Migrating to the Rapid7 InsightVM Connector from a Nexpose Connector in Cisco Vulnerability Management

Disclaimer: The InsightVM connector is generally available as of January 22, 2024. For information about setting up the InsightVM connector, see the Rapid7 InsightVM Cloud Connector.

Cisco Vulnerability Management’s new InsightVM connector provides many benefits over the Nexpose and NexposeXML connectors. However, if you are currently using a Nexpose or NexposeXML connector, you must migrate these connectors to ensure that the historical context of your assets and vulnerabilities carries over to your new InsightVM connector.

Important List of Data Points

If you want to move to a new InsightVM connector, ensure you note the following list of data points.

Note: If these fields are not important to you, simply delete your Nexpose connector, and then configure a new InsightVM connector to complete your migration. To set up the new connector, see the Rapid7 InsightVM Cloud Connector information.

  • Asset created at date
  • Asset priority score
  • Asset owner
  • Vulnerability custom fields
  • Vulnerability service ticket association (Jira/SNOW)
  • Vulnerability closed at date
  • Vulnerability notes
  • Vulnerability custom status (Risk Accepted/False Positive)

Before You Migrate to the Rapid7 InsightVM Connector from a Nexpose Connector

Step 1: Cisco recommends that you do a full export of your assets and vulnerabilities (including inactive assets and closed vulnerabilities), so that you have an offline copy of your data, before making any changes to your environment.

Step 2: On February 1, 2024, Cisco released a new feature to assist in ensuring your assets in Nexpose and InsightVM match. This new logic ensures that DNS short hostnames are mapped to the hostname field in Cisco Vulnerability Management, while FQDNs are exclusively mapped to the FQDN field.

Note: Cisco highly recommends that you enable this feature before migrating from your Nexpose connector to an InsightVM connector. This feature was enabled for all customers on February 1, 2024. For more about this feature, contact Customer Success or Technical Support.

Step 3: Review your risk meter queries to identify any risk meters that might no longer return accurate results after you migrate the connector. Ensure you look for risk meters with queries for connector names, or connector types that need to be updated in the InsightVM connector.

Migrate to the Rapid7 InsightVM Connector from a Nexpose Connector

  1. If required, update the Nexpose connector with a locator order to prioritize asset merging.
    Note: Ensure that the Hostname, FQDN, NetBIOS and IP address locators are at the top of the list, with the external ID at the bottom of the order.
  2. Create the InsightVM connector.
  3. Add an API token to the InsightVM connector.
  4. Update the InsightVM locator order to match the order for the Nexpose connector.
  5. Run the InsightVM connector.
  6. Confirm that the raw asset and vulnerability counts have not increased substantially after the InsightVM connector run, which indicates that the records merged. This assumes that the InsightVM service account used for the connector has permissions for all the Nexpose assets that are being brought into Cisco Vulnerability Management.
  7. Do acceptance testing to confirm that assets and vulnerabilities appear as expected, the external ID field is updated to reflect the UUID from InsightVM, and that there are CVEs with two scanner vulnerability tabs (one for Nexpose and one for InsightVM).
  8. If you are comfortable with the merger results, delete your Nexpose connector to remove any duplicated scanner vulnerabilities.
  9. If risk meters with queries containing Nexpose connector names or types were identified in the preliminary steps, update the relevant risk meter queries in your new InsightVM connector.

Your migration is now complete. Historical data is now safely stored on your InsightVM assets and vulnerabilities. For help or more information, contact Customer Success or Technical Support.
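
The count check in step 6 and the acceptance testing in step 7 can be scripted against the offline export taken before the migration. The following is an added example, not Cisco tooling: it assumes CSV asset exports with the hypothetical column names shown, uses constructed sample data, and treats growth above 10% as "substantial" (an assumed threshold).

```python
import csv
import io

# Assumed export column names (constructed for this example, not Cisco's schema).
LOCATORS = ["hostname", "fqdn", "netbios", "ip_address"]  # page's recommended order
TRACKED = ["owner", "priority", "created_at"]  # historical fields that must survive

# Constructed sample data: the Step 1 export and an export after the InsightVM run.
BEFORE_CSV = """hostname,fqdn,ip_address,external_id,owner,priority,created_at
web01,web01.corp.example,10.0.0.5,nx-101,alice,8,2022-03-01
db01,db01.corp.example,10.0.0.9,nx-102,bob,10,2021-11-15
app01,,10.0.0.12,nx-103,carol,5,2023-06-30
"""
AFTER_CSV = """hostname,fqdn,ip_address,external_id,owner,priority,created_at
web01,web01.corp.example,10.0.0.5,uuid-aaa,alice,8,2022-03-01
db01,db01.corp.example,10.0.0.9,uuid-bbb,,10,2021-11-15
app01,,10.0.0.12,nx-103,carol,5,2023-06-30
app01,app01.corp.example,10.0.0.12,uuid-ccc,,,2024-02-10
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def key(row):
    """Match key: first non-empty locator in LOCATORS order, else the external ID."""
    for col in LOCATORS:
        if row.get(col):
            return row[col].lower()
    return row["external_id"]

def check_migration(before_rows, after_rows, max_growth=1.10):
    """Compare exports; max_growth is an assumed threshold for 'substantial'."""
    after = {}
    for row in after_rows:
        after.setdefault(key(row), []).append(row)
    report = {"growth_ok": len(after_rows) <= len(before_rows) * max_growth,
              "missing": [], "duplicated": [], "fields_changed": [], "stale_external_id": []}
    for old in before_rows:
        k, rows = key(old), after.get(key(old), [])
        if not rows:
            report["missing"].append(k)            # asset no longer present
        elif len(rows) > 1:
            report["duplicated"].append(k)         # Nexpose and InsightVM copies did not merge
        else:
            changed = [f for f in TRACKED if old[f] != rows[0][f]]
            if changed:
                report["fields_changed"].append((k, changed))  # history was lost
            if old["external_id"] == rows[0]["external_id"]:
                report["stale_external_id"].append(k)  # not updated to the InsightVM UUID
    return report

if __name__ == "__main__":
    print(check_migration(load(BEFORE_CSV), load(AFTER_CSV)))
```

Run it before deleting the Nexpose connector in step 8: any entry under duplicated, fields_changed or stale_external_id is a reason to revisit locator order or service-account permissions first.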

Frequently Asked Questions

Q: I have hundreds of risk meters. How can I quickly identify those that might have a Nexpose connector identification in the query?

A: Our GitHub site contains a script that provides an output of all risk meters and their queries. You can execute this script, and then search for “Nexpose” or other connector names to identify risk meters that you might need to update.

https://github.com/KennaSecurity/All_Samples/tree/master/Download%20Risk%20Meter%20Listing 

 

Q: Why do I see an increase in the asset count after running the InsightVM connector?

A: Your InsightVM console might contain assets not previously brought into Cisco Vulnerability Management through a Nexpose connector.

 

Q: Why were some of my assets from Nexpose not merged with an asset from InsightVM?

A: Here are some possible reasons:

1. Assets from your Nexpose consoles might not be available in InsightVM. Confirm the presence of any missing assets in InsightVM to ensure they will be brought into Cisco Vulnerability Management.

2. The API service account you used to create the InsightVM connector might not have permission to view/download all your assets in InsightVM.

3. If assets are not merging, you might need to update your locator orders on the connectors to ensure all assets are merged.

4. Your Nexpose connector might have brought in stale data that is no longer available through the InsightVM connector. Review your scan report selection in the Nexpose connector to validate the asset activity limit for both connectors.

 

Q: Are there any fields that aren't ingested into Kenna when using the new Rapid7 InsightVM connector?

A: Yes. fix_published is not an ingested field.

 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 1992-2024 Cisco Systems, Inc. All rights reserved.
