Expand Up @@ -4,6 +4,11 @@

The [Rapid7 Threat Command](https://www.rapid7.com/) integration allows users to retrieve IOCs (Indicator of Compromises), organization-specific Threat Command alerts, and CVEs (Common Vulnerabilities and Exposures). Furthermore, the correlation between data collected from the Rapid7 Threat Command platform (IOCs and CVEs) and the user's environment helps to identify threats. Rapid7 Threat Command platform gives protectors the tools and clarity they need to assess their attack surface, detect suspicious behavior, and respond and remediate quickly with intelligent automation.

## Agentless Enabled Integration

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

## Data streams

The Rapid7 Threat Command integration collects three types of data: ioc, alert, and vulnerability.
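Review bot: the two new sentences about agentless support and the beta caveat sit on separate source lines with no blank line between them, so Markdown will render the second line as a continuation of the first paragraph; either join them into one paragraph deliberately or separate "Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments." from the preceding text with a blank line so the support and beta caveat reads as its own paragraph.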
Expand All @@ -17,7 +22,7 @@ The Rapid7 Threat Command integration collects three types of data: ioc, alert,
## Compatibility

- This integration has been tested against Rapid7 Threat Command `IOC API v2`, `Alert API v1`, and `Vulnerability API v1`.
- Rapid7 Threat Command integration is compatible with Elastic stack `v8.12.0` and newer.
- Rapid7 Threat Command integration is compatible with Elastic stack `v8.19.4` and newer.

## Requirements

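Review bot: the compatibility line raises the minimum stack from `v8.12.0` to `v8.19.4` for the whole integration, while the new Agentless section says agentless is only available on Serverless and Elastic Cloud; clarify in the README whether `v8.19.4` is now required for the default (agent-based) deployment mode as well or only for agentless, since users on 8.12 to 8.19.3 will read this as losing support.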
5 changes: 5 additions & 0 deletions packages/ti_rapid7_threat_command/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.8.0"
changes:
- description: Enable Agentless deployment.
type: enhancement
link: https://github.com/elastic/integrations/pull/18331
- version: "2.7.1"
changes:
- description: Remove duplicate security-solution-default tag references
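Review bot: the `2.8.0` entry only says "Enable Agentless deployment." while the same PR raises the documented minimum stack version from `v8.12.0` to `v8.19.4` in the README; a raised minimum is a user-facing requirement change and should be called out in this changelog description (or as a second change item) so it is not hidden behind an enhancement line.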
Expand Up @@ -6,6 +6,12 @@ processors:
target_field: event.original
ignore_missing: true
if: ctx.event?.original == null
- remove:
field: message
tag: remove_message
ignore_missing: true
if: ctx.event?.original != null
description: 'The `message` field is no longer required if the document has an `event.original` field.'
- set:
field: ecs.version
value: 8.11.0
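Review bot: the new `remove` processor is guarded by `if: ctx.event?.original != null`, and the preceding rename into `event.original` is guarded by `ctx.event?.original == null`, so the remove is a no-op (via `ignore_missing: true`) for documents whose `message` was just renamed and only bites when a document arrived with both `message` and `event.original` already set; in that case the inbound `message` content is discarded rather than preserved, so confirm that is the intended behaviour and that the pipeline test expected outputs for this data stream were regenerated without `message`.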
Expand Up @@ -6,6 +6,12 @@ processors:
target_field: event.original
ignore_missing: true
if: ctx.event?.original == null
- remove:
field: message
tag: remove_message
ignore_missing: true
if: ctx.event?.original != null
description: 'The `message` field is no longer required if the document has an `event.original` field.'
- set:
field: ecs.version
value: 8.11.0
Expand Up @@ -6,6 +6,12 @@ processors:
target_field: event.original
ignore_missing: true
if: ctx.event?.original == null
- remove:
field: message
tag: remove_message
ignore_missing: true
if: ctx.event?.original != null
description: 'The `message` field is no longer required if the document has an `event.original` field.'
- set:
field: ecs.version
value: 8.11.0
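Review bot: this is the third pipeline receiving the identical `remove_message` block (same `tag`, `if` condition and `description`), which matches the ioc, alert and vulnerability data streams named in the README; since the three copies must stay in lockstep, confirm all three pipelines' test expected files were regenerated together so that none still asserts a `message` field alongside `event.original`.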
7 changes: 6 additions & 1 deletion packages/ti_rapid7_threat_command/docs/README.md
Expand Up @@ -4,6 +4,11 @@

The [Rapid7 Threat Command](https://www.rapid7.com/) integration allows users to retrieve IOCs (Indicator of Compromises), organization-specific Threat Command alerts, and CVEs (Common Vulnerabilities and Exposures). Furthermore, the correlation between data collected from the Rapid7 Threat Command platform (IOCs and CVEs) and the user's environment helps to identify threats. Rapid7 Threat Command platform gives protectors the tools and clarity they need to assess their attack surface, detect suspicious behavior, and respond and remediate quickly with intelligent automation.

## Agentless Enabled Integration

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

## Data streams

The Rapid7 Threat Command integration collects three types of data: ioc, alert, and vulnerability.
Expand All @@ -17,7 +22,7 @@ The Rapid7 Threat Command integration collects three types of data: ioc, alert,
## Compatibility

- This integration has been tested against Rapid7 Threat Command `IOC API v2`, `Alert API v1`, and `Vulnerability API v1`.
- Rapid7 Threat Command integration is compatible with Elastic stack `v8.12.0` and newer.
- Rapid7 Threat Command integration is compatible with Elastic stack `v8.19.4` and newer.

## Requirements

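Review bot: this is the second copy of the same README change in the PR (the earlier copy carries identical Agentless and Compatibility hunks), and `packages/ti_rapid7_threat_command/docs/README.md` is the rendered output; keep the two copies byte-for-byte in sync, including any blank-line fix applied to the Agentless paragraph, otherwise the docs build will drift from the source template.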
15 changes: 13 additions & 2 deletions packages/ti_rapid7_threat_command/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.2
format_version: 3.3.2
name: ti_rapid7_threat_command
title: Rapid7 Threat Command
version: "2.7.1"
version: "2.8.0"
description: Collect threat intelligence from Threat Command API with Elastic Agent.
type: integration
categories:
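Review bot: the `format_version` bump from `3.0.2` to `3.3.2` is presumably what the new `deployment_modes.agentless` block needs from the package spec, but the `conditions.kibana.version` constraint is not in this hunk; since the README in the same PR now states `v8.19.4` as the minimum, confirm the kibana constraint in this manifest was raised to match, otherwise the package remains installable on stacks the docs say are unsupported.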
Expand Down Expand Up @@ -45,6 +45,17 @@ policy_templates:
- name: ti_rapid7_threat_command
title: Rapid7 Threat Command
description: Collect Threat Intel data from Rapid7 Threat Command.
deployment_modes:
default:
enabled: true
agentless:
enabled: true
organization: security
division: engineering
team: security-service-integrations
resources:
requests:
memory: 4Gi
Member:

That's a lot of memory. How was this number determined?
Collaborator Author @mohitjha-elastic (Apr 13, 2026):

Please find the discussion here.
inputs:
- type: httpjson
title: Collect Threat Intel data via Rapid7 Threat Command API
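Review bot: `memory: 4Gi` is a large request for a policy whose only input is `httpjson` polling a REST API, and the reviewer thread above resolves it only by pointing to an external discussion; record the rationale (expected page sizes or cursor state, observed peak usage) as a YAML comment next to `memory: 4Gi` so the number is justified in the repository itself and can be revisited when the integration is tuned. Also note that `default.enabled: true` alongside `agentless.enabled: true` keeps the existing agent-based deployment as the default, which looks correct for a beta agentless rollout.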