Rapid7 InsightConnect SOAR Playbook Integration
Support Statement
This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.
Overview
Customers using Rapid7 InsightConnect can leverage SOAR customer playbooks that can be launched from InsightIDR investigations or directly from InsightConnect.
Limitations
HTTPS with unsigned certificates is the default configuration, and certificate checking has been disabled in this sample code.
Solution Overview
Superna Defender Zero Trust API is the cornerstone technology used to integrate with SOAR and XDR platforms. Automation begins with data that summarizes the threat and places that information into a security tool to be acted on by SecOps teams running playbooks to protect corporate IT assets from vulnerabilities and insider or external attackers. InsightConnect integrates with InsightIDR and leverages Superna playbooks to automate data protection tasks within the context of the InsightIDR SOAR platform.
What Is Rapid7 InsightConnect?
A cloud-based SOAR built for security teams that need a solution to quickly detect and respond to threats in today's ever-evolving hybrid and multi-cloud IT environments.
Integration Architecture
Playbooks created inside InsightConnect can offer the following functionality:
- Create critical data snapshots from any investigation to protect data proactively
Solution Configuration in Rapid7 InsightConnect and Defender Zero Trust
Prerequisites
- Installed Superna Security Edition
- Eyeglass OS appliance version 15.5 — verify with cat /etc/os-release
- InsightConnect with an Orchestrator VM deployed on-premises
- InsightIDR Zero Trust Alert integration — mandatory
- License key for the Zero Trust API, or a Subscription license type
Create Workflows in Rapid7 InsightConnect
Configure an HTTP Connection and Add the HTTP Plugin
- Click the Settings menu, then click Plugins.
- Click Import Plugin, filter on http, then click Install.
- Click the Configure button under the three-dot menu on the HTTP plugin.
- Click Create New Connection and configure as follows:
  - Select On Your Orchestrator
  - Assign your on-premises Orchestrator
  - Name the connection exactly: Superna ZT Api
  Note: The workflow import expects the connection to be created with this exact name.
- Create credentials using the name supernaapikey. The secret key is the API token created on the Eyeglass REST API token tab:
  - Log in to Eyeglass → Main Menu → Eyeglass REST API → Create Token button → copy the token value into the secret key field when creating the named credential
  - Under the Secret section, enter supernaapikey
  - Under Secret Key, enter the API token from the Eyeglass console, then click Save
- In the Base URL section, configure as follows:
  - Enter the address of your Eyeglass VM with the following URL path (replace x.x.x.x with a DNS name that resolves on the Orchestrator VM or with the IP address of the Eyeglass VM): https://x.x.x.x/sera/v2/ransomware/criticalpaths
  - Change Authentication Type to custom and paste the following JSON in the default headers field: {"api_key":"CUSTOM_SECRET_INPUT"}. This stores the API token securely and substitutes it for CUSTOM_SECRET_INPUT when the API is called.
  - Set SSL Verify to false unless you plan to use signed certificates.
  Note: HTTPS requires trusted certificates to be installed on Eyeglass; otherwise set SSL Verify to false to allow self-signed certificates.
- Save and test the connection.
  Warning: A successful API call test creates a critical data snapshot job. Verify this from the Eyeglass VM GUI → Jobs icon → Running Jobs tab.
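The following script is an added example, not code from Superna or Rapid7, that reproduces what the HTTP connection configured above does when the workflow runs: it renders the default-headers template by substituting the stored token for CUSTOM_SECRET_INPUT, builds the Base URL from the Eyeglass address, and sends the request with TLS verification either disabled (the SSL Verify = false setting for self-signed certificates) or pinned to a CA bundle you supply. The HTTP method (POST with an empty body), the EYEGLASS_HOST and EYEGLASS_API_TOKEN environment variables, and the ca_bundle option are assumptions; the page does not state them.

```python
"""Added example: mimic the InsightConnect HTTP connection to the
Superna Zero Trust critical-paths endpoint. Assumptions (not stated on
the page): POST with an empty body, token supplied via the
EYEGLASS_API_TOKEN environment variable, optional CA bundle for TLS."""
import os
import ssl
import urllib.request

# Header template exactly as pasted into the plugin's default headers field.
HEADER_TEMPLATE = {"api_key": "CUSTOM_SECRET_INPUT"}
SECRET_PLACEHOLDER = "CUSTOM_SECRET_INPUT"
API_PATH = "/sera/v2/ransomware/criticalpaths"


def render_headers(template, secret):
    """Substitute the secret for every CUSTOM_SECRET_INPUT placeholder, as the
    plugin's custom authentication does. A template without the placeholder
    would send a literal string instead of the token, so fail early."""
    if not any(SECRET_PLACEHOLDER in v for v in template.values()):
        raise ValueError("header template has no CUSTOM_SECRET_INPUT placeholder")
    return {k: v.replace(SECRET_PLACEHOLDER, secret) for k, v in template.items()}


def build_base_url(eyeglass_host):
    """Base URL from the Eyeglass DNS name or IP (the x.x.x.x value)."""
    return f"https://{eyeglass_host}{API_PATH}"


def ssl_context(verify, ca_bundle=None):
    """verify=False matches the plugin's SSL Verify = false (self-signed
    certificates accepted, no hostname check). With verify=True an optional
    CA bundle trusts the certificate installed on Eyeglass without turning
    verification off."""
    if not verify:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=ca_bundle)


def build_request(eyeglass_host, token):
    """Assemble the request; POST is an assumption, the page gives no method."""
    url = build_base_url(eyeglass_host)
    headers = render_headers(HEADER_TEMPLATE, token)
    return urllib.request.Request(url, data=b"", headers=headers, method="POST")


def redact(headers):
    """Copy of the headers that is safe to log: the token never reaches logs."""
    return {k: ("<redacted>" if k.lower() == "api_key" else v) for k, v in headers.items()}


def create_critical_snapshot(eyeglass_host, token, verify=False, ca_bundle=None, timeout=30):
    """Send the call. A successful call starts a critical data snapshot job on
    Eyeglass, so invoke it only as the playbook step intends."""
    req = build_request(eyeglass_host, token)
    with urllib.request.urlopen(req, timeout=timeout, context=ssl_context(verify, ca_bundle)) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    host = os.environ.get("EYEGLASS_HOST", "x.x.x.x")
    token = os.environ.get("EYEGLASS_API_TOKEN")
    req = build_request(host, token or "constructed-placeholder-token")
    print("Request:", req.get_method(), req.full_url, redact(dict(req.header_items())))
    if token:
        status, body = create_critical_snapshot(host, token, verify=False)
        print("Status:", status)
        print(body[:300])
    else:
        print("EYEGLASS_API_TOKEN not set; dry run only, nothing sent.")
```

Run it with EYEGLASS_HOST and EYEGLASS_API_TOKEN exported to perform the same call the connection test does; without the token it only prints the redacted request so you can confirm the URL and header rendering before a real snapshot job is triggered.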
Import the Superna Rapid7 Workflow
Ensure log entries have been tested and are visible in the log search before starting this configuration. You must have followed the steps above to create the API connection and stored credentials containing the API token for Eyeglass.
- Log in to the InsightConnect console.
- Click Workflows.
- Click Add Workflow.
- Download the Snapshot Workflow file.
- Click Import from File.
- Once the import is complete, activate the workflow.
SecOps User Experience Using Workflow Within InsightIDR
After the integration is complete, you can extract key information from Superna Zero Trust alerts and workflows directly within InsightIDR investigations. The workflow is launched from an investigation, automatically calls the Superna Zero Trust API to create a critical data snapshot, and returns the result in the InsightIDR investigation view.
Use Cases for These Workflows
- Snapshot Workflow — Run this workflow for any incident where data security is at risk and an immutable snapshot is needed to protect critical data. The snapshot can be used to recover data, and Cyber Storage analytics from Security Edition can detect malicious data activity and log file access to root-cause what data was affected by a security incident.