Rapid7 InsightVM asset import

kenmcneil
Tera Expert

We are trying to solve a problem with importing non-persistent VDIs (workstations). Because we are required to install the Rapid7 agent on all workstations (mostly remote) and servers, I use the following site for asset import:

 

- Rapid7 Insight Agents

 

This import works great, except it imports all non-persistent VDIs (ephemeral assets) and creates a few thousand unmatched CIs, and we do not want that. The non-persistent VDIs have the same naming convention (the first 8 characters are the same).

 

I talked to my friend Copilot and asked about editing the Script Include - Rapid7APIVulnerableItemIntegration to allow adding an exception for the VDIs based on the naming convention, and it warned me about changing OOTB code and gave me the following recommendation:

 

if (this._isExcludedAsset(sourceData)) {
    // Option 1 (safer): tag and continue
    sourceData.u_asset_exception = true;

    // Option 2 (riskier): skip creation
    return;
}

 

In InsightVM, I have tried adding a dynamic asset group to a site scan, but because the site scanner cannot scan remote assets, most workstations are missing from the asset import (servers are fine since they are not remote), which is why I am looking into editing the script include. Another option would be to create a workflow that deletes the non-persistent VDIs after import.

 

Other solutions are appreciated. TIA

 

 

3 REPLIES

andy_ojha
ServiceNow Employee

Hey there,

 

Before we go down the path of touching the Script Include, I would check out the config on the Rapid7 InsightVM API Import Filter.

You might already be employing (or can look at establishing) asset tags in R7 that could be used as a filter for when ServiceNow makes the API call, to omit those assets (VDIs, non-persistent gear).

There may be better objects than asset.tags, but it feels like a good start to investigate on the R7 side to isolate the stubborn VDIs / non-persistent gear.

 

The R7 API can filter on the "asset" object and they have some neat operators as well like "STARTS WITH".
Example:

  • {"asset":"total_vulnerabilities != 0 && tags STARTS WITH 'CROWN_JEWEL'"}

This Community Post may also help.

 


 

kenmcneil
Tera Expert

I created the tag "non-persistent vdi" and created a dynamic filter to add all NP VDIs to the tag. Would I add the following to the "Content" box to import all assets except the non-persistent VDIs?

 

{"asset":"tags IS NOT 'non-persistent vdi'"} or 

 

{"asset":"tags != 'non-persistent vdi'"}

 

Thanks

andy_ojha
ServiceNow Employee

Hey there,


I don't believe the equality operators will play nice with string fields on the R7 API (=, !=).

 

This seems like it should be a good starting point to implement and validate with:

  • {"asset":"tags NOT IN ['non-persistent vdi']"}
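An added example, not part of the thread and not ServiceNow or Rapid7 code: before relying on a tag-based import filter, this audit checks that the "non-persistent vdi" tag and the 8-character naming convention agree, so untagged VDIs (which would still create CIs) and tagged non-VDI assets (which would be dropped from the import) are visible. The prefix `NPVDI-WS`, the `host_name` and `tags[].name` record shape, the case-insensitive tag match and the sample records are all assumptions.

```javascript
// Added example. Field names, prefix and sample data are assumptions, not from the thread.
const VDI_PREFIX = 'NPVDI-WS';          // hypothetical 8-character naming convention
const VDI_TAG = 'non-persistent vdi';   // tag name used in the thread

// Short hostname, upper-cased, so FQDNs and mixed case compare consistently.
function shortName(asset) {
  return String(asset.host_name || '').trim().split('.')[0].toUpperCase();
}

function matchesNamingConvention(asset) {
  return shortName(asset).startsWith(VDI_PREFIX.toUpperCase());
}

// Assumption: tag names are compared case-insensitively in this audit.
function hasVdiTag(asset) {
  return (asset.tags || []).some(
    (t) => String(t.name || '').toLowerCase() === VDI_TAG);
}

// Partition assets by what a tag-based exclusion would do, and record every
// asset where the tag and the naming convention disagree.
function auditExclusion(assets) {
  const result = { imported: [], excluded: [], untaggedVdi: [], taggedNonVdi: [] };
  for (const asset of assets) {
    const label = asset.host_name || '(no hostname)';
    const tagged = hasVdiTag(asset);
    const named = matchesNamingConvention(asset);
    (tagged ? result.excluded : result.imported).push(label);
    if (named && !tagged) result.untaggedVdi.push(label);   // would still create a CI
    if (tagged && !named) result.taggedNonVdi.push(label);  // would be dropped from import
  }
  return result;
}

// Constructed sample records, not real export data.
const sampleAssets = [
  { host_name: 'NPVDI-WS0141.corp.example', tags: [{ name: 'non-persistent vdi' }] },
  { host_name: 'npvdi-ws0142', tags: [] },
  { host_name: 'SRV-APP-01.corp.example', tags: [{ name: 'Non-Persistent VDI' }] },
  { host_name: 'LAPTOP-7731', tags: [{ name: 'remote workstation' }] },
  { tags: [] },
];

console.log(auditExclusion(sampleAssets));
```

Empty `untaggedVdi` and `taggedNonVdi` lists mean the dynamic tag and the naming convention select the same assets.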