Rapid7 InsightIDR Integration Setup
This guide walks you through integrating Rapid7 InsightIDR with RAD Security so that RAD Security runtime events can be correlated with InsightIDR's user behavior analytics, attacker behavior detection, and investigation data through InsightIDR's SIEM capabilities. Rapid7 InsightIDR provides user behavior analytics, attacker behavior detection, and automated investigation capabilities for comprehensive security monitoring.
Prerequisites
Before you begin, ensure you have:
- Admin access to Rapid7 InsightIDR
- Ability to create users in your Rapid7 organization
- Access to the email account you’ll use for the service user
- Access to RAD Security workspace with integration permissions
Service User Recommended: Create a dedicated service user for this integration rather than using a personal account. This ensures continuity when team members change roles.
Step 1: Create Service User (Optional but Recommended)
Creating a dedicated service user allows you to scope the API key to the minimum roles the integration needs and keeps the integration independent of any individual's account.
1
Log in as Administrator
Log in to Rapid7 InsightIDR with an administrator account
2
Navigate to User Management
Click the settings gear icon in the top right corner and select Users
3
Create New User
Click the Create User button
4
Enter User Details
Fill in the user information:
- First Name (e.g., “RAD Security”)
- Last Name (e.g., “Integration”)
- Email Address (use a service email account)
You'll need access to this email to activate the account. In production, use a shared service mailbox (e.g., security-integrations@company.com) so the integration keeps working when employees change roles.
5
Assign Product Access
Assign the user to the Insight IDR product
6
Assign Roles
Assign the following roles to the user:
- Insight IDR Analyst
- Log Search View Only
These are the minimum roles required for the integration to function properly. You can assign higher-level roles if additional permissions are needed for your use case.
7
Create User
Click Add User to confirm creation
8
Log Out
Log out of your administrator account
9
Activate Service User
- Open the email account associated with the new user
- Find the activation link from Rapid7
- Click the link to activate the account
- Complete the activation process and set a password
Activate the account promptly. If you lose the activation email or the link expires, an administrator will need to resend it.
Step 2: Create Platform API Key
1
Log in as Service User
Log in to Rapid7 InsightIDR using the service user credentials you just created (or the existing user you want to use)
2
Navigate to API Keys
Click the settings gear icon in the top right corner and select API Keys
3
Create User Platform API Key
Follow Rapid7's documentation for creating a User Platform API key. A User key is tied to the user who creates it and carries that user's permissions, which is why the roles assigned to the service user in Step 1 determine what the integration can read.
- Click New User Key
- Enter a descriptive name (e.g., “RAD Security Integration”)
- Click Generate
4
Copy and Save API Key
Immediately copy the API key to a secure location
This is your only chance to view the key! If you lose it, you cannot retrieve it and will need to generate a new one.
Step 3: Determine Regional API URL
Rapid7 InsightIDR uses different API endpoints based on your data center location.
Regional URLs
Refer to Rapid7's supported regions documentation to find the correct endpoint for your region.
Common Regional URLs:
| Region | API Endpoint |
|---|---|
| United States | https://us.api.insight.rapid7.com |
| United States 2 | https://us2.api.insight.rapid7.com |
| United States 3 | https://us3.api.insight.rapid7.com |
| Europe | https://eu.api.insight.rapid7.com |
| Canada | https://ca.api.insight.rapid7.com |
| Australia | https://au.api.insight.rapid7.com |
| Japan | https://ap.api.insight.rapid7.com |
Use the base URL without any path components. For example:
https://us2.api.insight.rapid7.com
Step 4: Configure in RAD Security
Navigate to your RAD Security workspace and configure the Rapid7 InsightIDR integration with the following parameters:
Required Parameters
| Parameter | Description | Example |
|---|---|---|
| URL | Regional base URL for Rapid7 InsightIDR API (no path components) | https://us2.api.insight.rapid7.com |
| Token | Platform API key from Step 2 | your-api-key-here |
Verify Integration
After completing the setup, verify your integration is working:
- Navigate to Data Sources > Integrations > SIEM in RAD Security
- Locate your Rapid7 InsightIDR integration
- Check the connection status shows as Connected
- Verify security events are being synced
Your Rapid7 InsightIDR integration is now configured! RAD Security can now correlate security events with InsightIDR’s user behavior analytics and threat detection capabilities.
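Before pasting values into RAD Security, it is worth checking them from a shell. The script below is an added example (it is not RAD Security's or Rapid7's code) that does the two checks Steps 3 and 4 depend on: it reduces a URL copied from the browser to the bare regional base URL (rejecting path components such as /api/3, plain http, and hosts that are not *.api.insight.rapid7.com, including the InsightIDR console hostname, which is not the API endpoint), and, when run with network access, calls Rapid7's documented `GET /validate` endpoint with the `X-Api-Key` header to confirm the key is accepted in that region. The `--check` flag, the `RAPID7_API_KEY` environment variable and the script filename are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for the RAD Security <-> Rapid7 InsightIDR integration.
# Added example; not RAD Security's or Rapid7's code. Assumes the Insight
# Platform GET /validate endpoint and X-Api-Key header documented by Rapid7,
# and reads the key from RAPID7_API_KEY (an assumption of this example).

# Map a Rapid7 region code to its Insight Platform base URL (the Step 3 table).
region_base_url() {
  case "$1" in
    us|us2|us3|eu|ca|au|ap) printf 'https://%s.api.insight.rapid7.com\n' "$1" ;;
    *) printf 'unknown Rapid7 region: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Reduce a pasted URL to the bare scheme+host RAD Security expects:
# require https, drop any path (e.g. /api/3) or trailing slash, and reject
# hosts that are not *.api.insight.rapid7.com (the console URL
# us2.idr.insight.rapid7.com is rejected, because it is not the API host).
normalize_base_url() {
  url=$1
  case "$url" in
    https://*) ;;
    *) printf 'base URL must start with https://: %s\n' "$url" >&2; return 1 ;;
  esac
  host=${url#https://}
  host=${host%%/*}            # keep only the host part
  case "$host" in
    *.api.insight.rapid7.com) ;;
    *) printf 'not an Insight Platform API host: %s\n' "$host" >&2; return 1 ;;
  esac
  region=${host%%.*}          # first label is the region code
  region_base_url "$region"
}

# Live check (needs network): validate the key against the regional endpoint.
# Prints the HTTP status: 200 means the key is accepted for this region,
# 401 means the key is wrong, revoked, or used against the wrong region.
validate_key() {
  base=$(normalize_base_url "$1") || return 1
  if [ -z "${RAPID7_API_KEY:-}" ]; then
    echo 'set RAPID7_API_KEY from your secrets vault; do not pass the key as an argument' >&2
    return 1
  fi
  curl -s -o /dev/null -w '%{http_code}\n' \
       -H "X-Api-Key: $RAPID7_API_KEY" -H 'Accept: application/json' \
       "$base/validate"
}

# Usage: RAPID7_API_KEY=... sh rapid7_check.sh --check https://us2.api.insight.rapid7.com/api/3
if [ "${1:-}" = "--check" ]; then
  validate_key "$2"
fi
```

The key is read from the environment rather than from argv so it does not land in shell history or `ps` output; the normalized URL the script prints is the value to enter in the URL field, and a 401 from `/validate` is the same "Authentication Failed" condition described under Troubleshooting below.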
What Data is Synced
Once configured, RAD Security will sync the following data with Rapid7 InsightIDR:
Security Events
- Threat detections and alerts
- Security incidents
- Attacker behavior indicators
- Investigation findings
- Alert timeline data
User Behavior Data
- Authentication events
- User activity patterns
- Anomalous behavior detections
- Privilege escalation attempts
- Account compromise indicators
Log Data
- Security event logs
- Authentication logs
- Network activity logs
- Endpoint activity
- Custom log sources
Investigation Data
- Incident timelines
- Investigation notes
- Evidence artifacts
- Threat actor TTPs
- Correlation results
Use Cases
User Behavior Analytics
Correlate RAD Security runtime events with InsightIDR’s user behavior analytics to detect anomalous activities.
Attacker Behavior Detection
Identify attacker tactics, techniques, and procedures (TTPs) across endpoints and containerized infrastructure.
Automated Investigation
Leverage InsightIDR’s automated investigation capabilities with RAD Security’s runtime context.
Incident Response
Streamline incident response by correlating container security events with broader organizational security data.
Troubleshooting
Authentication Failed
Possible causes:
- API key is incorrect or expired
- Service user account was deactivated
- Wrong regional API URL
To resolve:
- Verify the API key is copied correctly (no extra spaces)
- Check that the service user account is still active
- Confirm you're using the correct regional URL for your instance
- Generate a new API key if the current one is lost or compromised
Insufficient Permissions
Possible causes:
- Service user doesn't have required roles
- User not assigned to Insight IDR product
- Roles were removed or changed
To resolve:
- Log in as admin and verify user roles
- Ensure user has both "Insight IDR Analyst" and "Log Search View Only" roles
- Verify user is assigned to Insight IDR product
- Check that roles haven't been modified
No Data Syncing
Possible causes:
- No security events in InsightIDR yet
- Initial sync still in progress
- Log sources not configured
- API rate limits reached
To resolve:
- Verify InsightIDR has active log sources
- Allow up to 15 minutes for initial data sync
- Check that collectors are sending data to InsightIDR
- Review integration logs in RAD Security for specific errors
- Monitor API usage to ensure you're within rate limits
Wrong Regional URL
Possible causes:
- Using incorrect regional endpoint
- Including path components in URL
- Using old API endpoint format
To resolve:
- Verify you're using the correct region (US, US2, US3, EU, CA, AU, AP)
- Ensure the URL is the base only (e.g., https://us2.api.insight.rapid7.com)
- Remove any path components such as /api/3
- Check your InsightIDR console URL to determine your region, but do not use the console URL itself as the API endpoint
API Key Issues
Possible causes:
- API key was manually revoked
- Service user password was changed
- Key expired or deleted
To resolve:
- Log in as the service user
- Navigate to API Keys management
- Check if the key still exists and is active
- Generate a new API key if needed
- Update the key in RAD Security integration settings
Service User Account Problems
Possible causes:
- Service user was deleted or suspended
- Account locked due to failed login attempts
- Email address changed or invalid
To resolve:
- Log in as admin and verify the service user exists
- Check the account status is Active
- Unlock the account if it was locked
- Verify the email address is accessible
- Reactivate the account if it was suspended
Security Best Practices
Use Service Accounts
Create a dedicated service account with a service email address to ensure continuity.
Least Privilege Roles
Only assign Insight IDR Analyst and Log Search View Only roles unless higher permissions are specifically required.
Rotate API Keys
Periodically rotate API keys as part of your security hygiene practices.
Secure Key Storage
Store API keys in a secure password manager or secrets vault. Never commit them to version control.
Monitor API Usage
Review API key usage in Rapid7 to detect any anomalous activity.
Audit User Access
Regularly review service user permissions and ensure they remain appropriate.
API Key Management
To manage your API keys:
1
View Existing Keys
Log in as the service user and navigate to API Keys to view all active keys
2
Rotate Keys
- Create a new API key with a different name (keep the old key active for now)
- Update RAD Security with the new key
- Verify the integration shows Connected and events are still syncing
- Delete the old key only after the new one is confirmed working
3
Revoke Compromised Keys
If a key is compromised, immediately revoke it and generate a new one
Additional Resources
Platform API Keys
Official guide to managing Rapid7 platform API keys
Supported Regions
Complete list of regional API endpoints
Rapid7 InsightVM
Configure Rapid7 InsightVM for vulnerability management