Automatic closure of vulnerability information in conjunction with InsightVM.

Ohki_Yamamoto
Tera Guru

‎06-16-2025 04:36 AM

SecOps-VR is working with InsightVM.

 

When InsightVM determines that vulnerability information has been resolved, we expect that re-importing the vulnerability information into ServiceNow will automatically close the corresponding vulnerable items.

 

Which of the following jobs is required to be executed in the InsightVM integration job to automatically close vulnerable items?

 

Rapid7 Vulnerable Item Integration — API
Rapid7 Vulnerability Integration — API
Rapid7 Asset List Integration - API
Rapid7 Comprehensive Vulnerable Item Integration - API
Rapid7 Site Integration

 

https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secops-integration-...


When I contacted NowSupport to confirm, I received two different responses: “Rapid7 Comprehensive Vulnerable Item Integration - API is required” and “Rapid7 Comprehensive Vulnerable Item Integration - API is not required.” I am unsure which information is necessary for automatic closure.

 

Does anyone know?

 

 

0 Helpfuls
  • 1,119 Views
6 REPLIES 6

Ohki_Yamamoto
Tera Guru
In response to andy_ojha

‎06-16-2025 06:30 PM

@andy_ojha , thank you for the detailed explanation! It is very helpful.

 

I understand that Rapid7 Comprehensive Vulnerable Item Integration - API also imports vulnerability information that has not changed on InsightVM and performs the necessary jobs to determine that the unchanged status is “stale.”

 

Is it correct to understand that Rapid7 Comprehensive Vulnerable Item Integration - API is not required for automatic closure of vulnerability information?

Is it correct to understand that running the Rapid7 Vulnerable Item Integration — API job will automatically close vulnerability information?

0 Helpfuls

andy_ojha
ServiceNow Employee
ServiceNow Employee
In response to Ohki_Yamamoto

‎06-17-2025 09:56 AM

Hey there,

 

When we say "automatic closure of Vulnerable Items" - this can be viewed in two ways
1) When Rapid7 IVM says a finding is "Fixed/Remediated" - we close out the corresponding Detection and Vulnerable Items in ServiceNow
  - This is handled in both of the jobs today, the Daily delta and the Weekly Comprehensive (sometimes I also call this a "true-up" job, as it updates the Last found date of detections that have not had a change in status but are reported as found again)

2) Overtime, we will have Detections and Vulnerable Items that are not Closed, but are also not being reported again by Rapid7
 - We would traditionally rely on the Rapid7 IVM Comprehensive job to update the (Last found) or seen again dates on our side in ServiceNow
 - Then, we can infer over time, if a given record has not been reported again -> we can close it out as stale 
 - This uses the Auto-Close Rules you define 

 

-----------------------------------------------------------------------

In my opinion, it is best to use the Rapid7 IVM Comprehensive job to true-up the (Last found) dates over time, and you drive your "stale" record closure this way.

If you choose not to use the Rapid7 IVM Comprehensive job, the (Last found) dates on the Detections and Vulnerable Items will not accurately reflect the "seen again" or "freshness" of the data - especially when data falls off in Rapid7 (assets removed, vulnerable components removed, etc).

You could in theory craft your auto-close rules based on the Asset last scan (Discovered Item), but I am not a fan of this because the Detections and Vulnerable Items will not have accurate (Last found) dates on them and it is likely that though an Asset is still being scanned, previously reported Detections on them could potentially falloff or disappear, and Rapid7 does not report this as "Fixed" -> meaning, there will be Detections and Vulnerable Items showing as Open that are technically "Stale" but it is difficult to identify this without the (Last found) date being updated regularly via using the Rapid7 IVM Comprehensive job.

0 Helpfuls