Rapid7 IDR api

We’re recently demo’ing Rapid7 IDR to help track threats and security related events and I was curious if anyone here uses this product in conjunction with Squared Up/SCOM. It’d be nice to be able to view this system inside a dashboard of some sort as a 1 pane of glass. Any thoughts would be definitely appreciated. Thanks.

Gary

Hi

Initial thoughts are that we can do this at 2 levels:

• Rapid7 IDR infrastructure - definitely one for SCOM - what components are there?
  • Application Server
  • Web Sites
  • Application Pools
  • Databases
• Rapid7 IDR data
  • Would you really want to store this security data with SCOM performance data?
  • Are you comfortable with all the data being stored unencrypted together in the SCOM DB \ DW? More pertinently are you security teams happy with this?
  • If the answers to the above are YES, then I'd do some testing in Dev to make sure that there isn't so much IDR data that it swamps Operations Manager. SCOM isn't really a log collector.

Ideally - SCOM to monitor the infrastructure and something like SPLUNK or, if you are a Microsoft shop, perhaps Operations Management Suite (OMS) to collect the data and be the platform for log analytics.

Happy to help build the infrastructure monitoring if this of interest.

Cheers

Graham

Hey Graham. I just want to tap into the web api for Insight, not get all of this data into SCOM.

Is it this? https://help.rapid7.com/insightvm/en-us/api/index.html#

The first step will be to write a PowerShell script outside of SCOM that achieves what you want:

https://blogs.technet.microsoft.com/heyscriptingguy/2013/10/21/invokerestmethod-for-the-rest-of-us/

https://www.daniellittle.xyz/calling-a-rest-json-api-with-powershell/

Once you have that; we can look to plug that into SCOM.

Cheers

Graham

Hey Graham. I checked with Rapid 7 and IDR does not have a rest api yet but their Nexpose product does. I think this is enough to get me started in the right direction. Thanks again for your help!

Gary