# Rapid7 Insight IDR

{% hint style="info" %}
Rapid7 Insight IDR is a SIEM integration. SIEM integrations are used to analyze SIEM-generated alerts and/or to use SIEM-generated data as part of investigation analysis.
{% endhint %}

{% hint style="info" %}
This data source integration is in **beta**. It is not visible in the Dropzone UI until it has been explicitly enabled for your tenant. Contact your Dropzone AI Support Representative to request enablement.
{% endhint %}

The Dropzone platform integrates with [Rapid7 Insight IDR](https://www.rapid7.com/products/insightidr/) as a data source. This provides the AI agent with LEQL log search, asset and user context, process trees, and normal-activity enrichment during investigations. It works alongside the [Rapid7 Insight IDR alert integration](/integrations/alert/rapid7-insight-idr_alert.md), which ingests investigations as alerts.

## Obtain credentials

The data source uses the [Insight platform API](https://help.rapid7.com/insightidr/en-us/api/v2/docs.html) for authentication. You need:

* API Key – An Insight platform (organization) API key with access to Rapid7 Insight IDR
* Region – The data storage region for your tenant (e.g. `us`, `us2`, `eu`, `ca`, `ap`, `au`). See [Identify your data region](#identify-your-data-region) below

To obtain an API key, follow the steps in [Obtain credentials](/integrations/alert/rapid7-insight-idr_alert.md#obtain-credentials) on the alert integration page (the same organization key works for both integrations).

Authentication uses the API key in the `X-Api-Key` header; no OAuth is required.

| Dropzone Field | Description                                                          |
| -------------- | -------------------------------------------------------------------- |
| API Key        | Rapid7 Insight platform API key (Organization key).                  |
| Region         | Data storage region code (e.g. `us`, `us2`, `eu`, `ca`, `ap`, `au`). |

## Identify your data region

Dropzone needs the **region code** for your InsightIDR data storage region (for example `us`, not a full hostname). Use either method below.

### From the product URL

1. Open any Rapid7 product you have access to (for example InsightIDR)
2. Look at the browser URL subdomain **prefix** before `.idr.insight.rapid7.com` (or a similar Rapid7 product hostname)
3. Enter that prefix in Dropzone as the Region value

For example, if your URL is `https://us.idr.insight.rapid7.com`, enter `us` in Dropzone.

Rapid7 API hosts for your tenant follow the same prefix:

| API                       | Example hostname                          |
| ------------------------- | ----------------------------------------- |
| Insight platform (IDR v2) | `https://us.api.insight.rapid7.com`       |
| Log Search (LEQL)         | `https://us.rest.logs.insight.rapid7.com` |

For more detail, see Rapid7's [Check your data region](https://docs.rapid7.com/insight/navigate-the-insight-platform/#check-your-data-region) documentation.

### From Organization Settings

1. In the Rapid7 Command Platform, go to Administration > Settings > Organization Settings
2. Find **Data Storage Region** (the display name for your tenant)
3. Map that label to the Region value for Dropzone using the table below

| Data Storage Region (Rapid7 UI) | Dropzone Region value |
| ------------------------------- | --------------------- |
| United States - 1               | `us`                  |
| United States - 2               | `us2`                 |
| Canada                          | `ca`                  |
| Europe                          | `eu`                  |
| Australia                       | `au`                  |
| Japan / Asia-Pacific            | `ap`                  |

For the full list of supported regions and API base URLs, see Rapid7's [Supported regions](https://docs.rapid7.com/insight/product-apis/#supported-regions) documentation.

### If the connection test fails

When you save or test the data source, Dropzone verifies connectivity by listing log sets from the Log Search API. A wrong Region or API key can produce an error like:

```
test_integration_connection() failed: Rapid7 connection test failed: could not list log sets. Verify the API key and region.
```

{% hint style="warning" %}
If you see this error, re-check your **Region** using the steps above before assuming the API key is wrong. The same message can appear when either value is incorrect.
{% endhint %}

1. Confirm the Region matches your Rapid7 URL prefix or the Organization Settings table (enter `us`, not `us.api.insight.rapid7.com` or `us.rest.logs.insight.rapid7.com`)
2. Re-open InsightIDR and verify the subdomain prefix (for example `us2` vs `us`)
3. If Region is correct, verify the API key is an organization key with InsightIDR access and was copied without extra spaces
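
The checks in the steps above, as an added example (not Dropzone's or Rapid7's code): it reduces a pasted URL, hostname or UI label to the bare region code, then lists log sets using the `X-Api-Key` header. The `/management/logsets` path and the `logsets`/`name` response fields are assumptions based on Rapid7's Log Search REST API, not on this page.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# UI labels and region codes exactly as listed in this page's tables; extend
# from Rapid7's supported-regions list if your tenant uses another code.
UI_LABELS = {
    "united states - 1": "us", "united states - 2": "us2", "canada": "ca",
    "europe": "eu", "australia": "au", "japan / asia-pacific": "ap",
}
REGIONS = set(UI_LABELS.values())
HOST_RE = re.compile(r"^([a-z0-9]+)\.(?:idr|api|rest\.logs)\.insight\.rapid7\.com$")


def region_code(value: str) -> str:
    """Reduce a pasted URL, hostname, UI label or code to a bare region code."""
    v = value.strip().lower()
    if v in UI_LABELS:
        return UI_LABELS[v]
    host = urlparse(v if "://" in v else "//" + v).hostname or ""
    m = HOST_RE.match(host)
    code = m.group(1) if m else v
    if code not in REGIONS:
        raise ValueError(f"unrecognized region value: {value!r}")
    return code


def api_hosts(code: str) -> dict:
    """API base URLs that follow the region prefix (hostname table above)."""
    return {
        "platform": f"https://{code}.api.insight.rapid7.com",
        "log_search": f"https://{code}.rest.logs.insight.rapid7.com",
    }


def list_log_sets(code: str, api_key: str, timeout: float = 10.0):
    """Return (HTTP status, log set names). The key is never printed or logged."""
    # Path and response shape are assumptions from Rapid7's Log Search REST API.
    url = api_hosts(code)["log_search"] + "/management/logsets"
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key.strip()})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
            return resp.status, [s.get("name") for s in body.get("logsets", [])]
    except urllib.error.HTTPError as err:  # DNS/timeout errors propagate as URLError
        return err.code, []
```

Read the API key from an environment variable or secret store rather than passing it as a command-line argument, so it does not end up in shell history or process listings.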

If both Region and API key look correct, engage your Dropzone AI support representative.

## Capabilities

* **LEQL query skill** – The agent can generate and run LEQL (Log Entry Query Language) queries against configured log sets.
* **Process tree** – Retrieve process trees for an alert by alert RRN.
* **Device enrichment** – Asset context (hostname, IP) from InsightIDR assets.
* **User enrichment** – Account/user context from InsightIDR accounts.
* **Normal activity** – User, IP, and device network activity over the normal-activity lookback window.

## Log set discovery (scanner)

The data source uses an integration scanner to discover InsightIDR log sets and their field metadata for LEQL queries.

* **Test** verifies that Dropzone can reach the Log Search API with your API key and Region (for example, by listing log sets). It does not load the full catalog used during investigations.
* **Save** triggers an integration scan that discovers log sets, field hints, and display names for your tenant.
* LEQL queries rely on that scanner metadata. If a scan is still running or failed, log-set selection during investigations may be limited until discovery completes.

If problems persist after save, engage your Dropzone AI support representative.

## Enabling the integration

1. Obtain an API key and identify your Region (see above).
2. In Dropzone, go to Settings > Integrations and add the **Rapid7 Insight IDR** data source.
3. Enter your API Key and Region.
4. Click **Test** to verify API key and Region, then **Save**. Save starts log-set discovery; allow time for the integration scan to finish before relying on full LEQL coverage across log sets.

