Skip to main content
Red Hat Insights Connector

Learn all about integrating Red Hat Insights into the Vulcan Platform.

Updated over 8 months ago

Overview

About Red Hat Insights

Red Hat® Insights continuously analyzes platforms and applications to predict risk, recommend actions, and track costs so enterprises can better manage hybrid cloud environments. Insights is included with almost every subscription to Red Hat Enterprise Linux®, Red Hat OpenShift®, and Red Hat Ansible® Automation Platform.

Why integrate RedHat Insights into the Vulcan platform?

The Red Hat Insights Connector by Vulcan integrates with the Red Hat Insights platform to pull and ingest assets type Host and their related vulnerability data (CVEs) into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Red Hat Insights Connector Details

Supported products

Category

Vulnerability Assessment

Ingested asset type(s)

Hosts

Integration type

UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type

SaaS (latest)


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

Generating Red Hat Tokens and Assigning Permissions

Step 1: Creating a Service Account

  1. Navigate to the Red Hat Console at https://console.redhat.com/iam.

  2. Go to Service Accounts and click on Create service account.

  3. Enter a Service Account Name and provide a Short Description for the account. Once done, click Create.

  4. Copy and save the Client ID and Client secret, as you won’t be able to view them again. Check the box indicating you have done so and click Close.

Step 2: Group Creation and Configuration

  1. Go to User Access > Groups within the console and select Create group.

  2. Insert a Group Name (e.g. 'vulcan-api-group') and proceed by clicking Next.

  3. In the roles assignment step, input "viewer" into the search box. Select the appropriate API roles:

    • Inventory Host viewer

    • Vulnerability viewer

    • Patch viewer

  4. Confirm your selections and click Next.

  5. On the Add members page, proceed by clicking Next. Finalize the group creation by clicking Submit on the Review details page. Confirm the operation by clicking Exit upon completion.

Step 3: Assigning Service Account to Group

  1. Within the Groups section, click on the newly created group name. Go to the Service Accounts tab. If this tab is not visible, enable the Preview on slider.

  2. Click Add service account.

  3. Locate the service account you created earlier and select it by checking the box next to its name. Then, click Add to group.

Configuring the Red Hat Insights Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Red Hat icon.

  4. Set up the Connector as follows:

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Red Hat instance instance, then click Create (or Save Changes).

  6. The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.

  7. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  8. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. Once the Red Hat icon shows Connected, the sync is complete.


RedHat Insights in the Vulcan Platform

Viewing Red Hat Insights vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select Red Hat Insights from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing Red Hat Insights assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab.

  3. Use the Search or filter input box to select Connector from the drop-down selection.

  4. Select Red Hat Insights from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by Red Hat Insights

To take remediation action on vulnerabilities and assets detected by Red Hat Insights:

  1. Go to the Vulnerabilities / Assets Page.

  2. Click on the Search and Filter input box and select Connector from the drop-down selection.

  3. Locate the Red Hat Insights option to view all synced vulnerabilities/assets.

  4. Select the relevant vulnerability from the results list.

  5. Click Take Action.

Automating remediation actions on vulnerabilities detected by Red Hat Insights

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Red Hat Insights Connector.


From Red Hat Insights to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Red Hat Insights through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Host fields mapping

Red Hat Insights field

Vulcan field

field/Value example

id

Asset Uniqueness criteria

display_name

Asset Name

id

ansible_host

groups

system_profile.infrastructure_type

system_profile.cloud_provider

system_profile.bios_vendor

system_profile.system_memory_bytes

system_profile.cpu_flags

system_profile.installed_packages

system_profile.state

Asset details

  • UUID Field is named "insights id"

  • Hostname is mapped to Asset Name

  • Display name is mapped to Asset Name

Host

Asset type

ip_addresses

Asset IPs

system_profile.operating_system.name

Asset OS

system_profile.os_release

Asset OS Version

created

Asset Created date

updated

Asset Last seen date

fqdn

Asset FQDN

mac_addresses

Asset Multiple mac addresses

Installed Packages (Asset data)

Asset Packages (Asset additional data)

system_profile.systemd.state

Asset Status

attributes.tags

Asset Tags - Vendor’s tags

groups.name

Asset Tags - Additional

asset id + unique vulnerability id

Vulnerability instance uniqueness criteria

first_reported

Vulnerability instance first seen

last_evaluation

Vulnerability instance Last seen

status_id

Vulnerability instance status

rule_id

rule_description

rule_error_key

rule_vulnerability

Asset - Vulnerability instance connection (info tool tip)

id

Unique Vulnerability uniqueness criteria

id

Unique Vulnerability title

cvss3_score

Unique Vulnerability score

description

Unique Vulnerability description

public_date

impact

business_risk

Unique Vulnerability details

cvss3_score

Unique Vulnerability CVSS

id

Unique Vulnerability CVE/S

id

Solution uniqueness criteria

Fix from RedHat Insights

Solution title

id + description

Solution description

Solution references

Vulnerability status mapping

Red Hat Insights Status

Vulcan Status

Not Reviewed (0), In-Review (1), On-Hold (2), Scheduled for Patch (3)

Vulnerable

Resolved (4), Resolved via Mitigation (e.g. done without deploying a patch) (6)

Fixed

-

Ignored - false positive

No Action - Risk Accepted (5)

Ignored risk acknowledged

Vulnerability score mapping

CVSS3 based.

