Am I reading the right user guide?
There are several "Rapid7 Insight VM Connector" user guides on the Vulcan Help Center.
To open the guide that is relevant to your tenant/environment:
Go to your Vulcan Platform > Connectors > Add New Connector > Rapid7.
Click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.
About Rapid7 Insight VM
Rapid7 InsightVM solution discovers risks across all your endpoints, cloud, and virtualized infrastructure.
Why Integrating Rapid7 Insight Vulnerability Management into the Vulcan platform?
The Rapid7 Insight VM Connector by Vulcan integrates with the Rapid7 VM platform to pull and ingest host-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority based on your business context.
Rapid7 Insight VM Connector details
The Vulcan Platform ingests Rapid7 VM hosts and their linked vulnerabilities. The Connector is based on reports and requires creating a report template in the Rapid7 console to establish the integration.
Supported products | |
Category | Vulnerability Assessment |
Ingested asset type(s) | Hosts |
Integration type | UNI directional (data is transferred from Rapid7 to the Vulcan Platform in one direction) |
Supported version and type | Vulnerability Assessment - insightVM |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
Rapid 7 User
Create a Rapid7 regular user (in Administration > User Configuration panel) with the following configurations:
General: Account enabled
Roles:
User Role
Global permissions: Appear on Tickets and Report Lists
Site access: "Allow this user to access all sites"
Asset Group Access: "Allow this user to access all asset groups"
Create "Asset-Vulnerability Connections" report template
To create a report in Rapid7:
Click on Create > Report
Select Manage Report Templates
Click New to add a new report
Follow the instructions below to create and save the Asset-Vulnerability Connections report template in Rapid7.
Name the template:
vulcan_asset_vuln_connection
Add a description (free text).
For Template Type, select Export (CSV format).
In Content, select the following fields:
"Asset ID"
"
"Vulnerability ID"
"Vulnerable Since"
"Vulnerability Test Date"
"Vulnerability Proof"
"Service Port"
"Service ProtocolClick Save.
Configuring the Rapid7 Insight VM Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Rapid7 icon.
Set up the Connector as follows:
Enter the Rapid7 Insight VM server URL
Rapid7 Insight VM Username and password you generated earlier.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Rapid7 instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log.
To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the Rapid7 icon shows Connected, the connection is complete.
Rapid7 Insight VM in the Vulcan Platform
Locating Rapid7 Insight VM vulnerabilities in the Vulcan Platform
As Rapid7 discovers vulnerabilities, the Vulcan Platform Connector imports those vulnerabilities for reporting and action. You can view vulnerabilities via Connector by using the relevant filter:
Open the Vulcan Platform dashboard and navigate to the Vulnerabilities.
Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate Rapid7 on the vulnerability source/Connector list and click to filter results.
Click on any vulnerability to view further information.
Locating Rapid7 Host assets in the Vulcan Platform
To find all retrieved host assets from Rapid7 Insight VM:
Open the Vulcan Cyber dashboard and navigate to Assets.
Click on the Hosts tab.
Click on the Search or filter websites input box and select Connector from the drop-down selection.
Locate the Rapid7 option to view all synced assets.
Automating actions on vulnerabilities detected by Rapid7 Insight VM
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Rapid7 Connector.
Click here to learn how to create automation in the Vulcan Cyber Platform.
