Edit: We’ve got a newer, better way for you to submit your InsightConnect plugin + workflow requests. Check it out!
Original Post
Post your plugin requests here! We need some info about the plugin you’re requesting so we can ensure we understand how you want to use it and how it’d be useful overall.
Product: What product is the plugin integrating with?
Use cases: At a high level, how would you want to use this plugin? What would it help you achieve?
Actions/Triggers: This is the place to mention any specific actions/triggers you’d want to be included, and why.
If there are any other helpful details you want to include, feel free to add those too.
Use cases: We want to automate the creation of incidents in ServiceNow based on data retrieved from InsightVM.
Actions/Triggers: Definitely want an action for creating a new incident. We may end up further expanding the automation, so actions for searching, updating, and deleting incidents would probably be good too.
We have had a few plugin requests from back in January, but here they are.
Product: MineMeld
Use case: add IP addresses and domains to an external dynamic list
Action/trigger: be able to add/remove entries in external dynamic lists for blocking IOCs
Product: ManageEngine ServiceDesk
Use case: automate the creation/closing of tickets in our ticketing system
Action/trigger: creating, updating, assigning and closing incidents. It would also be great to start a workflow based on a ticket being created and assigned to our queue
Product: Malwarebytes
Use case: scanning endpoints that we suspect may be compromised
Action/trigger: scan endpoints, remediate infected endpoints, learn when the last scan was
Thanks @ryan_fried. We have MineMeld prioritized and are working on getting a lab instance set up today.
Regarding Manage Engine, we’re planning on revamping a few of our existing ticketing integrations this quarter but I will check to see what the lift is like for ManageEngine.
For Malwarebytes, which product are you using? We looked into building an integration a couple years ago but they did not have any APIs available to our knowledge. I still don’t see any on their website, but if I’m just not looking in the right place, feel free to send me a private message or pass it on to your rep with the product name and any API documentation for it and we will dig in.
@ryan_fried It was easy to get our hands on the API and an instance so we were able to release a plugin for Palo Alto MineMeld last week. It’s available here: Rapid7 Extensions
If you have any feedback or suggestions let us know through the necessary support channels.
We would love to be able to have Cloudflare firewall event details returned (e.g. source IP) when specific block event rules are triggered. We could then take that information and enrich and/or add it to our other security platforms (e.g. Trend Micro, Cybereason, Zscaler, etc.) to block as IOCs.
Feature request to add a “Modify User” action to the Active Directory LDAP plug-in. This would be to update user attributes, including and especially adding/removing a specified user to/from Active Directory groups.
Feature request to add the ability to limit the fields returned by the Query action in the Active Directory LDAP plug-in.
That plugin alone is taking up over 9GB of Mem and 13GB of NetIO on my Orchestrator and I wonder if limiting the output to what I need could reduce this load.
Hey @john_breen, we updated the Active Directory LDAP plugin - the actions in question include “Add or Remove an Object from Group” (AD objects include specified users) and “Modify Objects” (to update user attributes). Check out the new updates on the extension library here: Rapid7 Extensions
So we renamed “Modify Groups” to “Add or Remove an Object from Group” because this action essentially allows you to add or remove specified objects (which could be Users, Computers, Organizational Units, other groups etc) to an AD group. Then the “Modify Objects” action allows you to modify the values of any attributes of an object using the attribute name. Was there other functionality you were looking for in the plugin?
No, I was just confused because I was already using “Modify Groups” to remove membership and I saw this and didn’t understand what changed. That is probably also why it changed to 4.0 and requires a manual upgrade?
Just the Query Action from rapid7/active_directory_ldap:3.2.10. (UserPrincipalName={{["Azure User"].[user_information].[userPrincipalName]}})
I restarted the container yesterday afternoon and already it is this:
CONTAINER ID   NAME                                         CPU %   MEM USAGE / LIMIT     MEM %    NET I/O           BLOCK I/O       PIDS
e967bc6fb713   rapid7_active_directory_ldap_3.2.10_action   0.03%   8.496GiB / 15.51GiB   54.77%   1.08GB / 17.6MB   31.8MB / 0B     10
The workflow that calls this has very high activity (366 runs in the last 24 hours alone).
I do know that our AD is pretty messy; one of the user profiles that I downloaded from the job was 154 KB with 45 user certs in it, so if I could only pull the fields that I want I could limit that greatly.
Please consider enhancing output options for the JSON to CSV action in the CSV (rapid7/csv:1.1.6) plugin. I am sure there was a good reason for using “bytes” but why not “string” as unformatted Unicode text to save subsequent and unnecessary type conversion or SMTP email attachment input just to see the data?