Rapid7 (Nexpose or InsightVM) Connectors - API and XML

Rapid7 offers two core vulnerability products: R7 Nexpose and R7 InsightVM. Rapid7 Nexpose is the older, on-premise scanner and InsightVM is the cloud-based scanner. Both scanners scan an environment for vulnerabilities while also identifying active services, open ports, and running applications on machines.

 

The Kenna Rapid7 Nexpose connector supports both Nexpose and InsightVM connections. Currently a standalone connector for InsightVM does not exist. Use the Rapid7 Nexpose Connector to import your vulnerability scan information into Kenna to assist you in reducing risk across your environment.

User Prerequisites and Rapid7 Connector Setup

  • Because Nexpose runs on-premise, you must have the Kenna Virtual Tunnel or Kenna Agent deployed in the same network as your Rapid7 scanner to allow Kenna to connect with Nexpose, even if you are using InsightVM.

  • Create a user with “Normal” access

  • Create an XML 2.0 report and schedule the report to run on a regular basis.

    • Note: if the report is “started” but has not finished generating when the Kenna Connector kicks off, Kenna will retry multiple times over the next 30 minutes. If the report status is anything other than “generated” after this 30-minute period, the connector run will fail.

Configuring your Rapid7 API Connector in Kenna

Navigate to the Connectors tab in your Kenna deployment (you must be a Kenna Administrator).


Note: there are two options for a Rapid7 Connector: Nexpose and Nexpose XML.

  • Rapid7 Nexpose is the automated API Connector (it also supports InsightVM).
  • Rapid7 Nexpose XML is a manual drag-and-drop connector that takes an XML 2.0 report.

Once you select the Rapid7 Nexpose (API Connector) icon from the Kenna Connectors page, the connector configuration screen appears. Complete the following:

  • Enter a name for the connector

  • Enter the username/password for the Normal level account

  • Enter the Host information for your scanner. When entering the host IP and port, the https:// prefix is not required.

  • Select how often you want to run your Kenna Rapid7 Connector (Daily, Weekly, or Monthly). Kenna recommends that you run the connector on the same schedule as your scans.

  • (Optional) Enter the Silo ID

  • Check the box to use either the Virtual Tunnel or the Kenna Agent depending on which one is deployed in your environment

  • Tip: If you would like to set a Connector level asset inactivity limit, you can do so at this time. This is optional, and can always be modified at a later date. 
  • Save and Verify

What Rapid7 items are synced with Kenna items?

| Rapid7 Field | Kenna Field | Notes |
|---|---|---|
| Title | Name | |
| vuln.id | Identifier (Vulnerability) | |
| Vuln > description | Description | |
| | Details / Synopsis | |
| Vuln > Solution | Solution/Fix | |
| Fix > fix_url | URL (Fix) | |
| Fix > fix_reference_links | Reference Links | |
| Fix > fix_published_by_source_datetime | Fix Published Date | |
| Vuln > Severity | scanner_score | 1-10 |
| `vulnerable-` | Vulnerability Status | Only maps open/closed vulnerabilities. We will auto-close any vulnerability not seen on the next Connector import (by the same connector). |
| cve_identifiers | CVE | |
| endpoint data > port | Ports | |
| last_found_on | Last Seen | |
| vulnerable-since_date | Found On | |
| N/A | Created | Date the vuln was first imported to Kenna. Not mapped to a scanner field. |
| os_vendor | OS | {os_vendor + os_family + os_product + os_version} |
| device_id | external_id | |
| names | hostname | |
| addr | ip_address | |
| hardware-address | MAC_address | |
| Tags, Asset Groups, Site Names, Device ID | Tags | All of these items are converted to tags within Kenna. |

What Rapid7 items are turned into Kenna Tags?

The following metadata from Rapid7 scans will be converted into tags within Kenna. These tags can be used during search queries or to create Risk Meter groups.

  • Existing Nexpose Tags

  • Asset Groups

  • Site Names

 

Vulnerability Date Information

Within Kenna you will notice several dates in the Vulnerabilities tab. When importing your Rapid7 data the following criteria are used to populate those date fields.

  • “Found” within Kenna is when the scanner first found the vulnerability

  • “Last Seen” within Kenna is the most recent date the Rapid7 scanner found the vulnerability

  • “Created” within Kenna is the date the vulnerability was first imported to Kenna
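The following added example (not Kenna or Rapid7 code) models how the mapping notes and date rules above interact across two imports: "Created" is set once at first import, "Found On" and "Last Seen" follow the scanner fields, and a record is auto-closed only when the same connector no longer reports it. The store layout, function names, connector names, the space separator in the OS string, and all sample values are assumptions constructed for illustration.

```python
from datetime import date

OS_PARTS = ("os_vendor", "os_family", "os_product", "os_version")

def os_label(finding):
    """OS note in the table: os_vendor + os_family + os_product + os_version."""
    # Joining with a space and skipping empty parts is an assumption.
    return " ".join(finding[k] for k in OS_PARTS if finding.get(k))

def import_run(store, connector, findings, run_date):
    """Apply one connector import to store, keyed by (external_id, identifier)."""
    seen = set()
    for f in findings:
        key = (f["device_id"], f["vuln.id"])
        seen.add(key)
        # Created is set once, on first import; it is not a scanner field.
        rec = store.setdefault(key, {"created": run_date})
        rec.update(connector=connector, status="open",
                   found_on=f["vulnerable-since_date"],
                   last_seen=f["last_found_on"], os=os_label(f))
    # Auto-close: records this same connector imported earlier but did not see now.
    for key, rec in store.items():
        if rec["connector"] == connector and key not in seen:
            rec["status"] = "closed"
    return store

def demo():
    """Two weekly imports from one connector, plus a record owned by another."""
    win = {"os_vendor": "Microsoft", "os_family": "Windows",
           "os_product": "Windows Server 2019", "os_version": ""}

    def finding(vuln, last_seen):
        # Constructed sample finding using the Rapid7 field names from the table.
        return {"device_id": "101", "vuln.id": vuln,
                "vulnerable-since_date": date(2024, 2, 20),
                "last_found_on": last_seen, **win}

    store = {("202", "sample-vuln-c"): {"connector": "other-connector",
                                        "status": "open",
                                        "created": date(2024, 1, 5)}}
    import_run(store, "rapid7", [finding("sample-vuln-a", date(2024, 3, 1)),
                                 finding("sample-vuln-b", date(2024, 3, 1))],
               date(2024, 3, 2))
    import_run(store, "rapid7", [finding("sample-vuln-a", date(2024, 3, 8))],
               date(2024, 3, 9))
    return store
```

After the second import, `sample-vuln-b` is closed with its last scanner date preserved, while the record owned by `other-connector` stays open because a different connector's run does not close it.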

 

Optional Settings

The following settings can be enabled on the backend for Rapid7 Connectors. To get these settings enabled or for more information, please contact Support, or your Customer Success Engineer.

  • Asset Group Tags

    • When enabled, the scanner will pull asset group tags from Rapid7.

  • Exclude Informationals

    • When this option is enabled, Kenna will not import vulnerabilities that do not include a CVE.

  • Ignore Scanner Last Seen Time

    • Enable this option if you do not want the asset last seen time in Kenna to be the scanner-reported last seen time.

  • Skip Tags

    • This setting will allow you to NOT create any Tags within Kenna based on the Rapid7 metadata.

  • Tag Reset

    • This setting will assist in keeping your Rapid7 metadata in sync with Kenna. Each time the connector is run, ALL tags within Kenna will be removed and the Rapid7 tag metadata re-created.

    • If you have created any manual tags, or any tags were created from the metadata of other connectors, that tag information will be removed and will be refreshed once those other connectors are rerun.

 

Additional Assistance:

Please contact Kenna Support should you require any additional assistance with the Rapid7 Connector.

 