From Rapid7 Insight VM to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Rapid7 through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Hosts mapping
Rapid7 Insight VM field | Vulcan field | Value Example |
| Asset Name |
|
| Asset Details |
|
Hosts | Asset Type |
|
| IP |
|
OS | OS |
|
osFingerprint | OS version |
|
The time the asset was first ingested into Vulcan | Created date |
|
The last time the asset was seen on a Vulcan sync | Last seen date |
|
| FQDN |
|
| Multiple MAC Addresses |
|
| Open ports |
|
| Asset Tags - Vendor's tags |
|
| Asset Tags - Additional |
|
| Vulnerability instance uniqueness criteria |
|
The first time the vulnerability connection was first ingested into Vulcan | Vulnerability instance first seen |
|
The last time the vulnerability connection was seen on a Vulcan sync | Vulnerability instance Last seen |
|
| Unique Vulnerability uniqueness criteria |
|
| Vulnerability title |
|
| Vulnerability score |
|
| Vulnerability description |
|
| Vulnerability status |
|
| CVE/S |
|
| CVSS attack vector |
|
Vulnerability status mapping
Rapid7 Insight VM Status | Vulcan Status |
Vulnerability connection retrieved in sync | Vulnerable |
Vulnerability connection not retrieved in sync | Fixed |
Vulnerability score mapping
Rapid7 Insight VM score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
Information | 0 |
Update Mechanisms
Status update mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below describes how the status update mechanism works in the Rapid7 connector for the Rapid7 vulnerabilities and assets ingested into the Vulcan Platform.
Update type | Mechanism |
Archiving Assets | By X days according to "Last seen". If the Asset hasn’t been seen for X days, it will be archived from the Vulcan Platform. |
Change of vulnerability instances status from "Vulnerable" to "Fixed" | When the vulnerability no longer appears in the scan findings |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync time (the next day).
API
API Endpoints in use
API | Use in Vulcan | Permissions required |
| Assets | Allow listing Assets |
| Assets tags | Allow listing Tags |
| - | Allow listing sites |
| - | Allow create report |
| - | Allow generating domains |
| Asset, vulnerability, Solutions, Asset-Vulnerability map Vulnerability-Solutions map | Allow read report |
| Asset tags | Allow listing |
| Asset tags | Allow listing |
| Vulnerabilities | Allow listing vulnerabilities |
Data Validation
How do I validate the data between the Rapid7 Insight VM and the Vulcan Platform?
Before you start validating the data:
Ensure you use the same user configured in the Vulcan Rapid7 connector. This will remove all permissions and scoping issues out of the way.
Keep in mind that asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync time (the next day).
Ensure the date compared is within the same time range defined in the "Inactive Assets" connector configuration.
Hosts count validation
On Rapid7 Insight VM, go to Assets on the left menu.
On the Vulcan Platform, go to Assets > Hosts, and filter by Connector - Rapid7 Insight VM.
The number of scanned assets appearing in Rapid7 Insight VM should match the Rapid7 Insight VM host number on the Vulcan Platform. However, you might observe unmatching numbers or hostname discrepancies in the following cases:
Case 1: The Rapid7 connector is set to archive assets from the Vulcan Platform after X days. Therefore, only assets that have been active within the X-day timeframe will appear on the Vulcan Platform. In the example below, Rapid7 is set to archive inactive assets after 30 days. Therefore, only 4 of the ten assets in Rapid7 appear on the Vulcan Platform, based on the last_seen
date.
Case 2: In the example screenshot above, the first three hosts have different names than the ones on the Rapid7 Hosts table. This is because when ingested into the Vulcan Platform, they merged with the same assets previously ingested through other sources (i.e., other connectors). Therefore, these three hosts have received the name of the host they were merged with. If you click on one of these three hosts, you can see the Rapid7 data in the asset details.
Read more: What is Asset Deduping, and how does it work?
Vulnerabilities count validation
On Rapid7 Insight VM, go to Vulnerabilities on the left menu. Scroll down to see the Vulnerabilities table.
Scroll down the table to see the total unique vulnerabilities count.
Note: In Rapid7, the Vulnerability table is aggregated by unique vulnerability name and has the count of the vulnerability instances for each unique vulnerability (same as on the Vulcan Platform).
On the Vulcan Platform, go to Vulnerabilities > Unique Vulnerabilities > Vulnerable, and filter by Connector - Rapid7 Insight VM.
In general, the total count of vulnerabilities in Rapid7 Insight VM should match the Rapid7 Insight VM unique vulnerability count on the Vulcan Platform.
Vulnerability instances count validation
This count of vulnerability instances on Rapid7 should match the Vuln. instances count on Vulcan’s assets view (for assets not merged with other sources).