Overview
About Rapid7
Vulcan ingests Rapid7 VM hosts and their linked vulnerabilities. The connector is based on reports and requires the user to create a report template in the Rapid7 console, which will be used to generate the reports on each sync.
Fully scan your network: Discover risks across all your endpoints, cloud, and virtualized infrastructure.
Eliminate vulnerabilities: Prioritize risks and provide step-by-step directions to IT and DevOps for more efficient remediation.
Track and communicate progress: View your risk in real time right from your dashboard. Measure and communicate progress on your program goals.
Why integrate Rapid7 (API v4) into the Vulcan platform?
The Rapid7 (API v4) connector by Vulcan integrates with the Rapid7 platform to pull and ingest Host assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data, which feeds into risk and remediation priority.
Rapid7 (API v4) Connector Details
Supported products | Vulnerability Assessment - InsightVM |
Category | Vulnerability Assessment |
Ingested asset type(s) | Hosts |
Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
The Rapid7 InsightVM Cloud user must have Admin permissions.
Generating a Rapid7 API key
Go to the Rapid7 Platform
Navigate to Settings > API Keys
Click on Generate New User Key
Select the appropriate organization, assign a name to the API key, and click "Submit".
Copy the API key immediately, as it will only be visible during its creation.
Configuring the Rapid7 Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Rapid7 InsightVM Cloud icon.
Set up the Connector as follows:
Data pulling configuration:
Asset Retention: Configure the retention period for inactive assets based on their last seen date. If an asset has not been detected or updated in a scan within the specified days, it will be automatically removed from the Vulcan ExposureOS platform. This ensures your asset inventory stays current and relevant.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Rapid7 instance.
Connector scheduling: Set the connector's sync time and days. By default, all days are selected.
Click Create (or Save Changes).
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. The sync is complete once the Rapid7 InsightVM Cloud icon shows Connected.
Rapid7 API v4 in the Vulcan Platform
Viewing Rapid7 vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Connector is Rapid7 InsightVM Cloud.
You can add more filters to narrow down your search further.
See the complete list of available vulnerability filters.
Click on a vulnerability for more vulnerability details.
Viewing Rapid7 API v4 assets in the Vulcan Platform
Viewing assets by Connector for users with the new platform view (Asset Hub):
Go to the Assets page.
Click on "Filter" and specify the condition as "Assets > Connector is Rapid7 InsightVM Cloud".
You can add more filters to narrow down your search further.
See the complete list of available asset filters.
Click on any asset for more asset details.
Taking Action on vulnerabilities and assets detected by Rapid7 InsightVM Cloud
To take remediation action on vulnerabilities and assets detected by Rapid7 InsightVM Cloud:
Go to the Vulnerabilities or Assets page.
Use the Filter to view the vulnerabilities or assets from Rapid7 InsightVM Cloud, along with their associated assets or vulnerabilities.
Select the relevant vulnerabilities/assets from the results list.
Click on Take Action to proceed with remediation or further actions.
Automating remediation actions on vulnerabilities detected by Rapid7 InsightVM Cloud
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.
From Rapid7 (API v4) to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Rapid7 through the API to pull relevant vulnerability and asset data and map it into the Vulcan Platform pages and fields.
Host fields mapping
Rapid7 UI field | Rapid7 API field | Vulcan field |
- | id | Asset Uniqueness criteria |
- | host_name or ip or id | Host Name (hostname) |
- | os_system_name or os_name or os_family | Host OS (os) |
- | os_version | Host OS Version (os_version) |
- | ip | Host IP (ip) |
- | ip | Host external IP (ip) |
- | host_name | Host FQDN (fqdn, if list fqdns) |
- | os_description | platform_family |
- | last_scan_end or last_assessed_for_vulnerabilities | Host Last report (last_seen) |
- | Host ID - id; Host Type - type; Architecture - os_architecture; Risk Score - risk_score; Host Unique Identifiers - unique_identifiers; Credential Assessments - credential_assessments | Host details (added_data) |
- | tags.name from tags | Host Tags - Vendor’s tags (tags) |
- | port and protocol | Vulnerability instance uniqueness criteria |
- | first_found | Vulnerability instance First seen (first_seen) |
- | last_found | Vulnerability instance Last seen (last_seen) |
- | Proof - proof; Status - status | Vulnerability instance details (added_data) |
- | port | Vulnerability instance port(port) |
- | protocol | Vulnerability instance port(protocol) |
- | fixed - if status is NOT_VULNERABLE; riskAcknowledged - if status is EXCEPTION_VULN_EXPL or EXCEPTION_VULN_VERS | Vulnerability instance Fixed mechanism (report_item_status) |
- | vulnerability_id | Unique Vulnerability uniqueness criteria |
- | vulcan_enrichment.vuln_data[0].data.title | Vulnerability title (title) |
- | vulcan_enrichment.vuln_data[0].data.severity_score or vulcan_enrichment.vuln_data[0].data.cvss_v3_score | Vulnerability score (cvss_score) |
- | vulcan_enrichment.vuln_data[0].data.description | Vulnerability description (description) |
|
| Vulnerability details(added_data) |
- | vulcan_enrichment.vuln_data[0].data.cves | CVE/S (report_item_cve) |
- | vulcan_enrichment.vuln_data[0].data.cvss_v3_vector | CVSS attack vector (cvss3_vector) |
- | rapid7_insightvm_cloud|host|vulnerability_id | cloud_vv_id |
- | solution_id | Solution uniqueness criteria |
- | Fix from Rapid7 | Fix - Title (title) |
- | solution_fix | Fix - Description(description) |
Vulnerability status mapping
Rapid7 Status | Vulcan Status |
All other statuses | Vulnerable |
NOT_VULNERABLE | Fixed |
- | Ignored - false positive |
EXCEPTION_VULN_EXPL, EXCEPTION_VULN_VERS | Ignored risk acknowledged |
Vulnerability score mapping
Rapid7 score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
- | 0 |
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any are added).
The table below lists how the status update mechanism works in the Rapid7 InsightVM Cloud connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | - Asset not found on the Connector's last sync - Asset not seen for X days according to "Last Seen" |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings. - If the vulnerability status on the Connector's side changes to - Vulnerability status on the Connector's side indicates irrelevancy (e.g., "INACTIVE"). |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
API version: v4
API | Use in Vulcan | Permissions required |
vm/v4/integration/vulnerabilities | enrichment to vulnerabilities | - |
vm/v4/integration/assets | map assets, vulnerabilities, findings, solutions | - |
Data Validation
Matching Asset Count
Objective: Ensure Rapid7 InsightVM Cloud reports the same number of assets as those displayed in Vulcan.
In Rapid7 InsightVM Cloud:
Go to Newly Discovered Assets in the Rapid7 InsightVM Cloud platform.
Click on total new assets to view the complete list of discovered assets.
The platform displays the total count of newly discovered assets.
In Vulcan:
In the Vulcan platform, navigate to Assets from the left menu.
Click on Filter and set Where → Asset → Connector to Rapid7 InsightVM Cloud.
The number of assets displayed in Vulcan should match the count seen in the Rapid7 InsightVM Cloud.
Validations if an asset is not present in Vulcan:
Archive by date: Ensure the asset is not archived in Vulcan based on an outdated last-seen date.
Archive by status: If the asset is no longer present or valid, confirm that it was removed or deleted.
Loader/checkbox: Verify that any relevant checkboxes or loader settings have been correctly applied.
Matching vulnerability count
Objective: Ensure the number of unique vulnerabilities in Rapid7 InsightVM Cloud aligns with those in Vulcan.
In Rapid7 InsightVM Cloud:
Go to “Assets” in the Rapid7 UI.
Click on the asset name to view its vulnerabilities.
A distinct “Vulnerability” entry identifies each unique vulnerability. This set represents the vulnerabilities that should be reflected in Vulcan.
In Vulcan:
Navigate to Vulnerabilities from the left menu.
Click on Filter, then set Where → Asset → Connector to Rapid7 InsightVM Cloud.
The total number of unique vulnerabilities should match what you observed in Rapid7.
Validations if vulnerability is not present in Vulcan:
No asset has this vulnerability: Check if the vulnerability is tied to an asset in Rapid7 that exists in Vulcan.
Asset-vulnerability mapping: Ensure correct mapping between the asset and its vulnerabilities.
Matching Findings (Asset-Vulnerability Instances)
Objective: Verify that the number of findings (asset-vulnerability instances) in Rapid7 InsightVM Cloud aligns with Vulcan.
In Rapid7 InsightVM Cloud:
Navigate to the Assets page.
Click on the asset name to view its detailed findings.
The list under Findings shows the vulnerabilities and instances of that asset.
Note: There may be discrepancies between the findings shown in the UI and those returned by the API. Vulcan aligns with the API data from Rapid7.
The numbers marked in the following image do not match the numbers we get from the API:
In Vulcan:
In the Vulcan platform, click on Findings.
Click on Filter, then set Where → Asset → Connector to Rapid7 InsightVM Cloud.
The total number of findings (asset-vulnerability instances) should match the API-based count from Rapid7.
Discrepancies:
The numbers displayed in the Rapid7 UI might not always match the API response used by Vulcan.
Users should rely on API-driven data for accurate comparisons.
Validations if a connection is not present in Vulcan:
If a finding transitions to fixed, it will appear on Vulcan’s Fixed screen.
If the finding does not exist for a supported asset or is missing from the Rapid7 API response, it will not show in Vulcan.
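The three count checks above can be reproduced offline from exported API data. The following is an added example, not Vulcan's or Rapid7's own code: it applies the uniqueness criteria and the status mapping from the tables on this page to constructed records. The per-asset "findings" list, the sample IDs, and the status VULNERABLE_EXPL (standing in for "all other statuses") are assumptions, as is combining asset id and vulnerability_id with port and protocol to identify an instance.

```python
from collections import Counter

# Constructed sample records. Field names come from the mapping tables above;
# the per-asset "findings" list is a hypothetical layout, not the API's schema.
SAMPLE_ASSETS = [
    {"id": "a-1", "host_name": "web01.example.test", "ip": "10.0.0.5", "findings": [
        {"vulnerability_id": "vuln-a", "port": 443, "protocol": "TCP", "status": "VULNERABLE_EXPL"},
        {"vulnerability_id": "vuln-a", "port": 8443, "protocol": "TCP", "status": "VULNERABLE_EXPL"},
        {"vulnerability_id": "vuln-b", "port": 22, "protocol": "TCP", "status": "NOT_VULNERABLE"},
    ]},
    {"id": "a-2", "host_name": None, "ip": "10.0.0.6", "findings": [
        {"vulnerability_id": "vuln-a", "port": 443, "protocol": "TCP", "status": "EXCEPTION_VULN_VERS"},
        # Same asset, vulnerability, port and protocol: one instance, not two.
        {"vulnerability_id": "vuln-a", "port": 443, "protocol": "TCP", "status": "EXCEPTION_VULN_VERS"},
    ]},
]

RISK_ACKNOWLEDGED = {"EXCEPTION_VULN_EXPL", "EXCEPTION_VULN_VERS"}

def vulcan_status(rapid7_status):
    """Apply the vulnerability status mapping table."""
    if rapid7_status == "NOT_VULNERABLE":
        return "Fixed"
    if rapid7_status in RISK_ACKNOWLEDGED:
        return "Ignored risk acknowledged"
    return "Vulnerable"  # "All other statuses"

def display_name(asset):
    """Host Name mapping: host_name, else ip, else id."""
    return asset.get("host_name") or asset.get("ip") or asset["id"]

def expected_counts(assets):
    """Counts to compare with the Assets, Vulnerabilities and Findings pages."""
    asset_ids, vuln_ids, instances = set(), set(), set()
    by_status = Counter()
    for asset in assets:
        asset_ids.add(asset["id"])  # asset uniqueness: id
        for f in asset.get("findings", []):
            key = (asset["id"], f["vulnerability_id"], f.get("port"), f.get("protocol"))
            if key in instances:
                continue
            instances.add(key)
            vuln_ids.add(f["vulnerability_id"])  # unique vulnerability: vulnerability_id
            by_status[vulcan_status(f["status"])] += 1
    return {"assets": len(asset_ids), "unique_vulnerabilities": len(vuln_ids),
            "findings": len(instances), "by_status": dict(by_status)}

if __name__ == "__main__":
    print(expected_counts(SAMPLE_ASSETS))
```

The by_status breakdown separates the findings expected on Vulcan's Fixed screen from those still shown as Vulnerable, which is where a raw total most often appears to disagree.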