Rapid7 and ServiceNow Vulnerability response integration

Alex150 · ‎10-01-2018

Hello.

I've integrated SN and Rapid 7 successfully, but I'm trying find out how perform repadiation process properly.

When I'm closing Vulnerable Item or Vulnerable group I have two option for closure:

Wait for confirmation from next scan
Close vulnerabilities now, reopen if found

It's clear but, how can I run scan a specific vulnerability item/group without waiting for the next scan?

Do I need to create a third-party vulnerability scanner for Rapid7? Does somebody faced with this issue?

andy_ojha · ‎10-04-2019

Hey there,

It would depend on if you are working from a Vulnerability Group or Vulnerable Item, the particular version of ServiceNow VR you have, and in some cases the third-party integration you are working with (Rapid7, Tenable SC, Tenable IO, Qualys, custom integration, etc)...

One way to approach / think of this for Rapid7:

- Users move identified vulnerabilities to [Resolved]

- Scanner / "the system", will move identified vulnerabilities to [Closed], with a {Fixed} substate

Where the general [State Flow] appears as:

..... Open -> Under Investigation -> Awaiting Implementation -> Resolved -> Closed

-------------------------------------------------------

Users have the ability to move Vulnerability Groups and Vulnerable Items to a `Resolved` State; where they can signal they have performed their remediation activities to the best of their knowledge.

The scanner can then take these Vulnerable Items from [Resolved] -> to [Closed] / {Fixed}.

When all Vulnerable Items in a Vulnerability Group, are set to [Closed] / {Fixed} -> the Vulnerability Group should automatically be set to [Closed] / {Fixed}.

-------------------------------------------------------

There are some alternative paths that users can take with the baseline functionality (for Madrid / New York), and these can be adjusted with some configuration to meet your requirements and general user experience that you prefer ...

- Users can nav to a Vulnerable Item, and either set it to [Resolved] or to [Closed] / {Fixed}

- Users can nav to a Vulnerability Group, and set it to [Resolved]

-> Once in [Resolved], a button called "Close" appears

-> Selecting this will set the Vulnerability Group to State of [Closed], with an empty substate

- Users can also request to Defer, either a Vulnerable Item or Vulnerability Group (i.e. buy more time, to perform mitigation activities)...

-> If their request to Defer is approved, the respective Vulnerable Item, or Vulnerability Group will get set to [Deferred]

View solution in original post

qcj3 · ‎10-01-2018

Are you wanting to rescan as soon as the VUL or VIT is closed? Yikes! I would recommend waiting until a sanctioned time frame so not to impact production hours.

Alex150 · ‎10-01-2018

Hi.

Yes, I'd like rescan because in my opinion it will allow checking remediation without waiting for schedule scan. Is it make sense?

andy_ojha · ‎10-02-2018

Hi Alex,

The existing Rapid7 Nexpose and ServiceNow integration does not support triggering / launching requests for scans from ServiceNow to your Nexpose Console.

In this case, you'll need to strategically configure how often the Rapid7 Integration jobs run in ServiceNow based on your scan frequency and staggered scan scopes (i.e. Site IDs, network ranges, etc).

Then, as data is brought into ServiceNow on a periodic basis - e.g. Daily, SN Vulnerable Items (VITs) will be updated to reflect the current state; either an existing vulnerability that was on-boarded into ServiceNow VR is remediated or is still present.

Hope that clarifies.

Alex150 · ‎10-02-2018

Thanks, Andy.