Rapid7 Destination (Beta)
Configuring a Rapid7 workflow as an alert destination in your Panther Console
Last updated
The Rapid7 alert destination is in open beta starting with Panther version 1.111, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Destinations are integrations that receive alerts from rules, policies, system health notifications, and rule errors. Panther supports configuring workflows within Rapid7's InsightConnect product as the destination to be triggered by alerts within Panther.
First, create a simple InsightConnect workflow that is triggered by receiving a Panther alert. You will likely want to build on this workflow by adding steps for whatever you need it to do, e.g., creating threats in InsightIDR or firing other workflows.
Log in to Rapid7 InsightConnect.
In the left-hand navigation bar, click Workflows.
Click Add Workflow.
Download the Panther Sample Alert Destination Workflow file provided at the end of this section.
This file contains the object schema for Panther to start triggering the workflow, and is the simplest way to bootstrap the workflow.
In the Add Workflow modal, click Import from File, then select the Panther Sample Alert Destination Workflow file you downloaded.
Once the workflow is populated, click Edit in Builder.
In the upper-right corner, click Edit.
Click the Panther Alert trigger (the first node in the workflow).
In the Configure Details form, check the Require API Key authentication checkbox. Panther does not support unauthenticated workflow executions.
Click Save Step.
In the How to Use section on the right-hand side of the window, copy the API Trigger URL and store it in a secure location. You will input this value into Panther in a later step.
Make any other desired modifications to the workflow, such as creating a threat or triggering other workflows.
Click Publish Changes.
Click the workflow's toggle to enable it.
Below is the workflow file exported from Rapid7 (InsightConnect exports workflows in its .icon format), which contains a simple Panther workflow:
Next, create the Rapid7 API key that Panther will present when it triggers the workflow. Because you enabled Require API Key authentication on the trigger, the workflow will reject requests that do not carry a valid key.
In your Rapid7 console, navigate to your Insight control panel.
In the navigation bar, under API Key Management, select either Organization Keys or User Keys.
Click Generate New <User or Organization> Key. Follow the instructions in Rapid7's Managing Platform API Keys documentation to finish creating the key.
It is recommended to create a tightly scoped user key for this purpose, but any key with permission to run the workflow can be used. Anyone who holds this key together with the trigger URL can execute the workflow, so treat it like any other secret and rotate it if it is exposed.
Copy the generated key and store it in a secure location, as you will need it in the following step.
Learn more about Rapid7 API keys in the Managing Platform API Keys documentation.
In the left-hand navigation bar of your Panther Console, click Configure > Alert Destinations.
Click +Add your first Destination.
If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.
Click Rapid7.
Fill out the form to configure the destination:
Display Name: Enter a descriptive name.
Workflow URL: Enter the API Trigger URL for the workflow you built in the previous section of this documentation.
API Key: Enter the API key that you created in the previous section of this documentation.
Severity: Select the severity levels of alerts to send to this destination.
Alert Types: Select the alert types to send to this destination.
Log Type: By default, alerts from all log types are sent. Specify log types here if you want to send alerts only from specific log types.
Click Add Destination.
On the final page, optionally click Send Test Alert to test the integration.
You'll be able to see the started workflow in InsightConnect, within the Jobs section. If no job appears, check that the workflow is enabled and that the key has permission to run it.
When you are finished, click Finish Setup.
For more information on alert routing order, modifying or deleting destinations, and workflow automation, please see the Panther docs: Destinations.
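Before relying on Panther's Send Test Alert, it can be useful to fire the trigger once by hand from the command line and confirm that a job appears under Jobs in InsightConnect. The script below is an added example, not Panther's or Rapid7's code. It assumes the workflow reads the Rapid7 API key from an X-API-Key request header (the page does not name the header; confirm it in the trigger's How to Use panel) and uses a constructed alert body, since the page does not document Panther's alert schema. The trigger URL and key are read from environment variables rather than hardcoded, and the script refuses a non-HTTPS trigger URL because the key would otherwise cross the network in clear text.

```python
"""Manual check of an InsightConnect API trigger with a Panther-style alert.

Added example, not Panther's or Rapid7's code. Assumptions (not stated on the
page): the workflow reads the Rapid7 API key from an `X-API-Key` request header,
and SAMPLE_ALERT below is a constructed stand-in for a real Panther alert.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

API_KEY_HEADER = "X-API-Key"  # assumed header name; confirm in the trigger's "How to Use" panel

# Constructed sample alert; field names are illustrative, not Panther's schema.
SAMPLE_ALERT = {
    "alertId": "example-alert-id",
    "title": "Test alert from Panther",
    "severity": "INFO",
    "type": "RULE",
}


def key_fingerprint(api_key: str) -> str:
    """Short SHA-256 prefix so logs can record which key was used without revealing it."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()[:12]


def build_trigger_request(trigger_url: str, api_key: str, alert: dict) -> dict:
    """Assemble the POST that fires the workflow, refusing unsafe inputs.

    The API key is a bearer credential: anyone holding it plus the trigger URL can
    run the workflow, so it travels only over HTTPS and only in a header, never in
    the URL or the body.
    """
    parsed = urlparse(trigger_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("trigger URL must be an https:// URL")
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key is empty or has surrounding whitespace (copy/paste error)")
    return {
        "url": trigger_url,
        "headers": {"Content-Type": "application/json", API_KEY_HEADER: api_key},
        "body": json.dumps(alert).encode("utf-8"),
    }


def send_test_alert(trigger_url: str, api_key: str, alert: dict = SAMPLE_ALERT, timeout: int = 10) -> int:
    """POST the alert and return the HTTP status code.

    A 2xx means a job should now be visible under Jobs in InsightConnect; a 401 or
    403 usually means the key is wrong or lacks permission to run the workflow.
    """
    req = build_trigger_request(trigger_url, api_key, alert)
    request = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Secrets come from the environment rather than being hardcoded in the script.
    url = os.environ.get("RAPID7_TRIGGER_URL")
    key = os.environ.get("RAPID7_API_KEY")
    if not url or not key:
        sys.exit("set RAPID7_TRIGGER_URL and RAPID7_API_KEY first")
    status = send_test_alert(url, key)
    print(f"HTTP {status} using key {key_fingerprint(key)}; check the Jobs page in InsightConnect")
```

Run it with the trigger URL and key exported in the environment, then open Jobs in InsightConnect and confirm the run appears. The fingerprint printed on success is only for correlating your own logs with the key you used; it is not a substitute for storing the key securely.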