Migrating to the Rapid7 InsightVM Connector from a Nexpose Connector in Cisco Vulnerability Management

Disclaimer: The InsightVM connector is generally available as of January 22, 2024. For information about setting up the InsightVM connector, see the Rapid7 InsightVM Cloud Connector.

Cisco Vulnerability Management’s new InsightVM connector provides many benefits over the Nexpose and NexposeXML connectors. However, if you are currently using a Nexpose or NexposeXML connector, you must migrate these connectors to ensure that the historical context of your assets and vulnerabilities carries over to your new InsightVM connector.

Important List of Data Points

If you want to move to a new InsightVM connector, ensure you note the following list of data points.

Note: If these fields are not important for you, simply delete your Nexpose connector, and then configure a new InsightVM connector to complete your migration. To set up the new connector, see the Rapid7 InsightVM Cloud Connector.

  • Asset created at date
  • Asset priority score
  • Asset owner
  • Vulnerability custom fields
  • Vulnerability service ticket association (Jira/SNOW)
  • Vulnerability closed at date
  • Vulnerability notes
  • Vulnerability custom status (Risk Accepted/False Positive)

Before You Migrate to the Rapid7 InsightVM Connector from a Nexpose Connector

Step 1: We recommend you do a full export of your assets and vulnerabilities (including inactive assets and closed vulnerabilities), so that you have an offline copy of your data, before making any changes to your environment.

Step 2: On February 1, 2024, we are releasing a new feature to assist in ensuring your assets in Nexpose and InsightVM match. This new logic ensures that DNS short hostnames are mapped to the hostname field in Cisco Vulnerability Management, while FQDNs are exclusively mapped to the FQDN field.

Note: We highly recommend you enable this feature before migrating from your Nexpose connector to an InsightVM connector. This feature will be enabled for all customers on February 1, 2024. For more about enabling this feature, contact Customer Success or Technical Support.

Step 3: Review your risk meter queries to identify any risk meters that may no longer return accurate results after you migrate the connector. Ensure you look for risk meters with queries for connector names, or connector types that need to be updated in the InsightVM connector.

Migrate to the Rapid7 InsightVM Connector from a Nexpose Connector

  1. If required, update the Nexpose connector with a locator order to prioritize asset merging.
    Note: Ensure that the Hostname, FQDN, NetBIOS and IP address locators are at the top of the list, with the external ID at the bottom of the order.
  2. Create the InsightVM connector.
  3. Add an API token to the InsightVM connector.
  4. Update the InsightVM locator order to match the order for the Nexpose connector.
  5. Run the InsightVM connector.
  6. Confirm that assets and vulnerabilities merged by checking that the raw counts have not increased substantially after the InsightVM connector run. This step assumes that the InsightVM service account used for the connector has permissions for all the Nexpose assets that are being brought into Cisco Vulnerability Management.
  7. Do acceptance testing to confirm that assets and vulnerabilities appear as expected, the external ID field is updated to reflect the UUID from InsightVM, and that there are CVEs with two scanner vulnerability tabs (one for Nexpose and one for InsightVM).
  8. If you are comfortable with the merger results, delete your Nexpose connector to remove any duplicated scanner vulnerabilities.
  9. If risk meters with queries containing Nexpose connector names or types were identified in the preliminary steps, update the relevant risk meter queries in your new InsightVM connector.

Your migration is now complete. Historical data is now safely stored on your InsightVM assets and vulnerabilities. For help or more information, contact Customer Success or Technical Support.
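The merge check in steps 1, 4 and 6 can be rehearsed offline against the exports taken before migrating. The following Python sketch is an added example, not Cisco or Rapid7 code: it is a simplified model of locator-order matching, and the field names, the sample assets and the way the hostname/FQDN split is applied are assumptions made for illustration.

```python
# Added example: simplified model of locator-order matching, not the platform's merge logic.
# Assumed locator order from step 1: name and address locators first, external ID last.
LOCATOR_ORDER = ["hostname", "fqdn", "netbios", "ip_address", "external_id"]

# Constructed sample exports (field names are assumptions).
NEXPOSE = [
    {"external_id": "nx-101", "hostname": "web01", "ip_address": "10.0.0.5"},
    {"external_id": "nx-102", "hostname": "db01.corp.example", "ip_address": "10.0.0.9"},
    {"external_id": "nx-103", "hostname": "old-lab7", "ip_address": "10.9.9.9"},
]
INSIGHTVM = [
    {"external_id": "ivm-a", "hostname": "WEB01", "fqdn": "web01.corp.example",
     "ip_address": "10.0.0.5"},
    {"external_id": "ivm-b", "fqdn": "db01.corp.example", "ip_address": "10.0.7.7"},
]

def normalize(asset, split_names=True):
    """Lower-case locator values; optionally move a dotted hostname to the FQDN field only."""
    a = {k: (asset.get(k) or "").strip().lower() for k in LOCATOR_ORDER}
    if split_names and "." in a["hostname"]:
        a["fqdn"] = a["fqdn"] or a["hostname"]
        a["hostname"] = ""
    return a

def preflight(nexpose, insightvm, order=LOCATOR_ORDER, split_names=True):
    """Return (merged, unmerged); merged maps Nexpose ID -> (locator, InsightVM ID)."""
    candidates = [normalize(a, split_names) for a in insightvm]
    merged, unmerged = {}, []
    for raw in nexpose:
        a = normalize(raw, split_names)
        hit = None
        for loc in order:
            if not a[loc]:
                continue  # an empty locator cannot match anything
            hit = next((c for c in candidates if c[loc] == a[loc]), None)
            if hit:
                merged[raw["external_id"]] = (loc, hit["external_id"])
                break
        if hit is None:
            unmerged.append(raw["external_id"])  # would remain a separate asset
    return merged, unmerged

if __name__ == "__main__":
    for split in (True, False):
        merged, unmerged = preflight(NEXPOSE, INSIGHTVM, split_names=split)
        print(f"hostname/FQDN split={split}: merged={merged} unmerged={unmerged}")
```

In this constructed data, the asset whose Nexpose hostname holds an FQDN merges only when the hostname/FQDN split is applied, and the stale asset stays unmerged in both runs.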

Frequently Asked Questions

Q: I have hundreds of risk meters. How can I quickly identify those that may have a Nexpose connector identification in the query?

A: Our GitHub contains a script that provides an output of all risk meters and their queries. You can execute this script, and then search for “Nexpose” or other connector names to identify risk meters that may need to be updated.

https://github.com/KennaSecurity/All_Samples/tree/master/Download%20Risk%20Meter%20Listing 

Q: Why do I see an increase in the asset count after running the InsightVM connector?

A: Your InsightVM console may contain assets not previously brought into Cisco Vulnerability Management through a Nexpose connector.

Q: Why were some of my assets from Nexpose not merged with an asset from InsightVM?

A: Here are some possible reasons:

1. Assets from your Nexpose consoles may not be available in InsightVM. Confirm the presence of any missing assets in InsightVM to ensure they will be brought into Cisco Vulnerability Management.

2. The API service account you used to create the InsightVM connector may not have permission to view/download all your assets in InsightVM.

3. If assets are not merging, you may need to update your locator orders on the connectors to ensure all assets are merged.

4. Your Nexpose connector may have brought in stale data that is no longer available through the InsightVM connector. Review your scan report selection in the Nexpose connector to validate the asset activity limit for both connectors.

 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 1992-2024 Cisco Systems, Inc. All rights reserved.
