Rapid7 InsightVM Integration
Customers who have Rapid7 installed in their environment require the ability to integrate it with LogRhythm NDR. This integration empowers LogRhythm NDR to investigate host/IP addresses associated with any security event. By automating the process of fetching vulnerability and asset information for a specific IP address/host through Rapid7 InsightVM, the need for manual and time-consuming look-ups is eliminated. Customers can leverage the combined power of LogRhythm NDR and Rapid7 for efficient and effective security analysis, providing an automated solution that enhances their ability to identify and respond to potential threats.
Feature Value
Integrating Rapid7 with LogRhythm NDR provides the following customer abilities and values:
| Feature | Value |
|---|---|
| Enhanced Vulnerability Management | Customers gain the ability to leverage Rapid7's vulnerability assessment capabilities within the LogRhythm platform. This integration provides a more comprehensive view of the organization's security posture by combining vulnerability data from Rapid7 with the other security information collected by LogRhythm NDR. |
| Centralized Security Management | LogRhythm NDR serves as a central hub for security operations. By adding Rapid7 credentials, customers can consolidate their vulnerability management efforts within the LogRhythm platform. This centralized approach streamlines the security management process, enabling more efficient monitoring, analysis, and response to vulnerabilities identified by Rapid7. |
| Improved Threat Detection and Response | The platform's ability to detect and respond to potential threats is enhanced. When the vulnerability data from Rapid7 is combined with other security event information, LogRhythm NDR can provide more accurate and comprehensive threat intelligence, enabling proactive threat hunting and faster incident response. |
| Time and Cost Efficiency | The need for manual data transfers or switching between different tools and interfaces is eliminated. This integration saves time and effort for security teams, allowing them to focus on analysis and remediation rather than managing multiple systems. It also helps optimize costs by leveraging existing investments in Rapid7 and LogRhythm technologies. |
Overall, this integration enhances vulnerability management, centralizes security operations, improves threat detection and response, and boosts time and cost efficiency. It provides customers with a more robust and efficient security solution.
Getting Started
Integrating Rapid7 with LogRhythm NDR
To add Rapid7 credentials in LogRhythm NDR, do the following:
- Log in to the LogRhythm NDR UI.
- Click the Settings tab.
- Click Vulnerability and then click Rapid7.
The Rapid7 page is displayed. Enter the Rapid7 credentials in the corresponding fields.
Field Description URL The URL link for Rapid7. Username The username for your Rapid7 account. Password The password for your Rapid7 account. To check if the credentials are correct, click the Test button.
If correct, a "Connection Success" message is displayed. If the credentials are not correct, a "Connection Failed" message appears indicating that the credentials should be verified and re-entered.Click the Update button to save the Rapid7 credentials.
Rapid7Investigator
Rapid7 Nexpose
Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, which includes discovery, detection, verification, risk classification, impact analysis, reporting, and mitigation. RAPID7 plays a very important and effective role in penetration testing and most penetrators use RAPID7.
Rapid7 includes six products, as follows:
- InsightIDR
- InsightConnect
- InsightVM
- InsightOps
- InsightAppSec
- Insight Cloud
Rapid7 InsightVM Features
The Rapid7 InsightVM tool has live vulnerability and endpoint analytics to remediate faster.
