Skip to main content

Rapid7 InsightCloudSec

Rapid7 InsightCloudSec is a cloud security tool that provides visibility into your cloud environments. You can bring access key, bucket, cloud, user account, virtual machine, and security data from Rapid7 InsightCloudSec into Brinqa to gain a more comprehensive view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Rapid7 InsightCloudSec, and how to obtain that information from Rapid7. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Rapid7 InsightCloudSec from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Rapid7 InsightCloudSec with Brinqa:

  • Base URL: Your organization's Rapid7 InsightCloud server URL. The default format is https://insightcloudsec.<mycompany>.com.

    • Replace <mycompany> with the hostname of your Rapid7 InsightCloudSec server, e.g., https://insightcloudsec.brinqa.com.
  • API key: The access key associated with the Rapid7 InsightCloudSec account, which must have permissions to log in to the API server and return data.

Generate a Rapid7 InsightCloudSec API key

For the Rapid7 InsightCloudSec connector to access the InsightCloudSec API, you must provide an API key. To do so, follow these steps:

  1. Log in to your organization's Rapid7 InsightCloudSec server as an administrator.

  2. Click Settings > API Keys. You have two options:

    • Organization Key: The organization key is tied to an organization as a whole. An organization key can be used to authenticate API requests and also provides access to all data within the organization. Only administrators can create organization API keys.

    • User Key: The user key is tied to a specific user account and can be used to authenticate API requests made by that user. The user key inherits the permissions of the user who creates the API key.

      While both keys can be used to authenticate API requests, Brinqa recommends that you generate a User Key. This is because User Keys can provide more controlled access.

  3. Click New User Key.

  4. Select an organization and provide a name for the key.

  5. Click Generate.

    Your new API key displays. You cannot view the key after this, so copy the key and save it to a secure location.

  6. Click Done.

note

If you do not have the permissions to create an API key, contact your Rapid7 administrator. For additional information, see Rapid7 documentation.

Additional settings

The Rapid7 InsightCloudSec connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 8.

  • Maximum retries: The maximum number of times that the integration attempts to connect to the Rapid7 InsightCloudSec API before giving up and reporting a failure. The default setting is 5.

  • Skip certificate verification: Select this option to allow for untrusted certificates.

Types of data to retrieve

The Rapid7 InsightCloudSec connector can retrieve the following types of data from the InsightCloudSec API:

Table 1: Data retrieved from Rapid7 InsightCloudSec

Connector ObjectRequiredMaps to Data Model
Access KeyNoCloud Resource
BucketNoCloud Resource
Cloud AccountYesCloud Resource
Cloud Log ConfigurationNoCloud Resource
Encryption KeyNoCloud Resource
User AccountNoCloud Resource
ViolationNoViolation
Violation DefinitionNoViolation Definition
Virtual MachineYesHost
info

The Rapid7 InsightCloudSec connector does not currently support operation options for the types of data it retrieves.

For detailed steps on how to view the data retrieved from Rapid7 InsightCloudSec in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Access Key

Table 2: Access Key attribute mappings

Source Field NameMaps to Attribute
categoriescategories
common.accountLocal variable(CLOUD_ACCOUNT_NAME)
common.accountIdLocal variable(CLOUD_ACCOUNT_ID)
common.availabilityZoneLocal variable(AVAILABILITY_ZONE)
common.cloudLocal variable(CLOUD_PLATFORM)
common.creationTimestampsourceCreatedDate
common.discoveredTimestampfirstSeen, Local variable(DISCOVERED_DATE)
common.modifiedTimestampsourceLastModified
common.namespaceIdLocal variable(NAMESPACE_ID)
common.organizationServiceIdLocal variable(CLOUD_ORGANIZATION_ID)
common.providerIdLocal variable(PROVIDER_ID)
common.regionregion
common.resourceIdLocal variable(RESOURCE_ID)
common.resourceNamename, Local variable(RESOURCE_NAME)
common.resourceTypeLocal variable(RESOURCE_TYPE)
common.tagstags
descriptiondescription
resource.accessKeyIdLocal variable(KEY_ID)
resource.ageInDaysLocal variable(AGE_IN_DAYS)
resource.createdDatesourceCreatedDate
resource.expirationDateLocal variable(EXPIRATION_DATE)
resource.lastUsedDateLocal variable(LAST_USED_DATE)
resource.namespaceIdLocal variable(NAMESPACE_ID)
resource.roleNameLocal variable(PRINCIPAL_NAME)
resource.roleResourceIdLocal variable(PRINCIPAL_RESOURCE_ID)
resource.statusstatus
resource.uiduid
resource.userManagedLocal variable(USER_MANAGED)
info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Bucket