Red Hat Insights score

Vulcan score

1-10

1-10

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any added).

The table below lists how the status update mechanism works in the Red Hat connector for the vulnerabilities and assets in the Vulcan Platform.

Update type in Vulcan

Mechanism (When?)

The asset is archived

- Asset not seen for X days according to "Last Seen"

- Asset status on the connector's side indicates irrelevancy

The vulnerability instance status changes to "Fixed"

- Vulnerability status on the connector's side indicates irrelevancy or fixed

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

Support and Expected Behaviour

Support and expected behavior remarks on some Red Hat Insights ingested data:

  • Assets are archived based on their status and user input, with possible options including Fresh, Stale, and Stale Warning. There is no default status selected by default.

  • It's important to note that the handling of unique vulnerability statuses differs between Vulcan and RedHat Insights:

    • In Vulcan, the status of a unique vulnerability is determined by its vulnerability instances. If there are any vulnerable instances, it will be classified as vulnerable. If there are only fixed instances, it will be marked as fixed. If both conditions are met, it will be labeled as both.

    • In RedHat Insights, the status of a unique vulnerability is independent of its vulnerability instances. The resolution of an instance does not impact the status of the unique vulnerability itself.

    • At first glance, the count of unique vulnerabilities may appear different. Refer to the Data Validation section for guidance on addressing this discrepancy.

API Endpoints in Use

API version:

  • /api/inventory - v1

  • /api/vulnerability - v1

  • /api/patch - v3

API

Use in Vulcan

Permission required

Authentication

-

/api/inventory/v1/hosts

Assets

Inventory Hosts Viewer

/api/vulnerability/v1/vulnerabilities/cves

Unique vulnerabilities

Vulnerability Viewer

/api/vulnerability/v1/cves/{{cve_id}}/affected_systems

Vulnerability instances, asset-vulnerability connections, additional asset data

Vulnerability Viewer

/api/patch/v3/advisories

Solutions

Patch Viewer


Data Validation

This section shows how to validate and compare data between Vulcan and the Red Hat Insights platform.

Matching Assets

In Red Hat Insights:

  1. Click on "Inventory" and then on "Systems."

  2. Ensure that all asset statuses, including archiving, are checked.

In Vulcan:

  1. Go to Assets > Hosts.

  2. Filter by Red Hat Insights connector.

  3. All systems shown should be displayed in Vulcan, resulting in matching numbers.

    Note: Refer to the "Support and Expected Behaviour" section for information about asset status differences.

Matching Unique Vulnerabilities

In Red Hat Insights:

  1. Click on "Security," then "Vulnerability," and finally "CVEs."

  2. Verify the following filters:

    • Systems filter: Set to "1 or more" (default behavior).

    • Advisory filter: Not applied (not the default behavior).

    • Status filter: Set to "Not reviewed," "In review," "On-hold," and "Scheduled for patch."

  • To View Fixed Vulnerabilities, set the Status filter to "Resolved" and "Resolved via mitigation."

  • To View Acknowledged Vulnerabilities, set the Status filter to "No action - risk accepted."

In Vulcan:

Ensure that all displayed CVEs are also shown in Vulcan, resulting in matching numbers.

Note: Refer to the "Support and Expected Behaviour" section for information about asset status differences.

Matching Vulnerability Instances (from the Vulnerability)

In Red Hat Insights:

  1. Click on "Security," then "Vulnerability," "CVEs," and select a specific CVE.

  2. Verify the following filters:

    • Systems filter: Set to "1 or more" (default behavior).

    • Advisory filter: Not applied (not the default behavior).

    • Status filter: Set to "Not reviewed," "In review," "On-hold," and "Scheduled for patch."

In Vulcan:

All assets affected by that unique vulnerability (its vulnerability instances) should be displayed, resulting in matching numbers.

Matching Vulnerability Instances (from the Asset)

In Red Hat Insights:

  1. Click on "Inventory," then "Systems," select a specific system, and click on its vulnerability tab.

  2. Verify the following filters:

    • Status filter: Set to "Not reviewed," "In review," "On-hold," and "Scheduled for patch."

    • Advisory filter: Not applied (not the default behavior).

In Vulcan:

All vulnerabilities affecting that asset (its vulnerability instances) should be displayed, resulting in matching numbers.

Did this answer your question?