This guide explains how to ingest Axur Platform feeds into Rapid7 SIEM (InsightIDR) using a custom event source over HTTP. The steps below mirror the style of the other SIEM guides in this repository and rely on native Rapid7 features only.
Note: This tutorial assumes you already have access to the Axur Platform and the required API Key.
Prerequisites
Rapid7 InsightIDR access with permissions to create/manage Event Sources
Axur Platform API Key
Cost and billing considerations
Important: Any cloud or platform costs related to Rapid7 are billed by Rapid7 to your subscription/account. Axur does not bill for, manage, or assume responsibility for Rapid7 charges.
Common cost drivers:
Log ingestion volume and retention in InsightIDR
Any add-on features enabled in your Rapid7 subscription
Tips to control cost:
Start with narrower feed filters in Axur to limit volume
Monitor ingestion size in Rapid7 and adjust schedule/filters as needed
Tip: A glossary of Rapid7 terms used in this tutorial is available at the end of the document.
1) In Rapid7: Open Event Sources and add a new source
In the Rapid7 console, navigate to Event Sources and start creating a new Event Source.
Screenshots:
2) Select the Rapid7 Custom Logs option and name the source
Choose the Rapid7 Custom Logs (or equivalent custom ingestion) option. Give the event source a clear name (e.g., “Axur Integration”).
Select the Webhook option. Provide a name for the source and set the JSON event key according to the Axur collection you intend to ingest:
For tickets: set the JSON event key to collectionData.tickets (this splits into N ticket events)
For credentials (detections): set the JSON event key to collectionData.detections (this splits into N credential events)
After saving, copy the generated Webhook URL. You will use this URL to create the Axur Push feed. No credential is required here.
Screenshots:
Notes:
- Ensure the JSON event key matches the desired Axur entity type.
- Create separate webhook sources if you wish to ingest both tickets and detections independently.
3) In Axur: Create a PUSH Feed pointing to the Webhook URL
In the Axur Platform, create a Push (Webhook 2.0) feed and set the endpoint to the Rapid7 Webhook URL copied in Step 2. Align the feed type/filters with the JSON event key you configured:
What to configure in Axur (Push/Webhook 2.0):
- Endpoint URL: paste the Rapid7 Webhook URL
- JSON event alignment:
  - If your webhook uses collectionData.tickets, configure a ticket feed and filters accordingly
  - If your webhook uses collectionData.detections, configure a credentials feed and filters accordingly
- Suggested schedule/filtering: start conservatively (e.g., longer intervals / tighter filters) and adjust after validating volume
Screenshots:
Validation
After enabling the feed and waiting a few minutes, validate that events are reaching Rapid7.
Steps:
1. In InsightIDR, open Log Search (or the view associated with your new Event Source).
2. Filter by the Event Source name you created (e.g., “Axur Integration”).
3. Confirm new events are arriving and fields are present as expected (e.g., ticket/detection data from Axur).
If you do not see events after 10–15 minutes, consult the troubleshooting section below.
Screenshots:
Troubleshooting
No events appearing:
- Verify your Axur API Key is valid and the Push feed is enabled
- Confirm the Rapid7 Webhook URL matches exactly what was copied from the UI
- Check for HTTP errors in Axur feed delivery logs (401/404/429/5xx)
401/403 errors:
- Re-copy the Webhook URL from Rapid7 and ensure there are no truncations or extra characters
- If the webhook was regenerated, update the URL in the Axur feed
429 (rate limiting) or volume concerns:
- Reduce feed scope via filters in the Axur Platform
Malformed payload errors:
- Ensure Axur is sending JSON and that Rapid7’s event source expects JSON
- If Rapid7 requires a specific top-level structure, add a lightweight transform (if available) or adjust the event source parsing
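As an added example (not part of this guide and not Rapid7's or Axur's own code), the Python script below approximates what the JSON event key from Step 2 does to an Axur push payload: it resolves the dotted key and splits the array it points at into individual events, and reports the mismatch cases listed under "Malformed payload errors" (invalid JSON, wrong entity type, key not pointing at an array). The payload and the fields inside each ticket are constructed placeholders, not the real Axur schema.

```python
import json

# Constructed sample of an Axur Push (Webhook 2.0) body. The ticket fields are
# placeholders for illustration only, not the actual Axur ticket schema.
SAMPLE_PAYLOAD = json.dumps({
    "collectionData": {
        "tickets": [
            {"id": "TICKET-1", "status": "open"},
            {"id": "TICKET-2", "status": "closed"},
        ]
    }
})


def resolve_event_key(payload, event_key):
    """Walk a dotted JSON event key (e.g. 'collectionData.tickets') through the
    decoded payload and return the value it points at, or None if any segment
    is missing."""
    node = payload
    for part in event_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def split_events(raw_body, event_key):
    """Approximate the InsightIDR Custom Logs webhook behaviour described in this
    guide: decode the body, resolve the JSON event key and return
    (list_of_events, diagnostic_message). An empty list means nothing would be
    ingested, and the message says why."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return [], f"body is not valid JSON: {exc}"
    if not isinstance(payload, dict):
        return [], "top-level JSON value is not an object"
    items = resolve_event_key(payload, event_key)
    if items is None:
        # Show which collections the payload actually carries, so a key/entity
        # mismatch (tickets vs. detections) is obvious at a glance.
        collection = payload.get("collectionData")
        present = sorted(collection.keys()) if isinstance(collection, dict) else []
        return [], f"event key {event_key!r} not found; collectionData has {present}"
    if not isinstance(items, list):
        return [], f"event key {event_key!r} does not point at an array"
    return items, f"ok: {len(items)} event(s) would be created"


if __name__ == "__main__":
    for key in ("collectionData.tickets", "collectionData.detections"):
        events, message = split_events(SAMPLE_PAYLOAD, key)
        print(f"{key}: {message}")
```

Run it against a payload captured from the Axur feed delivery logs with the same event key you configured in Rapid7; a non-empty list with an "ok" message means the webhook source should produce that many events.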
Glossary
InsightIDR (Rapid7): Rapid7’s cloud SIEM and XDR platform used here to ingest Axur data
Event Source: A configured input in InsightIDR that receives logs/events
Ingestion Endpoint: The Webhook URL provided by Rapid7 to receive events
Push (Webhook 2.0): Axur delivery mode that posts events directly to your endpoint
If you have any questions, feel free to reach out at [email protected] 😊