Automated Incident Response with Rapid7 and Smart SOAR – Source: securityboulevard.com

Integration between platforms has become a necessity rather than a nice-to-have. Smart SOAR offers a single platform to act as the connective tissue between siloed point solutions that do not natively integrate with each other. Specifically, the collaboration between Smart SOAR and Rapid7 presents a significant advancement in automating security workloads. Smart SOAR offers three out-of-the-box integrations with key Rapid7 solutions:

• InsightIDR
• InsightVM
• InsightVM Cloud

In this article, we will explore the specifics of these integrations and examine the operational advantages gained through the seamless interaction between Smart SOAR and Rapid7.

Rapid7 InsightIDR

This integration with Rapid7’s SIEM and XDR tool lets Smart SOAR users consolidate security alerts into a single platform, and keep the different alert queues in sync with bi-directional API calls.

To set up a connection, users input their Server URL and API Key:

Then, the list of five integration commands are available to use. These commands are:

1. Fetch Event
2. Fetch Incident
3. List Investigation
4. Set Investigation Status, and
5. Close Investigation

The Fetch Event and Fetch Incident commands are used to ingest new alerts into Smart SOAR. Fetch commands run on a scheduled cadence, and send GET requests to Rapid7. New alerts found are stored as events or incidents inside of Smart SOAR. To learn more about the difference between the two, read this article on Smart SOAR’s two-tiered automation.

Rapid7 InsightVM

Smart SOAR supports both the on-premise and cloud variations of Rapid7’s vulnerability management solution, InsightVM. The connection parameters for InsightVM are Server URL, Username, Password, and API Version:

For InsightVM Cloud, the connection parameters are Server URL, API Key, and API Version:

Workflows using the InsightVM integration commands can assist with scheduled vulnerability monitoring and targeted asset vulnerability analysis.

Workflow 1: Scheduled Vulnerability Monitoring

This workflow is designed for organizations that are setting up their vulnerability management process or adding a new range of assets. It starts by listing available sites and scanning engines. Then, it initiates a site scan and monitors its status. Finally, a comprehensive scan report is generated and downloaded for analysis. Using Smart SOAR’s scheduled playbooks, this workflow can be run on a timed cadence, saving the need to reinstate this project throughout the year. This workflow provides a solid foundation for ongoing vulnerability management.

Workflow 2: Targeted Asset Vulnerability Analysis

When an asset is involved in a security alert, a comprehensive vulnerability analysis can be run on it using the InsightVM integration. In this workflow, asset IDs are assumed to be included in the original alert. Those IDs are used as inputs to create a new site with targeted assets. Then a scan is initiated on that site and, when it’s done, asset vulnerabilities are collected for review during the investigation.

Takeaway

The integration between Smart SOAR and Rapid7 lets users automate scheduled vulnerability assessments and enrich security alerts with vulnerability data on affected assets. Typically these tasks would take hours of time throughout the year, however, much of the manual work can be automated completely. This removes possibility for errors when handling data and standardizes operating procedures.

The post Automated Incident Response with Rapid7 and Smart SOAR appeared first on D3 Security.

*** This is a Security Bloggers Network syndicated blog from D3 Security authored by Pierre Noujeim. Read the original post at: https://d3security.com/blog/automated-incident-response-rapid7-smart-soar-integration/