# Rapid7 InsightIDR

Rapid7 InsightIDR is a cloud SIEM and XDR platform that detects intrusions, lateral movement, credential theft, and other threats across endpoints, network traffic, and cloud activity. Connecting Rapid7 InsightIDR forwards investigation alerts to Radiant Security over a universal webhook.

{% hint style="info" %}
This configuration requires switching between Rapid7 InsightIDR and Radiant Security several times to copy credentials in both directions. Have both platforms open before you start.
{% endhint %}

### Prerequisites

* [ ] Admin access to Rapid7 InsightIDR

### Create the user and API Key in Rapid7 InsightIDR

1. In Rapid7 InsightIDR, in the upper-right corner, click **Settings** > **Users**.

<div align="left"><figure><img src="/files/SydtM1Dz2mfMddn8KMcZ" alt=""><figcaption></figcaption></figure></div>

2. Click **Create User**.

<div align="left"><figure><img src="/files/veMM3GoxzeK1bshN2Jub" alt=""><figcaption></figcaption></figure></div>

3. Under **User Details**, enter values for **First Name**, **Last Name**, and **Email**, then click **Next**.

<div align="left"><figure><img src="/files/3QFCojd16P39vZ5ae6Fs" alt="" width="563"><figcaption></figcaption></figure></div>

4. Click the **Manage Individual Permissions** tab.
5. On the **Products** tab, toggle **InsightIDR** to enabled.

<div align="left"><figure><img src="/files/saXfkEsyOh9BnEF0QPQ4" alt="" width="563"><figcaption></figcaption></figure></div>

6. Click the **Roles** tab, then select the **InsightIDR Analyst** and **Log Search Admin** role checkboxes.

<div align="left"><figure><img src="/files/tcVjnT7DBTwtqRCLJgcQ" alt="" width="563"><figcaption></figcaption></figure></div>

7. Click **Save**.
8. Sign in as the newly created user. In the upper-right corner, click **Settings** > **API Keys**.

<div align="left"><figure><img src="/files/tSbFgxEDhBHJU8hlerLv" alt=""><figcaption></figcaption></figure></div>

9. Click **Generate New User Key**.
10. Select your organization, enter a **Name** (e.g., `Radiant Security`), then click **Submit**.
11. Click **Copy** to copy the **API Key** value.

<div align="left"><figure><img src="/files/LgQATntV5qp2EAgKhX4Q" alt="" width="450"><figcaption></figcaption></figure></div>

{% hint style="warning" %}
Copy the **API Key** value now. It cannot be retrieved later.
{% endhint %}

### Start adding the data connector in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **Rapid7 Insights IDR**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **Rapid7 Insights IDR (Webhook)**, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for this credential (e.g., `Rapid7 InsightIDR Credentials`).
6. Under **Required Credentials**, enter the following:
   * **Rapid7 Investigation API Token**: the **API Key** value copied from Rapid7 InsightIDR.

Leave this page open. You will return to it after generating the HMAC Secret in Rapid7.

### Create the webhook and obtain the HMAC Secret in Rapid7 InsightIDR

1. In Rapid7 InsightIDR, click **Data Collection** > **Data Exporters** > **Add Data Exporter**.

<figure><img src="/files/z85ueHtzsMMtnjRLMvao" alt=""><figcaption></figcaption></figure>

2. Under **Select Data Exporter Type**, select **Universal Webhook**, then copy the **Secret** value.

<div align="left"><figure><img src="/files/jOUHdZ1CaHzLTchKzmgZ" alt="" width="563"><figcaption></figcaption></figure></div>

Leave this page open. You will return to it after generating the Webhook URL and Token in Radiant.

### Finish adding the data connector in Radiant Security

1. Return to the **Rapid7 Insights IDR (Webhook)** connector you started in Radiant Security.
2. Under **Required Credentials**, enter the following:
   * **Rapid7 Webhook HMAC Secret**: the **Secret** value copied from Rapid7 InsightIDR.
3. Click **Add Connector**.
4. Click **View Details** on the newly created connector.
5. Copy the following values to use in the next section:
   * **Token**
   * **Webhook URL**

### Complete the webhook configuration in Rapid7 InsightIDR

1. In the **Edit Data Exporter** page, paste the **Webhook URL** copied from Radiant Security into the **URL** field.
2. Under **Headers**, add the following:
   * **Key**: `X-RS-TOKEN`
   * **Value**: the **Token** copied from Radiant Security.

<div align="left"><figure><img src="/files/jdYJlHybh1lmaz6VYIAC" alt="" width="563"><figcaption></figcaption></figure></div>

3. Click **Save**.
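
The sketch below shows how a webhook receiver can check the two values this setup exchanges, the `X-RS-TOKEN` header and the HMAC Secret, and how a mispasted token or a stale secret shows up as a rejection. It is an added example, not Radiant Security or Rapid7 code. It assumes a hex HMAC-SHA256 over the raw request body carried in a hypothetical `X-Signature` header, and all secrets and the payload are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample values; the real ones are copied between the two consoles.
HMAC_SECRET = b"constructed-hmac-secret"
RS_TOKEN = "constructed-rs-token"
# Hypothetical header name: the page does not say where the signature travels.
SIGNATURE_HEADER = "X-Signature"


def sign(body: bytes, secret: bytes = HMAC_SECRET) -> str:
    """Sender side: hex HMAC-SHA256 over the exact bytes sent (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(headers: dict, body: bytes) -> str:
    """Receiver side: return 'accepted' or the reason for rejection."""
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token = headers.get("x-rs-token", "")
    # compare_digest keeps the comparison time independent of where the values differ.
    if not hmac.compare_digest(token.encode(), RS_TOKEN.encode()):
        return "rejected: bad token"
    sent = headers.get(SIGNATURE_HEADER.lower(), "")
    # Recompute over the raw bytes received, never over re-serialized JSON.
    if not hmac.compare_digest(sent.encode(), sign(body).encode()):
        return "rejected: bad signature"
    return "accepted"


# Constructed alert payload and a correctly configured request.
BODY = json.dumps({"title": "Constructed alert", "priority": "HIGH"}).encode()
GOOD = {"X-RS-TOKEN": RS_TOKEN, SIGNATURE_HEADER: sign(BODY)}

if __name__ == "__main__":
    print(verify(GOOD, BODY))                                   # correct setup
    print(verify({**GOOD, "X-RS-TOKEN": "wrong"}, BODY))        # token mispasted
    print(verify(GOOD, BODY.replace(b"HIGH", b"LOW")))          # body altered in transit
    stale = {**GOOD, SIGNATURE_HEADER: sign(BODY, b"old-secret")}
    print(verify(stale, BODY))                                  # secret changed on one side only
```
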

### Verify ingestion

After Rapid7 InsightIDR begins forwarding, confirm alerts and events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"rapid7_insight_idr"`.
3. Confirm recent alerts and events appear.

{% hint style="info" %}
Allow several minutes for alerts and events to be parsed, indexed, and available for search.
{% endhint %}


