rapid7_threat_command
Rapid7 Insight - Threat Command allows managing alerts, CVEs, IOCs, and assets by accounts and MSSP accounts.
Network Security · Rapid7 - Threat Command (IntSights)
Configuration parameters
base_url— Server URL (required)credentials— Account ID (required)integrationReliability— Source Reliability (required)isFetch— Fetch incidentsfirst_fetch— First fetch timestamp.max_fetch— Maximum incidents per fetch (required)alert_types— Alert types to fetch as incidentsnetwork_types— Network types to fetch as incidentsalert_severity— Minimum Alert Severity Levelsource_types— Source types to filter alerts byfetch_closed_incidents— Fetch closed alertsfetch_csv— Include CSV files of alertsfetch_attachments— Include attachments of alertsmssp_sub_account— Sub-account ID (for MSSP accounts).incidentType— Incident typeproxy— Use system proxy settingsinsecure— Trust any certificate (not secure)
Commands (56)
-
domainChecks the reputation of a domain.
-
fileRuns reputation on files.
-
ipChecks the reputation of an IP address.
-
threat-command-account-system-modules-listList the system modules of your account.
-
threat-command-account-user-listList the users in your account. Mainly used to assign alerts.
-
threat-command-account-whitelist-removeReverts IOC values to the system-default whitelist status. The ETP Suite automatically whitelists certain IOCs, such as company assets. You can override this designation or ensure that certain IOCs will not be system whitelisted using the threat-command-account-whitelist-update command. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC. At least one IOC is required.
-
threat-command-account-whitelist-updateYou can add an IOC to your user whitelist (even if it is already on the system whitelist). If you change your mind, you can then revert that decision to rely again on the system designation using the threat-command-account-whitelist-remove command. When an IOC is whitelisted, it will not be sent to integrated security to block. When an IOC is not whitelisted, it will be sent to integrated security devices to block. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC. At least one IOC is required.
-
threat-command-alert-activity-log-getGet alert activity log.
-
threat-command-alert-analyst-askSend a question to an analyst about the requested alert. Questions can revolve around an alert explanation, a request for more context, recommended remediation steps, or requests for threat actor engagement. In order to get the conversation with the analyst, use the threat-command-alert-analyst-conversation-list command.
-
threat-command-alert-analyst-conversation-listGet alert's analyst response.
-
threat-command-alert-assignAssign an alert to other ETP Suite users. When an alert is assigned, the assignee will receive a notification. Mainly used to assign alerts.
-
threat-command-alert-blocklist-getGet alert's blocklist status.
-
threat-command-alert-blocklist-updateChange selected IOCs blocklist status.
-
threat-command-alert-closeClose alert.
-
threat-command-alert-createCreate a new alert. You have to insert scenario or type and sub_type.
-
threat-command-alert-csv-getGet alert's CSV file in case of credentials leakage or leaked credit cards alerts.
-
threat-command-alert-image-listList alert images by ID.
-
threat-command-alert-ioc-reportReport IOCs to external sources (Report the URLs and domains that are included in an alert to external sources. This can warn others of the potential danger of those IOCs).
-
threat-command-alert-listGet a list of alerts with all details.
-
threat-command-alert-note-addAdd a note to the alert. You can add notes, as text or uploaded files, to an alert that can be seen by internal users. Each note is accompanied by the name of the note creator. Other users can reply to notes. Alert notes remain with the alert, even after it is closed or otherwise remediated.
-
threat-command-alert-reopenReopen alert.
-
threat-command-alert-scenario-listList alert scenarios. They are mainly used to add manual alerts.
-
threat-command-alert-send-mailSend mail with the alert details and a question.
-
threat-command-alert-severity-updateChange the alert's severity. Changing the severity level of alerts can help to prioritize alert management.
-
threat-command-alert-source-type-listList alert source types. They are mainly used to add manual alerts.
-
threat-command-alert-tag-addAdds a tag to an alert. This enables you to classify alerts and later search for all alerts with a specific tag.
-
threat-command-alert-tag-removeRemoves a tag from the alert.
-
threat-command-alert-takedown-requestSend a takedown request for the selected alert (Request that Threat Command will contact the host to request a takedown of a malicious domain, website, or mobile application).
-
threat-command-alert-takedown-request-status-getGet the alert's takedown status.
-
threat-command-alert-type-listList alert types and sub-types. They are mainly used to add manual alerts.
-
threat-command-alert-unassignUnassign an alert from all users.
-
threat-command-asset-addAdd assets by type and value. Assets include any company resource that could lead to a potential security threat.
-
threat-command-asset-deleteDelete asset by type and value.
-
threat-command-asset-listGet account assets grouped by asset type.
-
threat-command-asset-type-listGet all asset types. Mainly used to add or delete assets.
-
threat-command-cve-addAdd CVEs to account.
-
threat-command-cve-deleteDelete CVEs from account.
-
threat-command-cve-listGet CVE's list from account.
-
threat-command-cyber-term-cve-listList cyber term CVEs by cyber term ID.
-
threat-command-cyber-term-ioc-listList cyber term IOCs by cyber term ID.
-
threat-command-cyber-term-listList cyber terms by filter.
-
threat-command-enrichment-quota-usageGets the current API enrichment credits ("quota") usage for the requester account.
-
threat-command-ioc-blocklist-addAdds an IOC to an internal Remediation Blocklist. By sending the blocklist to security devices, you can block the IOCs. At least one IOC is required.
-
threat-command-ioc-blocklist-removeRemoves IOC values from the Remediation blocklist. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC. At least one IOC is required.
-
threat-command-ioc-comment-addAdds comments to IOCs. At least one IOC is required.
-
threat-command-ioc-searchGets IOC details by value or IOC's full enrichment data. While using the enrichment flag, the command is scheduled and allows us to get full enrichment data. Note that enrichment has a quota. You can get the quota by using threat-command-quotas-usage-get.
-
threat-command-ioc-severity-updateChanges the severity of existing IOCs for the requester account (overrides the system severity). At least one IOC is required.
-
threat-command-ioc-tags-addAdds user tags to IOCs. This enables you to classify IOCs and later search for all IOCs with a specific tag. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC.
-
threat-command-mention-searchSearch for strings in the scrapes database.
-
threat-command-mssp-customer-listGet all Managed Security Service Provider's (MSSP) sub-accounts.
-
threat-command-mssp-user-listGet the details of the MSSPs users (In case you are an MSSP account).
-
threat-command-source-document-createAdds a new IOC source document. At least one IOC is required.
-
threat-command-source-document-deleteDeletes an existing IOC source document.
-
threat-command-source-document-ioc-createCreate new IOCs to existing IOC source documents. At least one IOC is required.
-
threat-command-source-listGets lists of IOC document sources.
-
urlChecks the reputation of a URL.