Smart SOAR Integration Spotlight: Rapid7

Automated Incident Response with Rapid7 and Smart SOAR

Integration between platforms has become a necessity rather than a nice-to-have. Smart SOAR offers a single platform to act as the connective tissue between siloed point solutions that do not natively integrate with each other. Specifically, the collaboration between Smart SOAR and Rapid7 presents a significant advancement in automating security workloads. Smart SOAR offers three out-of-the-box integrations with key Rapid7 solutions:

  • InsightIDR
  • InsightVM
  • InsightVM Cloud

In this article, we will explore the specifics of these integrations and examine the operational advantages gained through the seamless interaction between Smart SOAR and Rapid7.

Rapid7 InsightIDR

This integration with Rapid7’s SIEM and XDR tool lets Smart SOAR users consolidate security alerts into a single platform, and keep the different alert queues in sync with bi-directional API calls.

To set up a connection, users input their Server URL and API Key:

Rapid7 InsightIDR API Key and Server URL input fields in Smart SOAR

Five integration commands are then available to use. These commands are:

  1. Fetch Event
  2. Fetch Incident
  3. List Investigation
  4. Set Investigation Status
  5. Close Investigation

The Fetch Event and Fetch Incident commands are used to ingest new alerts into Smart SOAR. Fetch commands run on a scheduled cadence, and send GET requests to Rapid7. New alerts found are stored as events or incidents inside of Smart SOAR. To learn more about the difference between the two, read this article on Smart SOAR’s two-tiered automation.

Rapid7 InsightVM

Smart SOAR supports both the on-premises and cloud variations of Rapid7’s vulnerability management solution, InsightVM. The connection parameters for InsightVM are Server URL, Username, Password, and API Version:

On-premises InsightVM Server URL, Username, Password, and API Version fields in Smart SOAR


For InsightVM Cloud, the connection parameters are Server URL, API Key, and API Version:

InsightVM Cloud Server URL, API Key, and API Version fields in Smart SOAR

Workflows using the InsightVM integration commands can assist with scheduled vulnerability monitoring and targeted asset vulnerability analysis.

Workflow 1: Scheduled Vulnerability Monitoring

This workflow is designed for organizations that are setting up their vulnerability management process or adding a new range of assets. It starts by listing available sites and scanning engines. Then, it initiates a site scan and monitors its status. Finally, a comprehensive scan report is generated and downloaded for analysis. Using Smart SOAR’s scheduled playbooks, this workflow can be run on a timed cadence, which avoids having to re-establish the project throughout the year. This workflow provides a solid foundation for ongoing vulnerability management.

Workflow diagram illustrating the steps for Scheduled Vulnerability Monitoring using Smart SOAR and InsightVM

Workflow 2: Targeted Asset Vulnerability Analysis

When an asset is involved in a security alert, a comprehensive vulnerability analysis can be run on it using the InsightVM integration. In this workflow, asset IDs are assumed to be included in the original alert. Those IDs are used as inputs to create a new site with targeted assets. Then a scan is initiated on that site and, when it’s done, asset vulnerabilities are collected for review during the investigation.

Workflow diagram illustrating the steps for Targeted Asset Vulnerability Analysis using Smart SOAR and InsightVM
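The orchestration logic behind Workflow 2, as an added example that is not part of the original article and not D3 Security's or Rapid7's own code. Endpoint paths, request fields and status values assume the InsightVM REST API v3 (an assumption to check against Rapid7's API reference); the FakeInsightVM client and its vulnerability IDs are constructed so the block runs offline.

```python
import time

# Endpoint paths and field names below assume the InsightVM REST API v3 (assumption;
# check Rapid7's API reference for your version). `api` is any callable
# api(method, path, body=None) -> dict, so the same logic runs against a real HTTPS
# client or the constructed offline fake below.
def targeted_asset_analysis(api, alert_addresses, site_name, poll_interval=0.0, max_polls=60):
    """Create a site for the alerted assets, scan it, wait, and return vulnerable findings."""
    site = api("POST", "/api/3/sites", {
        "name": site_name,
        "scan": {"assets": {"includedTargets": {"addresses": list(alert_addresses)}}},
    })
    scan = api("POST", f"/api/3/sites/{site['id']}/scans")
    status = "unknown"
    for _ in range(max_polls):
        status = api("GET", f"/api/3/scans/{scan['id']}")["status"]
        if status == "finished":
            break
        if status in ("error", "stopped", "aborted"):  # terminal failure states
            raise RuntimeError(f"scan {scan['id']} ended with status {status}")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"scan {scan['id']} still '{status}' after {max_polls} polls")
    # Keep only findings InsightVM reports as confirmed vulnerable, grouped per asset
    findings = {}
    for asset in api("GET", f"/api/3/sites/{site['id']}/assets")["resources"]:
        vulns = api("GET", f"/api/3/assets/{asset['id']}/vulnerabilities")["resources"]
        findings[asset["ip"]] = sorted(v["id"] for v in vulns if v["status"] == "vulnerable")
    return findings

class FakeInsightVM:
    """Constructed offline stand-in for the API; the scan 'finishes' on the third poll."""
    def __init__(self):
        self.polls, self.addresses = 0, []

    def __call__(self, method, path, body=None):
        if (method, path) == ("POST", "/api/3/sites"):
            self.addresses = body["scan"]["assets"]["includedTargets"]["addresses"]
            return {"id": 7}
        if (method, path) == ("POST", "/api/3/sites/7/scans"):
            return {"id": 42}
        if path == "/api/3/scans/42":
            self.polls += 1
            return {"status": "finished" if self.polls >= 3 else "running"}
        if path == "/api/3/sites/7/assets":
            return {"resources": [{"id": i + 1, "ip": ip} for i, ip in enumerate(self.addresses)]}
        if path.endswith("/vulnerabilities"):  # constructed placeholder vulnerability IDs
            return {"resources": [{"id": "example-vuln-a", "status": "vulnerable"},
                                  {"id": "example-vuln-b", "status": "invulnerable"}]}
        raise KeyError(f"unexpected call {method} {path}")
```

The polling loop treats error, stopped and aborted as terminal and gives up after max_polls, so a stuck scan fails the playbook step loudly instead of leaving the investigation waiting.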

Takeaway

The integration between Smart SOAR and Rapid7 lets users automate scheduled vulnerability assessments and enrich security alerts with vulnerability data on affected assets. Typically these tasks would take hours throughout the year; however, much of the manual work can be automated completely. This removes the possibility of errors when handling data and standardizes operating procedures.
