Rapid7 InsightVM asset import

kenmcneil
Tera Expert

We are trying to solve a problem with importing non-persistent VDI's (Workstations). Because we are required to install the Rapid7 agent on all workstations (mostly remote) and servers, I use the following site for asset import:

 

- Rapid7 Insight Agents

 

This import works great, except it imports all non-persistent VDIs (ephemeral assets), creates a few thousand unmatched CIs, and we do not want that. The non-persistent VDI's have the same naming convention ( first 8 characters are the same). 

 

I talked to my friend Copilot and asked about editing the Script Include - Rapid7APIVulnerableItemIntegration to allow adding an exception for the VDIs based on the naming convention, and it warned me about changing OOTB code and gave me the following recommendation:

 

if (this._isExcludedAsset(sourceData)) {
    // Option 1 (safer): tag and continue
    sourceData.u_asset_exception = true;

 

    // Option 2 (riskier): skip creation
    return;
}

 

In InsightVM, I have tried adding a dynamic asset group to a site scan, but because the site scanner cannot scan remote assets, most workstations are missing from the asset import (Servers are fine since they are not remote), which is why I am looking into editing the script include. Another option would be to create a workflow that deletes the non-persistent VDI's after import.

 

Other solutions are appreciated. TIA

 

 

2 ACCEPTED SOLUTIONS

andy_ojha
ServiceNow Employee

Hey there,


I don't believe the equality operators will play nice with string fields on the R7 API (=, !=)

 

This seems like it should be a good starting point to implement and validate with:

  • {"asset":"tags NOT IN ['non-persistent vdi']"}

View solution in original post

andy_ojha
ServiceNow Employee

Hey Ken - awesome, glad you got a win.

 

Yes - we would modify the REST Message > POST Method similarly here. 

  • This will ensure that both the asset and detection jobs for R7 IVM, omit the VDI assets (or any other similar asset based filtering)

  • When the asset job runs, we would not pull these assets in to track with Discovered Items (or trigger CI Lookup attempts, create CIs if one does not exist)

  • When the detection/vuln item job runs, those assets will not be returned to ServiceNow based on the request sent to R7 

- Rapid7 Asset List -> You have to modify the "all_assets" METHOD

- Rapid7 Vulnerable Item -> You have to modify the "post" METHOD
- Rapid7 Vulnerable Item (Comprehensive) -> You have to modify the "post" METHOD

 

The integration jobs, R7 IVM Vulnerable Item and R7 IVM Vulnerable Item (Comprehensive) share that same single REST Msg > POST method, so we would adjust it once.

View solution in original post

6 REPLIES 6

andy_ojha
ServiceNow Employee

Hey Ken - awesome, glad you got a win.

 

Yes - we would modify the REST Message > POST Method similarly here. 

  • This will ensure that both the asset and detection jobs for R7 IVM, omit the VDI assets (or any other similar asset based filtering)

  • When the asset job runs, we would not pull these assets in to track with Discovered Items (or trigger CI Lookup attempts, create CIs if one does not exist)

  • When the detection/vuln item job runs, those assets will not be returned to ServiceNow based on the request sent to R7 

- Rapid7 Asset List -> You have to modify the "all_assets" METHOD

- Rapid7 Vulnerable Item -> You have to modify the "post" METHOD
- Rapid7 Vulnerable Item (Comprehensive) -> You have to modify the "post" METHOD

 

The integration jobs, R7 IVM Vulnerable Item and R7 IVM Vulnerable Item (Comprehensive) share that same single REST Msg > POST method, so we would adjust it once.

Thank you for all of your help.