
Rapid7 IntSights collector

Service description

The Rapid7 IntSights collector ingests threat indicators from the IntSights Threat Intelligence Platform (TIP) and stores them as Devo lookup tables. The indicators can then be used as a correlation source when the Devo platform analyzes security data from other systems, both for reactive alerting and for proactive threat hunting.

IntSights (a Rapid7 company) is a security company specialized in external threat intelligence and threat detection. IntSights provides cloud-native external threat detection that extends Rapid7's security operations platform, giving customers end-to-end external and internal threat detection, automation, and remediation.

The information items that the IntSights TIP provides are Indicators of Compromise (IoC). Using the API, the collector extracts the IoC from IntSights and stores them in the Devo system as lookup tables. IntSights provides five IoC types: IP addresses, DNS domains, file hashes, URLs, and email addresses. Each type is stored in its own lookup, with the indicator value itself as the primary key.

Data source description

Data source | Lookup | Collector service | Remote endpoint | Description
IP address | IntSights_IP_Address_IoC_List | iocs_list_ips | https://api.intsights.com:443/public/v2/iocs?type[0]=IpAddresses | IoC related to IP addresses, stored using the IP as the primary key of the lookup
Domains | IntSights_Domain_IoC_List | iocs_list_domains | https://api.intsights.com:443/public/v2/iocs?type[0]=Domains | IoC related to domains, stored using the DNS domain as the primary key of the lookup
File hashes | IntSights_Hash_IoC_List | iocs_list_hashes | https://api.intsights.com:443/public/v2/iocs?type[0]=Hashes | IoC related to file hashes, stored using the hash value as the primary key of the lookup
URLs | IntSights_URL_IoC_List | iocs_list_urls | https://api.intsights.com:443/public/v2/iocs?type[0]=Urls | IoC related to URLs, stored using the URL as the primary key of the lookup
Email address | IntSights_Email_IoC_List | iocs_list_emails | https://api.intsights.com:443/public/v2/iocs?type[0]=Emails | IoC related to email addresses, stored using the email as the primary key of the lookup
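The following is an added example, not the Devo collector's or Rapid7's own code, showing what the table above describes end to end: how the per-type remote endpoint is derived, how a page of API results is turned into lookup rows keyed by the indicator value (the lookup primary key must be unique, so duplicate indicators coming from several sources have to be merged), and how log events are then correlated against those lookups. The API response shape (a "content" list of items with "value", "severity", "lastSeen" and "sources" fields), the severity levels, the log field names and all sample data are constructed assumptions for illustration; consult the IntSights API documentation for the real response schema.

```python
"""Added example (not Devo's or Rapid7's collector code): derive the IntSights
IoC endpoint per type, build lookup rows keyed by the indicator, and correlate
constructed log events against the lookups."""

BASE_URL = "https://api.intsights.com:443/public/v2/iocs"

# Type selector used by the API -> Devo lookup name (both from the table above).
IOC_TYPES = {
    "IpAddresses": "IntSights_IP_Address_IoC_List",
    "Domains": "IntSights_Domain_IoC_List",
    "Hashes": "IntSights_Hash_IoC_List",
    "Urls": "IntSights_URL_IoC_List",
    "Emails": "IntSights_Email_IoC_List",
}

# Assumed severity scale; used only to pick a winner when an indicator repeats.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def endpoint_for(ioc_type):
    """Return the remote endpoint for one IoC type, as listed in the table."""
    if ioc_type not in IOC_TYPES:
        raise ValueError(f"unknown IoC type: {ioc_type}")
    return f"{BASE_URL}?type[0]={ioc_type}"


def normalize_value(ioc_type, value):
    """Canonical form of the indicator used as the lookup primary key.
    Domains, emails and hashes are case-insensitive; IPs and URLs are kept
    as received (URL paths are case-sensitive)."""
    value = value.strip()
    if ioc_type in ("Domains", "Emails", "Hashes"):
        return value.lower()
    return value


def build_lookup(ioc_type, response):
    """Turn one API page (assumed shape: {"content": [items]}) into a dict of
    lookup rows keyed by the normalized indicator. When the same indicator
    appears more than once, sources are merged and the row with the highest
    severity (ties broken by the most recent lastSeen) supplies the rest."""
    rows = {}
    for item in response["content"]:
        key = normalize_value(ioc_type, item["value"])
        candidate = {
            "value": key,
            "severity": item.get("severity", "Low"),
            "last_seen": item.get("lastSeen", ""),
            "sources": sorted(set(item.get("sources", []))),
        }
        current = rows.get(key)
        if current is None:
            rows[key] = candidate
            continue
        current["sources"] = sorted(set(current["sources"]) | set(candidate["sources"]))
        rank = lambda r: (SEVERITY_RANK.get(r["severity"], 0), r["last_seen"])
        if rank(candidate) > rank(current):
            current["severity"] = candidate["severity"]
            current["last_seen"] = candidate["last_seen"]
    return rows


# Assumed log field -> IoC type mapping used when correlating events.
FIELD_TO_TYPE = {
    "src_ip": "IpAddresses", "dst_ip": "IpAddresses", "domain": "Domains",
    "sha256": "Hashes", "url": "Urls", "sender": "Emails",
}


def correlate(events, lookups):
    """Return (event_index, field, lookup_name, severity) for every event field
    whose normalized value is a key in the corresponding lookup."""
    hits = []
    for i, event in enumerate(events):
        for field, ioc_type in FIELD_TO_TYPE.items():
            if field not in event:
                continue
            key = normalize_value(ioc_type, event[field])
            row = lookups.get(ioc_type, {}).get(key)
            if row is not None:
                hits.append((i, field, IOC_TYPES[ioc_type], row["severity"]))
    return hits


# Constructed sample data: two API pages and three log events (not real IoC).
SAMPLE_RESPONSES = {
    "IpAddresses": {"content": [
        {"value": "203.0.113.7", "severity": "High", "lastSeen": "2023-01-10", "sources": ["Feed A"]},
        {"value": "203.0.113.7 ", "severity": "Medium", "lastSeen": "2023-02-01", "sources": ["Feed B"]},
        {"value": "198.51.100.4", "severity": "Low", "lastSeen": "2023-01-05", "sources": ["Feed A"]},
    ]},
    "Domains": {"content": [
        {"value": "Malicious.Example", "severity": "Medium", "lastSeen": "2023-01-12", "sources": ["Feed A"]},
    ]},
}
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7"},
    {"src_ip": "10.0.0.9", "domain": "MALICIOUS.example"},
    {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


def run_sample():
    lookups = {t: build_lookup(t, r) for t, r in SAMPLE_RESPONSES.items()}
    return lookups, correlate(SAMPLE_EVENTS, lookups)


if __name__ == "__main__":
    lookups, hits = run_sample()
    for t in SAMPLE_RESPONSES:
        print(endpoint_for(t), "->", IOC_TYPES[t], len(lookups[t]), "rows")
    for hit in hits:
        print("hit:", hit)
```

The merge step is the part that matters for a real deployment: if two feed entries for the same indicator are written to the lookup unmodified, the second either overwrites the first or is rejected as a duplicate key, and the source attribution of the first is lost.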

Vendor setup

In order to configure the connection to IntSights, you need to generate a client_id and an api_key. These values are generated using the IntSights Cyber Intelligence asset in Rapid7. Treat the api_key as a credential: store it in the collector's secret configuration rather than in plain-text files or version control, and rotate it from the IntSights side if it is ever exposed.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector on your own infrastructure using a Docker image (On-premise collector).