Rapid7 InsightVM
Integration version: 6.0
Configure Rapid7 InsightVM integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Api Root | String | N/A | Yes | API root of the Rapid7 InsightVM instance. |
| Username | String | N/A | Yes | Rapid7 InsightVM API Username. |
| Password | Password | N/A | Yes | Rapid7 InsightVM API Password. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verifies that the SSL certificate for the connection to the Rapid7 InsightVM server is valid. |
Actions
Enrich Asset
Description
Enrich an asset.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"10.0.0.100": {
"users": [{
"id": 500,
"name": "Administrator"
},{
"id": 503,
"name": "DefaultAccount"
},{
"id": 501,
"name": "Guest"
}],
"userGroups": [{
"id": 7,
"name": "ANONYMOUS LOGON"
},{
"id": 579,
"name": "Access Control Assistance Operators"
},{
"id": 544,
"name": "Administrators"
}],
"hostNames": [{
"source": "netbios",
"name": "WS-HUNULULU"
},{
"source": "dns",
"name": "ws-chaimsky.siemplify.local"
}],
"addresses": [{
"ip": "1.1.1.1",
"mac": "48:4D:7E:B8:3B:A4"
}],
"links": [{
"href": "https://1.1.1.1:3780/api/3/assets/1",
"rel": "self"
},{
"href": "https://1.1.1.1:3780/api/3/assets/1/software",
"rel": "Software"
},{
"href": "https://1.1.1.1:3780/api/3/assets/1/files",
"rel": "Files"
}],
"assessedForPolicies": false,
"ip": "1.1.1.1",
"hostName": "ws-chaimsky.siemplify.local",
"osFingerprint": {
"product": "Windows Server 2016",
"vendor": "Microsoft",
"description": "Microsoft Windows Server 2016",
"family": "Windows",
"systemName": "Microsoft Windows",
"type": "General",
"id": 8
},
"riskScore": 8270.22559,
"mac": "48:4D:7E:B8:3B:A4",
"rawRiskScore": 8270.22559,
"vulnerabilities": {
"moderate": 6,
"exploits": 1,
"malwareKits": 0,
"severe": 12,
"critical": 0,
"total": 18
},
"services": [{
"protocol": "tcp",
"name": "DCE Endpoint Resolution",
"links": [{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/tcp/135",
"rel": "self"
},{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/tcp/135/configurations",
"rel": "Configurations"
},{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/tcp/135/databases",
"rel": "Databases"
}],
"port": 135
},{
"name": "CIFS Name Service",
"protocol": "udp",
"port": 137,
"links": [{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/udp/137",
"rel": "self"
},{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/udp/137/configurations",
"rel": "Configurations"
},{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/udp/137/databases",
"rel": "Databases"
}],
"configurations": [{
"name": "advertised-name-1",
"value": "SIEMPLIFY (Domain Name)"
},{
"name": "advertised-name-2",
"value": "WS-CHAIMSKY (File Server Service)"
},{
"name": "advertised-name-3",
"value": "WS-CHAIMSKY (Computer Name)"
}]}, {
"product": "Windows 10 Enterprise N 2016 LTSB 6.3",
"protocol": "tcp",
"name": "CIFS",
"links": [{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/tcp/139",
"rel": "self"
},{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/tcp/139/configurations",
"rel": "Configurations"
},{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/tcp/139/databases",
"rel": "Databases"
}],
"port": 139,
"configurations": [{
"name": "domain",
"value": "SIEMPLIFY"
},{
"name": "password-mode",
"value": "encrypt"
},{
"name": "security-mode",
"value": "user"
}]}],
"assessedForVulnerabilities": true,
"os": "Microsoft Windows Server 2016",
"id": 1,
"history": [{
"date": "2019-03-25T04:25:46.333Z",
"scanId": 1,
"version": 1,
"type": "SCAN"
},{
"date": "2019-03-25T06:58:49.450Z",
"scanId": 2,
"version": 2,
"type": "SCAN"
},{
"date": "2019-03-26T03:58:44.859Z",
"scanId": 5,
"version": 3,
"type": "SCAN"
}]
}
}
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| users | Returns if it exists in JSON result |
| id | Returns if it exists in JSON result |
| name | Returns if it exists in JSON result |
| userGroups | Returns if it exists in JSON result |
| hostName | Returns if it exists in JSON result |
| source | Returns if it exists in JSON result |
| addresses | Returns if it exists in JSON result |
| ip | Returns if it exists in JSON result |
| mac | Returns if it exists in JSON result |
| links | Returns if it exists in JSON result |
| href | Returns if it exists in JSON result |
| rel | Returns if it exists in JSON result |
| assessedForPolicies | Returns if it exists in JSON result |
| product | Returns if it exists in JSON result |
| vendor | Returns if it exists in JSON result |
| description | Returns if it exists in JSON result |
| Family | Returns if it exists in JSON result |
| systemName | Returns if it exists in JSON result |
| type | Returns if it exists in JSON result |
| riskScore | Returns if it exists in JSON result |
| rawRiskScore | Returns if it exists in JSON result |
| moderate | Returns if it exists in JSON result |
| vulnerabilities | Returns if it exists in JSON result |
| exploits | Returns if it exists in JSON result |
| malwareKits | Returns if it exists in JSON result |
| severe | Returns if it exists in JSON result |
| critical | Returns if it exists in JSON result |
| total | Returns if it exists in JSON result |
| configurations | Returns if it exists in JSON result |
