
Service description

The Rapid7 IntSights collector ingests threat indicators from the IntSights Threat Intelligence Platform (TIP) into Devo as lookup tables. This lets you use the indicators as a correlation source when analyzing security data from other systems in the Devo platform, both for reactive alerting and for proactive threat hunting.

IntSights (a Rapid7 company) is a security company specialized in endpoint security and threat detection. IntSights provides cloud-native external threat detection that extends Rapid7's security operations platform, giving customers end-to-end external and internal threat detection, automation, and remediation.

The information items that IntSights TIP provides are Indicators of Compromise (IoC). Using the API, the collector extracts the IoC from IntSights and stores them in Devo as lookup tables. IntSights provides five types of IoC: IP addresses, DNS domains, file hashes, URLs, and email addresses.

Data source description

| Data source | Lookup | Collector service | Remote endpoint | Description |
|---|---|---|---|---|
| IP address | IntSights_IP_Address_IoC_List | iocs_list_ips | https://api.intsights.com:443/public/v3/iocs?type[0]=IpAddresses | IoC related to IP addresses, stored using the IP as the primary key of the lookup |
| Domains | IntSights_Domain_IoC_List | iocs_list_domains | https://api.intsights.com:443/public/v3/iocs?type[0]=Domains | IoC related to domains, stored using the DNS domain as the primary key of the lookup |
| File hashes | IntSights_Hash_IoC_List | iocs_list_hashes | https://api.intsights.com:443/public/v3/iocs?type[0]=Hashes | IoC related to file hashes, stored using the hash value as the primary key of the lookup |
| URLs | IntSights_URL_IoC_List | iocs_list_urls | https://api.intsights.com:443/public/v3/iocs?type[0]=Urls | IoC related to URLs, stored using the URL as the primary key of the lookup |
| Email address | IntSights_Email_IoC_List | iocs_list_emails | https://api.intsights.com:443/public/v3/iocs?type[0]=Emails | IoC related to email addresses, stored using the email address as the primary key of the lookup |
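The following Python is an added example, not code from the Devo collector or from Rapid7. It builds the five remote endpoint URLs listed in the table, turns fetched IoC records into lookup tables keyed by the indicator value (the primary key each row describes), and correlates a few constructed log events against those lookups the way a Devo query would. The HTTP Basic authentication scheme used in fetch_iocs, the record field names value and severity, the event field names, and every sample indicator and event are assumptions made for this example; none of them come from the page.

```python
"""Added example: IntSights IoC endpoints, lookup construction and correlation.
Not the Devo collector's code. Sample data below is constructed."""
import base64
import json
import urllib.request

# Base endpoint shared by all five rows of the data source table.
IOCS_ENDPOINT = "https://api.intsights.com:443/public/v3/iocs"

# Collector service -> (IntSights type[0] value, Devo lookup name), from the table.
IOC_SOURCES = {
    "iocs_list_ips": ("IpAddresses", "IntSights_IP_Address_IoC_List"),
    "iocs_list_domains": ("Domains", "IntSights_Domain_IoC_List"),
    "iocs_list_hashes": ("Hashes", "IntSights_Hash_IoC_List"),
    "iocs_list_urls": ("Urls", "IntSights_URL_IoC_List"),
    "iocs_list_emails": ("Emails", "IntSights_Email_IoC_List"),
}

# Event field -> collector service whose lookup it should be matched against.
# These field names are an assumption for the example.
FIELD_TO_SERVICE = {
    "src_ip": "iocs_list_ips", "dst_ip": "iocs_list_ips",
    "domain": "iocs_list_domains", "sha256": "iocs_list_hashes",
    "url": "iocs_list_urls", "sender": "iocs_list_emails",
}


def ioc_endpoint(service):
    """Return the remote endpoint for one collector service, exactly as in the table."""
    ioc_type, _ = IOC_SOURCES[service]
    return f"{IOCS_ENDPOINT}?type[0]={ioc_type}"


def fetch_iocs(service, client_id, api_key, timeout=30):
    """Fetch raw IoC records for one service (network call; not used by the tests).
    Assumption, not stated on the page: the API accepts HTTP Basic auth with the
    Account ID (client_id) as user and the API key as password, and returns JSON."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    req = urllib.request.Request(
        ioc_endpoint(service),
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def normalize(service, value):
    """Canonical form of an indicator used as the lookup primary key.
    URLs keep their case (paths can be case-sensitive); everything else is lowercased."""
    value = value.strip()
    return value if service == "iocs_list_urls" else value.lower()


def build_lookups(iocs_by_service):
    """Turn {service: [records]} into {lookup_name: {indicator: metadata}}.
    Normalizing the key collapses duplicates that differ only by case or whitespace."""
    lookups = {}
    for service, records in iocs_by_service.items():
        _, lookup_name = IOC_SOURCES[service]
        table = lookups.setdefault(lookup_name, {})
        for rec in records:  # 'value' and 'severity' field names are assumed
            table[normalize(service, rec["value"])] = {"severity": rec.get("severity")}
    return lookups


def correlate(events, lookups):
    """Return one hit per event field whose normalized value is a lookup key."""
    hits = []
    for idx, event in enumerate(events):
        for field, raw in event.items():
            service = FIELD_TO_SERVICE.get(field)
            if service is None:
                continue
            lookup_name = IOC_SOURCES[service][1]
            key = normalize(service, raw)
            meta = lookups.get(lookup_name, {}).get(key)
            if meta is not None:
                hits.append({"event": idx, "field": field, "lookup": lookup_name,
                             "indicator": key, "severity": meta["severity"]})
    return hits


# Constructed sample IoC records (not real IntSights data); note the duplicate IP.
SAMPLE_IOCS = {
    "iocs_list_ips": [{"value": "198.51.100.23", "severity": "High"},
                      {"value": "198.51.100.23 ", "severity": "High"},
                      {"value": "203.0.113.9", "severity": "Medium"}],
    "iocs_list_domains": [{"value": "Malicious.Example.test", "severity": "High"}],
    "iocs_list_hashes": [{"value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
                          "severity": "Low"}],
    "iocs_list_urls": [{"value": "http://malicious.example.test/Payload.bin", "severity": "High"}],
    "iocs_list_emails": [{"value": "phisher@example.test", "severity": "Medium"}],
}

# Constructed sample events, one per matching rule plus a case-mismatched URL.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.23"},
    {"domain": "malicious.example.test", "src_ip": "10.0.0.7"},
    {"url": "http://malicious.example.test/payload.bin"},  # path case differs: no hit
    {"sender": "Phisher@Example.test"},
    {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS, build_lookups(SAMPLE_IOCS)):
        print(hit)
```

The normalization step is the part worth copying: a lookup whose primary key is the raw indicator string will silently miss a domain logged in mixed case or an IP with trailing whitespace, while a URL indicator should not be lowercased because the path component may be case-sensitive on the serving host.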

Vendor setup

In order to configure the connection to IntSights, you need to generate a client_id and an api_key. Here are the steps to generate the credentials:

| Action | Steps |
|---|---|
| Log in to the Rapid7 console (IntSights - Authentication) | 1. Log in to the Rapid7 IntSights console with your user credentials. |
| Generate API key | 1. Click the Settings wheel icon in the left menu. 2. Click the Subscription button. 3. Click Generate API Key. If a key already exists, you don't remember it, and it is not used anywhere else, you can revoke it and create a new one. 4. Copy the Account ID (the client_id parameter of the collector) and the API Key (the api_key parameter of the collector). |
| Check permissions | 1. Click the Settings wheel icon in the left menu. 2. Click the Users button to open the administration page. 3. Check that the permissions are correct. |

Run the collector

Once the data source is configured, you can either send us the required information so that we host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).