Eyeglass Solutions Publication

Rapid7 InsightConnect SOAR Playbook Integration

Overview

Customers using Rapid7 InsightConnect can use the Superna SOAR playbooks (workflows), which can be launched from InsightIDR investigations or directly from InsightConnect.


Support Statement

  1. NOTE: This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort, without any SLA on response time. No 3rd party product support can be provided by Superna directly; 3rd party components require their own support contracts.

Limitations

  1. HTTPS with self-signed (untrusted) certificates is the default Eyeglass configuration, and certificate checking has been disabled in this sample workflow.

Solution Overview

The Superna Defender Zero Trust API is the cornerstone technology used to integrate with SOAR and XDR platforms. Automation begins with data that summarizes the threat; that information is placed into security tools so that SecOps can act on it and run playbooks that protect corporate IT assets from vulnerabilities and from insider or external attackers. Before InsightConnect can act on the data, the data must be parsed. The InsightConnect platform integrates with InsightIDR and uses Superna playbooks to automate data protection tasks within the context of the InsightIDR SOAR platform.


What is Rapid7 InsightConnect?

A cloud-based SOAR built for security teams in need of a solution that can quickly detect and respond to threats in today's ever-evolving hybrid and multi-cloud IT environments.


Integration Architecture

Playbooks created inside InsightConnect offer the following functionality:

  1. Create critical data snapshots from any Investigation to protect data proactively.


Solution Configuration in Rapid7 InsightConnect and Defender Zero Trust

Prerequisites

  1. Installed Superna Security Edition
  2. Eyeglass OS appliance version 15.5
    1. cat /etc/os-release
  3. InsightConnect with Orchestrator VM deployed on premise
  4. InsightIDR Zero Trust Alert integration is mandatory.
  5. License key for the Zero Trust API or a Subscription license type


Configuration in Rapid7 InsightConnect

  1. Login to the console and install a
    1. Select Add Raw
    2. Check the box for RFC 3164
    3. Done


How to Create Workflows in Rapid7 InsightConnect

Overview

The steps below import a Workflow directly into InsightConnect. The first step is to add the HTTP REST API plugin in InsightConnect and create the HTTP API connection.

How to Configure an HTTP Connection and Add the HTTP Plugin

  1. Click on the Settings menu and then Plugins.

  2. Click Import Plugin, filter on "http" and then click Install.
    1. Click the Configure button under the 3 dots.

    2. Click Create New Connection as follows:
      1. Select On Your Orchestrator.

      2. Assign your on-premise Orchestrator and name the connection exactly as shown below. The import function expects the credential to have been created with this exact name.
        1. Name of credential: Superna ZT Api
      3. Create credentials using the name supernaapikey; the secret key will be the API token created from the Eyeglass REST API token tab.
        1. Login to Eyeglass --> Main Menu --> Eyeglass REST API --> Create Token button --> copy the token value into the secret key field when creating the named credential.
      4. Under the Secret section enter supernaapikey.
      5. Under secret key enter the API token created in the Eyeglass console in the steps above. Click Save.
      6. In the Base URL section fill in the fields as follows.
        1. Enter the URL below, replacing x.x.x.x with a DNS name that resolves on the Orchestrator VM or with the IP address of the Eyeglass VM.
        2. https://x.x.x.x/sera/v2/ransomware/criticalpaths
        3. Change Authentication Type to Custom and paste the following JSON text in the Default Headers field: {"api_key":"CUSTOM_SECRET_INPUT"}
        4. This allows the API token to be stored securely; the stored secret is substituted for CUSTOM_SECRET_INPUT when the API is called.
        5. Set SSL Verify to false unless you plan to use signed certificates.
        6. NOTE: HTTPS requires that trusted certificates are installed on Eyeglass; otherwise set SSL Verify to false to allow self-signed certificates.
      7. You can save and test the connection. NOTE: a successful API call test will create a critical data snapshot job. You can verify this from the Eyeglass VM GUI --> Jobs icon --> Running Jobs tab.
  3. Done.
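As an added example (not Superna's or Rapid7's code), the following Python reproduces what the connection settings above amount to: the api_key header with the stored secret substituted for CUSTOM_SECRET_INPUT at call time, and what setting SSL Verify to false actually does to the TLS check. The POST method with an empty body, and the optional CA-bundle path for a private CA, are assumptions not stated on the page.

```python
"""Model of the InsightConnect HTTP plugin connection to the Eyeglass
Zero Trust API: base URL, default-headers template with a secret
placeholder, and an SSL-verify switch.  Added example, not vendor code."""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

PLACEHOLDER = "CUSTOM_SECRET_INPUT"                     # literal from the plugin config
HEADER_TEMPLATE = '{"api_key":"CUSTOM_SECRET_INPUT"}'   # Default Headers field value
EYEGLASS_URL = "https://x.x.x.x/sera/v2/ransomware/criticalpaths"  # x.x.x.x as on the page


def build_headers(template, secret):
    """Substitute the stored secret into the default-headers JSON, as the plugin does."""
    headers = json.loads(template)
    return {k: (secret if v == PLACEHOLDER else v) for k, v in headers.items()}


def connection_findings(base_url, verify_ssl):
    """Risk findings a reviewer would raise on the connection settings."""
    findings = []
    if urlparse(base_url).scheme != "https":
        findings.append("base URL is not https: api_key header would travel in cleartext")
    if not verify_ssl:
        findings.append("SSL Verify is false: the Orchestrator accepts any certificate "
                        "for the Eyeglass host, so an on-path host could read the api_key")
    return findings


def make_ssl_context(verify_ssl, ca_bundle=None):
    """verify_ssl=False is what the plugin's SSL Verify switch turns off.
    ca_bundle (assumed option) lets a private CA be trusted instead."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if not verify_ssl:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def trigger_critical_path_snapshot(base_url, secret, verify_ssl=True,
                                   ca_bundle=None, timeout=30):
    """Call the criticalpaths endpoint; a successful call starts a critical
    data snapshot job visible under Jobs in Eyeglass.  POST with an empty
    body is an assumption; returns the HTTP status code."""
    req = urllib.request.Request(base_url, data=b"", method="POST",
                                 headers=build_headers(HEADER_TEMPLATE, secret))
    with urllib.request.urlopen(req, timeout=timeout,
                                context=make_ssl_context(verify_ssl, ca_bundle)) as resp:
        return resp.status
```

If Eyeglass uses a certificate from an internal CA, passing that CA's bundle keeps verification on rather than disabling it.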


How to Import the Superna Rapid7 Workflow into InsightConnect SOAR

  1. NOTE: Ensure log entries have been tested and are visible in the log search before starting this configuration.
  2. NOTE: You must have followed the steps above to create the API connection and the stored credentials that hold the API token for Eyeglass.
  3. Login to the console.
  4. Click Workflows.
  5. Click Add Workflow.
  6. Download the Snapshot Workflow file here.
  7. Click Import from File.
  8. Once completed, activate the Workflow.


SecOPS User Experience using Workflow within InsightIDR

  1. The example shows how to extract key information from Superna Zero Trust alerts for use in workflows.


Use Cases for these workflows

  1. Snapshot Workflow
    1. You can run this playbook for any incident where data security is at risk and an immutable snapshot is needed to protect critical data. The snapshot can be used to recover data, and Cyber Storage analytics from Security Edition can detect malicious data activity and log file access. This is necessary to determine the root cause and which data was affected by a security incident.


© Superna Inc