Table 3: Bucket attribute mappings

Source Field NameMaps to Attribute
categoriescategories
common.accountLocal variable(CLOUD_ACCOUNT_NAME)
common.accountIdLocal variable(CLOUD_ACCOUNT_ID)
common.availabilityZoneLocal variable(AVAILABILITY_ZONE)
common.cloudLocal variable(CLOUD_PLATFORM)
common.creationTimestampsourceCreatedDate
common.discoveredTimestampfirstSeen, Local variable(DISCOVERED_DATE)
common.modifiedTimestampsourceLastModified
common.namespaceIdLocal variable(NAMESPACE_ID)
common.organizationServiceIdLocal variable(CLOUD_ORGANIZATION_ID)
common.providerIdLocal variable(PROVIDER_ID)
common.regionregion
common.resourceIdLocal variable(RESOURCE_ID)
common.resourceNameLocal variable(RESOURCE_NAME)
common.resourceTypeLocal variable(RESOURCE_TYPE)
common.tagstags
descriptiondescription
namename
resource.globalEncryptionLocal variable(GLOBAL_ENCRYPTION)
resource.uiduid
statusstatus
Cloud Account

Table 4: Cloud Account attribute mappings

Source Field NameMaps to Attribute
cloud.accountIduid
cloud.creationTimesourceCreatedDate
cloud.edhRoleLocal variable(EDH_ROLE)
cloud.groupResourceIdLocal variable(RESOURCE_ID)
cloud.lastRefreshedLocal variable(LAST_REFRESHED)
cloud.namename
cloud.resourceCountLocal variable(RESOURCE_COUNT)
cloud.resourceIdLocal variable(GROUP_RESOURCE_ARN)
cloud.roleArnLocal variable(ROLE_ARN)
cloud.statusstatus
cloud.tenantIdLocal variable(TENANT_ID)
cloud.typeIdLocal variable(CLOUD_PLATFORM)
Cloud Log Configuration

Table 5: Cloud Log Configuration attribute mappings

Source Field NameMaps to Attribute
categoriescategories
common.accountLocal variable(CLOUD_ACCOUNT_NAME)
common.accountIdLocal variable(CLOUD_ACCOUNT_ID)
common.availabilityZoneLocal variable(AVAILABILITY_ZONE)
common.cloudLocal variable(CLOUD_PLATFORM)
common.creationTimestampsourceCreatedDate
common.discoveredTimestampfirstSeen, Local variable(DISCOVERED_DATE)
common.modifiedTimestampsourceLastModified
common.namespaceIdLocal variable(NAMESPACE_ID)
common.organizationServiceIdLocal variable(CLOUD_ORGANIZATION_ID)
common.providerIdLocal variable(PROVIDER_ID)
common.regionregion
common.resourceId()Local variable(RESOURCE_ID)
common.resourceNameLocal variable(RESOURCE_NAME)
common.resourceTypeLocal variable(RESOURCE_TYPE)
common.tagstags
descriptiondescription
name, resource.namename
resource.isLoggingisLogging
resource.lockedlocked
resource.multiRegionmultiRegion
resource.retentionDaysretentionDays
resource.storageContainerNamebucketName
resource.uiduid
statusstatus
Encryption Key

