Rapid7 Insight VM Connector (with asset-vulnerability connection template only)

Learn all about integrating Rapid7 into the Vulcan Platform

Updated over 11 months ago

Am I reading the right user guide?

There are several "Rapid7 Insight VM Connector" user guides on the Vulcan Help Center.

To open the guide that is relevant to your tenant/environment:

  1. Go to your Vulcan Platform > Connectors > Add New Connector > Rapid7.

  2. Click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.

About Rapid7 Insight VM

The Rapid7 InsightVM solution discovers risks across all your endpoints, cloud, and virtualized infrastructure.

Why integrate Rapid7 Insight Vulnerability Management into the Vulcan Platform?

The Rapid7 Insight VM Connector by Vulcan integrates with the Rapid7 VM platform to pull and ingest host-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority based on your business context.

Rapid7 Insight VM Connector details

The Vulcan Platform ingests Rapid7 VM hosts and their linked vulnerabilities. The Connector is based on reports and requires creating a report template in the Rapid7 console to establish the integration.

Supported products

  • Category: Vulnerability Assessment

  • Ingested asset type(s): Hosts

  • Integration type: Unidirectional (data is transferred from Rapid7 to the Vulcan Platform in one direction)

  • Supported version and type: Vulnerability Assessment - insightVM


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

Rapid7 User

Create a Rapid7 regular user (in Administration > User Configuration panel) with the following configurations:

  • General: Account enabled

  • Roles:

    • User Role

    • Global permissions: Appear on Tickets and Report Lists

  • Site access: "Allow this user to access all sites"

  • Asset Group Access: "Allow this user to access all asset groups"

Create "Asset-Vulnerability Connections" report template

To create a report in Rapid7:

  1. Click on Create > Report

  2. Select Manage Report Templates

  3. Click New to add a new report

Follow the instructions below to create and save the Asset-Vulnerability Connections report template in Rapid7.

  1. Name the template: vulcan_asset_vuln_connection

  2. Add a description (free text).

  3. For Template Type, select Export (CSV format).

  4. In Content, select the following fields:
    "Asset ID"
    "Vulnerability ID"
    "Vulnerable Since"
    "Vulnerability Test Date"
    "Vulnerability Proof"
    "Service Port"
    "Service Protocol"

  5. Click Save.


Configuring the Rapid7 Insight VM Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Rapid7 icon.

  4. Set up the Connector as follows:

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Rapid7 instance, then click Create (or Save Changes).

  6. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  7. Allow some time for the sync to complete. Then, you can review the sync status under Log.

  8. To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the Rapid7 icon shows Connected, the connection is complete.


Rapid7 Insight VM in the Vulcan Platform

Locating Rapid7 Insight VM vulnerabilities in the Vulcan Platform

As Rapid7 discovers vulnerabilities, the Vulcan Platform Connector imports those vulnerabilities for reporting and action. You can view vulnerabilities by Connector using the relevant filter:

  1. Open the Vulcan Platform dashboard and navigate to Vulnerabilities.

  2. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.

  3. Locate Rapid7 on the vulnerability source/Connector list and click to filter results.

  4. Click on any vulnerability to view further information.

Locating Rapid7 Host assets in the Vulcan Platform

To find all retrieved host assets from Rapid7 Insight VM:

  1. Open the Vulcan Cyber dashboard and navigate to Assets.

  2. Click on the Hosts tab.

  3. Click on the Search or filter websites input box and select Connector from the drop-down selection.

  4. Locate the Rapid7 option to view all synced assets.

Automating actions on vulnerabilities detected by Rapid7 Insight VM

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Rapid7 Connector.

Click here to learn how to create automation in the Vulcan Cyber Platform.


From Rapid7 Insight VM to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Rapid7 through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Hosts mapping

| Rapid7 Insight VM field | Vulcan field | Value Example |
| --- | --- | --- |
| hostName | Asset Name | |
| Asset Names | Asset Details | |
| Hosts | Asset Type | |
| Asset IP Address, Asset Alternate IPv4 Addresses, Asset Alternate IPv6 Addresses | IP | "Asset Alternate IPv4 Addresses": "", "Asset Alternate IPv6 Addresses": "", "Asset ID": "67", "Asset IP Address": "18.216.243.44", |
| OS | OS | "Asset OS Family": "Ubuntu Linux", "Asset OS Name": "Ubuntu Linux", "Asset OS Version": "", |
| osFingerprint | OS version | |
| The time the asset was first ingested into Vulcan | Created date | |
| The last time the asset was seen on a Vulcan sync | Last seen date | |
| Asset Names | FQDN | "Asset Names": "ec2-18-216-243-44.us-east-2.compute.amazonaws.com", |
| Asset MAC Addresses | Multiple MAC Addresses | |
| Service Port, Service Protocol | Open ports | |
| Custom Tag, Site Name, Asset Owner | Asset Tags - Vendor's tags | |
| Asset Criticality, Site Importance, Asset Location | Asset Tags - Additional | |
| id | Vulnerability instance uniqueness criteria | |
| The first time the vulnerability connection was ingested into Vulcan | Vulnerability instance first seen | |
| The last time the vulnerability connection was seen on a Vulcan sync | Vulnerability instance Last seen | |
| Vulnerability ID | Unique Vulnerability uniqueness criteria | |
| get_parent_field('Vulnerability Title') | Vulnerability title | |
| Vulnerability CVSS Score | Vulnerability score | |
| Vulnerability Description | Vulnerability description | |
| | Vulnerability status | |
| Vulnerability CVE IDs | CVE/S | |
| Vulnerability CVSSv3 Vector | CVSS attack vector | |

Vulnerability status mapping

| Rapid7 Insight VM Status | Vulcan Status |
| --- | --- |
| Vulnerability connection retrieved in sync | Vulnerable |
| Vulnerability connection not retrieved in sync | Fixed |

Vulnerability score mapping

| Rapid7 Insight VM score | Vulcan score |
| --- | --- |
| Critical | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| Information | 0 |

Update Mechanisms

Status update mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The table below describes how the status update mechanism works in the Rapid7 connector for the Rapid7 vulnerabilities and assets ingested into the Vulcan Platform.

| Update type | Mechanism |
| --- | --- |
| Archiving Assets | By X days according to "Last seen". If the Asset hasn’t been seen for X days, it will be archived from the Vulcan Platform. |
| Change of vulnerability instances status from "Vulnerable" to "Fixed" | When the vulnerability no longer appears in the scan findings |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync time (the next day).
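The status rule above, worked through two consecutive syncs. This is an added example, not Vulcan's code: it assumes an instance is identified by the (Asset ID, Vulnerability ID) pair from the report template's CSV columns, and the function names, vulnerability IDs and sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample exports using the report template's column names.
SYNC_DAY1 = """Asset ID,Vulnerability ID,Service Port,Service Protocol
67,constructed-vuln-a,22,tcp
67,constructed-vuln-b,80,tcp
68,constructed-vuln-a,22,tcp
"""
SYNC_DAY2 = """Asset ID,Vulnerability ID,Service Port,Service Protocol
67,constructed-vuln-a,22,tcp
68,constructed-vuln-a,22,tcp
68,constructed-vuln-c,443,tcp
"""


def read_connections(csv_text):
    """Return the set of (asset id, vulnerability id) pairs in one export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    # Assumption: an instance is identified by asset and vulnerability only.
    return {(r["Asset ID"].strip(), r["Vulnerability ID"].strip()) for r in rows}


def apply_sync(state, csv_text, sync_date):
    """Update per-instance status, first seen and last seen for one sync."""
    seen = read_connections(csv_text)
    for key in seen:
        entry = state.setdefault(key, {"first_seen": sync_date})
        entry["last_seen"] = sync_date
        entry["status"] = "Vulnerable"  # connection retrieved in this sync
    for key, entry in state.items():
        if key not in seen:
            entry["status"] = "Fixed"   # connection not retrieved in this sync
    return state


def run_example():
    """Replay the two constructed syncs and return the final instance state."""
    state = {}
    apply_sync(state, SYNC_DAY1, date(2024, 1, 1))
    apply_sync(state, SYNC_DAY2, date(2024, 1, 2))
    return state


if __name__ == "__main__":
    for key, entry in sorted(run_example().items()):
        print(key, entry["status"], entry["first_seen"], entry["last_seen"])
```

A "Fixed" result here only means the connection was absent from the latest export, so a host that was simply not scanned looks the same as a remediated one.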


API

API Endpoints in use

| API | Use in Vulcan | Permissions required |
| --- | --- | --- |
| GET {{ server_url }}/api/3/assets | Assets | Allow listing Assets |
| GET {{ server_url }}/api/3/tags | Assets tags | Allow listing Tags |
| GET {{ server_url }}/api/3/sites | - | Allow listing sites |
| POST {{ server_url }}/api/3/report | - | Allow create report |
| POST {{ server_url }}/api/3/reports/{{ report_id }}/generate | - | Allow generating domains |
| GET {{ server_url }}/api/3/reports/{{ report_id }}/history/{{ report_instance_id }}/output | Asset, vulnerability, Solutions, Asset-Vulnerability map, Vulnerability-Solutions map | Allow read report |
| GET {{ server_url }}/api/3/asset_groups | Asset tags | Allow listing asset_groups |
| GET {{ server_url }}/api/3/asset_groups/{{ asset_group_id }}/assets | Asset tags | Allow listing asset_groups assets |
| GET {{ server_url }}/api/3/vulnerabilities | Vulnerabilities | Allow listing vulnerabilities |


Data Validation

How do I validate the data between the Rapid7 Insight VM and the Vulcan Platform?

Before you start validating the data:

  • Ensure you use the same user configured in the Vulcan Rapid7 connector. This takes permission and scoping issues out of the way.

  • Keep in mind that asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync time (the next day).

  • Ensure the date compared is within the same time range defined in the "Inactive Assets" connector configuration.

Hosts count validation

  1. On Rapid7 Insight VM, go to Assets on the left menu.

  2. On the Vulcan Platform, go to Assets > Hosts, and filter by Connector - Rapid7 Insight VM.

The number of scanned assets appearing in Rapid7 Insight VM should match the Rapid7 Insight VM host number on the Vulcan Platform. However, you might observe unmatching numbers or hostname discrepancies in the following cases:

Case 1: The Rapid7 connector is set to archive assets from the Vulcan Platform after X days. Therefore, only assets that have been active within the X-day timeframe will appear on the Vulcan Platform. In the example below, Rapid7 is set to archive inactive assets after 30 days. Therefore, only 4 of the ten assets in Rapid7 appear on the Vulcan Platform, based on the last_seen date.

Case 2: In the example screenshot above, the first three hosts have different names than the ones on the Rapid7 Hosts table. This is because when ingested into the Vulcan Platform, they merged with the same assets previously ingested through other sources (i.e., other connectors). Therefore, these three hosts have received the name of the host they were merged with. If you click on one of these three hosts, you can see the Rapid7 data in the asset details.
Read more: What is Asset Deduping, and how does it work?

Vulnerabilities count validation

  1. On Rapid7 Insight VM, go to Vulnerabilities on the left menu. Scroll down to see the Vulnerabilities table.

  2. Scroll down the table to see the total unique vulnerabilities count.

    Note: In Rapid7, the Vulnerability table is aggregated by unique vulnerability name and has the count of the vulnerability instances for each unique vulnerability (same as on the Vulcan Platform).

  3. On the Vulcan Platform, go to Vulnerabilities > Unique Vulnerabilities > Vulnerable, and filter by Connector - Rapid7 Insight VM.

In general, the total count of vulnerabilities in Rapid7 Insight VM should match the Rapid7 Insight VM unique vulnerability count on the Vulcan Platform.

Vulnerability instances count validation

The count of vulnerability instances on Rapid7 should match the Vuln. instances count on Vulcan’s assets view (for assets not merged with other sources).

  1. On Rapid7 Insight VM, go to Assets on the left menu.

  2. On the SCANNED table, a Vulnerabilities column counts the vulnerability instances on each VM.

  3. On the Vulcan Platform, go to Assets > Hosts, and filter by Connector - Rapid7 Insight VM.
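The validation steps above can be scripted so that each discrepancy is attributed to Case 1 (archived), Case 2 (merged) or a real mismatch. This is an added example, not part of the Vulcan or Rapid7 tooling: the Rapid7 last-seen dates, the CSV rows, the hand-collected Vulcan view and all function names are constructed or hypothetical.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed Rapid7-side data: asset id -> last seen date.
R7_LAST_SEEN = {"67": date(2024, 3, 28), "68": date(2024, 3, 20),
                "69": date(2024, 1, 15), "70": date(2024, 3, 30)}
# Constructed export in the report template's CSV columns.
R7_EXPORT = """Asset ID,Vulnerability ID
67,constructed-vuln-a
67,constructed-vuln-b
68,constructed-vuln-a
69,constructed-vuln-c
70,constructed-vuln-a
"""
# Hypothetical hand-collected Vulcan view: asset id -> (instances, merged?).
VULCAN_VIEW = {"67": (2, False), "68": (4, True), "70": (2, False)}


def instances_per_asset(csv_text):
    """Count vulnerability instances per Asset ID in the export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return Counter(r["Asset ID"].strip() for r in rows)


def unique_vulnerabilities(csv_text):
    """Count distinct Vulnerability ID values in the export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return len({r["Vulnerability ID"].strip() for r in rows})


def validate(last_seen, csv_text, vulcan, today, inactive_days):
    """Classify every Rapid7 asset against the Vulcan-side counts."""
    cutoff = today - timedelta(days=inactive_days)
    expected = instances_per_asset(csv_text)
    result = {}
    for asset_id, seen in last_seen.items():
        if asset_id not in vulcan:
            # Case 1: outside the Inactive Assets window, absence is expected.
            result[asset_id] = "archived" if seen < cutoff else "missing"
        elif vulcan[asset_id][1]:
            # Case 2: merged with other sources, counts are not comparable.
            result[asset_id] = "merged"
        elif vulcan[asset_id][0] == expected[asset_id]:
            result[asset_id] = "match"
        else:
            result[asset_id] = "mismatch"
    return result


def run_validation():
    """Validate the constructed data with a 30-day Inactive Assets window."""
    return validate(R7_LAST_SEEN, R7_EXPORT, VULCAN_VIEW, date(2024, 4, 1), 30)
```

Only the "missing" and "mismatch" results need follow-up; "archived" and "merged" correspond to the two documented cases.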
