# Rapid7 Insight IDR

{% hint style="info" %}
This alert source integration is in **beta**. It is not visible in the Dropzone UI until it has been explicitly enabled for your tenant. Contact your Dropzone AI Support Representative to request enablement.
{% endhint %}

The Dropzone AI Platform integrates with [Rapid7 Insight IDR](https://www.rapid7.com/products/insightidr/), a cloud-native SIEM and XDR solution. Dropzone can poll InsightIDR investigations as alert sources, enrich them with associated alerts and evidence (Attacker Behavior Analytics and User Behavior Analytics), and run AI-driven investigations.

### Obtain credentials

Rapid7 Insight IDR uses the [Insight platform API](https://help.rapid7.com/insightidr/en-us/api/v2/docs.html) for authentication. You need:

* API Key – An Insight platform (organization) API key with access to Rapid7 Insight IDR
* Region – The data storage region for your tenant (e.g. `us`, `us2`, `eu`, `ca`, `ap`, `au`). See [Identify your data region](#identify-your-data-region) below

### Create an API Key

Rapid7 InsightIDR requires an API key from the [Insight platform API](https://help.rapid7.com/insightidr/en-us/api/v2/docs.html) to enable

{% hint style="info" %}
Rapid7 has two types of API Keys: Organization Keys and User Keys. Organization Keys have access to all company data, while User Keys inherit the permissions of the user. To limit Dropzone's scope, you may wish to create a User Key with Read-only privileges limited to certain projects; alternatively, to improve Dropzone's analysis, you may wish to use an Organization Key. See Rapid7's [Role-Based Access Control documentation](https://docs.rapid7.com/insight/manage-users/) for more information.
{% endhint %}

To obtain an Organization API Key, do the following:

1. Log in to the [Rapid7 Insight platform](https://insight.rapid7.com)
2. Navigate to your user/account settings and locate API Keys (or equivalent for your organization)
3. Create a new API key with access to InsightIDR and copy it for use in Dropzone

### Identify your data region

Dropzone needs the **region code** for your InsightIDR data storage region (for example `us`, not a full hostname). Use either method below.

#### From the product URL

1. Open any Rapid7 product you have access to (for example InsightIDR)
2. Look at the browser URL subdomain **prefix** before `.idr.insight.rapid7.com` (or a similar Rapid7 product hostname)
3. Enter that prefix in Dropzone as the Region value

For example, if your URL is `https://us.idr.insight.rapid7.com`, enter `us` in Dropzone.

Rapid7 API hosts for your tenant follow the same prefix:

| API                       | Example hostname                          |
| ------------------------- | ----------------------------------------- |
| Insight platform (IDR v2) | `https://us.api.insight.rapid7.com`       |
| Log Search (LEQL)         | `https://us.rest.logs.insight.rapid7.com` |

For more detail, see Rapid7's [Check your data region](https://docs.rapid7.com/insight/navigate-the-insight-platform/#check-your-data-region) documentation.

#### From Organization Settings

1. In the Rapid7 Command Platform, go to Administration > Settings > Organization Settings
2. Find **Data Storage Region** (the display name for your tenant)
3. Map that label to the Region value for Dropzone using the table below

| Data Storage Region (Rapid7 UI) | Dropzone Region value |
| ------------------------------- | --------------------- |
| United States - 1               | `us`                  |
| United States - 2               | `us2`                 |
| Canada                          | `ca`                  |
| Europe                          | `eu`                  |
| Australia                       | `au`                  |
| Japan / Asia-Pacific            | `ap`                  |

For the full list of supported regions and API base URLs, see Rapid7's [Supported regions](https://docs.rapid7.com/insight/product-apis/#supported-regions) documentation.

#### If the connection test fails

When you click **Test** on the alert source, Dropzone verifies connectivity by calling the InsightIDR **investigations** API on the platform host (`{region}.api.insight.rapid7.com`). This is not the Log Search API used by the [Rapid7 Insight IDR data source](/integrations/data/rapid7-insight-idr_data.md). A wrong Region or API key can produce errors like:

```
Invalid API key or unauthorized
```

or:

```
Connection test failed: 403 ...
```

{% hint style="warning" %}
If you see these errors, re-check your **Region** using the steps above before assuming the API key is wrong. The same symptoms can appear when either value is incorrect.
{% endhint %}

1. Confirm the Region matches your Rapid7 URL prefix or the Organization Settings table (enter `us`, not `us.api.insight.rapid7.com`)
2. Re-open InsightIDR and verify the subdomain prefix (for example `us2` vs `us`)
3. If Region is correct, verify the API key is an organization key with InsightIDR access and was copied without extra spaces

For log-set or LEQL connection errors while configuring the data source, see [If the connection test fails](/integrations/data/rapid7-insight-idr_data.md#if-the-connection-test-fails) on the Rapid7 Insight IDR data source page.
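A pre-flight check for the Region and API Key values, as an added example that is not part of the Dropzone or Rapid7 documentation: it reduces a pasted product URL, hostname or Organization Settings label to the bare region code, derives the API hostnames from the tables on this page, and flags whitespace in the key. The function names and sample inputs are illustrative assumptions.

```python
from urllib.parse import urlparse

# Region labels and codes copied from the tables on this page.
LABEL_TO_REGION = {
    "United States - 1": "us", "United States - 2": "us2", "Canada": "ca",
    "Europe": "eu", "Australia": "au", "Japan / Asia-Pacific": "ap",
}
REGIONS = set(LABEL_TO_REGION.values())
SUFFIX = ".insight.rapid7.com"


def normalize_region(value: str) -> str:
    """Reduce a region code, UI label, hostname or product URL to the bare code."""
    raw = value.strip()
    if raw in LABEL_TO_REGION:
        return LABEL_TO_REGION[raw]
    host = (urlparse(raw if "://" in raw else "//" + raw).hostname or "").lower()
    # A dotted value must be a <region>.*.insight.rapid7.com hostname; anything
    # else is rejected so a typo never steers the API key toward another host.
    if "." in host and not host.endswith(SUFFIX):
        raise ValueError(f"{host!r} is not a <region>.*{SUFFIX} hostname")
    prefix = host.split(".")[0]
    if prefix not in REGIONS:
        raise ValueError(f"unknown region {prefix!r}; expected one of {sorted(REGIONS)}")
    return prefix


def api_hosts(region: str) -> dict:
    """Build the two API base URLs that share the region prefix."""
    return {
        "platform": f"https://{region}.api{SUFFIX}",
        "log_search": f"https://{region}.rest.logs{SUFFIX}",
    }


def preflight(region_input: str, api_key: str) -> dict:
    """Check both values before clicking Test; return the region, hosts and warnings."""
    warnings = []
    region = normalize_region(region_input)
    if region_input != region:
        warnings.append(f"enter {region!r} as Region, not {region_input!r}")
    if any(c.isspace() for c in api_key):
        warnings.append("API key contains whitespace; re-copy it without extra spaces")
    return {"region": region, "hosts": api_hosts(region), "warnings": warnings}


if __name__ == "__main__":
    # Constructed inputs: a product URL pasted as Region and a key with a trailing space.
    print(preflight("https://us2.idr.insight.rapid7.com/op/home", "constructed-key "))
```
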

If both Region and API key look correct, engage your Dropzone AI support representative.

In the Rapid7 Command Platform, the steps to create an Organization API Key are as follows:

* As a platform administrator, log into your Rapid7 Command Platform
* In the left menu, click "Administration"
* Click "API Key management"
* Click "Admin API Keys," then navigate to "Organization Keys"
* Click "New Admin Key"
* Select "Organization Admin Key"
* Select your organization
* Name the key something memorable, such as Dropzone AI
* Click "Generate"
* Copy the key value shown for use later in the Dropzone UI, where it is called API Key

To obtain a User API key, do the following:

* In the left menu of the Rapid7 Command Platform Home page, click "Administration"
* Click "API Key Management"
* Click "User Key"
* Click "New user Key"
* Select your organization
* Name the key something memorable, such as Dropzone AI
* Click "Generate"
* Copy the key value shown for use later in the Dropzone UI, where it is called API Key

### Enable Rapid7 Insight IDR

1. Navigate to your Dropzone AI tenant (e.g. `https://_mycompany_.dropzone.app`)
2. Go to Settings > Integrations
3. Click Available and search for Rapid7 Insight IDR
4. Click Configure
5. Enter your API Key and Region
6. Optionally configure Polling filters (priorities, statuses, sources, tags) to limit which investigations are ingested
7. Adjust Poll interval and Poll lookback if needed
8. Click Test to verify the connection, then Save

To enable the Alert Source integration, you'll need the following information:

| Dropzone Field | Source                                                                                                      |
| -------------- | ----------------------------------------------------------------------------------------------------------- |
| API Key        | The API Key you generated earlier                                                                           |
| Region         | Your Rapid7 data storage region, typically visible in your InsightIDR URL, e.g. *us*.api.insight.rapid7.com |

To enable the Alert Source integration, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. https://*mycompany*.dropzone.app
* In the bottom-left corner, click Settings > Integrations

<figure><img src="/files/zN02u3HObDaemUY8E1kD" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="/files/brI7n2Ux40Tk0jTwBCVh" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search Rapid7 Insight IDR, then click "Configure"
* Input the API Key and Region
* Click "Test & Save" to finish

After saving, Dropzone will poll InsightIDR for new investigations in the configured time window and filters, and create investigations for each.

If you encounter any errors, engage your Dropzone AI support representative.


