
Rapid7 SIEM API

The API Guide for InsightVM and InsightIDR

Overview

The Insight Platform provides an API that allows you to easily integrate your security solutions with our Insight products. It consists of several independent REST APIs that share a single endpoint authentication mechanism and design so that you can interact with our Insight products.

Next-Gen SIEM for the Cloud-First Era

Scale and speed for hybrid environments. Embrace digital transformation, SaaS adoption, and agile development with elastic, cloud-native security information and event management (SIEM).

Security Information and Event Management (SIEM)

SIEM is a type of solution that detects security issues by centralizing, correlating, and analyzing data across an IT network. Core functionality of a SIEM includes log management and centralization, security event detection and reporting, and search capabilities.

API Endpoints

The API endpoint for the logs resource is:

```
https://{us|eu|ca|ap|au}.insight.rapid7.com/platform/api/v3/logs
```

Replace the region segment of the URL with the region that your InsightIDR account is in: "us", "eu", "ca", "ap", or "au". You'll need to add a header to the request in order to authenticate.
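As an added example (not code from this page or from Rapid7), a small Python helper that builds the regional logs URL, rejects any region outside the set listed above, attaches the key from an environment variable instead of a hard-coded literal, and masks the key before anything is written to a debug log. The X-Api-Key header name is an assumption of this example, since the page only says that an authentication header is required.

```python
import os
import urllib.request
from typing import Optional

# Regions accepted in the Insight Platform logs endpoint shown above.
INSIGHT_REGIONS = ("us", "eu", "ca", "ap", "au")
LOGS_PATH = "/platform/api/v3/logs"


def is_known_region(region: str) -> bool:
    """True only for a region in the documented set (case-insensitive)."""
    return region.strip().lower() in INSIGHT_REGIONS


def logs_endpoint(region: str) -> str:
    """Return the regional logs URL, refusing anything outside the known set."""
    if not is_known_region(region):
        raise ValueError(f"unknown Insight region {region!r}; expected one of {INSIGHT_REGIONS}")
    return f"https://{region.strip().lower()}.insight.rapid7.com{LOGS_PATH}"


def build_logs_request(region: str, api_key: Optional[str] = None) -> urllib.request.Request:
    """Build an authenticated GET request for the logs resource (not yet sent).

    The key is read from INSIGHT_API_KEY when not passed explicitly, so it never
    has to live in source. The X-Api-Key header name is assumed here.
    """
    key = api_key if api_key is not None else os.environ.get("INSIGHT_API_KEY")
    if not key:
        raise RuntimeError("no API key: set INSIGHT_API_KEY or pass api_key")
    req = urllib.request.Request(logs_endpoint(region), method="GET")
    req.add_header("X-Api-Key", key)
    req.add_header("Accept", "application/json")
    return req


def redact_for_log(req: urllib.request.Request) -> dict:
    """Headers that are safe to write to a debug log: the key is masked."""
    return {
        name: ("***" if name.lower() == "x-api-key" else value)
        for name, value in req.header_items()
    }
```

Send the request with `urllib.request.urlopen(build_logs_request("eu"))` once INSIGHT_API_KEY is set; a 401 response means the key or region is wrong for that account.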

InsightIDR: Rapid7's Native Cloud SIEM and XDR Solution

InsightIDR delivers accelerated detection and response through:

* Native integrations with leading cloud services
* Advanced analytics and machine learning
* Threat hunting and incident response tools

Rapid7 Threat Command Integration

The Rapid7 Threat Command integration collects these types of data:

* IOCs: Uses the REST API to retrieve indicators from the Rapid7 Threat Command platform
* Alerts: Uses the REST API to retrieve alerts from the Rapid7 Threat Command platform
* Vulnerabilities: Uses the REST API to retrieve CVEs from the Rapid7 Threat Command platform

Sophos Central SIEM Integration

Sophos Central provides a SIEM integration script that connects to its API to pull event and alert data. The integration script must be run on a schedule, using a scheduled task (Windows) or a cron job (Linux).

Create an Azure Application to Access the Microsoft Defender for Endpoint API

To complete the tasks outlined in this article, you'll need the following:

* An active subscription to Microsoft Defender for Endpoint
* An Administrator account for Microsoft Azure

InsightVM Integrates with Your SIEM

Integrate with your SIEM for comprehensive enterprise security intelligence and threat management. With vulnerability data provided through the InsightVM API, you can act in real-time with up-to-date situational awareness and comprehensive security analytics.

See How the Insight Platform Can Transform Your Security Program

XDR | SIEM | Cloud Security | VM Threat Intel | SOAR | AppSec

Rapid7 Provides Handy Auto Configure Instructions

From the InsightIDR portal, click "Data Collection" again from the menu on the left side of the screen.

InsightIDR: Rapid7's Cloud SIEM for Modern Detection and Response

InsightIDR collects data from the major management and security tools native to Azure, combines that with information from across the organization's IT footprint, and uses advanced analytics to detect malicious behaviors.

Using the InsightVM RESTful API

To extract InsightVM scan data for ingestion into your SIEM or CMDB, or to generate tickets for your remediation teams, the InsightVM RESTful API is a good starting point. Endpoints to use and best practices for retrieving large amounts of data are available.

What is an API?

An application programming interface (API) allows applications to connect with each other. APIs let you interact with other web components in a defined language to request or execute actions of the API's available services.