Table 6: Encryption Key attribute mappings

Source Field NameMaps to Attribute
categoriescategories
common.accountLocal variable(CLOUD_ACCOUNT_NAME)
common.accountIdLocal variable(CLOUD_ACCOUNT_ID)
common.availabilityZoneLocal variable(AVAILABILITY_ZONE)
common.cloudLocal variable(CLOUD_PLATFORM)
common.creationTimestamp, resource.createDatesourceCreatedDate
common.discoveredTimestampfirstSeen, Local variable(DISCOVERED_DATE)
common.modifiedTimestamp, resource.modifiedDatesourceLastModified
common.namespaceIdLocal variable(NAMESPACE_ID)
common.organizationServiceIdLocal variable(CLOUD_ORGANIZATION_ID)
common.providerIdLocal variable(PROVIDER_ID)
common.regionregion
common.resourceId()Local variable(RESOURCE_ID)
common.resourceNameLocal variable(RESOURCE_NAME)
common.resourceTypeLocal variable(RESOURCE_TYPE)
common.tagstags
descriptiondescription
name,name
resource.arnLocal variable(ARN)
resource.customerManagedLocal variable(CUSTOMER_MANAGED)
resource.isPublicLocal variable(IS_PUBLIC)
resource.keyIdLocal variable(KEY_ID)
resource.keyRotationLocal variable(KEY_ROTATION)
resource.namename
resource.originLocal variable(ORIGIN)
resource.parentResourceIdLocal variable(PARENT_RESOURCE_ID)
resource.resourceCountLocal variable(RESOURCE_COUNT)
resource.scheduledDeletionDateLocal variable(SCHEDULED_DELETION_DATE)
resource.stateLocal variable(STATE)
resource.trustedAccountsLocal variable(TRUSTED_ACCOUNTS)
resource.uiduid
status, resource.enabledstatus
User Account

Table 7: User Account attribute mappings

Source Field NameMaps to Attribute
categoriescategories
common.accountLocal variable(CLOUD_ACCOUNT_NAME)
common.accountIdLocal variable(CLOUD_ACCOUNT_ID)
common.availabilityZoneLocal variable(AVAILABILITY_ZONE)
common.cloudLocal variable(CLOUD_PLATFORM)
common.creationTimestampsourceCreatedDate
common.discoveredTimestampfirstSeen, Local variable(DISCOVERED_DATE)
common.modifiedTimestampsourceLastModified
common.namespaceIdLocal variable(NAMESPACE_ID)
common.organizationServiceIdLocal variable(CLOUD_ORGANIZATION_ID)
common.providerIdLocal variable(PROVIDER_ID)
common.regionregion
common.resourceIdLocal variable(RESOURCE_ID)
common.resourceNameLocal variable(RESOURCE_NAME)
common.resourceTypeLocal variable(RESOURCE_TYPE)
common.tagstags
descriptiondescription
namename
resource.activeApiKeysLocal variable(ACTIVE_API_KEYS)
resource.adminLocal variable(ADMIN)
resource.ageInDaysLocal variable(AGE_IN_DAYS)
resource.disabledstatus
resource.emailemail
resource.inactiveApiKeysLocal variable(INACTIVE_API_KEYS)
resource.inlinePoliciesLocal variable(INLINE_POLICY_COUNT)
resource.loginProfileLocal variable(LOGIN_PROFILE)
resource.managedPolicyCountLocal variable(MANAGED_POLICY_COUNT)
resource.passwordLastChangedLocal variable(PASSWORD_LAST_CHANGED)
resource.passwordLastUsedLocal variable(PASSWORD_LAST_USED)
resource.policyCountLocal variable(POLICY_COUNT)
resource.twoFactorEnabledLocal variable(MFA_ENABLED)
resource.uiduid
resource.userNameusername
resource.userIdLocal variable(USER_ID)
statusstatus
Violation

