1. Kenna FAQ
  2. General
  3. Security Tool/Vulnerability Scanner Connectors

Rapid7 Nexpose/InsightVM Connectors

Rapid7 has InsightVM that was Nexpose, an on-premises scanner that requires access to your IT environment. InsightVM is its next evolution and is a cloud-based solution. Nexpose/InsightVM scans IT environments for vulnerabilities, and then identifies active services, open ports and applications.

The Cisco Vulnerability Management Rapid7 connector supports Nexpose/InsightVM, but only as an on-premises scanner. Cisco Vulnerability Management requires an XML 2.0 export file from Nexpose/InsightVM to ingest its data. Thus, you can:

  • Run a manual report to get XML 2.0 file from Nexpose/InsightVM, and then import it into Cisco Vulnerability Management.
  • Use the API to run the XML 2.0 file, and then export it into Cisco Vulnerability Management.

Use Cisco Vulnerability Management with Nexpose/InsightVM vulnerability information to reduce risk in your IT environment.

User Prerequisites and the Rapid7 Connector Setup

  • • Nexpose/InsightVM is an on-premises scanner, so ensure you have the Kenna Virtual Tunnel or Setting up the Kenna Agent deployed in the same network as your Rapid7 scanner to allow Cisco Vulnerability Management to connect with Nexpose/InsightVM.

  • • Create a user account in Nexpose/InsightVM. For more information, see Managing and creating user accounts.

  • Create an XML 2.0 report, and then schedule the report to run on a regular basis.

Report Prerequisites

Note: The following report prerequisite items:

  1. All XML 2.0 reports are imported that display under the Rapid7 user that is configured in Cisco Vulnerability Management (including old reports that are no longer being generated).
  2. Ensure that the Rapid7 user has access only to required reports and nothing else.
  3. If the report is “started” but has not finished generating when the Cisco Vulnerability Management Connector starts, it retries multiple times over the next 30 minutes. If the report is anything other than Generated after the 30 minutes, the connector run fails.

Configuring your Rapid7 API Connector

Note: To configure this connector, you must be a Cisco Vulnerability Management Administrator.

1. In your Cisco Vulnerability Management, go to the Connectors tab.

Note: The Rapid7 Connector has the following options:

  • Nexpose and Nexpose XML: The automated API Connector is Rapid7 Nexpose that also supports InsightVM.
  • Rapid7 Nexpose XML Connector: It’s a manual drag-and-drop connector that uses an XML2.0 report.

 

2. On the Connectors page, click Rapid7 Nexpose (API Connector). The Nexpose Enterprise window displays:

3. On the Nexpose Enterprise window, type the following information:

  • A Name for the connector.
  • A Username and Password (for a non admin account).
  • The Host information for your scanner.

Note: Just type the host IP and port without the: https://.

  • Select the frequency when you want to run your Rapid7 Connector, such as Daily, Weekly, Monthly...

Note: Cisco recommends that you run the connector on the same schedule as you run your Scans).

  • If required, type the Silo ID.
  • Depending on how your environment is deployed, select one of the following checkboxes:
    • Use Kenna Virtual Tunnel
    • Use Kenna Agent

Tip: You can set a Connector-level asset inactivity limit now, and you can change the value at any time. 

4. Click Save And Verify.

Data Mapping

The following table shows how the Rapid7 fields map to fields in Cisco Vulnerability Management.

 

Rapid7 Field

Cisco Vulnerability Management Field

Notes

Title

Name

 

vuln.id

Identifier (Vulnerability)

 

Vuln > description

Description

 

 

Details / Synopsis

 

Vuln > Solution

Solution/Fix

 

Fix > fix_url

URL (Fix)

 

Fix > fix_reference_links

Reference Links

 

Fix > fix_published_by_source_datetime

Fix Published Date

 

Vuln > Severity

scanner_score

1-10

`vulnerable-`

Vulnerability Status

It only maps open/closed vulnerabilities. It auto-closes any vulnerability not found on the next Connector import (by the same connector)

cve_identifiers

CVE

 

endpoint data > port

Ports

 

last_found_on

Last Seen

 

vulnerable-since_date

Found On

 

N/A

Created

Date the vulnerability is first imported to Cisco Vulnerability Management. Not mapped to a scanner field.

os_vendor

OS

{os_vendor + os_family + os_product + os_version}

device_id

external_id

 

names

hostname

The Host name is extracted from the names array. This value is used for asset deduplication.

names

FQDN

The FQDN is extracted from the names array. This value is used for asset deduplication.

addr

ip_address

 

hardware-address

MAC_address

 

Tags
Asset Groups
Site Names
Device ID

Tags

All these items are converted to tags within Cisco Vulnerability Management.

 

Rapid7 items Converted into Cisco Vulnerability Management Tags

Metadata from Rapid7 scans convert into in the following Cisco Vulnerability Management tags: 

  • Existing Nexpose Tags

  • Asset Groups

  • Site Names

Note: Tags are used in search queries or to create Risk Meter groups.

Vulnerability Date Information

You can display the following dates on the Vulnerabilities tab.

  • Found: The date when the scanner first found the vulnerability.
  • Last Seen: The date when the Rapid7 scanner found the vulnerability.
  • Created: The date when the vulnerability was first imported into Cisco Vulnerability Management.

Optional Settings

You can enable the following settings to run on the backend for Rapid7 Connectors. To have these settings enabled, or for more information, contact Support

 

Optional Setting  Result
Asset Group Tags

When enabled, the scanner pulls asset group tags from Rapid7.
Exclude Informationals

When enabled, Cisco Vulnerability Management won’t import vulnerabilities that do not include a CVE.
Ignore Scanner Last Seen Time When enabled, the asset last seen time in Cisco Vulnerability Management is not used. Instead, the scanner reported last seen time is used.
Skip Tags It allows you to NOT create any Tags within Cisco Vulnerability Management, based on the Rapid7 metadata.
Tag Reset It keeps your Rapid7 metadata in sync with Cisco Vulnerability Management. Each time the connector is run, ALL tags within Cisco Vulnerability Management are removed and the Rapid7 tag metadata re-created.
  If you create tags manually or any tags created from metadata from other connectors, the tags information is removed, and then refreshed when the connectors are rerun.

 

 

Asset Group Tags

    • When enabled, the scanner will pull asset group tags from Rapid7.

  • Exclude Informationals

    • When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE.

  • Ignore Scanner Last Seen Time

    • If you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

  • Skip Tags

    • This setting will allow you to NOT create any Tags within Cisco Vulnerability Management based on the Rapid7 metadata.

  • Tag Reset

    • This setting will assist in keeping your Rapid7 metadata in sync with Cisco Vulnerability Management. Each time the connector is run, ALL tags within Cisco Vulnerability Management will be removed and the Rapid7 tag metadata re-created.

    • If you have created any manual tags OR any tags were created off of metadata from other connectors that tag info will be removed and will be refreshed once those other connectors are rerun.

 

Additional Assistance

For assistance with the Rapid7 Connector, contact Support.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.

Articles in this section

See more