Rapid7 Destination

Configuring a Rapid7 workflow as an alert destination in your Panther Console

Overview

Destinations are integrations that receive alerts from rules, policies, system health notifications, and rule errors. Panther supports configuring workflows within Rapid7's InsightConnect product as the destination to be triggered by alerts within Panther.

How to set up Rapid7 InsightConnect destinations in Panther

Step 1: Configure the workflow in InsightConnect

In this step, you will create a simple workflow that is triggered by receiving a Panther alert. You will likely want to build on this workflow by adding steps for whatever you need it to do, e.g., creating threats in InsightIDR or firing other workflows.

  1. Log in to Rapid7 InsightConnect.

  2. In the left-hand navigation bar, click Workflows.

  3. Click Add Workflow.

  4. Download the Panther Sample Alert Destination Workflow file found at the end of this step.

    • This file contains the trigger's object schema, so Panther can start triggering the workflow without you defining the input fields by hand. It is the simplest way to bootstrap the workflow.

  5. In the Add Workflow modal, click Import from File, then select the Panther Sample Alert Destination Workflow file you downloaded.

  6. Once the workflow is populated, click Edit in Builder.

  7. In the upper-right corner, click Edit.

  8. Click the Panther Alert trigger (the first node in the workflow).

  9. In the Configure Details form, check the Require API Key authentication checkbox. Panther does not support unauthenticated workflow executions, and leaving this unchecked would let anyone who learns the trigger URL start the workflow.

  10. Click Save Step.

  11. In the How to Use section on the right-hand side of the window, copy the API Trigger URL and store it in a secure location (a secrets manager, not a ticket or chat message). You will input this value into Panther in a later step.

  12. Make any other desired modifications to the workflow, such as creating a threat or triggering other workflows.

  13. Click Publish Changes.

  14. Click the workflow's toggle to enable it. The toggle next to "Panther Sample Alert Destination Workflow" should now read ON.

Panther sample workflow file

Below is an .icon workflow file exported from Rapid7 InsightConnect, which contains the simple Panther workflow referenced in Step 1:

Step 2: Generate a Rapid7 API key

You will need to provide Panther a Rapid7 API key in the next step of this process.

  1. In your Rapid7 console, navigate to your Insight control panel.

  2. In the navigation bar, under API Key Management, select either Organization Keys or User Keys.

    • It is recommended to create a tightly scoped user key dedicated to this integration, so that it can be rotated or revoked without affecting other automation, but any key with permission to run the workflow can be used.

    • Learn more about Rapid7 API keys in the Managing Platform API Keys documentation.

  3. Click Generate New <User or Organization> Key. Follow the instructions in Rapid7's Managing Platform API Keys documentation to finish creating the key.

    • Copy the generated key and store it in a secure location, as you will need it in the following step. Rapid7 shows the key only once; if you lose it, generate a new one.
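Before entering the trigger URL and key into Panther, it is worth confirming from the command line that the workflow actually starts. The script below is an added example and is not part of the Panther or Rapid7 documentation. It assumes the API trigger accepts the key in an X-Api-Key header (the Insight platform convention; confirm against the How to Use panel of your trigger), and the alert body it sends is a constructed sample, not Panther's documented payload; adjust the fields to match the schema of the Panther Alert trigger in the imported workflow. The URL and key are read from environment variables so neither ends up in shell history.

```shell
#!/bin/sh
# Added smoke test for an InsightConnect API trigger: POST a constructed
# Panther-style alert with the Rapid7 API key and report the HTTP status.
# Assumptions (not from the Panther docs): the trigger expects the key in an
# X-Api-Key header, and the alert body below is illustrative only.
set -eu

# Constructed sample alert. Field names are illustrative; the real schema is
# the one defined on the Panther Alert trigger of the imported workflow.
panther_sample_alert() {
  cat <<'EOF'
{
  "title": "Smoke test from the command line",
  "severity": "INFO",
  "description": "Constructed test alert; safe to ignore",
  "source": "manual-curl-check"
}
EOF
}

# Refuse URLs that are not HTTPS or that carry a key in the query string:
# the key belongs in a header, and URLs get recorded by proxies and shells.
check_trigger_url() {
  url="$1"
  case "$url" in
    https://*) ;;
    *) echo "refusing non-HTTPS trigger URL" >&2; return 1 ;;
  esac
  case "$url" in
    *[Kk]ey=*) echo "refusing trigger URL with an API key in the query string" >&2; return 1 ;;
  esac
  return 0
}

# POST the sample alert; print only the HTTP status so the key never echoes.
send_test_alert() {
  url="$1"
  key="$2"
  check_trigger_url "$url" || return 1
  panther_sample_alert | curl -sS -o /dev/null -w '%{http_code}\n' \
    -X POST "$url" \
    -H "X-Api-Key: $key" \
    -H 'Content-Type: application/json' \
    --data-binary @-
}

# Usage: RAPID7_TRIGGER_URL=... RAPID7_API_KEY=... sh check_trigger.sh run
if [ "${1:-}" = "run" ]; then
  send_test_alert "$RAPID7_TRIGGER_URL" "$RAPID7_API_KEY"
fi
```

A 2xx status followed by a new entry under Jobs in InsightConnect means the trigger, the key, and the schema agree; a 401 or 403 points at the key (wrong key, or a key without permission to run this workflow), and a 4xx with the key correct usually means the body does not match the trigger's schema.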

Step 3: Configure the Rapid7 alert destination in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Alert Destinations.

  2. Click +Add your first Destination.

    • If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.

  3. Click Rapid7.

  4. Fill out the form to configure the destination:

    • Display Name: Enter a descriptive name.

    • Workflow URL: Enter the Trigger URL for the workflow you built in the previous section of this documentation.

    • API Key: Enter the API Key that you created in the previous section of this documentation.

    • Severity: Select the severity level of alerts to send to this destination.

    • Alert Types: Select the alert types to send to this destination.

    • Log Type: By default, alerts from all log types are sent. Specify log types here if you want to send alerts only from specific log types.

  5. Click Add Destination.

  6. On the final page, optionally click Send Test Alert to test the integration.

    • You will be able to see the started job in InsightConnect, within the Jobs section. If no job appears, check that the workflow is enabled and that the key has permission to run it.

  7. When you are finished, click Finish Setup.

Additional Information on Destinations

For more information on alert routing order, modifying or deleting destinations, and workflow automation, please see the Panther docs: Destinations.
