Plugin Requests

Post your plugin requests here! We need some info about the plugin you’re requesting so we can ensure we understand how you want to use it and how it’d be useful overall.

Product: What product is the plugin integrating with?

Use cases: At a high level, how would you want to use this plugin? What would it help you achieve?

Actions/Triggers: This is the place to mention any specific actions/triggers you’d want to be included, and why.

If there are any other helpful details you want to include, feel free to add those too.

2 Likes

Here’s an example of a plugin request.

Product: ServiceNow

Use cases: We want to automate the creation of incidents in ServiceNow based on data retrieved from InsightVM.

Actions/Triggers: Definitely want an action for creating a new incident. We may end up further expanding the automation, so actions for searching, updating, and deleting incidents would probably be good too.

1 Like

We have had a few plugin requests from back in January, but here they are.

Product: MineMeld
Use case: add IP addresses and domains to an external dynamic list
Action/trigger: be able to add/remove entries on external dynamic lists for blocking IOCs

Product: ManageEngine ServiceDesk
Use case: automate the creation/closing of tickets in our ticket service system
Action/trigger: creating, updating, assigning and closing incidents. Would also be great to start a workflow based on a ticket being created and assigned to our queue

Product: Malwarebytes
Use case: scanning endpoints that we suspect may be compromised
Action/trigger: scan endpoints, remediate infected endpoints, learn when the last scan was

1 Like

Thanks @ryan_fried. We have MineMeld prioritized and are working on getting a lab instance set up today.

Regarding Manage Engine, we’re planning on revamping a few of our existing ticketing integrations this quarter but I will check to see what the lift is like for ManageEngine.

For Malwarebytes, which product are you using? We looked into building an integration a couple of years ago but they did not have any APIs available to our knowledge. I still don’t see any on their website, but if I’m just not looking in the right place, feel free to send me a private message or pass it on to your rep with the product name and any API documentation for it and we will dig in.

Thanks

Thanks! For Malwarebytes, we use Cloud Incident Response.

I found this documentation for integration with another SOAR platform.

It looks like the Malwarebytes Cloud IR platform was renamed to Nebula, which is what we use.

1 Like

https://mwbcloud.ngrok.io/api/nebula.html

1 Like

@ryan_fried It was easy to get our hands on the API and an instance so we were able to release a plugin for Palo Alto MineMeld last week. It’s available here: https://extensions.rapid7.com/extension/palo_alto_mine_meld

If you have any feedback or suggestions let us know through the necessary support channels.

2 Likes

We would love to be able to have Cloudflare firewall event details returned (e.g. source IP) when specific block event rules are triggered. We could then take that information and enrich and/or add it to our other security platforms (e.g. Trend Micro, Cybereason, Zscaler, etc.) to block as IOCs.

https://api.cloudflare.com/

1 Like

Feature request to add a “Modify User” action to the Active Directory LDAP plug-in. This would be to update user attributes, including and especially adding/removing a specified user to/from Active Directory groups.


1 Like

Feature request to add the ability to limit the fields returned by the Query action in the Active Directory LDAP plug-in.
That plugin alone is taking up over 9GB of Mem and 13GB of NetIO on my Orchestrator and I wonder if limiting the output to what I need could reduce this load.

1 Like

Hey @john_breen, we updated the Active Directory LDAP plugin. The actions in question include “Add or Remove an Object from Group” (AD objects include specified users) and “Modify Objects” (to update user attributes). Check out the new updates on the extension library here: https://extensions.rapid7.com/extension/active_directory_ldap#Documentation-Technical-Details-Actions-Modify-Object

1 Like

What is different from the Action that was there “Modify Groups”?

So we renamed “Modify Groups” to “Add or Remove an Object from Group” because this action essentially allows you to add or remove specified objects (which could be Users, Computers, Organizational Units, other groups etc) to an AD group. Then the “Modify Objects” action allows you to modify the values of any attributes of an object using the attribute name. Was there other functionality you were looking for in the plugin?

No, I was just confused because I was already using “Modify Groups” to remove membership and I saw this and didn’t understand what changed. That is probably also why it changed to 4.0 and requires a manual upgrade?

Yes, exactly

Is this feature in the backlog of work? My container again got to 10GB of Memory today and required a restart to free it up.

Yes, we’re talking about this now. Can you give us more info about what you’re doing with the plugin when this happens?

(Based on what I’m reading above, are you just getting a massive payload on one of the actions?)

Just the Query Action from rapid7/active_directory_ldap:3.2.10.
(UserPrincipalName={{["Azure User"].[user_information].[userPrincipalName]}})

I restarted the container yesterday afternoon and already it is this:

CONTAINER ID   NAME                                         CPU %   MEM USAGE / LIMIT     MEM %    NET I/O           BLOCK I/O     PIDS
e967bc6fb713   rapid7_active_directory_ldap_3.2.10_action   0.03%   8.496GiB / 15.51GiB   54.77%   1.08GB / 17.6MB   31.8MB / 0B   10

The workflow that calls this has very high activity (366 runs in the last 24 hours alone).
I do know that our AD is pretty messy; one of the user profiles that I downloaded from the job was 154kb with 45 user certs in it, so if I could pull only the fields that I want I could limit that greatly.
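Two things a workflow author can do on their own side of that Query action, shown as an added example that is not the plugin's code: escape the UPN that arrives from the Azure User step before it is interpolated into the filter (RFC 4515), and ask only for the attributes the workflow uses so userCertificate blobs never cross the wire. The attribute list and the sample directory entry are constructed assumptions.

```python
import json

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed attribute set for a ticketing/enrichment workflow; it deliberately
# omits userCertificate and other binary attributes that bloat the response.
DEFAULT_ATTRIBUTES = ("sAMAccountName", "userPrincipalName", "mail", "memberOf", "distinguishedName")


def escape_filter_value(value: str) -> str:
    """Escape a value from an upstream system before it goes into an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_upn_query(upn: str, attributes=DEFAULT_ATTRIBUTES):
    """Return (search filter, attribute list) for a single-user lookup by UPN."""
    search_filter = f"(UserPrincipalName={escape_filter_value(upn)})"
    return search_filter, list(attributes)


def project_entry(entry: dict, attributes) -> dict:
    """Keep only the requested attributes of a returned entry (names are case-insensitive)."""
    wanted = {a.lower() for a in attributes}
    return {k: v for k, v in entry.items() if k.lower() in wanted}


def payload_size(entry: dict) -> int:
    """Approximate the serialized size of an entry as a plugin would emit it."""
    return len(json.dumps(entry).encode())


# Constructed sample entry standing in for the messy profile described above:
# 45 fake certificate blobs of roughly 3 KB each, not real directory data.
SAMPLE_ENTRY = {
    "distinguishedName": "CN=Jane Doe,OU=Users,DC=example,DC=com",
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@example.com",
    "mail": "jdoe@example.com",
    "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"],
    "userCertificate": ["MIID" + "A" * 3000 for _ in range(45)],
}

if __name__ == "__main__":
    flt, attrs = build_upn_query("j*doe)(objectClass=*")
    print(flt)  # special characters are escaped, not interpreted as filter syntax
    full, trimmed = payload_size(SAMPLE_ENTRY), payload_size(project_entry(SAMPLE_ENTRY, attrs))
    print(f"full entry: {full} bytes, projected: {trimmed} bytes")
```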