Rapid7 InsightCloudSec
Rapid7 InsightCloudSec is a cloud security tool that provides visibility into your cloud environments. You can bring access key, bucket, cloud, user account, virtual machine, and security data from Rapid7 InsightCloudSec into Brinqa to gain a more comprehensive view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Rapid7 InsightCloudSec, and how to obtain that information from Rapid7. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Rapid7 InsightCloudSec from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Rapid7 InsightCloudSec with Brinqa:
- Base URL: Your organization's Rapid7 InsightCloud server URL. The default format is https://insightcloudsec.<mycompany>.com.
  - Replace <mycompany> with the hostname of your Rapid7 InsightCloudSec server, e.g., https://insightcloudsec.brinqa.com.
- API key: The access key associated with the Rapid7 InsightCloudSec account, which must have permissions to log in to the API server and return data.
Generate a Rapid7 InsightCloudSec API key
For the Rapid7 InsightCloudSec connector to access the InsightCloudSec API, you must provide an API key. To do so, follow these steps:
- Log in to your organization's Rapid7 InsightCloudSec server as an administrator.
- Click Settings > API Keys. You have two options:
  - Organization Key: The organization key is tied to an organization as a whole. An organization key can be used to authenticate API requests and also provides access to all data within the organization. Only administrators can create organization API keys.
  - User Key: The user key is tied to a specific user account and can be used to authenticate API requests made by that user. The user key inherits the permissions of the user who creates the API key.

  While both keys can be used to authenticate API requests, Brinqa recommends that you generate a User Key. This is because User Keys can provide more controlled access.
- Click New User Key.
- Select an organization and provide a name for the key.
- Click Generate.
  Your new API key displays. You cannot view the key after this, so copy the key and save it to a secure location.
- Click Done.
If you do not have the permissions to create an API key, contact your Rapid7 administrator. For additional information, see Rapid7 documentation.
Additional settings
The Rapid7 InsightCloudSec connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
- Parallel requests: The maximum number of parallel API requests. The default setting is 8.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Rapid7 InsightCloudSec API before giving up and reporting a failure. The default setting is 5.
- Skip certificate verification: Select this option to allow for untrusted certificates.
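The following pre-flight check is an added example, not code from Brinqa or Rapid7. It validates a Base URL and shows, for a Python TLS client, the difference between a verified connection and one that accepts untrusted certificates. The function names are hypothetical, and treating the Skip certificate verification option as equivalent to disabling certificate and hostname checks is an assumption about the setting, not a description of the connector's internals.

```python
import socket
import ssl
from urllib.parse import urlsplit


def parse_base_url(base_url):
    """Return (host, port) for a Base URL, rejecting values TLS cannot protect."""
    if "<" in base_url or ">" in base_url:
        raise ValueError("replace the <mycompany> placeholder with your hostname")
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("Base URL must use https")
    if not parts.hostname:
        raise ValueError("Base URL has no hostname")
    if parts.username or parts.password:
        raise ValueError("Base URL must not embed credentials")
    return parts.hostname, parts.port or 443


def tls_context(skip_verification=False):
    """Verified client context by default; unverified when skipping (assumed behaviour)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if skip_verification:
        # Order matters: hostname checking must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def certificate_status(base_url, timeout=5.0):
    """Handshake with full verification; report 'trusted' or the verification error."""
    host, port = parse_base_url(base_url)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with tls_context().wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:
        # Typical causes: private CA not in the trust store, expired or mismatched cert.
        return f"untrusted: {exc.verify_message}"


if __name__ == "__main__":
    # Offline demonstration using the example hostname given on this page.
    print(parse_base_url("https://insightcloudsec.brinqa.com"))
    print(tls_context().verify_mode, tls_context(skip_verification=True).verify_mode)
```

Running `certificate_status` against your own server from the host that will make the connection shows whether the certificate already validates, in which case Skip certificate verification can stay unselected.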
Types of data to retrieve
The Rapid7 InsightCloudSec connector can retrieve the following types of data from the InsightCloudSec API:
Table 1: Data retrieved from Rapid7 InsightCloudSec
Connector Object | Required | Maps to Data Model |
---|---|---|
Access Key | No | Cloud Resource |
Bucket | No | Cloud Resource |
Cloud Account | Yes | Cloud Resource |
Cloud Log Configuration | No | Cloud Resource |
Encryption Key | No | Cloud Resource |
User Account | No | Cloud Resource |
Violation | No | Violation |
Violation Definition | No | Violation Definition |
Virtual Machine | Yes | Host |
The Rapid7 InsightCloudSec connector does not currently support operation options for the types of data it retrieves.
For detailed steps on how to view the data retrieved from Rapid7 InsightCloudSec in the Brinqa Platform, see How to view your data.
Attribute mappings
The sections below list the mappings between the source and the Brinqa data model attributes.
Access Key
Table 2: Access Key attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
common.account | Local variable(CLOUD_ACCOUNT_NAME) |
common.accountId | Local variable(CLOUD_ACCOUNT_ID) |
common.availabilityZone | Local variable(AVAILABILITY_ZONE) |
common.cloud | Local variable(CLOUD_PLATFORM) |
common.creationTimestamp | sourceCreatedDate |
common.discoveredTimestamp | firstSeen, Local variable(DISCOVERED_DATE) |
common.modifiedTimestamp | sourceLastModified |
common.namespaceId | Local variable(NAMESPACE_ID) |
common.organizationServiceId | Local variable(CLOUD_ORGANIZATION_ID) |
common.providerId | Local variable(PROVIDER_ID) |
common.region | region |
common.resourceId | Local variable(RESOURCE_ID) |
common.resourceName | name, Local variable(RESOURCE_NAME) |
common.resourceType | Local variable(RESOURCE_TYPE) |
common.tags | tags |
description | description |
resource.accessKeyId | Local variable(KEY_ID) |
resource.ageInDays | Local variable(AGE_IN_DAYS) |
resource.createdDate | sourceCreatedDate |
resource.expirationDate | Local variable(EXPIRATION_DATE) |
resource.lastUsedDate | Local variable(LAST_USED_DATE) |
resource.namespaceId | Local variable(NAMESPACE_ID) |
resource.roleName | Local variable(PRINCIPAL_NAME) |
resource.roleResourceId | Local variable(PRINCIPAL_RESOURCE_ID) |
resource.status | status |
resource.uid | uid |
resource.userManaged | Local variable(USER_MANAGED) |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Bucket
Table 3: Bucket attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
common.account | Local variable(CLOUD_ACCOUNT_NAME) |
common.accountId | Local variable(CLOUD_ACCOUNT_ID) |
common.availabilityZone | Local variable(AVAILABILITY_ZONE) |
common.cloud | Local variable(CLOUD_PLATFORM) |
common.creationTimestamp | sourceCreatedDate |
common.discoveredTimestamp | firstSeen, Local variable(DISCOVERED_DATE) |
common.modifiedTimestamp | sourceLastModified |
common.namespaceId | Local variable(NAMESPACE_ID) |
common.organizationServiceId | Local variable(CLOUD_ORGANIZATION_ID) |
common.providerId | Local variable(PROVIDER_ID) |
common.region | region |
common.resourceId | Local variable(RESOURCE_ID) |
common.resourceName | Local variable(RESOURCE_NAME) |
common.resourceType | Local variable(RESOURCE_TYPE) |
common.tags | tags |
description | description |
name | name |
resource.globalEncryption | Local variable(GLOBAL_ENCRYPTION) |
resource.uid | uid |
status | status |
Cloud Account
Table 4: Cloud Account attribute mappings
Source Field Name | Maps to Attribute |
---|---|
cloud.accountId | uid |
cloud.creationTime | sourceCreatedDate |
cloud.edhRole | Local variable(EDH_ROLE) |
cloud.groupResourceId | Local variable(RESOURCE_ID) |
cloud.lastRefreshed | Local variable(LAST_REFRESHED) |
cloud.name | name |
cloud.resourceCount | Local variable(RESOURCE_COUNT) |
cloud.resourceId | Local variable(GROUP_RESOURCE_ARN) |
cloud.roleArn | Local variable(ROLE_ARN) |
cloud.status | status |
cloud.tenantId | Local variable(TENANT_ID) |
cloud.typeId | Local variable(CLOUD_PLATFORM) |
Cloud Log Configuration
Table 5: Cloud Log Configuration attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
common.account | Local variable(CLOUD_ACCOUNT_NAME) |
common.accountId | Local variable(CLOUD_ACCOUNT_ID) |
common.availabilityZone | Local variable(AVAILABILITY_ZONE) |
common.cloud | Local variable(CLOUD_PLATFORM) |
common.creationTimestamp | sourceCreatedDate |
common.discoveredTimestamp | firstSeen, Local variable(DISCOVERED_DATE) |
common.modifiedTimestamp | sourceLastModified |
common.namespaceId | Local variable(NAMESPACE_ID) |
common.organizationServiceId | Local variable(CLOUD_ORGANIZATION_ID) |
common.providerId | Local variable(PROVIDER_ID) |
common.region | region |
common.resourceId() | Local variable(RESOURCE_ID) |
common.resourceName | Local variable(RESOURCE_NAME) |
common.resourceType | Local variable(RESOURCE_TYPE) |
common.tags | tags |
description | description |
name, resource.name | name |
resource.isLogging | isLogging |
resource.locked | locked |
resource.multiRegion | multiRegion |
resource.retentionDays | retentionDays |
resource.storageContainerName | bucketName |
resource.uid | uid |
status | status |
Encryption Key
Table 6: Encryption Key attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
common.account | Local variable(CLOUD_ACCOUNT_NAME) |
common.accountId | Local variable(CLOUD_ACCOUNT_ID) |
common.availabilityZone | Local variable(AVAILABILITY_ZONE) |
common.cloud | Local variable(CLOUD_PLATFORM) |
common.creationTimestamp, resource.createDate | sourceCreatedDate |
common.discoveredTimestamp | firstSeen, Local variable(DISCOVERED_DATE) |
common.modifiedTimestamp, resource.modifiedDate | sourceLastModified |
common.namespaceId | Local variable(NAMESPACE_ID) |
common.organizationServiceId | Local variable(CLOUD_ORGANIZATION_ID) |
common.providerId | Local variable(PROVIDER_ID) |
common.region | region |
common.resourceId() | Local variable(RESOURCE_ID) |
common.resourceName | Local variable(RESOURCE_NAME) |
common.resourceType | Local variable(RESOURCE_TYPE) |
common.tags | tags |
description | description |
name, | name |
resource.arn | Local variable(ARN) |
resource.customerManaged | Local variable(CUSTOMER_MANAGED) |
resource.isPublic | Local variable(IS_PUBLIC) |
resource.keyId | Local variable(KEY_ID) |
resource.keyRotation | Local variable(KEY_ROTATION) |
resource.name | name |
resource.origin | Local variable(ORIGIN) |
resource.parentResourceId | Local variable(PARENT_RESOURCE_ID) |
resource.resourceCount | Local variable(RESOURCE_COUNT) |
resource.scheduledDeletionDate | Local variable(SCHEDULED_DELETION_DATE) |
resource.state | Local variable(STATE) |
resource.trustedAccounts | Local variable(TRUSTED_ACCOUNTS) |
resource.uid | uid |
status, resource.enabled | status |
User Account
Table 7: User Account attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
common.account | Local variable(CLOUD_ACCOUNT_NAME) |
common.accountId | Local variable(CLOUD_ACCOUNT_ID) |
common.availabilityZone | Local variable(AVAILABILITY_ZONE) |
common.cloud | Local variable(CLOUD_PLATFORM) |
common.creationTimestamp | sourceCreatedDate |
common.discoveredTimestamp | firstSeen, Local variable(DISCOVERED_DATE) |
common.modifiedTimestamp | sourceLastModified |
common.namespaceId | Local variable(NAMESPACE_ID) |
common.organizationServiceId | Local variable(CLOUD_ORGANIZATION_ID) |
common.providerId | Local variable(PROVIDER_ID) |
common.region | region |
common.resourceId | Local variable(RESOURCE_ID) |
common.resourceName | Local variable(RESOURCE_NAME) |
common.resourceType | Local variable(RESOURCE_TYPE) |
common.tags | tags |
description | description |
name | name |
resource.activeApiKeys | Local variable(ACTIVE_API_KEYS) |
resource.admin | Local variable(ADMIN) |
resource.ageInDays | Local variable(AGE_IN_DAYS) |
resource.disabled | status |
resource.email | |
resource.inactiveApiKeys | Local variable(INACTIVE_API_KEYS) |
resource.inlinePolicies | Local variable(INLINE_POLICY_COUNT) |
resource.loginProfile | Local variable(LOGIN_PROFILE) |
resource.managedPolicyCount | Local variable(MANAGED_POLICY_COUNT) |
resource.passwordLastChanged | Local variable(PASSWORD_LAST_CHANGED) |
resource.passwordLastUsed | Local variable(PASSWORD_LAST_USED) |
resource.policyCount | Local variable(POLICY_COUNT) |
resource.twoFactorEnabled | Local variable(MFA_ENABLED) |
resource.uid | uid |
resource.userName | username |
resource.userId | Local variable(USER_ID) |
status | status |
Violation
Table 8: Violation attribute mappings
Source Field Name | Maps to Attribute |
---|---|
cloud.id | cloudAccountId |
finding.identifiedAt | firstFound |
finding.insightId | type |
finding.resourceId | targets |
last found | lastFound |
status | status |
status category | statusCategory |
uid | uid |
Violation Definition
Table 9: Violation Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
insight.author | Local variable(AUTHOR) |
insight.description | summary |
insight.filters | Local variable(QUERY_FILTERS) |
insight.insertedAt | sourceCreatedDate |
insight.name | name |
insight.notes, notes.getDescription | description |
insight.released | Local variable(RELEASED) |
insight.resourceTypes | Local variable(RESOURCE_TYPES) |
insight.severity | severity(normalized), severityScore, sourceSeverity |
insight.source | Local variable(SOURCE) |
insight.supportedClouds | Local variable(SUPPORTED_CLOUDS) |
insight.updatedAt | sourceLastModified |
notes.getRecommendation | recommendation |
uid | uid |
Virtual Machine
Table 10: Virtual Machine attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
common.account | Local variable(CLOUD_ACCOUNT_NAME) |
common.accountId | Local variable(CLOUD_ACCOUNT_ID) |
common.availabilityZone | Local variable(AVAILABILITY_ZONE) |
common.cloud | Local variable(CLOUD_PLATFORM) |
common.creationTimestamp | sourceCreatedDate |
common.discoveredTimestamp | firstSeen, Local variable(DISCOVERED_DATE) |
common.modifiedTimestamp | sourceLastModified |
common.namespaceId | Local variable(NAMESPACE_ID) |
common.organizationServiceId | Local variable(CLOUD_ORGANIZATION_ID) |
common.providerId | Local variable(PROVIDER_ID) |
common.region | region |
common.resourceId() | Local variable(RESOURCE_ID) |
common.resourceName | Local variable(RESOURCE_NAME) |
common.resourceType | Local variable(RESOURCE_TYPE) |
common.tags | tags |
description | description |
instance.imageId | image |
instance.instanceType | Local variable(INSTANCE_TYPE) |
instance.launchTime | lastStarted, Local variable(LAUNCH_TIME) |
instance.networkResourceId | Local variable(NETWORK_ID) |
instance.object_id | instanceId |
instance.platform | operatingSystem, Local variable(PLATFORM) |
instance.privateIpAddress | privateIpAddresses |
instance.publicIpAddress | publicIpAddresses |
instance.roleResourceId | Local variable(ROLE_ID) |
instance.subnetResourceId | Local variable(SUBNET_ID) |
instance.terminationProtection | Local variable(TERMINATION_PROTECTION) |
ipAddresses | ipAddresses |
name | name |
resource.uid | uid |
status, instance.state | status |
APIs
The Rapid7 InsightCloudSec connector uses the InsightCloudSec API. Specifically, it uses the following endpoints:
Table 7: Rapid7 InsightCloudSec API Endpoints
Connector Object | API Endpoint |
---|---|
Access Key | v3/public/resource/etl-query |
Bucket | v3/public/resource/etl-query |
Cloud Account | v2/public/clouds/list |
Cloud Log Configuration | v3/public/resource/etl-query |
Encryption Key | v3/public/resource/etl-query |
User Account | v3/public/resource/etl-query |
Violation | v2/public/clouds/list, v4/insights/findings-per-cloud/%s |
Violation Definition | v2/public/insights/list |
Virtual Machine | v3/public/resource/etl-query |
Changelog
The Rapid7 InsightCloudSec connector has undergone the following changes:
3.4.7
- No change.
3.4.6
- No change.
3.4.5
- No change.
3.4.4
- No change.
3.4.3
- No change.
3.4.2
- No change.
3.4.1
- Added the PROVIDER_STATUS and SOURCE_STATUS attributes to the Violation object.
3.4.0
- No change.
3.3.3
- No change.
3.2.1
- Added an additional setting, Page size, for configuring connections.
3.2.0
- Initial Integration+ release.