| date | Returns if it exists in JSON result |
| ScanId | Returns if it exists in JSON result |
| Version | Returns if it exists in JSON result |
Insights
N/A
Get Scan Results
Description
Get scan results by ID.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Scan ID | String | N/A | Yes | The ID of the scan. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| success | True/False | success:False |
JSON Result
{
"STATUS": {
"STATE": "Finished"
},
"EXPIRATION_DATETIME": "2019-02-04T13:11:15Z",
"TITLE": "Scan scan/1533110666.07264 Report",
"USER_LOGIN": "sempf3mh",
"OUTPUT_FORMAT": "PDF",
"LAUNCH_DATETIME": "2019-01-28T13:11:14Z",
"TYPE": "Scan",
"ID": "775111",
"SIZE": "22.17 KB"
}
Entity Enrichment
N/A
Insights
N/A
Launch Scans
Description
Start a scan for a specific site.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Scan Name | String | N/A | No | The scan name. |
| Scan Engine | String | N/A | Yes | The name of the engine to use in the scan. |
| Scan Template | String | N/A | Yes | The name of the template to use in the scan. |
| Site Name | String | N/A | Yes | The name of the site to run the scan on. |
| Fetch Results | Checkbox | Unchecked | No | Whether to wait for the scan to complete and get its results or not. |
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| scan_id | N/A | N/A |
JSON Result
{
"status": "finished",
"scanType": "Manual",
"assets": 1,
"links": [{
"href": "https://1.1.1.1:3780/api/3/scans/8",
"rel": "self"
}],
"vulnerabilities": {
"severe": 12,
"total": 18,
"critical": 0,
"moderate": 6
},
"startTime": "2019-04-11T07:44:00.095Z",
"duration": "PT7M58.298S",
"engineName": "Local scan engine",
"endTime": "2019-04-11T07:51:58.393Z",
"id": 8,
"scanName": "siemplify_20190411-104353"
}
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| status | Returns if it exists in JSON result |
| scanType | Returns if it exists in JSON result |
| assets | Returns if it exists in JSON result |
| links | Returns if it exists in JSON result |
| href | Returns if it exists in JSON result |
| rel | Returns if it exists in JSON result |
| vulnerabilities | Returns if it exists in JSON result |
| severe | Returns if it exists in JSON result |
| total | Returns if it exists in JSON result |
| critical | Returns if it exists in JSON result |
| moderate | Returns if it exists in JSON result |
| startTime | Returns if it exists in JSON result |
| duration | Returns if it exists in JSON result |
| engineName | Returns if it exists in JSON result |
| endTime | Returns if it exists in JSON result |
| id | Returns if it exists in JSON result |
| scanName | Returns if it exists in JSON result |
Insights
N/A
List Scans
Description
List scans.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Days Backwards | String | N/A | Yes | Number of days backwards to fetch scans from. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"status": "finished",
"scanType": "Manual",
"assets": 1,
"links": [{
"href": "https://1.1.1.1:3780/api/3/scans/8",
"rel": "self"
}],
"vulnerabilities": {
"severe": 12,
"total": 18,
"critical": 0,
"moderate": 6
},
"startTime": "2019-04-11T07:44:00.095Z",
"duration": "PT7M58.298S",
"engineName": "Local scan engine",
"endTime": "2019-04-11T07:51:58.393Z",
"id": 8,
"scanName": "siemplify_20190411-104353"
}
]
Entity Enrichment
N/A
Insights
N/A
Ping
Description
Test Connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Connectors
Rapid7 InsightVM - Vulnerabilities Connector
Description
Pull information about asset vulnerabilities from Rapid7 InsightVM.
Configure Rapid7 InsightVM - Vulnerabilities Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | riskEventType | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 500 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://{ip}:3780 | Yes | API root of the Rapid7 InsightVM instance. |
| Username | String | N/A | Yes | Username of the Rapid7 InsightVM account. |
| Password | Password | N/A | Yes | Password of the Rapid7 InsightVM account. |
| Lowest Severity To Fetch | String | Moderate | No | The lowest severity that needs to be used to fetch vulnerabilities. Possible values: Moderate, Severe, Critical. If nothing is provided, the connector fetches vulnerabilities with all severities. |
| Max Assets To Process | Integer | 5 | No | Amount of assets that need to be processed per one connector iteration. Note: It's not recommended to increase the value of this parameter, because the connector will be more prone to timeouts. |
| Grouping Mechanism | String | Host | No | Grouping mechanism that is used to create Google Security Operations SOAR alerts. Possible values: Host, None. If "Host" is provided, the connector creates one Google Security Operations SOAR alert containing all of the vulnerabilities related to the host. If "None" or invalid value is provided, the connector creates a new Google Security Operations SOAR alert for each separate vulnerability per host. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist is used as a blacklist. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Rapid7 InsightVM server is valid.r is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector rules
Proxy support
The connector supports proxy.