameters": {"iocValue": "google.com"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | string | Value for the parameter |
| type | string | Type of the resource |
| severity | string | Output field severity |
| status | string | Status value |
| score | number | Score value |
| whitelisted | string | Output field whitelisted |
| firstSeen | string | Output field firstSeen |
| lastSeen | string | Output field lastSeen |
| lastUpdate | string | Date value |
| geolocation | string | Output field geolocation |
| reportedFeeds | array | Output field reportedFeeds |
| reportedFeeds.id | string | Unique identifier |
| reportedFeeds.name | string | Name of the resource |
| reportedFeeds.confidenceLevel | number | Unique identifier |
| tags | array | Output field tags |
| relatedMalwares | array | Output field relatedMalwares |
| relatedCampaigns | array | Output field relatedCampaigns |
| relatedThreatActors | array | Output field relatedThreatActors |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"value": "example.com", "type": "Domains", "severity": "High", "status": "Active", "score": 100, "whitelisted": "false", "firstSeen": "2020-01-01T20:01:27.344Z", "lastSeen": "2020-01-30T16:18:51.148Z", "lastUpdate": "2020-02-21T23:00:51.268Z", "geolocation": "US", "reportedFeeds": [{}], "tags": ["mytag 1"], "relatedMalwares": ["doppeldridex", "dridex"], "relatedCampaigns": ["solarwinds"], "relatedThreatActors": ["doppelspider"]}}
```

### Request IOC Enrichment

Retrieve comprehensive enrichment data for a specified indicator of compromise (IOC) from Rapid7 Insight Threat Command.

Endpoint URL: `/public/v1/iocs/enrich/{{iocValue}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.iocValue | string | Required | IOC value. Supported IOC types: domains, URLs, IP addresses, and file hashes. Any other type will cause a response with `"status": "Failed"` |

Input example:

```json
{"path_parameters": {"iocValue": "google.com"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| originalValue | string | Value for the parameter |
| status | string | Status value |
| data | object | Response data |
| data.value | string | Response data |
| data.type | string | Response data |
| data.isKnownIoc | boolean | Response data |
| data.whitelisted | boolean | Response data |
| data.status | string | Response data |
| data.tags | array | Response data |
| data.systemTags | array | Response data |
| data.sources | array | Response data |
| data.severity | object | Response data |
| data.severity.value | string | Response data |
| data.severity.score | number | Response data |
| data.relatedMalwares | array | Response data |
| data.relatedThreatActors | array | Response data |
| data.relatedHashes | object | Response data |
| data.relatedHashes.downloaded | array | Response data |
| data.relatedHashes.communicating | array | Response data |
| data.relatedHashes.referencing | array | Response data |
| data.relatedCampaigns | array | Response data |
| data.dnsRecords | array | Response data |
| data.dnsRecords.value | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"originalValue": "securitywap.com", "status": "Done", "data": {"value": "securitywap.com", "type": "Domains", "isKnownIoc": false, "whitelisted": false, "status": "Active", "tags": [], "systemTags": [], "sources": [], "severity": {}, "relatedMalwares": [], "relatedThreatActors": [], "relatedHashes": {}, "relatedCampaigns": [], "dnsRecords": [], "subdomains": []}}}
```

### Takedown Request

Initiate a takedown request for an alert using the specified alert ID in Rapid7 Insight Threat Command.

Endpoint URL: `/public/v1/data/alerts/takedown-request/{{alert_id}}`

Method: `PATCH`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.alert_id | string | Required | Parameters for the Takedown Request action |
| target | string | Optional | Parameter for Takedown Request |
| shouldCloseAlertAfterSuccess | boolean | Optional | Whether the operation was successful |

Input example:

```json
{"json_body": {"target": "Website", "shouldCloseAlertAfterSuccess": true}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {}}
```

### Unassign Alert

Releases the assignment of a specified alert in Rapid7 Insight Threat Command using the alert's unique ID.

Endpoint URL: `/public/v1/data/alerts/unassign-alert/{{id}}`

Method: `PATCH`

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Unassign Alert action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

Output example:

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {}}
```

## Response headers

| Header | Description | Example |
|---|---|---|
| Access-Control-Expose-Headers | HTTP response header Access-Control-Expose-Headers | WWW-Authenticate,Server-Authorization |
| Alt-Svc | HTTP response header Alt-Svc | h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 |
| Cache-Control | Directives for caching mechanisms | no-store, no-cache, must-revalidate, proxy-revalidate |
| CF-Cache-Status | HTTP response header CF-Cache-Status | DYNAMIC |
| CF-RAY | HTTP response header CF-RAY | 793c59d46a9500d7-GRU |
| Connection | HTTP response header Connection | keep-alive |
| Content-Disposition | HTTP response header Content-Disposition | filename="www.google.com.jpeg" |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 14 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' data: fonts.gstatic.com hotjar.com hotjar.io;img-src 'self' data: blob: http://www.google-analytics.com pendo.io hotjar.com hotjar.io pendo-static-6269273820233728.storage.googleapis.com pendo-eu-static-6269273820233728.storage.googleapis.com res.cloudinary.com;object-src 'none';script-src 'self' 'unsafe-eval' 'sha256-+ghdaarohaf9ypkombr7fz6z0f3uo2olnn/jrgpn1xc=' 'sha256-lkxiq5tgr1gqv3bzy/pzul0jofmgwvedezwozo9pqu0=' 'sha256-7fi6evdhesl/8ls4hh5dfslizjmho99ejdfcpr7ivvu=' 'sha256-lmputditnwpmywmvawvlzccd11w34blwbebvhhp8xo0=' 'sha256-d6uhp5hse2iyixquei4d/nrjdj/p9fzfcu8mcimc7vk=' 'sha256-9tti1c5jn4zruq7dbgweqln2xmlyqyf1jshjccbubzi=' 'sha256-3/vkuilpehxv7lhltcv73w5pw3gi3fb1a4+fdwlb1si=' 'sha256-y/mg5zcrm9ejueoi9nwz0ad809+q9erxkhh8/s2ukeu=' 'sha256-0dadbyrbdiuetjxobwknkhbf5zdb0ojin52kbeagxom=' http://www.recaptcha.net http://www.gstatic.com http://www.gstatic.cn http://www.google-analytics.com pendo.io pendo-io-static.storage.googleapis.com pendo-eu-static.storage.googleapis.com pendo-static-6269273820233728.storage.googleapis.com pendo-eu-static-6269273820233728.storage.googleapis.com hotjar.com hotjar.io;style-src 'self' 'unsafe-inline' fonts.googleapis.com pendo.io pendo-static-6269273820233728.storage.googleapis.com pendo-eu-static-6269273820233728.storage.googleapis.com https://cdn.rawgit.com/google/code-prettify/master/loader/prettify.css https://cdn.jsdelivr.net/gh/google/code-prettify@master/loader/prettify.css https://cdn.jsdelivr.net/npm/@mdi/font@latest/css/materialdesignicons.min.css;frame-src 'self' pendo.io hotjar.com hotjar.io http://www.recaptcha.net;frame-ancestors 'self' pendo.io;child-src 'self' pendo.io;connect-src 'self' blob: r7ops.com rapid7.com docs.google.com stats.g.doubleclick.net sentry.io hotjar.com hotjar.io wss://hotjar.com fonts.gstatic.com hotjar.com hotjar.io http://www.google-analytics.com pendo.io pendo-static-6269273820233728.storage.googleapis.com pendo-eu-static-6269273820233728.storage.googleapis.com res.cloudinary.com http://www.recaptcha.net http://www.gstatic.com http://www.gstatic.cn pendo-io-static.storage.googleapis.com pendo-eu-static.storage.googleapis.com fonts.googleapis.com https://cdn.rawgit.com/google/code-prettify/master/loader/prettify.css https://cdn.jsdelivr.net/gh/google/code-prettify@master/loader/prettify.css https://cdn.jsdelivr.net/npm/@mdi/font@latest/css/materialdesignicons.min.css |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Mon, 27 Mar 2023 21:50:27 GMT |
| ETag | An identifier for a specific version of a resource | W/"37-iyltfxri3i6creirp3vv2mzcv5s" |
| Expect-CT | HTTP response header Expect-CT | max-age=0 |
| Expires | The date/time after which the response is considered stale | 0 |
| local-address | HTTP response header local-address | 190.195.70.130 |
| pjsc-backend-id | HTTP response header pjsc-backend-id | 1 727r |
| pjsc-billing-bytes | HTTP response header pjsc-billing-bytes | 252,335 |
| pjsc-billing-credit-cost | HTTP response header pjsc-billing-credit-cost | 0.000131835 |
| pjsc-billing-daily-subscription-credits-remaining | HTTP response header pjsc-billing-daily-subscription-credits-remaining | 0.047495298 |
| pjsc-billing-elapsedms | HTTP response header pjsc-billing-elapsedms | 1754 |
| pjsc-billing-prepaid-credits-remaining | HTTP response header pjsc-billing-prepaid-credits-remaining | 0.001 |
| pjsc-billing-proxy-ingress-bytes | HTTP response header pjsc-billing-proxy-ingress-bytes | 0 |
| pjsc-billing-proxy-ingress-cost | HTTP response header pjsc-billing-proxy-ingress-cost | 0 |
| pjsc-billing-total-credits-remaining | HTTP response header pjsc-billing-total-credits-remaining | 0.048495298 |
| pjsc-content-done-detail | HTTP response header pjsc-content-done-detail | {"reason": "match doneWhen {\"event\": \"domReady\"}", "statusCode": 200} |
| pjsc-content-event-phase | HTTP response header pjsc-content-event-phase | "load" |
| pjsc-content-name | HTTP response header pjsc-content-name | www.google.com.jpeg |
| pjsc-content-page-exec-last-waited-on | HTTP response header pjsc-content-page-exec-last-waited-on | waitInterval(1000) not yet met. still need to wait 43 |
| pjsc-content-resource-aborted | HTTP response header pjsc-content-resource-aborted | 0 |
| pjsc-content-resource-active | HTTP response header pjsc-content-resource-active | 0 |
| pjsc-content-resource-complete | HTTP response header pjsc-content-resource-complete | 13 |
| pjsc-content-resource-failed | HTTP response header pjsc-content-resource-failed | 0 |
| pjsc-content-resource-late | HTTP response header pjsc-content-resource-late | 0 |
| pjsc-content-status-code | HTTP response header pjsc-content-status-code | 200 |
| pjsc-content-url | HTTP response header pjsc-content-url | http://www.google.com/ |
| Pragma | HTTP response header Pragma | no-cache |
| Referrer-Policy | HTTP response header Referrer-Policy | same-origin |
| Server | Information about the software used by the origin server | cloudflare |
| Set-Cookie | HTTP response header Set-Cookie | env=production-apiexternal; Path=/; SameSite=Lax, dash-version=6.61.1; Path=/; SameSite=Lax |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15724800; includeSubDomains |
| Surrogate-Control | HTTP response header Surrogate-Control | no-store |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin,Accept-Encoding |
| Via | HTTP response header Via | 1.1 google |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-DNS-Prefetch-Control | HTTP response header X-DNS-Prefetch-Control | off |
| X-Download-Options | HTTP response header X-Download-Options | noopen |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | HTTP response header X-Permitted-Cross-Domain-Policies | none |
| X-Request-Account-Name | HTTP response header X-Request-Account-Name | swimlane-nfr |
| X-Request-Route-Param | HTTP response header X-Request-Route-Param | 621530e534928c87fd0a0469 |
| X-Request-Route-Path | HTTP response header X-Request-Route-Path | /public/v1/data/alerts/get-complete-alert |
| X-Username | HTTP response header X-Username | swimlane-nfr |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 0 |
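The configuration section above says the API key is base64-encoded together with the username automatically, the Get Alerts action takes its time windows as epoch milliseconds, and Request IOC Enrichment answers with a top-level status that is "Done" on success and "Failed" for an unsupported IOC type. The Python below is an added example, not the Swimlane connector's or Rapid7's own code, that wires those three points together against an in-memory transport so it runs offline: the base URL, `fake_transport`, and every response body are constructed stand-ins, and treating any enrichment status other than Done/Failed as "pending" is an assumption. It also percent-encodes path parameters, because alert IDs and IOC values are data from the platform and should never be able to change which endpoint a request reaches.

```python
"""Offline helpers for the Rapid7 Insight Threat Command endpoints documented above.

Added example (not the Swimlane connector's code). Assumes the endpoint paths,
methods and camelCase field names shown on this page. The base URL, the transport
function and the response bodies are constructed stand-ins.
"""
import base64
from datetime import datetime, timezone
from urllib.parse import quote

BASE_URL = "https://threat-command.example.invalid"  # placeholder for the configured URL


def basic_auth_header(account_id: str, api_key: str) -> str:
    """Authorization header from Account ID + RAW API key.

    The key must not be supplied pre-encoded: base64 is applied exactly once, here,
    over "account_id:api_key". RFC 7617 forbids ':' inside the user-id part."""
    if ":" in account_id:
        raise ValueError("account id must not contain ':'")
    token = base64.b64encode(f"{account_id}:{api_key}".encode()).decode("ascii")
    return f"Basic {token}"


def epoch_ms(moment: datetime) -> int:
    """foundDateFrom/foundDateTo/sourceDateFrom/sourceDateTo are epoch milliseconds."""
    if moment.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid local-time drift")
    return int(moment.timestamp() * 1000)


def alerts_list_params(found_from: datetime, found_to: datetime, **filters) -> dict:
    """Assemble the Get Alerts query; empty/None filters are dropped, lists pass through."""
    start, end = epoch_ms(found_from), epoch_ms(found_to)
    if start > end:
        raise ValueError("foundDateFrom is after foundDateTo")
    params = {"foundDateFrom": start, "foundDateTo": end}
    params.update({k: v for k, v in filters.items() if v not in (None, [], "")})
    return params


def enrichment_outcome(body: dict) -> tuple:
    """Classify a Request IOC Enrichment body by its top-level status.

    The page documents Done and Failed (unsupported IOC type). Anything else is
    treated as still pending (assumption) so callers poll rather than parse data."""
    status = str(body.get("status", "")).lower()
    if status == "done":
        return ("done", body.get("data", {}))
    if status == "failed":
        return ("failed", None)
    return ("pending", None)


class ThreatCommandClient:
    """Formats requests only; `transport(method, url, headers, params, body, verify, proxy)` does I/O."""

    def __init__(self, base_url, account_id, api_key, transport, verify_ssl=True, proxy=None):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": basic_auth_header(account_id, api_key),
                        "Accept": "application/json"}
        self.transport, self.verify_ssl, self.proxy = transport, verify_ssl, proxy

    def _call(self, method, path, params=None, body=None):
        return self.transport(method, self.base_url + path, self.headers, params, body,
                              self.verify_ssl, self.proxy)

    @staticmethod
    def _seg(value: str) -> str:
        # Path parameters come from alert/IOC data; encode everything including '/'
        # so a value like "x/../y" stays one segment instead of rewriting the path.
        return quote(value, safe="")

    def get_alert(self, alert_id):
        return self._call("GET", f"/public/v1/data/alerts/get-complete-alert/{self._seg(alert_id)}")

    def close_alert(self, alert_id, reason, free_text="", is_hidden=False, rate=None):
        body = {"reason": reason, "freeText": free_text, "isHidden": is_hidden}
        if rate is not None:
            body["rate"] = rate
        return self._call("PATCH", f"/public/v1/data/alerts/close-alert/{self._seg(alert_id)}", body=body)

    def list_alerts(self, params):
        return self._call("GET", "/public/v1/data/alerts/alerts-list", params=params)

    def enrich_ioc(self, ioc_value):
        return self._call("GET", f"/public/v1/iocs/enrich/{self._seg(ioc_value)}")


CALLS = []  # every request the fake transport saw, in order


def fake_transport(method, url, headers, params, body, verify_ssl, proxy):
    """Constructed stand-in for HTTP; returns (status, body) shaped like the page's examples."""
    CALLS.append({"method": method, "url": url, "params": params, "body": body})
    if "/iocs/enrich/" in url:
        value = url.rsplit("/", 1)[1]
        if "." not in value:  # constructed rule: no dot -> pretend it is an unsupported type
            return 200, {"originalValue": value, "status": "Failed"}
        return 200, {"originalValue": value, "status": "Done",
                     "data": {"value": value, "type": "Domains", "isKnownIoc": False}}
    if url.endswith("/alerts-list"):
        return 200, []  # constructed: nothing matched the window
    if method == "PATCH":
        return 200, {}
    return 200, {"_id": url.rsplit("/", 1)[1], "takedownStatus": "Requested"}


def demo() -> dict:
    """Run one enrichment, one failed enrichment, one alert query and one close; return results."""
    client = ThreatCommandClient(BASE_URL, "acct", "key", fake_transport)
    del CALLS[:]
    done_status, _ = enrichment_outcome(client.enrich_ioc("securitywap.com")[1])
    failed_status, _ = enrichment_outcome(client.enrich_ioc("not-an-ioc")[1])
    window = alerts_list_params(datetime(2021, 10, 1, tzinfo=timezone.utc),
                                datetime(2021, 10, 2, tzinfo=timezone.utc),
                                severity=["Low"], networkType=["DarkWeb"], assigned=None)
    client.list_alerts(window)
    client.close_alert("12345678-1234-1234-1234-123456789abc", "FalsePositive", "dup", rate=5)
    return {"enrich": done_status, "failed": failed_status, "window": window, "calls": list(CALLS)}


if __name__ == "__main__":
    print(demo())
```

To use this against the real service, replace `fake_transport` with a function that performs the HTTP call (passing `verify_ssl` and `proxy` through to the HTTP library) and keep the rest unchanged; the header builder and the path encoding are the parts that matter regardless of transport.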