Rapid7 offers two core vulnerability products: Rapid7 Nexpose and Rapid7 InsightVM. Rapid7 Nexpose is the older, on-premise scanner and Rapid7 InsightVM is the cloud-based scanner. Both scanners scan an environment for vulnerabilities while also identifying active services, open ports, and running applications on machines.
The Cisco Vulnerability Management Rapid7 Nexpose connector supports both Rapid7 Nexpose and Rapid7 InsightVM connections. Currently a standalone connector for Rapid7 InsightVM does not exist. Use the Rapid7 Nexpose connector to import your vulnerability scan information into Cisco Vulnerability Management to assist you in reducing risk across your environment.
User Prerequisites and Rapid7 Connector Setup
- Given the on-premise nature of Nexpose, you must have the Kenna Virtual Tunnel or Kenna Agent deployed in the same network as your Rapid7 scanner to allow Cisco Vulnerability Management to connect with Nexpose, even if you are using InsightVM.
- Create a user account. For more information, see Managing and creating user accounts.
- Create an XML 2.0 report and schedule the report to run on a regular basis.
  - Note 1: Cisco Vulnerability Management imports every XML 2.0 report that is visible to the Rapid7 user it is configured to use (including old reports that are no longer being generated). You must ensure that the Rapid7 user has access only to necessary reports and nothing else.
  - Note 2: If the report is “started” but has not finished generating when the Cisco Vulnerability Management Connector kicks off, Cisco Vulnerability Management retries multiple times over the next 30 minutes. If the report is anything other than “generated” after this 30-minute period, the connector run fails.
Configuring your Rapid7 API Connector in Cisco Vulnerability Management
Navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator).
Note: There are two options for a Rapid7 Connector: Nexpose and Nexpose XML.
- The automated API Connector is Rapid7 Nexpose (it also supports InsightVM).
- The Rapid7 Nexpose XML Connector is a manual drag-and-drop connector that takes an XML 2.0 report.
After you select the Rapid7 Nexpose (API Connector) icon from the Connectors page, the following window displays:
- Enter a name for the connector.
- Enter the username and password for the Normal level account.
- Enter the host information for your scanner. When entering the host IP and port, it's not necessary to prefix it with https://.
- Select the frequency at which you want to run your Rapid7 Connector (Daily, Weekly, or Monthly). Cisco recommends that you run the connector on the same schedule as you run your scans.
- (Optional) Enter the Silo ID.
- Select one of the following checkboxes, depending on which one is deployed in your environment:
  - Use Kenna Virtual Tunnel
  - Use Kenna Agent
- Tip: You can optionally set a Connector level asset inactivity limit now. You can change the value at any time.
- Click Save And Verify.
What Rapid7 items are synced with Cisco Vulnerability Management items?
The following table shows the Rapid7 fields and their corresponding fields in Cisco Vulnerability Management.
| Rapid7 Field | Cisco Vulnerability Management Field | Notes |
| --- | --- | --- |
| Title | Name | |
| vuln.id | Identifier (Vulnerability) | |
| Vuln > description | Description | |
| | Details / Synopsis | |
| Vuln > Solution | Solution/Fix | |
| Fix > fix_url | URL (Fix) | |
| Fix > fix_reference_links | Reference Links | |
| Fix > fix_published_by_source_datetime | Fix Published Date | |
| Vuln > Severity | scanner_score | 1-10 |
| `vulnerable-` | Vulnerability Status | Only maps open/closed vulnerabilities. We will auto-close any vulnerability not seen on the next Connector import (by the same connector). |
| cve_identifiers | CVE | |
| endpoint data > port | Ports | |
| last_found_on | Last Seen | |
| vulnerable-since_date | Found On | |
| N/A | Created | Date the vuln was first imported to Cisco Vulnerability Management. Not mapped to a scanner field. |
| os_vendor | OS | {os_vendor + os_family + os_product + os_version} |
| device_id | external_id | |
| names | hostname | The hostname is extracted from the names array. This value is used for asset deduplication. |
| names | FQDN | The FQDN is extracted from the names array. This value is used for asset deduplication. |
| addr | ip_address | |
| hardware-address | MAC_address | |
| Tags | Tags | All of these items are converted to tags within Cisco Vulnerability Management. |
What Rapid7 items are turned into Cisco Vulnerability Management Tags?
The following metadata from Rapid7 scans will be converted into tags in Cisco Vulnerability Management. These tags can be used during search queries or to create Risk Meter groups.
- Existing Nexpose Tags
- Asset Groups
- Site Names
Vulnerability Date Information
You can display the following dates on the Vulnerabilities tab.
- Found: When the scanner first found the vulnerability.
- Last Seen: When the Rapid7 scanner found the vulnerability.
- Created: When the vulnerability was first imported into Cisco Vulnerability Management.
Optional Settings
The following settings can be enabled on the backend for Rapid7 Connectors. To have these settings enabled, or for more information, contact Support, or your Customer Success Engineer.
- Asset Group Tags
  - When enabled, the scanner will pull asset group tags from Rapid7.
- Exclude Informationals
  - When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE.
- Ignore Scanner Last Seen Time
  - Enable this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner-reported last seen time.
- Skip Tags
  - This setting will allow you to NOT create any Tags within Cisco Vulnerability Management based on the Rapid7 metadata.
- Tag Reset
  - This setting will assist in keeping your Rapid7 metadata in sync with Cisco Vulnerability Management. Each time the connector is run, ALL tags within Cisco Vulnerability Management will be removed and the Rapid7 tag metadata re-created.
  - If you have created any manual tags, OR any tags were created from metadata from other connectors, that tag info will be removed and will be refreshed once those other connectors are rerun.
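The following is an added example, not Cisco or Rapid7 code: a small Python model of three rules stated above (the OS field composition and auto-close behaviour from the field mapping table, and the Exclude Informationals setting). The record layout, the function names, the space separator in the OS string and the sample data are assumptions constructed for this illustration.

```python
# Added illustration: models the import rules this page describes.
# Record layout, key names and the space separator are assumptions.

def os_string(asset):
    """OS field: {os_vendor + os_family + os_product + os_version}."""
    keys = ("os_vendor", "os_family", "os_product", "os_version")
    return " ".join(asset[k] for k in keys if asset.get(k))

def apply_import(state, connector, findings, exclude_informationals=False):
    """Merge one connector run into state; return the keys it auto-closed.

    state maps (connector, device_id, vuln.id) -> {"status", "os", "cve"}.
    """
    seen = set()
    for f in findings:
        if exclude_informationals and not f.get("cve_identifiers"):
            continue  # Exclude Informationals: no CVE, so not imported
        key = (connector, f["device_id"], f["vuln.id"])
        seen.add(key)
        state[key] = {"status": "open", "os": os_string(f),
                      "cve": list(f.get("cve_identifiers", []))}
    closed = []
    for key, rec in state.items():
        # Auto-close applies only to findings from the same connector.
        if key[0] == connector and key not in seen and rec["status"] == "open":
            rec["status"] = "closed"
            closed.append(key)
    return sorted(closed)

# Constructed sample data: two consecutive runs of one connector.
RUN_1 = [
    {"device_id": 11, "vuln.id": "constructed-vuln-a",
     "cve_identifiers": ["CVE-0000-0001"], "os_vendor": "Microsoft",
     "os_family": "Windows", "os_product": "Windows Server", "os_version": "2019"},
    {"device_id": 11, "vuln.id": "constructed-vuln-b", "cve_identifiers": []},
    {"device_id": 12, "vuln.id": "constructed-vuln-a",
     "cve_identifiers": ["CVE-0000-0001"]},
]
RUN_2 = [RUN_1[0]]  # the second report no longer contains device 12

def demo():
    # A finding owned by a different connector must stay untouched.
    state = {("other", 12, "constructed-vuln-a"):
             {"status": "open", "os": "", "cve": []}}
    apply_import(state, "rapid7", RUN_1, exclude_informationals=True)
    closed = apply_import(state, "rapid7", RUN_2, exclude_informationals=True)
    return state, closed

if __name__ == "__main__":
    print(demo()[1])
```

In this model, the finding on device 12 is closed only because the second report did not include it, which is why a change in report scope deserves the same review as a change in scan results.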
Additional Assistance:
Contact Support for help with the Rapid7 Connector.