| Feature | Value |
|---|---|
| Lightweight Endpoint Agent | Automatically collects data from all endpoints. |
| Real Risk Prioritization | Backed up by threat feeds and business context, InsightVM lets the security manager prioritize vulnerabilities the way attackers do. |
| Cloud and Virtual Infrastructure Assessment | InsightVM integrates with cloud services and virtual infrastructure to make sure that your technology is configured securely and that you do not miss any new devices that are brought online. |
| Container Security | InsightVM integrates with your CI/CD tools, public container repositories, and private repositories to assess container images for vulnerabilities during the build process. |
| Live Dashboards | A snapshot of your risk at a particular time is unclickable and instantly out of date. InsightVM Live Dashboards are live and interactive. Custom cards and full dashboards can be created easily for anyone. |
| Attack Surface Monitoring with Project Sonar | InsightVM directly integrates with Project Sonar, a Rapid7 research project that regularly scans the public internet to gain insights into global exposure to common vulnerabilities. This establishes confidence that you have a pulse on all of your external assets, both known and unknown. |
| Policy Assessment | Once you have assessed your risk posture, you can take clear and actionable steps to compliance. To go a step further, Custom Policy Builder allows you to modify existing benchmarks or create new policies from scratch. |
Rapid7Investigator Service
The Rapid7Investigator service works by leveraging the Rapid7 InsightVM capabilities to assess the vulnerability of internal destination IP addresses associated with security events.
| Service | Description |
|---|---|
| Input Topics | The service receives input from Kafka topics, specifically KafkaTopicCaseUpdates and KafkaTopicIncidentUpdates. These topics contain relevant information about security cases and incidents. |
| IOAs (Indicators of Attack) Processing | The service processes the IOAs associated with the cases/incidents. It focuses on extracting the IP addresses related to these IOAs. |
| Internal IP Address Verification | For each IOA, the service verifies if the IP address is internal and if it belongs to the organization's internal network. This step helps filter out external IP addresses that do not require investigation. |
| Rapid7 Investigation | Once an internal IP address is identified, the service initiates an investigation using Rapid7 InsightVM. It performs a lookup in the Rapid7 database to gather comprehensive vulnerability and asset information specific to that IP address. |
| Vulnerability Analysis and Assessment | By retrieving the vulnerability and asset information, the service enables efficient vulnerability analysis. It assists in determining the security posture of the IP address, allowing organizations to proactively identify and address potential vulnerabilities. |
| Output Topic | The service generates output in the form of KafkaTopicIoas, where the processed IOAs with relevant information and vulnerability details are published. This topic can be consumed by downstream systems or utilized for further analysis and incident response. |
The Rapid7Investigator service must be used as part of the organization's security operations workflow. It enhances the investigation process by automating the assessment of internal IP addresses for vulnerabilities using Rapid7 InsightVM. It enables proactive vulnerability management by helping organizations identify and address potential risks efficiently. The service can also be integrated into security incident response platforms, SIEM systems, or other security management tools to streamline and enhance the investigation and response to security events.
Rapid7 InsightVM Rest APIs Used
Rest API | Method | Description |
|---|---|---|
/api/3/assets | GET | Returns all assets for which you have access. |
| /api/3/assets/{id}/vulnerabilities | GET | Retrieves all vulnerability findings on an asset. A finding may be invulnerable if all instances have exceptions applied. |
| /api/3/vulnerabilities/{id} | GET | Returns the details for a vulnerability. |
| /api/3/assets/{id}/services/{protocol}/{port}/vulnerabilities | GET | Retrieves the vulnerabilities present in a service running on an asset. A finding may be invulnerable if all instances on the service have exceptions applied. |
Functionality
Some of the major functionalities include the following:
- The Rapid7Investigator service enhances security operations by assessing the vulnerability of internal IP addresses associated with security events.
- It utilizes the Rapid7 InsightVM tool to perform comprehensive look-ups and retrieve vulnerability and asset information specific to the IP addresses.
- This functionality enables efficient vulnerability analysis and proactive identification of potential risks.
- This service processes IOAs from the input Kafka topics, verifies if IP addresses are internal, and generates output with vulnerability details and posts it to KafkaTopicIoas kafka topic.
- It should be integrated into existing security workflows to streamline investigations and improve incident response capabilities.
- This seamless integration enables real-time assessment of vulnerability status, empowering organizations to promptly identify and address potential security risks for internal IP addresses within their network infrastructure.
Rapid7 Button in Case/Incident Details page
The Rapid7 button on the Case/Incident details page provides a summarized display of the Rapid7 look-up information.