Rapid7 solution management

  • Release version: Xanadu
  • Updated August 1, 2024
    Solutions are known remediations that are imported into your Rapid7 Vulnerability Integration from either the Rapid7 data warehouse or Rapid7 InsightVM. Rapid7 data warehouse imports both solutions and superseding solutions. With Rapid7 InsightVM, you get solutions as part of the Rapid7 Vulnerable Item Integration - API.

    Starting from version 21.0 of Vulnerability Response, Rapid7 InsightVM creates solutions differently. Instead of relying on the solution_summary, solution_fix, or solution_type fields, Rapid7 InsightVM now creates solutions using the solution_id provided by the scanner. This means that even if these fields are empty, a solution is created as long as a solution_id is available.

    To view imported solutions as a list, navigate to Rapid7 > Solutions.

    If the Vulnerability Solution Management plugin is activated, then the latest version of Rapid7 Vulnerability Integration provides the following key features concerning solutions:
    • The Rapid7 solution management is moved to vulnerability solution management.
    • A new integration, Rapid7 Prerequisite Solution Management, is introduced for the data warehouse. The integration fetches the prerequisite solution from the Rapid7 data warehouse.
    • The related list of Rapid7 (solution) on third-party entries (TPE) is hidden.
    • The previously imported data can be viewed in the new data model. Rapid7 Solutions, Solution Supersedence, and Vulnerability Solution map are reimported and the Import since field is set to empty. The field is populated in Solution management.
    • The detections are updated to populate the solution field. Detections show the solutions as they’re part of Vulnerability Solution Management.
    • Rapid7 gets higher preference over other solutions while setting the preferred solution on TPE for Rapid7 data warehouse.
    • The solutions roll up to vulnerable items (VI) from detections for Rapid7 InsightVM.
      Note:
      If you have not activated the Vulnerability Solution Management plugin, then the application works as is.

    Vulnerability Solution Management

    If you have activated the Vulnerability Solution Management plugin, then the Rapid7 solutions for both Rapid7 data warehouse and Rapid7 InsightVM get populated in the Vulnerability Solutions [sn_vul_solution] table. However, if you have not activated the Vulnerability Solution Management plugin, then Rapid7 Vulnerability Integration works as is and imports the solutions in the custom [sn_vul_r7_solution] table.

    To view the vulnerability solutions table, navigate to All > Vulnerability Response > Vulnerability Solutions where you can view and compare the solutions from different vendors. To view imported solutions in the custom table, navigate to All > Rapid7 Vulnerability Integration > Solutions.
    Note:
    Group by Source to view solutions based on vendors.

    Rapid7 Prerequisite Solution Management integration

    If you have activated the Vulnerability Solution Management plugin, a fix script gets executed and changes the order of integrations. The new Rapid7 Prerequisite Solution Integration for Rapid7 data warehouse maps the solutions with the prerequisite solutions. The integrations run in the following sequence:
    1. Rapid7 Solution Integration 
    2. Rapid7 Prerequisite Solution
    3. Rapid7 Superseding Solution Integration 
    4. Rapid7 Vulnerability Solution Map Integration
    5. Rapid7 VI Solution Integration (From v19.0 of Vulnerability Response)
    Note:
    If you run the integrations manually, start with the Rapid7 Solution Integration. Do not alter the Next Integration chain in the Rapid7 Integration. The sequence is defined in the Next Integration column.

    Rapid7 (Solutions) related list on TPE

    If you have activated the Vulnerability Solution Management plugin, then you can do the following:
    • You can view the TPEs by navigating to All > Vulnerability Response > Third-Party.
    • You cannot see the Solutions (Rapid7) related list, which was available in the older releases.
    • You can see the Rapid7 related solutions in the Solutions related list along with the solutions from other sources, such as RedHat, Microsoft (MSRC), and so on.

    If you have not activated the Vulnerability Solution Management plugin, then the following occurs:

    • The related lists functionality remains the same.
    • You can see the Solutions (Rapid7) related list.
    • The Solutions related list is hidden.

    Preferred solution on TPE and VIs

    Rapid7 gets the solution from the data warehouse at the third-party entry (TPE) level and for Rapid7 InsightVM at the detection level.

    For a Rapid7 data warehouse, the solution is managed in the following manner:
    • The preferred solution is set on the TPE based on vulnerability and solution mapping. 
    • If the vulnerability from Rapid7 has a single highest supersedence solution from Rapid7, then it’s set as the preferred solution irrespective of other solutions from vendors attached to that vulnerability. 
    • In all other cases, the flow of the preferred solution stays the same. For more information on the default behavior of preferred solutions, see Vulnerability Solution Management.
    For Rapid7 InsightVM, the solution is managed in the following manner:
    • The preferred solution is rolled up from detections to VIs.
    • If there’s a single detection and solution from Rapid7, then the solution is rolled up to VI.
    • If there are multiple detections and all have the same solution from Rapid7, then the solution is rolled up to VI. 
    • If multiple detections have multiple solutions from Rapid7, then the latest solution is rolled up to the VI. 

    Starting from v19.0 of Vulnerability Response, the preferred solution generated by Rapid7 Data Warehouse is populated directly onto vulnerable items by Rapid7, bypassing the need for Vulnerability Solution Management. This change ensures that any uncertainty regarding potential solutions for these vulnerable items is eliminated.

    To achieve this direct population through Rapid7, the following steps are taken:

    • A new integration, Rapid7 VI Solution Integration, is established and integrated into the existing Rapid7 Vulnerability Integration workflow.
    • A new table [sn_vul_r7_rapid7_vi_solution_import] is created.
    • A new transform map Rapid7 VI Solution Transform is created.
    • The script include Rapid7AssetsImportProcessor is modified to exclude the processing of solutions generated by Rapid7 within Vulnerability Solution Management.
    Upon execution of the Rapid7 VI Solution Integration, the unprocessed data obtained from Rapid7 is stored in the newly created table. Subsequently, the Rapid7 VI Solution Transform is triggered, processing this data and populating the preferred solution directly onto the Vulnerable Item table.
    Note:
    The Rapid7 VI Solution Integration fills in the preferred solution exclusively when the Vulnerability Solution Management plugin has been installed.
    Starting from v22.0 of Vulnerability Response, the solutions from Rapid7 are no longer queued up on running the scheduled job Process Vulnerability Solutions Metrics Queue. This scheduled job involves rolling up solutions from NVD entries to third-party entries, population of preferred solutions on vulnerabilities and updating the remediation status metrics on the solutions. In the following scenarios, only the remediation status metrics must be updated:
    • When the preferred solution changes on the vulnerabilities
    • When the VITs are created or deleted
    • When a VIT import is completed
    Though the solutions are queued up to update only the remediation status metrics, they still attempt to roll up solutions from NVD entries to third-party entries and populate the preferred solutions. To optimize this process, the column Update status is introduced in the Vulnerability Solution table. When the remediation status metrics on solutions must be updated without requiring the roll-up of solutions from NVD entries to third-party entries or the population of preferred solutions, the solutions are no longer queued. Instead, the Update status column is directly set to true. This approach handles the cases where only the remediation status metrics must be updated, which saves time and resources.

    In the scheduled job, once the processing of the queued solutions is completed, solutions that are marked with an Update status of true are identified. The job then iterates through these solutions, calculating the counts and updating the remediation status metrics accordingly. This step plays a significant role in improving the performance of the scheduled job, as the number of solutions that must be queued is reduced.

    Solution supersedence chain imported from Rapid7 data warehouse for a vulnerability

    You can view the superseding solutions for a solution by selecting a vulnerability solution and selecting the Superseding Solutions related list. You can view the preceding solutions by selecting the Preceding Solutions related list. When you attach any solution to the TPE, then the superseding solution of that solution gets attached to that TPE.

    Change the maximum depth of solution supersedence chain in a graph by system property 

    The solution supersedence chain received in the Rapid7 data model is too long to create the graph during the population of the preferred solution. To restrict the depth of the chain, a system property named sn_vul.max_recursion_depth with a value of 500 is created. If the chain depth is more than 500, then the rest of the chain is ignored. To change the maximum depth of the chain, navigate to the [sys_properties] table and change the value of the property.
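
    The data warehouse rule above (a single highest supersedence solution becomes the preferred solution) and the depth cap interact: if a chain is cut off, its true top is never reached. The following is an added example, not ServiceNow or Rapid7 code, that models both on constructed supersedence pairs so you can check exported data for chains affected by the cap. The function names, the sample IDs, and the way depth is counted are assumptions.

```javascript
// Added example. Constructed sample data: [solution, supersededBy] pairs.
const SAMPLE_PAIRS = [
  ["r7-sol-a", "r7-sol-b"],
  ["r7-sol-b", "r7-sol-c"],
  ["r7-sol-d", "r7-sol-c"],
  ["r7-sol-e", "r7-sol-f"],
];
const DEFAULT_MAX_DEPTH = 500; // documented default of sn_vul.max_recursion_depth

// Index each solution to the solutions that directly supersede it.
function buildIndex(pairs) {
  const next = new Map();
  for (const [sol, by] of pairs) {
    if (!next.has(sol)) next.set(sol, []);
    next.get(sol).push(by);
  }
  return next;
}

// Walk upward level by level. Assumption: depth counts levels visited,
// and anything beyond maxDepth is ignored, as the page describes.
function resolveTops(next, start, maxDepth) {
  const seen = new Set([start]);
  const tops = new Set();
  let frontier = [start];
  for (let depth = 0; frontier.length > 0 && depth < maxDepth; depth++) {
    const upcoming = [];
    for (const sol of frontier) {
      const succ = next.get(sol) || [];
      if (succ.length === 0) tops.add(sol); // nothing supersedes it
      for (const s of succ) {
        if (!seen.has(s)) { seen.add(s); upcoming.push(s); } // loop-safe
      }
    }
    frontier = upcoming;
  }
  return { tops: [...tops].sort(), truncated: frontier.length > 0 };
}

// Data warehouse rule: exactly one highest solution => preferred.
// null means the default preferred-solution flow would apply instead.
function preferredRapid7Solution(next, solutionIds, maxDepth = DEFAULT_MAX_DEPTH) {
  const tops = new Set();
  let truncated = false;
  for (const id of solutionIds) {
    const r = resolveTops(next, id, maxDepth);
    r.tops.forEach((t) => tops.add(t));
    truncated = truncated || r.truncated;
  }
  return { preferred: tops.size === 1 ? [...tops][0] : null, truncated };
}
```

    A result with truncated set to true marks a vulnerability whose chain was cut by the cap, so its preferred solution may differ after the property value is raised.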

    Upgrading the Rapid7 application

    If you upgrade the Rapid7 Vulnerability Integration plugin, and haven’t yet activated the Vulnerability Solution Management plugin, then the application works as is.

    Whether you activate the Vulnerability Solution Management plugin before or after upgrading the Rapid7 application, the Import since field remains empty for the following integrations:
    • Rapid7 Superseding Solution Integration
    • Rapid7 Vulnerability Solution Map Integration 
    • Rapid7 Solution Integration 
      Note:
      From the next integration run, the data is populated to the vulnerability solution table.

    For Rapid7 InsightVM, the data is received at the detection level. When the Rapid7 InsightVM integration runs, the solutions are imported in the vulnerability solution table.