rapid7_threat_command

Rapid7 Insight - Threat Command allows managing alerts, CVEs, IOCs, and assets by accounts and MSSP accounts.

Network Security · Rapid7 - Threat Command (IntSights)

Configuration parameters

  • base_url — Server URL (required)
  • credentials — Account ID (required)
  • integrationReliability — Source Reliability (required)
  • isFetch — Fetch incidents
  • first_fetch — First fetch timestamp.
  • max_fetch — Maximum incidents per fetch (required)
  • alert_types — Alert types to fetch as incidents
  • network_types — Network types to fetch as incidents
  • alert_severity — Minimum Alert Severity Level
  • source_types — Source types to filter alerts by
  • fetch_closed_incidents — Fetch closed alerts
  • fetch_csv — Include CSV files of alerts
  • fetch_attachments — Include attachments of alerts
  • mssp_sub_account — Sub-account ID (for MSSP accounts).
  • incidentType — Incident type
  • proxy — Use system proxy settings
  • insecure — Trust any certificate (not secure)

Commands (56)

  • domain

    Checks the reputation of a domain.

  • file

    Runs reputation on files.

  • ip

    Checks the reputation of an IP address.

  • threat-command-account-system-modules-list

    List the system modules of your account.

  • threat-command-account-user-list

    List the users in your account. Mainly used to assign alerts.

  • threat-command-account-whitelist-remove

    Reverts IOC values to the system-default whitelist status. The ETP Suite automatically whitelists certain IOCs, such as company assets. You can override this designation or ensure that certain IOCs will not be system whitelisted using the threat-command-account-whitelist-update command. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC. At least one IOC is required.

  • threat-command-account-whitelist-update

    You can add an IOC to your user whitelist (even if it is already on the system whitelist). If you change your mind, you can then revert that decision to rely again on the system designation using the threat-command-account-whitelist-remove command. When an IOC is whitelisted, it will not be sent to integrated security to block. When an IOC is not whitelisted, it will be sent to integrated security devices to block. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC. At least one IOC is required.

  • threat-command-alert-activity-log-get

    Get alert activity log.

  • threat-command-alert-analyst-ask

    Send a question to an analyst about the requested alert. Questions can revolve around an alert explanation, a request for more context, recommended remediation steps, or requests for threat actor engagement. In order to get the conversation with the analyst, use the threat-command-alert-analyst-conversation-list command.

  • threat-command-alert-analyst-conversation-list

    Get alert's analyst response.

  • threat-command-alert-assign

    Assign an alert to other ETP Suite users. When an alert is assigned, the assignee will receive a notification. Mainly used to assign alerts.

  • threat-command-alert-blocklist-get

    Get alert's blocklist status.

  • threat-command-alert-blocklist-update

    Change selected IOCs blocklist status.

  • threat-command-alert-close

    Close alert.

  • threat-command-alert-create

    Create a new alert. You have to insert scenario or type and sub_type.

  • threat-command-alert-csv-get

    Get alert's CSV file in case of credentials leakage or leaked credit cards alerts.

  • threat-command-alert-image-list

    List alert images by ID.

  • threat-command-alert-ioc-report

    Report IOCs to external sources (Report the URLs and domains that are included in an alert to external sources. This can warn others of the potential danger of those IOCs).

  • threat-command-alert-list

    Get a list of alerts with all details.

  • threat-command-alert-note-add

    Add a note to the alert. You can add notes, as text or uploaded files, to an alert that can be seen by internal users. Each note is accompanied by the name of the note creator. Other users can reply to notes. Alert notes remain with the alert, even after it is closed or otherwise remediated.

  • threat-command-alert-reopen

    Reopen alert.

  • threat-command-alert-scenario-list

    List alert scenarios. They are mainly used to add manual alerts.

  • threat-command-alert-send-mail

    Send mail with the alert details and a question.

  • threat-command-alert-severity-update

    Change the alert's severity. Changing the severity level of alerts can help to prioritize alert management.

  • threat-command-alert-source-type-list

    List alert source types. They are mainly used to add manual alerts.

  • threat-command-alert-tag-add

    Adds a tag to an alert. This enables you to classify alerts and later search for all alerts with a specific tag.

  • threat-command-alert-tag-remove

    Removes a tag from the alert.

  • threat-command-alert-takedown-request

    Send a takedown request for the selected alert (Request that Threat Command will contact the host to request a takedown of a malicious domain, website, or mobile application).

  • threat-command-alert-takedown-request-status-get

    Get the alert's takedown status.

  • threat-command-alert-type-list

    List alert types and sub-types. They are mainly used to add manual alerts.

  • threat-command-alert-unassign

    Unassign an alert from all users.

  • threat-command-asset-add

    Add assets by type and value. Assets include any company resource that could lead to a potential security threat.

  • threat-command-asset-delete

    Delete asset by type and value.

  • threat-command-asset-list

    Get account assets grouped by asset type.

  • threat-command-asset-type-list

    Get all asset types. Mainly used to add or delete assets.

  • threat-command-cve-add

    Add CVEs to account.

  • threat-command-cve-delete

    Delete CVEs from account.

  • threat-command-cve-list

    Get CVE's list from account.

  • threat-command-cyber-term-cve-list

    List cyber term CVEs by cyber term ID.

  • threat-command-cyber-term-ioc-list

    List cyber term IOCs by cyber term ID.

  • threat-command-cyber-term-list

    List cyber terms by filter.

  • threat-command-enrichment-quota-usage

    Gets the current API enrichment credits ("quota") usage for the requester account.

  • threat-command-ioc-blocklist-add

    Adds an IOC to an internal Remediation Blocklist. By sending the blocklist to security devices, you can block the IOCs. At least one IOC is required.

  • threat-command-ioc-blocklist-remove

    Removes IOC values from the Remediation blocklist. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC. At least one IOC is required.

  • threat-command-ioc-comment-add

    Adds comments to IOCs. At least one IOC is required.

  • threat-command-ioc-search

    Gets IOC details by value or IOC's full enrichment data. While using the enrichment flag, the command is scheduled and allows us to get full enrichment data. Note that enrichment has a quota. You can get the quota by using threat-command-quotas-usage-get.

  • threat-command-ioc-severity-update

    Changes the severity of existing IOCs for the requester account (overrides the system severity). At least one IOC is required.

  • threat-command-ioc-tags-add

    Adds user tags to IOCs. This enables you to classify IOCs and later search for all IOCs with a specific tag. There is no indication of success or failure for this command. The user has to choose a correct and existing IOC.

  • threat-command-mention-search

    Search for strings in the scrapes database.

  • threat-command-mssp-customer-list

    Get all Managed Security Service Provider's (MSSP) sub-accounts.

  • threat-command-mssp-user-list

    Get the details of the MSSPs users (In case you are an MSSP account).

  • threat-command-source-document-create

    Adds a new IOC source document. At least one IOC is required.

  • threat-command-source-document-delete

    Deletes an existing IOC source document.

  • threat-command-source-document-ioc-create

    Create new IOCs to existing IOC source documents. At least one IOC is required.

  • threat-command-source-list

    Gets lists of IOC document sources.

  • url

    Checks the reputation of a URL.