Table 8: Violation attribute mappings

Source Field NameMaps to Attribute
cloud.idcloudAccountId
finding.identifiedAtfirstFound
finding.insightIdtype
finding.resourceIdtargets
last foundlastFound
statusstatus
status categorystatusCategory
uiduid
Violation Definition

Table 9: Violation Definition attribute mappings

Source Field NameMaps to Attribute
categoriescategories
insight.authorLocal variable(AUTHOR)
insight.descriptionsummary
insight.filtersLocal variable(QUERY_FILTERS)
insight.insertedAtsourceCreatedDate
insight.namename
insight.notes, notes.getDescriptiondescription
insight.releasedLocal variable(RELEASED)
insight.resourceTypesLocal variable(RESOURCE_TYPES)
insight.severityseverity(normalized), severityScore, sourceSeverity
insight.sourceLocal variable(SOURCE)
insight.supportedCloudsLocal variable(SUPPORTED_CLOUDS)
insight.updatedAtsourceLastModified
notes.getRecommendationrecommendation
uiduid
Virtual Machine

Table 10: Virtual Machine attribute mappings

Source Field NameMaps to Attribute
categoriescategories
common.accountLocal variable(CLOUD_ACCOUNT_NAME)
common.accountIdLocal variable(CLOUD_ACCOUNT_ID)
common.availabilityZoneLocal variable(AVAILABILITY_ZONE)
common.cloudLocal variable(CLOUD_PLATFORM)
common.creationTimestampsourceCreatedDate
common.discoveredTimestampfirstSeen, Local variable(DISCOVERED_DATE)
common.modifiedTimestampsourceLastModified
common.namespaceIdLocal variable(NAMESPACE_ID)
common.organizationServiceIdLocal variable(CLOUD_ORGANIZATION_ID)
common.providerIdLocal variable(PROVIDER_ID)
common.regionregion
common.resourceId()Local variable(RESOURCE_ID)
common.resourceNameLocal variable(RESOURCE_NAME)
common.resourceTypeLocal variable(RESOURCE_TYPE)
common.tagstags
descriptiondescription
instance.imageIdimage
instance.instanceTypeLocal variable(INSTANCE_TYPE)
instance.launchTimelastStarted, Local variable(LAUNCH_TIME)
instance.networkResourceIdLocal variable(NETWORK_ID)
instance.object_idinstanceId
instance.platformoperatingSystem, Local variable(PLATFORM)
instance.privateIpAddressprivateIpAddresses
instance.publicIpAddresspublicIpAddresses
instance.roleResourceIdLocal variable(ROLE_ID)
instance.subnetResourceIdLocal variable(SUBNET_ID)
instance.terminationProtectionLocal variable(TERMINATION_PROTECTION)
ipAddressesipAddresses
namename
resource.uiduid
status, instance.statestatus

APIs

The Rapid7 InsightCloudSec connector uses the InsightCloudSec API. Specifically, it uses the following endpoints:

Table 7: Rapid7 InsightCloudSec API Endpoints

Connector ObjectAPI Endpoint
Access Keyv3/public/resource/etl-query
Bucketv3/public/resource/etl-query
Cloud Accountv2/public/clouds/list
Cloud Log Configurationv3/public/resource/etl-query
Encryption Keyv3/public/resource/etl-query
User Accountv3/public/resource/etl-query
Violationv2/public/clouds/list
v4/insights/findings-per-cloud/%s
Violation Definitionv2/public/insights/list
Virtual Machinev3/public/resource/etl-query

Changelog

The Rapid7 InsightCloudSec connector has undergone the following changes:

3.4.4

  • No change.

3.4.3

  • No change.

3.4.2

  • No change.

3.4.1

  • Added the PROVIDER_STATUS and SOURCE_STATUS attributes to the Violation object.

3.4.0

  • No change.

3.3.3

  • No change.

3.2.1

  • Added an additional setting, Page size, for configuring connections.

3.2.0