Automatic closure of vulnerability information in conjunction with InsightVM.

Ohki_Yamamoto
Tera Guru

SecOps-VR is working with InsightVM.


When InsightVM determines that vulnerability information has been resolved, we expect that re-importing the vulnerability information into ServiceNow will automatically close the corresponding vulnerable items.


Which of the following jobs is required to be executed in the InsightVM integration job to automatically close vulnerable items?


Rapid7 Vulnerable Item Integration — API
Rapid7 Vulnerability Integration — API
Rapid7 Asset List Integration - API
Rapid7 Comprehensive Vulnerable Item Integration - API
Rapid7 Site Integration


https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secops-integration-...


When I contacted NowSupport to confirm, I received two different responses: “Rapid7 Comprehensive Vulnerable Item Integration - API is required” and “Rapid7 Comprehensive Vulnerable Item Integration - API is not required.” I am unsure which information is necessary for automatic closure.


Does anyone know?


kenmcneil
Tera Expert

It depends on how InsightVM is set up. There are 2 Rapid7 Comprehensive Vulnerable Item Integrations: one is used for Rapid7 InsightVM integration, and the other is used for Rapid7 Data Warehouse integration. Most InsightVM configurations are probably using the Rapid7 InsightVM version. InsightVM data warehouse configuration is primarily used to export data to an external database for reporting purposes.


You can find the different versions on the Vulnerability Integrations page. If your active integrations use the Rapid7 InsightVM source instance, you should use the Rapid7 Comprehensive Vulnerable Item Integration for Rapid7 InsightVM (source instance).

Ohki_Yamamoto
Tera Guru

Thank you very much. @kenmcneil 


We are not using Data Warehouse, but rather integrating with InsightVM.
Therefore, we are using the “Rapid7 Comprehensive Vulnerable Item Integration - API” for InsightVM.


What we would like to confirm is whether it is necessary to execute the “Rapid7 Comprehensive Vulnerable Item Integration - API” job in order to automatically close vulnerable items through data integration from InsightVM.


kenmcneil
Tera Expert

Yeah, the documentation is not clear if you are using InsightVM without Data Warehouse. For the Data Warehouse configuration, Rapid7 Vulnerable Item Resolution Integration closes the vulnerable items. I do not see the same level of integration for InsightVM that does not utilize the Data Warehouse configuration.

andy_ojha
ServiceNow Employee

Hey there,


I'd look at it more as "what comes over during the integration data imports from R7 from a delta perspective".


We don't quite "re-import", rather, we fetch deltas from the last time the integration ran and collected data from a 3rd party scanner like Rapid7.


There are, technically, 2 flavours of "delta" jobs with Rapid7 InsightVM and VR to pull in findings / vulnerability detections:

1) Daily delta job (Rapid7 Vulnerable Item Integration — API)

2) Weekly comprehensive job (Rapid7 Comprehensive Vulnerable Item Integration - API)


NOTE: This same pattern, of integration and deltas also applies to certain other 3rd party integrations with VR, such as with Qualys.


The main difference between these two Rapid7 IVM + VR integration jobs boils down to one particular Rapid7 InsightVM API filter, called "includeSame".


1) Daily delta job (New, Fixed) --- (Rapid7 Vulnerable Item Integration — API)

 - includeSame = False

 - Only fetches New or Fixed vulnerabilities on an asset for that period of time (delta)
 - This means we do not update the Detections or Vuln Items (Last found date field)

2) Weekly comprehensive job (New, Fixed, "R7 Same" aka Active or Seen Again) --- (Rapid7 Comprehensive Vulnerable Item Integration - API)

 - includeSame = True

 - Fetches New or Fixed vulnerabilities on an asset for that period of time (delta)
   AND
 - Fetches vulnerabilities seen again on an asset for that period of time (delta)
 - This means we do update the Detections and Vuln Items (Last found date field) when the findings are seen again
 - This is important to help determine which Detections / Vuln Items should be deemed as stale over time
 - Meaning, the scanner has not said these findings are closed / fixed, nor has the scanner said these findings are still open or active - the scanner stops reporting anything on these previously identified vulnerabilities
 - We can infer these are "stale" and close them out as "stale" over time
 - This is also key for handling assets that are deleted or removed from Rapid7, as over time we can infer which findings are no longer "active" or "relevant" and should be earmarked as stale and closed accordingly as stale


So the answer is: both of these jobs can bring in New and Fixed findings from Rapid7, but the Comprehensive is special in that it also includes the "active detections" seen again, even if the state has not changed - which is needed to infer which Detections/Vulnerable Items are stale in ServiceNow because Rapid7 has not reported them again (either as Active or Fixed/Remediated).


For more details on the Rapid7 InsightVM 'includeSame' API filter:

https://docs.rapid7.com/insightvm/servicenow-security-operations/


----------------------------------------------------------------------------------

Technically, the second job, 2) Weekly comprehensive job (New, Fixed, "R7 Same" aka Active or Seen Again) --- (Rapid7 Comprehensive Vulnerable Item Integration - API) - can be viewed as optional and is not really mandatory
- This would mean, we'd have to derive the "Auto-Close Rules" using the Asset Last Scan rather than the Detection Last Found 
- I would not suggest this path where possible 
- Updating the Detection/Vulnerable Item 'Last found' date with this "true-up" type of job allows for identifying specific Detections and Vulnerable Items as stale, even if the asset is still being scanned or seen again

   - Often useful, when vulnerable components are removed, services disabled, reg keys removed
   - There are many situations where the corresponding 3rd party vulnerability scanner does not report findings as "Closed/Remediated" - and so we need to rely on inferring records are stale
- The problem with not using this job, is the "Last found" date on Detections and Vulnerable Items, won't be updated over time 

 - So yes, technically it is "not required" but you will miss out on key data points to drive other logic
 - "Highly advisable" to leverage the 2) Comprehensive job, and set up Auto-Close Rules to ensure we have actionable and clear data on Detection/Vulnerable Item tables is probably a better way to communicate that
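The difference between the two delta jobs and the two possible bases for a stale rule is easier to see on data. The following is an added example, not code from ServiceNow, Rapid7 or anyone in this thread: it is a small constructed model of a detection table, of the `includeSame` behaviour described above, and of an auto-close rule keyed either on the detection's "Last found" date or on the asset's last scan date. The record shapes, function names, the 21-day threshold, the asset `srv01` and the findings `V-A` / `V-B` are all assumptions made for the illustration.

```python
"""Constructed model of the daily (includeSame=False) and weekly comprehensive
(includeSame=True) Rapid7 InsightVM delta jobs and of a stale auto-close rule.
Not ServiceNow or Rapid7 code; names, dates and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Detection:
    """Stand-in for a Detection / Vulnerable Item record (constructed)."""
    asset: str
    vuln: str
    state: str        # "open", "fixed" or "stale"
    first_found: date
    last_found: date


@dataclass(frozen=True)
class Finding:
    """One row as a delta job receives it; status is "new", "fixed" or "same"."""
    asset: str
    vuln: str
    status: str
    seen: date


def apply_delta(detections, findings, include_same):
    """Apply one delta import to the table (dict keyed by (asset, vuln)).

    include_same=False models the daily job: "same" rows are excluded by the
    API filter, so a finding seen again never refreshes last_found.
    include_same=True models the weekly comprehensive job, which refreshes it.
    """
    for f in findings:
        key = (f.asset, f.vuln)
        if f.status == "new":
            if key in detections:
                detections[key].state = "open"
                detections[key].last_found = f.seen
            else:
                detections[key] = Detection(f.asset, f.vuln, "open", f.seen, f.seen)
        elif f.status == "fixed":
            if key in detections:
                detections[key].state = "fixed"
        elif f.status == "same":
            if include_same and key in detections:
                detections[key].last_found = f.seen
        else:
            raise ValueError(f"unknown finding status {f.status!r}")
    return detections


def auto_close_stale(detections, asset_last_scan, today, stale_after, basis):
    """Mark open detections stale when their reference date is older than
    today - stale_after.  basis="detection" uses last_found (the path the
    post recommends); basis="asset" uses the asset's last scan date (the
    fallback left when the comprehensive job is not run).  Returns the sorted
    keys that were closed."""
    cutoff = today - stale_after
    closed = []
    for key, d in detections.items():
        if d.state != "open":
            continue
        reference = d.last_found if basis == "detection" else asset_last_scan[d.asset]
        if reference < cutoff:
            d.state = "stale"
            closed.append(key)
    return sorted(closed)


def simulate(use_comprehensive, basis, stale_after=timedelta(days=21)):
    """Six weekly scans of one constructed asset.  V-A is reported every week;
    V-B is reported once and then silently disappears without ever being
    reported as fixed.  Returns (closed keys, {vuln: last_found ISO date})."""
    scans = [date(2025, 1, 6) + timedelta(weeks=i) for i in range(6)]
    detections = {}
    for i, day in enumerate(scans):
        if i == 0:
            findings = [Finding("srv01", "V-A", "new", day),
                        Finding("srv01", "V-B", "new", day)]
        else:
            findings = [Finding("srv01", "V-A", "same", day)]  # V-B no longer reported
        apply_delta(detections, findings, include_same=use_comprehensive)
    closed = auto_close_stale(detections, {"srv01": scans[-1]}, scans[-1],
                              stale_after, basis)
    last_found = {d.vuln: d.last_found.isoformat() for d in detections.values()}
    return closed, last_found


if __name__ == "__main__":
    for comp in (True, False):
        for basis in ("detection", "asset"):
            closed, lf = simulate(comp, basis)
            print(f"comprehensive={comp!s:5} basis={basis:9} stale={closed} last_found={lf}")
```

Running it shows the three outcomes the post describes: with the comprehensive job and a "Last found" based rule, only `V-B` (the finding the scanner stopped reporting) is closed as stale while `V-A` keeps a current date; with the daily job alone, both detections keep their original date, so a "Last found" rule would wrongly close `V-A` as well; and a rule keyed on the asset's last scan closes nothing at all, because the asset itself is still being scanned, so `V-B` lingers open.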