- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
We are trying to solve a problem with importing non-persistent VDI's (Workstations). Because we are required to install the Rapid7 agent on all workstations (mostly remote) and servers, I use the following site for asset import:
- Rapid7 Insight Agents
This import works great, except it imports all non-persistent VDIs (ephemeral assets), creates a few thousand unmatched CIs, and we do not want that. The non-persistent VDI's have the same naming convention ( first 8 characters are the same).
I talked to my friend Copilot and asked about editing the Script Include - Rapid7APIVulnerableItemIntegration to allow adding an exception for the VDIs based on the naming convention, and it warned me about changing OOTB code and gave me the following recommendation:
In InsightVM, I have tried adding a dynamic asset group to a site scan, but because the site scanner cannot scan remote assets, most workstations are missing from the asset import (Servers are fine since they are not remote), which is why I am looking into editing the script include. Another option would be to create a workflow that deletes the non-persistent VDI's after import.
Other solutions are appreciated. TIA
Solved! Go to Solution.
- Labels:
-
Vulnerability Response
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hey there,
I don't believe the equality operators will play nice with string fields on the R7 API (=, !=)
This seems like it should be a good starting point to implement and validate with:
- {"asset":"tags NOT IN ['non-persistent vdi']"}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago - last edited 3 weeks ago
Hey Ken - awesome, glad you got a win.
Yes - we would modify the REST Message > POST Method similarly here.
-
This will ensure that both the asset and detection jobs for R7 IVM, omit the VDI assets (or any other similar asset based filtering)
-
When the asset job runs, we would not pull these assets in to track with Discovered Items (or trigger CI Lookup attempts, create CIs if one does not exist)
-
When the detection/vuln item job runs, those assets will not be returned to ServiceNow based on the request sent to R7
- Rapid7 Asset List -> You have to modify the "all_assets" METHOD
- Rapid7 Vulnerable Item -> You have to modify the "post" METHOD
- Rapid7 Vulnerable Item (Comprehensive) -> You have to modify the "post" METHOD
The integration jobs, R7 IVM Vulnerable Item and R7 IVM Vulnerable Item (Comprehensive) share that same single REST Msg > POST method, so we would adjust it once.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago - last edited 3 weeks ago
Hey Ken - awesome, glad you got a win.
Yes - we would modify the REST Message > POST Method similarly here.
-
This will ensure that both the asset and detection jobs for R7 IVM, omit the VDI assets (or any other similar asset based filtering)
-
When the asset job runs, we would not pull these assets in to track with Discovered Items (or trigger CI Lookup attempts, create CIs if one does not exist)
-
When the detection/vuln item job runs, those assets will not be returned to ServiceNow based on the request sent to R7
- Rapid7 Asset List -> You have to modify the "all_assets" METHOD
- Rapid7 Vulnerable Item -> You have to modify the "post" METHOD
- Rapid7 Vulnerable Item (Comprehensive) -> You have to modify the "post" METHOD
The integration jobs, R7 IVM Vulnerable Item and R7 IVM Vulnerable Item (Comprehensive) share that same single REST Msg > POST method, so we would adjust it once.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Thank you for all of your help.