RiskRecon Connector

Learn all about integrating RiskRecon into the Vulcan Platform.


Overview

About RiskRecon

RiskRecon provides you with the visibility and tools you need to make third-party cyber risk decisions and take action at the speed of business.

Why integrate RiskRecon into the Vulcan platform?

The RiskRecon Connector by Vulcan integrates with the RiskRecon platform to pull and ingest Website-type assets and their related vulnerabilities into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

RiskRecon Connector Details

Supported products: RiskRecon - Risk Management

Category: Application Security - DAST

Ingested asset type(s): Websites

Integration type: Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type: SaaS (latest)


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

Generating RiskRecon API Token

  1. Go to the RiskRecon platform and log in.

  2. Go to My Account > System Administration.

  3. Click API Keys and then New API Key.

  4. Input a value in the Description field and set the Expiration Date to 1 year.

  5. Finally, click Create API Key.

  6. Copy the generated API Key.

Configuring the RiskRecon Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the RiskRecon icon.

  4. Set up the Connector as follows:

  5. Select whether to fetch all companies or click Load to select specific companies.

  6. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your RiskRecon instance, then click Create (or Save Changes).

  7. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  8. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. Once the RiskRecon icon shows Connected, the sync is complete.


RiskRecon Insights in the Vulcan Platform

Viewing RiskRecon vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select Risk Recon from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing RiskRecon assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab (Websites).

  3. Use the Search or filter input box to select Connector from the drop-down selection.

  4. Select RiskRecon from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by RiskRecon

To take remediation action on vulnerabilities and assets detected by RiskRecon:

  1. Go to the Vulnerabilities / Assets Page.

  2. Click on the Search and Filter input box and select Connector from the drop-down selection.

  3. Locate the RiskRecon option to view all synced vulnerabilities/assets.

  4. Select the relevant vulnerability from the results list.

  5. Click Take Action.

Automating remediation actions on vulnerabilities detected by RiskRecon

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the RiskRecon Connector.


From RiskRecon to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with RiskRecon through the API to pull relevant vulnerability and asset data and map it into the Vulcan Platform pages and fields.

Website fields mapping

| RiskRecon field | Vulcan field | Field/Value example |
|---|---|---|
| host_name or ip_address or domain_name | Asset Uniqueness criteria | |
| host_name or domain_name or ip_address | Asset Name | |
| Websites | Asset type | |
| host_name or domain_name or ip_address | Asset Address | |
| URL | Asset’s vulnerable pages | |
| hosting_provider, asset_value, auth_detected (has authentication), host_name, domain_name, ip_address, country_name | Asset details | |
| company name, hosting_provider, asset_value, domain, country_name | Asset Tags - Additional | |
| record_load_timestamp or last_seen | Asset Last scan | |
| asset id + finding_id + unique vulnerability id | Vulnerability instance uniqueness criteria | |
| first_seen | Vulnerability instance first seen | |
| finding_detail | Vulnerability instance URL | |
| last_seen | Vulnerability instance Last seen | |
| finding_id, finding_detail, finding_data_value, finding_extra_data_value, asset_value, priority, severity, ip_address, host_name, domain_name | Vulnerability instance details | |
| vulnerable | Vulnerability instance status | |
| URL | Vulnerability instance location path | |
| security_criteria | Unique Vulnerability uniqueness criteria | |
| display_name | Unique vulnerability title | |
| Vulnerability: issue_long_vuln or issue_short_vuln; Introduction: issue_long_intro or issue_short_intro; EOL: issue_long_eol or issue_short_eol | Unique vulnerability description | |
| severity | Unique vulnerability details | |
| - | Unique vulnerability status | Derived from the "vulnerability instances" |
| - | Assets-Vulnerability instance connection (info tooltip) | Detailed in the "vulnerability instances section" in the table |
| security_criteria | Solution uniqueness criteria | |
| Fix from RiskRecon | Solution Title | |
| solution_long or solution_short | Solution Description | |
| solution_references | Solution References | |

Vulnerability status mapping

| RiskRecon Status | Vulcan Status |
|---|---|
| all ingested findings are vulnerable | Vulnerable |

Vulnerability score mapping

| RiskRecon score | Vulcan score |
|---|---|
| Critical | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| Info | 0 |

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The table below lists how the status update mechanism works in the RiskRecon connector for the vulnerabilities and assets in the Vulcan Platform.

| Update type in Vulcan | Mechanism (When?) |
|---|---|
| The asset is archived | Asset not seen for X days according to "Last Seen" |
| The vulnerability instance status changes to "Fixed" | If the vulnerability no longer appears in the scan findings. |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

Support and Expected Behaviour

Remarks on support and expected behavior for RiskRecon data that is and is not ingested:

  • Users have the option to select which companies' data should be ingested into Vulcan.

  • Findings with a "pass" or "positive" status are not ingested.

  • The number of vulnerability instances:
    RiskRecon issues (Vulcan vulnerability instances) are counted by issue + IP. This means that a host with two IPs and an issue will be counted as two issues in Vulcan. However, RiskRecon counts only the issues without considering the IPs. Consequently, RiskRecon may potentially display a higher count.

  • The number of unique vulnerabilities:
    RiskRecon Security Criteria (Vulcan unique vulnerabilities) that do not involve the disclosure of IP addresses, hosts, or domains are not ingested. As a result, RiskRecon may potentially show a higher number of unique vulnerabilities.

  • The number of Assets:

    • RiskRecon's asset view lists only hosts. However, findings may also be associated with an IP or a domain. In Vulcan, these IPs and domains are treated as distinct assets. Consequently, Vulcan may potentially display a higher number of assets.

    • RiskRecon's UI filters out hosts that are not on a company's owned domains. In contrast, Vulcan displays all hosts, regardless of domain ownership. Therefore, Vulcan may potentially show a higher number of assets.

    For detailed instructions on how to compare the number of assets in Vulcan and RiskRecon, refer to the Data Validation section.

  • RiskRecon Host Issues Tab missing information:

    Please note that the value displayed in RiskRecon's host issues tab is not the Security Criteria (Vulcan unique vulnerability) but rather the Security Profile and its parent hierarchy.

  • Vulcan Vulnerability Instance URL:

    The URL field in Vulcan vulnerability instances will only be populated if the finding_detail field contains a URL. Otherwise, it will remain blank.

API Endpoints in Use

API version: v0, v1

| API | Use in Vulcan |
|---|---|
| /v1/toes | Get TOE_IDs (vendor ids) and vendor names |
| /v1/hosts/{toe_id} | Assets |
| /v1/findings_paginated/{toe_id} | Vulnerability instances |
| /v1/display_names/security_criteria | Unique vulnerabilities, solutions |
| /v0/cpe/raw_language?language=english&security_criteria={security_criteria} | Unique vulnerabilities data |


Data Validation

This section shows how to validate and compare data between Vulcan and the RiskRecon platform.

Matching Assets

As described in the Support and Expected Behaviour section, RiskRecon and Vulcan don’t show the same number of assets in the UI. RiskRecon doesn’t provide an option to view all assets for all companies.

In order to compare the data with Vulcan, you would need to do it for one company at a time, using the method detailed below. The numbers received from that method should be identical for both RiskRecon and Vulcan.

In RiskRecon:

  1. Choose a company from the "Portfolio" tab.

  2. Go to the “PDF / Data Downloads” tab and scroll down to the “Data Files” section.

  3. Click the download button for each data file except for "Owned Netblocks," and extract the column representing each file's asset.

  4. Combine all extracted columns into a single column in a new spreadsheet.

  5. Remove duplicates from the new column.

| Data File | Column |
|---|---|
| Hosts | hostname |
| Name Servers | hostname |
| Domain Records | domain |
| Host Headers | hostname |
| System Reputation Alerts | intel_hostname |
| Links to External Systems with System Reputation Alerts | source_websites |
| Software | hostname |
| Web Encryption | hostname |
| Domain Hijacking Protection | domain_name |
| Email Servers | email_server_hostname |
| Email Authentication | email_domain_name |
| Email Encryption | email_server_hostname |
| Shared IP Hosts | Hostname |
| Malicious Code | Hostname |

In Vulcan:

  1. Click on the "Assets" tab and then "Websites."

  2. Click on "Filter" and choose "Asset Tag" as the parameter.

  3. Select the name of the company you want to see and click "Apply."
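
The RiskRecon-side steps above (extract each data file's asset column, combine the columns, remove duplicates) can be scripted instead of done in a spreadsheet. This is an added example, not Vulcan or RiskRecon code: it assumes the data files are CSV exports whose asset columns are named as in the Data File / Column table, that names are compared case-insensitively, and it runs on constructed sample data.

```python
import csv
import io

# Asset column per RiskRecon data file, copied from the table on this page.
# "Owned Netblocks" is deliberately absent: the procedure excludes it.
ASSET_COLUMN = {
    "Hosts": "hostname", "Name Servers": "hostname",
    "Domain Records": "domain", "Host Headers": "hostname",
    "System Reputation Alerts": "intel_hostname",
    "Links to External Systems with System Reputation Alerts": "source_websites",
    "Software": "hostname", "Web Encryption": "hostname",
    "Domain Hijacking Protection": "domain_name",
    "Email Servers": "email_server_hostname",
    "Email Authentication": "email_domain_name",
    "Email Encryption": "email_server_hostname",
    "Shared IP Hosts": "Hostname", "Malicious Code": "Hostname",
}

def unique_assets(exports):
    """exports maps a data file name to its CSV text; returns the deduplicated asset set."""
    assets = set()
    for name, text in exports.items():
        if name not in ASSET_COLUMN:          # skips "Owned Netblocks" and unknown files
            continue
        wanted = ASSET_COLUMN[name].lower()
        reader = csv.DictReader(io.StringIO(text))
        # Match the header case-insensitively (the table mixes "hostname" and "Hostname").
        column = next((f for f in reader.fieldnames or [] if f.strip().lower() == wanted), None)
        if column is None:
            raise KeyError(f"{name}: column {ASSET_COLUMN[name]!r} not found")
        for row in reader:
            # Assumption: names differing only in case or a trailing dot are one asset.
            value = (row[column] or "").strip().lower().rstrip(".")
            if value:
                assets.add(value)
    return assets

# Constructed sample exports (not real RiskRecon data; extra columns are invented).
SAMPLE = {
    "Hosts": "hostname,ip_address\nwww.example.com,192.0.2.10\nmail.example.com,192.0.2.20\n",
    "Domain Records": "domain,registrar\nexample.com,Example Registrar\n",
    "Email Servers": "email_server_hostname\nMAIL.example.com\n",
    "Shared IP Hosts": "Hostname\nwww.example.com\nshop.example.net\n",
    "Owned Netblocks": "netblock\n192.0.2.0/24\n",
}

if __name__ == "__main__":
    print(len(unique_assets(SAMPLE)), sorted(unique_assets(SAMPLE)))
```

The size of the returned set is the number to compare against the asset count shown in Vulcan for the same company.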

Matching Unique Vulnerabilities

As described in the Support and Expected Behaviour section, RiskRecon and Vulcan don’t show the same number of unique vulnerabilities in the UI. RiskRecon Security Criteria (Vulcan unique vulnerabilities) that do not involve the disclosure of IP addresses, hosts, or domains are not ingested. Potentially, RiskRecon may show a higher number.

In order to compare the data with Vulcan, you would need to do it for one company at a time, using the method detailed below. The numbers received from that method should be identical for both RiskRecon and Vulcan.

In RiskRecon:

  1. Choose a company from the "Portfolio" tab.

  2. Go to the “Security Profile” tab.

  3. Enter each of the Security Domains and note which Security Criteria have a number higher than zero in their “Issue Count” field. Include only Security Criteria involving IP addresses, hosts, or domains.

  4. Combine the data from all companies.

In Vulcan:

  1. Click on the "Vulnerabilities" tab.

  2. Click on "Filter" and choose "Vulnerability Source" as the parameter.

  3. Select the connector’s name from the dropdown and click "Apply."

Matching Vulnerability Instances

As described in the Support and Expected Behaviour section, RiskRecon and Vulcan don’t show the same number of vulnerability instances in the UI. Vulcan doesn’t ingest RiskRecon issues (Vulcan vulnerability instances) in status pass or positive.

Furthermore, RiskRecon issues are counted by issue + IP. That means that a host with two IPs and an issue would be counted as two issues.

Vulcan counts only the issues without taking into account the IPs.

Potentially, RiskRecon may show a higher number.

Due to these factors, there is no feasible way to validate the number of vulnerability instances by using the UI.
