Rapid7 InsightIDR V2 Connector
The Rapid7 InsightIDR V2 connector integrates with Swimlane Turbine to automate and orchestrate security operations tasks. It enables users to efficiently manage investigations, queries, alerts, and threat intelligence workflows through API interactions with the InsightIDR platform.

Prerequisites

To use this connector, ensure you have the following configured:

API key authentication
- URL: the base endpoint URL for the Rapid7 InsightIDR API.
- API key: a valid API key provided by Rapid7 to authenticate API requests.

Capabilities

The Rapid7 InsightIDR V2 connector supports the following actions:
- Assign User to Investigation
- Bulk Close Investigations
- Create a Saved Query
- Create Investigation
- Delete a Saved Query
- Get Investigation
- Get Product
- List Alerts by Investigation
- List Alerts Investigation
- List All Saved Queries
- List Investigations
- Retrieve Evidence for Alert
- Run Saved Query
- Search Investigations
- Set Disposition Investigation
- Set Priority Investigation
- Set Status Investigation
- Update Investigation

Asset Setup

To configure the connector's asset, locate the region for your account by logging into your InsightIDR instance. The region is embedded in the domain of your dashboard URL. For example, if your URL is https://us2.idr.insight.rapid7.com, then us2 is your region value.

Rapid7 InsightIDR V2 Asset

The configuration requires a URL and an API key. The URL we used was https://us.api.insight.rapid7.com.

Rapid7 InsightIDR V2 HTTP Asset

If you plan to use the HTTP connector to connect to Rapid7 InsightIDR, you need to create a new HTTP API Key Authentication asset and configure it to put the API key in the header with a key name of X-Api-Key, as shown in the screenshot.

Rapid7 InsightIDR V2 Preview

In the instance we were working with, the prospect had gotten Rapid7 to enable some new features that were not part of the standard API calls. As a result, we had to use the HTTP asset to connect to Rapid7. This also required us to add a key of Accept-version with a value of strong-force-preview to the custom header, as shown in the screenshot. You can also see the URL format that we used to access evidence for a specific alert in this example.

When this system was created we were using SOC Solution with the OCSF format, so aside from reformatting the payload to be OCSF compliant, there were not many modifications made to SOC Solution or the Case and Incident Management application. In the first screenshot below you can see where we added a couple of modified widgets to show the Rapid7 evidence on the Case and Incident Management tab. In the second screenshot you can see the extra "support" fields that we added to the Support tab to hold the Rapid7 evidence used by the widgets. Applets for both of these sections are attached.

Actions Setup

Some actions require a threat key. If you do not already have a threat to manage, follow Rapid7's instructions to create one. For actions with datetime fields, you may use any valid datetime format.

Notes

For more information, refer to the InsightIDR REST API documentation: https://docs.rapid7.com/insightidr/insightidr-rest-api/
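The asset setup above (region taken from the dashboard host, API key sent in the X-Api-Key header, and the Accept-version preview header added only when the preview features are needed) as an added Python example; this is not the connector's own code, and the evidence request path is a placeholder because the page only shows it in a screenshot.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Header names and preview value as described in the asset setup sections.
API_KEY_HEADER = "X-Api-Key"
PREVIEW_HEADER = "Accept-version"
PREVIEW_VALUE = "strong-force-preview"


def region_from_dashboard_url(dashboard_url: str) -> str:
    """Return the region label (e.g. 'us2') from an InsightIDR dashboard URL."""
    host = urlparse(dashboard_url).hostname or ""
    labels = host.split(".")
    # Expect <region>.idr.insight.rapid7.com; refuse anything else so a typo
    # in the dashboard URL cannot silently point requests at a wrong host.
    if len(labels) < 4 or labels[-3:] != ["insight", "rapid7", "com"]:
        raise ValueError(f"not an InsightIDR dashboard host: {host!r}")
    return labels[0]


def api_base_url(region: str) -> str:
    """Regional API base, e.g. region 'us' -> https://us.api.insight.rapid7.com."""
    return f"https://{region}.api.insight.rapid7.com"


def build_headers(api_key: str, preview: bool = False) -> dict:
    """Headers for an InsightIDR call; the preview header is only added on request."""
    if not api_key:
        raise ValueError("an InsightIDR API key is required")
    headers = {API_KEY_HEADER: api_key, "Accept": "application/json"}
    if preview:
        headers[PREVIEW_HEADER] = PREVIEW_VALUE
    return headers


def get_json(region: str, path: str, api_key: str, preview: bool = False,
             timeout: int = 30):
    """GET a JSON resource under the regional API base; `path` is caller-supplied."""
    req = urllib.request.Request(api_base_url(region) + path,
                                 headers=build_headers(api_key, preview))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: substitute your own dashboard URL, API key and the evidence
    # path shown for your instance (not known from this page).
    region = region_from_dashboard_url("https://us2.idr.insight.rapid7.com/op/")
    print(get_json(region, "/<EVIDENCE_PATH_FOR_ALERT>", "<YOUR_API_KEY>", preview=True))
```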