Configure Incident Command

Incident Command is the AI-native security operations platform within the Rapid7 Command Platform that provides a unified interface for detecting, investigating, and responding to security threats within your Security Operations Center (SOC). This topic outlines what to expect during configuration and how to approach each phase of the Incident Command deployment process.

Want to better understand Rapid7 terms?

If you're looking to get familiar with the terminology used across Rapid7 products and services, check out the Rapid7 Glossary. You can always access it from the left-hand menu for quick reference.

Phase 1: Prepare for configuration

Start by setting up the foundations for Incident Command. Confirm that you can access the Command Platform and determine which roles your team will need. This phase ensures you’re ready to use Incident Command effectively and helps your team hit the ground running with clarity and confidence.

The Rapid7 Command Platform is your base within the ecosystem of Rapid7 cloud offerings, modules, and services. To log in to the platform, you need a Rapid7 Command Platform account.

Already have a Command Platform account?

If you already have a Command Platform account from a trial or existing subscription to another Rapid7 solution, you’re all set! Use your existing email address to log in to insight.rapid7.com/login.

To create an account:

  1. Check your corporate email inbox for an email from the Rapid7 Command Platform team.
  2. Visit insight.rapid7.com/login.
  3. Select Haven’t activated your account?.
  4. Enter your corporate email address to receive an activation email with next steps. If you do not receive an activation email, reach out to your Customer Adoption Manager (CAM) or Customer Success Advisor (CSA).
  5. Refer to the activation email and follow the instructions to create and activate your Command Platform account.

After your Command Platform account is set up, assign yourself the following roles to ensure you have the necessary permissions to use Incident Command.

Capability Role
Automation Administrator (Shared)
SIEM SIEM Admin, Log Search Admin, Velociraptor Investigator (Ultimate tier)
Attack Surface Management Attack Surface Management Admin
Threat Intelligence Threat Intelligence Admin

Phase 2: Configure modules

After you confirm access to the Command Platform and assign the necessary roles, configure the modules included with Incident Command:

Start using Threat Intelligence without setup

Threat Intelligence doesn't require setup. You can start using it immediately.
Already using Rapid7 SIEM?

If so, you can skip the Configure SIEM section. Set up Attack Surface Management and Automation to use these new capabilities alongside your existing SIEM implementation.

Configure Attack Surface Management

To set up Attack Surface Management, install and configure the foundational connectors that power data correlation across the platform. This is the first step to unifying asset data across hybrid environments to break down silos and provide a comprehensive, real-time view of your attack surface.

Some connectors are installed turned on and scheduled by default

When you access the Connectors page for the first time, you’ll see several pre-installed connectors that run by default, including Rapid7 Command Platform, Attack Surface Management Built-ins, Dashboards, and Machine Learning services. These connectors provide essential platform functionality and don't require configuration or management.

To install and schedule a connector:

  1. Go to Connectors.
  2. Click + Connector to open the Rapid7 Extension Library.
  3. Search for and select the following recommended connectors to install:

    • MITRE CWE

    • MITRE D3FEND

  4. Click Install.
  5. Follow the prompts to create a connector profile, configure the required settings, and schedule the connector, if applicable.
  6. Click Save to save your configuration.
  7. Repeat these steps for each connector you want to add.

Configure SIEM

If you're not already using SIEM, configure this module to establish your security center for incident detection and response, authentication monitoring, and endpoint visibility.

To configure SIEM, install a Collector, deploy the Rapid7 Agent, and set up core event sources.

For additional information on setting up SIEM, see the SIEM Quick Start Guide.

The Collector is the on-premises component of SIEM that either polls or receives data from event sources and makes the data available for SIEM to analyze. The Collector captures the data generated by event sources, compresses the data, encrypts it, and pushes it up to the Command Platform. The Command Platform then normalizes, attributes, analyzes, and presents the data for search.

To install the Collector:

  1. Identify all the servers where event source data originates from. Many networks consolidate security and network administration tools and services in a data center or corporate office. This central location is an ideal place to deploy a Collector on a dedicated host.
  2. Review the Collector Requirements.
  3. Install collectors on network servers or virtual machines that meet the following requirements:
    • 4 CPU cores with 2GHz+ on each core
    • 8 GB RAM recommended
    • 60 GB+ available disk space
    • Configured with a Fully Qualified Domain Name (FQDN) such as idrcollector23.myorg.com

For more information, see Collector Installation and Deployment.

The Rapid7 Agent enables SIEM to provide continuous endpoint security monitoring and powers File Integrity Monitoring (FIM). The Rapid7 Agent collects live system information–including basic asset identification information, running processes, and logs–from your assets and sends it to the Command Platform for analysis. Combined with network and user data, this helps you identify stealthy attacks for both your critical and remote assets.

You can deploy the Rapid7 Agent on your target assets using either a token-based installer or certificate package installer. The token-based installer uses a token to download configuration files, whereas the certificate package installer provides a .zip file with the configuration files.

To deploy the Rapid7 Agent:

  1. Decide which installer is best suited for your environment.
  2. Read the steps to download the installer and follow the instructions.

Ransomware Prevention is bundled with Incident Command Ultimate and extends Endpoint Prevention capabilities to assets with the Rapid7 Agent installed. With Ransomware Prevention, you can detect and block suspicious behavior associated with ransomware and malware attacks. This add-on is compatible with third-party Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) solutions and can run alongside existing endpoint security tools.

