{
  "name": "ti_rapid7_threat_command",
  "title": "Rapid7 Threat Command",
  "version": "2.8.0",
  "release": "ga",
  "description": "Collect threat intelligence from Threat Command API with Elastic Agent.",
  "type": "integration",
  "download": "/epr/ti_rapid7_threat_command/ti_rapid7_threat_command-2.8.0.zip",
  "path": "/package/ti_rapid7_threat_command/2.8.0",
  "icons": [
    {
      "src": "/img/ti_rapid7_threat_command-logo.svg",
      "path": "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-logo.svg",
      "title": "Sample logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.4 || ~9.0.7 || ^9.1.4"
    },
    "elastic": {
      "subscription": "",
      "capabilities": [
        "security"
      ]
    }
  },
  "owner": {
    "type": "partner",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "threat_intel",
    "vulnerability_management"
  ],
  "signature_path": "/epr/ti_rapid7_threat_command/ti_rapid7_threat_command-2.8.0.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/ti_rapid7_threat_command/2.8.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/ti_rapid7_threat_command-ioc_overview_1.png",
      "path": "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-ioc_overview_1.png",
      "title": "IOC Overview-1",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/ti_rapid7_threat_command-ioc_overview_2.png",
      "path": "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-ioc_overview_2.png",
      "title": "IOC Overview-2",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/ti_rapid7_threat_command-ioc_overview_3.png",
      "path": "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-ioc_overview_3.png",
      "title": "IOC Overview-3",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/ti_rapid7_threat_command-alert_overview.png",
      "path": "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-alert_overview.png",
      "title": "Alert Overview",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/ti_rapid7_threat_command-vulnerability_overview.png",
      "path": "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-vulnerability_overview.png",
      "title": "Vulnerability Overview",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/ti_rapid7_threat_command/2.8.0/LICENSE.txt",
    "/package/ti_rapid7_threat_command/2.8.0/changelog.yml",
    "/package/ti_rapid7_threat_command/2.8.0/manifest.yml",
    "/package/ti_rapid7_threat_command/2.8.0/validation.yml",
    "/package/ti_rapid7_threat_command/2.8.0/docs/README.md",
    "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-alert_overview.png",
    "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-ioc_overview_1.png",
    "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-ioc_overview_2.png",
    "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-ioc_overview_3.png",
    "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-logo.svg",
    "/package/ti_rapid7_threat_command/2.8.0/img/ti_rapid7_threat_command-vulnerability_overview.png",
    "/package/ti_rapid7_threat_command/2.8.0/kibana/tags.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/alert/manifest.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/alert/sample_event.json",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/lifecycle.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/manifest.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/sample_event.json",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/vulnerability/manifest.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/vulnerability/sample_event.json",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/ingest_pipeline/ti_rapid7_threat_command-cve-rule-transform-pipeline.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/ingest_pipeline/ti_rapid7_threat_command-ioc-rule-transform-pipeline.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/ingest_pipeline/ti_rapid7_threat_command-unique-ioc-transform-pipeline.yml",
    "/package/ti_rapid7_threat_command/2.8.0/kibana/dashboard/ti_rapid7_threat_command-1abe9f50-591c-11ed-a133-234996671b18.json",
    "/package/ti_rapid7_threat_command/2.8.0/kibana/dashboard/ti_rapid7_threat_command-20735802-0864-485a-8b6f-e138aae5900d.json",
    "/package/ti_rapid7_threat_command/2.8.0/kibana/dashboard/ti_rapid7_threat_command-8f985fb0-6988-11ed-8bdb-110ff35bc478.json",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/alert/fields/agent.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/alert/fields/base-fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/alert/fields/fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/fields/agent.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/fields/base-fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/fields/ecs.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/fields/fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/fields/is-ioc-transform-source-true.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/vulnerability/fields/agent.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/vulnerability/fields/base-fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/vulnerability/fields/fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_alert/manifest.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_alert/transform.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_ioc/manifest.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_ioc/transform.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_vulnerability/manifest.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_vulnerability/transform.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/alert/agent/stream/httpjson.yml.hbs",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/agent/stream/httpjson.yml.hbs",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/elasticsearch/ilm/default_policy.json",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/vulnerability/agent/stream/httpjson.yml.hbs",
    "/package/ti_rapid7_threat_command/2.8.0/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_alert/fields/agent.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_alert/fields/base-fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_alert/fields/ecs.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_alert/fields/fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_alert/fields/is-ioc-transform-source-false.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_ioc/fields/agent.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_ioc/fields/base-fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_ioc/fields/ecs.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_ioc/fields/fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_ioc/fields/is-ioc-transform-source-false.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_vulnerability/fields/agent.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_vulnerability/fields/base-fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_vulnerability/fields/ecs.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_vulnerability/fields/fields.yml",
