Rapid7 Insight IDR

Rapid7 Insight IDR is a SIEM integration. SIEM integrations are used to analyze SIEM-generated alerts and/or to use SIEM data as part of investigation analysis.

This data source integration is in beta. It is not visible in the Dropzone UI until it has been explicitly enabled for your tenant. Contact your Dropzone AI Support Representative to request enablement.

The Dropzone platform integrates with Rapid7 Insight IDR as a data source. This provides the AI agent with LEQL log search, asset and user context, process trees, and normal-activity enrichment during investigations. It works alongside the Rapid7 Insight IDR alert integration, which ingests investigations as alerts.

Obtain credentials

The data source uses the Insight platform API for authentication. You need:

  • API Key – An Insight platform (organization) API key with access to Rapid7 Insight IDR

  • Region – The data storage region for your tenant (e.g. us, us2, eu, ca, ap, au). See Identify your data region below

To obtain an API key, follow the steps in Obtain credentials on the alert integration page (the same organization key works for both integrations).

Authentication uses the API key in the X-Api-Key header; no OAuth is required.

Dropzone Field    Description
API Key           Rapid7 Insight platform API key (Organization key).
Region            Data storage region code (e.g. us, us2, eu, ca, ap, au).

Identify your data region

Dropzone needs the region code for your InsightIDR data storage region (for example us, not a full hostname). Use either method below.

From the product URL

  1. Open any Rapid7 product you have access to (for example InsightIDR)

  2. Look at the browser URL subdomain prefix before .idr.insight.rapid7.com (or a similar Rapid7 product hostname)

  3. Enter that prefix in Dropzone as the Region value

For example, if your URL is https://us.idr.insight.rapid7.com, enter us in Dropzone.

Rapid7 API hosts for your tenant follow the same prefix:

API                          Example hostname
Insight platform (IDR v2)    https://us.api.insight.rapid7.com
Log Search (LEQL)            https://us.rest.logs.insight.rapid7.com

For more detail, see Rapid7's Check your data region documentation.

From Organization Settings

  1. In the Rapid7 Command Platform, go to Administration > Settings > Organization Settings

  2. Find Data Storage Region (the display name for your tenant)

  3. Map that label to the Region value for Dropzone using the table below

Data Storage Region (Rapid7 UI)    Dropzone Region value
United States - 1                  us
United States - 2                  us2
Canada                             ca
Europe                             eu
Australia                          au
Japan / Asia-Pacific               ap

For the full list of supported regions and API base URLs, see Rapid7's Supported regions documentation.

If the connection test fails

When you save or test the data source, Dropzone verifies connectivity by listing log sets from the Log Search API. A wrong Region or API key can produce an error like:

  1. Confirm the Region matches your Rapid7 URL prefix or the Organization Settings table (enter us, not us.api.insight.rapid7.com or us.rest.logs.insight.rapid7.com)

  2. Re-open InsightIDR and verify the subdomain prefix (for example us2 vs us)

  3. If Region is correct, verify the API key is an organization key with InsightIDR access and was copied without extra spaces

If both Region and API key look correct, engage your Dropzone AI support representative.
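The following is an added example, not Dropzone's or Rapid7's own code, that puts the two region-identification methods above and the connection-test checks into one script: it reduces whatever an operator pasted (a bare code, a product URL, or an API hostname) to the bare Region value, maps the Organization Settings label to the same code, rejects an API key with stray whitespace, and builds the log-set listing request with the key in the X-Api-Key header. The region codes, hostnames and header name come from this page; the function names and the Log Search path /management/logsets are assumptions.

```python
# Added example (not Dropzone's or Rapid7's code). Region codes, API hostnames
# and the X-Api-Key header are from the page; the /management/logsets path and
# all function names are assumptions.
from urllib.parse import urlparse

# Region codes listed on the page.
SUPPORTED_REGIONS = ("us", "us2", "eu", "ca", "ap", "au")

# "Data Storage Region" label in Organization Settings -> Dropzone Region value.
DATA_STORAGE_REGION_LABELS = {
    "United States - 1": "us",
    "United States - 2": "us2",
    "Canada": "ca",
    "Europe": "eu",
    "Australia": "au",
    "Japan / Asia-Pacific": "ap",
}

RAPID7_SUFFIX = ".insight.rapid7.com"


def normalize_region(value: str) -> str:
    """Return the bare region code from whatever an operator pasted.

    Accepts a bare code ("us2"), a product URL
    ("https://us2.idr.insight.rapid7.com/op/...") or an API hostname
    ("us2.rest.logs.insight.rapid7.com"). Raises ValueError otherwise.
    """
    text = value.strip().lower()
    if not text:
        raise ValueError("Region is empty")
    if "." in text or "/" in text:
        # Looks like a hostname or URL: pull the subdomain prefix.
        parsed = urlparse(text if "://" in text else "https://" + text)
        host = parsed.hostname or ""
        if not host.endswith(RAPID7_SUFFIX):
            raise ValueError(f"not a Rapid7 Insight hostname: {host!r}")
        text = host.split(".", 1)[0]
    if text not in SUPPORTED_REGIONS:
        raise ValueError(f"unknown region code {text!r}; expected one of {SUPPORTED_REGIONS}")
    return text


def region_from_data_storage_label(label: str) -> str:
    """Map the Organization Settings 'Data Storage Region' label to a code."""
    key = " ".join(label.split())  # collapse stray whitespace from copy/paste
    try:
        return DATA_STORAGE_REGION_LABELS[key]
    except KeyError:
        raise ValueError(f"unrecognised Data Storage Region label {label!r}") from None


def api_hosts(region: str) -> dict:
    """Base URLs of the two APIs the page lists, for a validated region."""
    region = normalize_region(region)
    return {
        "platform": f"https://{region}.api.insight.rapid7.com",
        "log_search": f"https://{region}.rest.logs.insight.rapid7.com",
    }


def check_api_key(api_key: str) -> str:
    """Reject an empty key or one with surrounding whitespace (a common paste error)."""
    if api_key != api_key.strip():
        raise ValueError("API key has leading/trailing whitespace; paste it again")
    if not api_key:
        raise ValueError("API key is empty")
    return api_key


def connection_test_request(region: str, api_key: str) -> tuple:
    """Build (url, headers) for the connectivity check: list log sets with the
    key in the X-Api-Key header. The /management/logsets path is an assumption."""
    hosts = api_hosts(region)
    headers = {"X-Api-Key": check_api_key(api_key), "Accept": "application/json"}
    return f"{hosts['log_search']}/management/logsets", headers


if __name__ == "__main__":
    # Constructed sample inputs: the three forms an operator is likely to paste.
    for sample in ("us", "https://us2.idr.insight.rapid7.com/op/", "eu.api.insight.rapid7.com"):
        print(f"{sample!r} -> Region {normalize_region(sample)}")
    url, hdrs = connection_test_request("us", "EXAMPLE-KEY-PLACEHOLDER")
    print("connection test:", url, "with headers", sorted(hdrs))
```

Feeding the script the wrong inputs the troubleshooting list warns about (a full hostname instead of a code, a key with trailing spaces) raises a ValueError with the reason before any request is sent, which is the same distinction the Dropzone test would otherwise surface only as a failed connection.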

Capabilities

  • LEQL query skill – The agent can generate and run LEQL (Log Entry Query Language) queries against configured log sets.

  • Process tree – Retrieve process trees for an alert by alert RRN.

  • Device enrichment – Asset context (hostname, IP) from InsightIDR assets.

  • User enrichment – Account/user context from InsightIDR accounts.

  • Normal activity – User, IP, and device network activity over the normal-activity lookback window.

Log set discovery (scanner)

The data source uses an integration scanner to discover InsightIDR log sets and their field metadata for LEQL queries.

  • Test verifies that Dropzone can reach the Log Search API with your API key and Region (for example, by listing log sets). It does not load the full catalog used during investigations.

  • Save triggers an integration scan that discovers log sets, field hints, and display names for your tenant.

  • LEQL queries rely on that scanner metadata. If a scan is still running or failed, log-set selection during investigations may be limited until discovery completes.

If problems persist after save, engage your Dropzone AI support representative.

Enabling the integration

  1. Obtain an API key and identify your Region (see above).

  2. In Dropzone, go to Settings > Integrations and add the Rapid7 Insight IDR data source.

  3. Enter your API Key and Region.

  4. Click Test to verify API key and Region, then Save. Save starts log-set discovery; allow time for the integration scan to finish before relying on full LEQL coverage across log sets.