To set up Ransomware Prevention:

  1. Install the Rapid7 Agent - Make sure the Rapid7 Agent is installed on each asset you want to protect.
  2. Verify environment compatibility - Review the Ransomware Prevention add-on requirements to confirm your environment meets all prerequisites.
  3. Install Ransomware Prevention - Choose a deployment method and follow the instructions to install the add-on.

To use out-of-the-box compliance dashboards and reports, you must set up these event sources. Setup instructions for each event source can vary depending on the technology you use.

Event Source Required For Description
LDAP (Advanced and Ultimate tiers) Detection Rules and Legacy Detection Rules Adding a Lightweight Directory Access Protocol (LDAP) server allows SIEM to track the users, admins, and security groups contained in the domain and to link account activity with real users to identify privileged and service accounts.

To add the LDAP event source:

  • Designate a Service Account with the correct permissions.

  • Open Port 636 (LDAPS) between the Collector and the LDAP server.

For detailed setup instructions, see LDAP.
Active Directory Detection Rules and Legacy Detection Rules Active Directory provides security logs from your domain controllers and authentication and administrative events for your domain users. Make sure that you add one Active Directory event source for each domain controller.

To add the Active Directory event source:

  • Open ports 135, 139, and 445 between the Collector and Active Directory.

  • Designate a Service Account with the correct permissions.

For detailed setup instructions, see Active Directory.
DHCP Legacy Detection Rules Dynamic Host Configuration Protocol (DHCP) event logs provide IP lease information to correlate each IP address with its assigned host at the time of the event.

To add the DHCP event source, choose one of the following methods:

  • Domain Admin Account: Use this method if you want to collect logs using a Domain Admin account.

  • NXLog: Use this method if you don’t want to use a Domain Admin account to collect logs.
DNS Legacy Detection Rules Connecting DNS as an event source allows SIEM to gather DNS logs which provides more information about web traffic. DNS also provides greater visibility into destination URLs.

Connecting DNS as an event source allows SIEM to track services, incidents, and threats found on your network. DNS logs gathered from a DNS event source provide more information about web traffic. DNS also provides greater visibility into destination URLs, which can be flagged in Account Visited Suspicious Link incidents.

For instructions on how to configure DNS appliances with SIEM, see DNS.
VPN Detection Rules and Legacy Detection Rules VPN logs provide visibility into users’ remote network ingress activity and allow you to collect and verify information about user activity.

For setup instructions, see VPN.
Firewall Detection Rules By introducing Firewall data, you allow SIEM to track traffic moving in and out of your network visits to malicious domains or cloud services. More than simply collecting configuration logs and change logs, SIEM can automatically attribute connection events to the users and endpoints that are accessing such websites.

We recommend you set up separate Firewall event sources for each Firewall type.

To add a Firewall event source:

  • Determine which Firewall event source(s) best suits your needs and follow the related configuration steps.

For setup instructions for each type of Firewall event source, see Firewall.

Set up Automation

Set up Automation to start building automated workflows that handle security operations tasks. For more information on Automation, refer to Get Started with Automation and then return to this guide.

Phase 3: Validate configuration and explore

Now that you're properly set up, use your dashboards to monitor security operations and validate that your environment is functioning as expected. If your dashboards are empty, it means no data is coming in. Refer back to Phase 2: Configure modules.

Confirm dashboard data

The Detection & Response, MITRE ATT&CK Coverage, and AI Command Center dashboards are key to maintaining a strong security posture and help you:

  • Monitor detection and response activity in real time.

  • Evaluate coverage against attacker tactics and techniques.

  • Apply AI and machine learning technologies to accelerate investigations and decision-making.

The Detection and Response dashboard gives you a clear, unified view of your organization’s security health so your team can make faster, more confident decisions. By bringing together alert trends, Agent coverage, and telemetry insights in one intuitive dashboard, it helps you pinpoint coverage gaps, validate critical data sources, and strengthen your threat response. With clear visuals and actionable context, your analysts spend less time switching tools and more time proactively reducing risk.

The MITRE ATT&CK Coverage dashboard visualizes how your detection rules align with the MITRE ATT&CK framework, helping you identify gaps and assess how well your detections map to attacker behavior across tactics and techniques. You can also view the percentage of detection rules enabled, track adoption over time, and use this insight to prioritize where to expand coverage and strengthen your threat detection strategy.

The AI Command Center provides visibility into which AI and machine learning technologies are currently active or available across your environment. It centralizes access to Rapid7’s AI-powered capabilities, such as LLM Attack Coverage, AI CVSS Generation, AI/ML Security Best Practices, and the D&R Shadow AI Dashboard, and offers direct links to the corresponding in-platform features or learning resources, enabling you to easily explore, understand, and leverage Rapid7’s AI-driven security innovations from one unified location.

Explore Threat Intelligence (Advanced and Ultimate tiers)

Threat Intelligence delivers curated, high-fidelity threat insights directly in the Command Platform with no setup required. You can use it to enrich your detection, investigation, and response workflows with actionable intelligence derived from Rapid7 Labs' community-driven tools, such as AttackerKB, and proprietary threat and vulnerability research. If you want to push or pull indicators of compromise (IOCs) to your tools, set up IOC integrations.

With Threat Intelligence, you can:

  • Proactively respond to threats using reliable IOCs, CVEs, and TTPs enriched with Rapid7’s proprietary threat data.

  • Prioritize remediation by identifying vulnerabilities actively being exploited in the wild.

  • Enhance detection coverage and threat hunting in SIEM with context-rich threat feeds and threat actor profiles.

  • Streamline threat reporting by translating complex data into clear, actionable insights.