    "/package/ti_rapid7_threat_command/2.8.0/elasticsearch/transform/latest_vulnerability/fields/is-ioc-transform-source-false.yml"
  ],
  "policy_templates": [
    {
      "name": "ti_rapid7_threat_command",
      "title": "Rapid7 Threat Command",
      "description": "Collect Threat Intel data from Rapid7 Threat Command.",
      "inputs": [
        {
          "type": "httpjson",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "Rapid7 Threat Command API Endpoint.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.intsights.com"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Because the trace captures full requests and responses, it can expose credentials and other sensitive data; enable it only for debugging and disable it afterwards. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "account_id",
              "type": "text",
              "title": "Account ID",
              "description": "Account ID of the IntSights account.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "api_key",
              "type": "password",
              "title": "API Key",
              "description": "API Key generated from the 'Subscription' page of the IntSights ETP Suite.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Ensure that the username and password are URL-encoded.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Threat Intel data via Rapid7 Threat Command API",
          "description": "Collecting Threat Intel data from Rapid7 Threat Command via API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "ti_rapid7_threat_command.alert",
      "title": "Rapid7 Threat Command Alerts",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Interval at which to fetch the Alerts from Rapid7 Threat Command (the interval must be greater than 1h). NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "4h"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Alerts from Rapid7 Threat Command. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "720h"
            },
            {
              "name": "types",
              "type": "text",
              "title": "Alert Types",
              "description": "The type of Alerts to fetch. Allowed values: `AttackIndication`, `DataLeakage`, `Phishing`, `BrandSecurity`, `ExploitableData`, `vip`. NOTE: The values of alert types are case-sensitive. All types of alerts will be fetched if not specified here.",
              "multi": true,
              "required": false,
              "show_user": true
            },
            {
              "name": "severities",
              "type": "text",
              "title": "Alert Severities",
              "description": "The alert severities to fetch. Allowed values: `High`, `Medium`, `Low`. NOTE: The values of severity are case-sensitive. All severities will be fetched if not specified here.",
              "multi": true,
              "required": false,
              "show_user": true
            },
            {
              "name": "fetch_closed_alerts",
              "type": "bool",
              "title": "Fetch Closed Alerts",
              "description": "By default, open alerts are retrieved. Enable Fetch Closed Alerts to fetch closed alerts.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded",
                "rapid7-threat-command-alert"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Rapid7 Threat Command Alerts",
          "description": "Collect Alerts from Rapid7 Threat Command.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "ti_rapid7_threat_command",
      "path": "alert"
    },
    {
      "type": "logs",
      "dataset": "ti_rapid7_threat_command.ioc",
      "ilm_policy": "logs-ti_rapid7_threat_command.ioc-default_policy",
      "title": "Rapid7 Threat Command IOCs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Interval to fetch the latest IOCs from Rapid7 Threat Command. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the IOCs from Rapid7 Threat Command. The Initial Interval must not exceed 6 months. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "720h"
            },
            {
              "name": "ioc_expiration_duration",
              "type": "text",
              "title": "IOC Expiration Duration",
              "description": "Enforces all active IOCs to expire after this duration since their last seen time indicated in the feed. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g. `10d`). If invalid units are provided, the default value `90d` (90 days) is used. Check the `README` for more details on how IOC expiration works and on the removal of custom transforms and views used in older versions.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "severities",
              "type": "text",
              "title": "IOC Severities",
              "description": "The IOC severities to fetch. Allowed values: `High`, `Medium`, `Low`, `PendingEnrichment`. NOTE: The values of severity are case-sensitive. All severities will be fetched if not specified here.",
              "multi": true,
              "required": false,
              "show_user": true
            },
            {
              "name": "types",
              "type": "text",
              "title": "IOC Types",
              "description": "The type of IOCs to fetch. Allowed values: `IpAddresses`, `Urls`, `Domains`, `Hashes`, `Emails`. NOTE: The values of IOC types are case-sensitive. All types of IOCs will be fetched if not specified here.",
              "multi": true,
              "required": false,
              "show_user": true
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded",
                "rapid7-threat-command-ioc"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Rapid7 Threat Command IOCs",
          "description": "Collect IOCs from Rapid7 Threat Command.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "ti_rapid7_threat_command",
      "path": "ioc"
    },
    {
      "type": "logs",
      "dataset": "ti_rapid7_threat_command.vulnerability",
      "title": "Rapid7 Threat Command Vulnerability",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Interval to fetch the CVEs from Rapid7 Threat Command. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "6h"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the CVEs from Rapid7 Threat Command. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1440h"
            },
            {
              "name": "severities",
              "type": "text",
              "title": "Vulnerability Severities",
              "description": "The vulnerability severities to fetch. Allowed values: `Critical`, `High`, `Medium`, `Low`. NOTE: The values of severity are case-sensitive.",
              "multi": true,
              "required": false,
              "show_user": true
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded",
                "rapid7-threat-command-vulnerability"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Rapid7 Threat Command Vulnerability",
          "description": "Collect CVEs from Rapid7 Threat Command.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "ti_rapid7_threat_command",
      "path": "vulnerability"
    }
  ]
}
