Vulnerable Item Detections Open but VI Closed

Armacar2
Kilo Expert

Hi,

I have detected that many of the Vulnerable Items are in state "Closed" with the substate "Stale", but their Vulnerable Item Detections are "Open". I confirmed in Rapid7 that they are open, so I ran the Comprehensive Integration to run from before the last found date for those VIs, but this integration is not refreshing the last found date on them. I raised a ticket on HI but they haven't got to a solution yet. Any recommendations? I have Rapid7 v11 and Vulnerability Response v12 running on Paris.

Thank you.

andy_ojha
ServiceNow Employee

Hey there,

You're on the right track with opening the HI Support Ticket.

---------------------------------

You mentioned R7 Comprehensive Job - so assuming you are using Rapid7 InsightVM and not Data Warehouse?

---------------------------------

Are you using a fresh installation of these Store Apps (Rapid7 v11 / VR v12) - or, did you recently upgrade?  If you upgraded, what version(s) did you upgrade from for these apps?

---------------------------------

On the culprit Vulnerable Items (State = Closed, Substate = Stale):

  • Where Open Detections are present, does the 'Last Found' date on the Vulnerable Item record match exactly to the latest 'Last Found' date of any of the Open Detections associated to that Vulnerable Item?
  • If they don't match, can you share a screenshot or list the difference (e.g. VI Last Found is 03/24/2020 but latest Last Found from Detections is 01/15/2020)

---------------------------------

If you go to your Script Includes, and open the Script Include called "Detection" ... (not DetectionBase)

   - Do you have more than 5 lines of code in this Script Include?

---------------------------------

If you go to your Script Includes, and open the Script Include called "DetectionBase" ...

   - Do you have the following statement on Line 631?

        if (isVIClosed && (Number(vi.getValue("substate")) === this.VI_SUBSTATE_FIXED || Number(vi.getValue("substate")) === this.VI_SUBSTATE_STALE))

Armacar2
Kilo Expert

Hi

I'm using Rapid7 InsightVM

---------------------------------

Rapid7 Integration for Security Operations - Upgraded from 10.3.5 to 11.0.0

Vulnerability Response - Upgraded from 11.0.3 to 12.0.3

---------------------------------

On the culprit Vulnerable Items (State = Closed, Substate = Stale):

  • Where Open Detections are present, does the 'Last Found' date on the Vulnerable Item record match exactly to the latest 'Last Found' date of any of the Open Detections associated to that Vulnerable Item?

        Yes, they all match.

---------------------------------

If you go to your Script Includes, and open the Script Include called "Detection" ... (not DetectionBase)

   - Do you have more than 5 lines of code in this Script Include?

No, I don't, only 5.

var Detection = Class.create();
Detection.prototype = Object.extendsObject(sn_vul.DetectionBase, {

    type: 'Detection'
});

---------------------------------

If you go to your Script Includes, and open the Script Include called "DetectionBase" ...

   - Do you have the following statement on Line 631?

Yes, I do have that statement on line 631.

---------------------------------

Additional information:

Our first integration, running daily, was the Rapid7 Vulnerable Item Integration - API, which created all of the original detections, including all of the closed-stale VIs. Now that we have recently been running the Rapid7 Comprehensive Vulnerable Item Integration - API, it is not overwriting or updating the original detections. My theory is that the detection has to be updated so the system detects the new last found date on it and can reopen these closed-stale false positives? Not sure, but I do appreciate all the help.

Thanks.

andy_ojha
ServiceNow Employee

Hey there,

You are spot on. 

The Detections have to come in again as "NEW" or "SAME" from Rapid7, which will transition the Vulnerable Items they are associated to out of (Closed / Stale) and back to (Open).

Given you have that Statement on Line 631 of DetectionBase, and you have no override functionality in Detection - this should be working.

-------------------------------

Which flavor of Auto-Close do you have configured (based on Last Found from the Vulnerable Item, or Last Scan Date for the asset)?

-------------------------------

So are we seeing that none of our detections that were initially created before upgrading the Store Apps, are being updated (their Last Found date) when we run the Comprehensive Job now?

Are any new detections being created after running the Comprehensive Job?

-------------------------------

By chance, has the filtering changed on the Rapid7 Configuration Page (perhaps we started with specifying some Rapid7 Sites, later added some, later removed some etc.)?
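
The reconciliation Andy describes in this reply (detections re-imported as NEW or SAME refreshing a VI's last found date and moving it out of Closed/Stale, the DetectionBase condition quoted earlier in the thread, the "close by age" auto-close that produced the stale VIs, and the check that the VI's Last Found equals the latest Last Found of its open detections), as an added example that is not part of this thread and not ServiceNow's own code. It is a plain JavaScript model that runs under Node; the numeric state/substate values, the record fields, the `source_id` detection key and all function names are assumptions, not the Vulnerability Response schema.

```javascript
// Added example, not ServiceNow's DetectionBase code: a stand-alone model of
// how re-imported scanner detections drive Vulnerable Item (VI) state.
// State/substate numbers, field names and the detection key are assumptions.

const VI_STATE_OPEN = 1;
const VI_STATE_CLOSED = 3;
const VI_SUBSTATE_NONE = 0;
const VI_SUBSTATE_FIXED = 1;
const VI_SUBSTATE_STALE = 2;

// Detection statuses the import can report (assumed vocabulary).
const DET_NEW = 'new';
const DET_SAME = 'same';
const DET_FIXED = 'fixed';

const DAY_MS = 24 * 60 * 60 * 1000;

function makeVI(id) {
  return { id: id, state: VI_STATE_OPEN, substate: VI_SUBSTATE_NONE,
           last_found: null, detections: {} };
}

function isOpenStatus(status) {
  return status === DET_NEW || status === DET_SAME;
}

// Upsert one imported detection onto its VI. The detection is keyed by the
// scanner's own id, so a re-import updates the existing row instead of adding
// a second one. An open (NEW/SAME) detection refreshes the VI's last_found and,
// if the VI had been closed as Fixed or Stale, reopens it.
function applyDetection(vi, det) {
  const row = vi.detections[det.source_id] || (vi.detections[det.source_id] = {});
  row.status = det.status;
  row.last_found = det.last_found;

  if (!isOpenStatus(det.status)) {
    return vi; // a FIXED detection never reopens anything
  }
  if (vi.last_found === null || det.last_found > vi.last_found) {
    vi.last_found = det.last_found;
  }
  const isVIClosed = vi.state === VI_STATE_CLOSED;
  if (isVIClosed && (vi.substate === VI_SUBSTATE_FIXED ||
                     vi.substate === VI_SUBSTATE_STALE)) {
    vi.state = VI_STATE_OPEN;
    vi.substate = VI_SUBSTATE_NONE;
  }
  return vi;
}

// "Close by age": an open VI not seen for more than closeAfterDays is closed as
// Stale. It reads only the VI's own last_found, so a detection that is never
// re-imported leaves the VI stale however often the import job runs.
function autoCloseByAge(vi, now, closeAfterDays) {
  if (vi.state === VI_STATE_OPEN && vi.last_found !== null &&
      now - vi.last_found > closeAfterDays * DAY_MS) {
    vi.state = VI_STATE_CLOSED;
    vi.substate = VI_SUBSTATE_STALE;
  }
  return vi;
}

// Consistency check from the thread: the VI's last_found should equal the
// latest last_found across its open detections.
function latestOpenDetectionLastFound(vi) {
  let latest = null;
  for (const key of Object.keys(vi.detections)) {
    const d = vi.detections[key];
    if (isOpenStatus(d.status) && (latest === null || d.last_found > latest)) {
      latest = d.last_found;
    }
  }
  return latest;
}

function viLastFoundMatchesDetections(vi) {
  return latestOpenDetectionLastFound(vi) === vi.last_found;
}

// Walk-through on constructed data (not real Rapid7 output).
function scenario() {
  const vi = makeVI('VIT0001');
  const firstSeen = Date.UTC(2020, 0, 15); // 2020-01-15
  applyDetection(vi, { source_id: 'r7-det-1', status: DET_NEW, last_found: firstSeen });

  // 100 days later with nothing re-imported: the 90-day rule closes it as Stale.
  autoCloseByAge(vi, firstSeen + 100 * DAY_MS, 90);
  const closedStale = vi.state === VI_STATE_CLOSED && vi.substate === VI_SUBSTATE_STALE;

  // The same detection comes back as SAME with a fresh last_found: the VI reopens.
  const reseen = Date.UTC(2020, 4, 1); // 2020-05-01
  applyDetection(vi, { source_id: 'r7-det-1', status: DET_SAME, last_found: reseen });

  return {
    closedStale: closedStale,
    reopened: vi.state === VI_STATE_OPEN && vi.substate === VI_SUBSTATE_NONE,
    lastFound: vi.last_found,
    detectionCount: Object.keys(vi.detections).length,
    consistent: viLastFoundMatchesDetections(vi)
  };
}
```

Running `scenario()` walks one VI from its first detection through the 90-day auto-close and back to Open once the same detection is re-imported with a newer last found date. The point of the model is that `applyDetection` is the only path that reopens a VI: an import that never touches the existing detection row gives it nothing to act on, which is the situation described above.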

Hi Andy,

Here's the answers:

-------------------------------

Which flavor of Auto-Close do you have configured (based on Last Found from the Vulnerable Item, or Last Scan Date for the asset)?

When I was on the 10.3.5 Rapid7 Integration version, I had enabled the OOB Import Configuration with "Closed by age" checked and the "Close after" field set to 90 days, which closed a lot of our VIs that today are closed-stale but not closed on the Rapid7 side, and the ones that have the open detections.

On the current 11.0.0 version I have not activated the Auto-Close Stale Vulnerable Items function.

-------------------------------

So are we seeing that none of our detections that were initially created before upgrading the Store Apps, are being updated (their Last Found date) when we run the Comprehensive Job now?

Correct, and I think this is why the VIs are not getting re-opened.

Are any new detections being created after running the Comprehensive Job?

Yes, they are, but only a few. I made a report and only 0.73% of our entire VI records have been created by the Comprehensive Integration; the other 99.27% have been created by the regular Rapid7 Vulnerable Item Integration. I have found very exceptional cases in which the VI record contains 2 detections on the same day from these 2 different integration jobs, when I believe this should be the expected behavior in all our VIs, since I'm running both integrations daily, first the Rapid7 Vulnerable Item Integration and then the Comprehensive Integration.

-------------------------------

By chance, has the filtering changed on the Rapid7 Configuration Page (perhaps we started with specifying some Rapid7 Sites, later added some, later removed some etc.)?

We haven't added filters or modified the configuration page. The site filter has been empty all the time.

Thanks for your interest in continuing to help me.

Regards.