Understanding the Rapid7 Vulnerability Integration

Rapid7 Nexpose sensors collect data and automatically send it to the Rapid7 data warehouse (on-premise) or Rapid7 InsightVM (cloud-based) products, which continuously analyze and correlate the information. It easily integrates with ServiceNow® Vulnerability Response to map vulnerabilities to CIs and services. The Rapid7 Vulnerability Integration enriches the vulnerability data on your instance.

Rapid7 integrations are entry points interacting with the Rapid7 data warehouse or Rapid7 InsightVM products, invoked as scheduled jobs. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems. The scheduled jobs are run automatically and in the order specified. You can also execute individual scheduled jobs manually.

注:

If you use both Rapid7 data warehouse and Rapid7 InsightVM as sources for your data, you run the risk of duplicate vulnerability records.

注:

When migrating from the Data Warehouse integration type to the InsightVM type, you can deduplicate your existing data warehouse records. See Deduplicate Rapid7 Vulnerability Integration data warehouse records for more information.

If you have multiple deployments of the Rapid7 InsightVM vulnerability integration, you can add an integration for each deployment. Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response.

注:

You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

Available versions


Release version for Australia	Release Notes
Rapid7 Vulnerability Integration v13.6, 13.7	For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

Roles

Rapid7 vulnerability integration tasks involve the following roles.

sn_vul_r7.admin: Can read, write, and delete records.
sn_vul_r7.user: Can read and write records.
sn_vul_r7.read: Can read records.

Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

Rapid7 Vulnerability Integration integrations

To view the Rapid7 Vulnerability Integration, navigate to Rapid7 > Administration > Integrations.

The following integrations are included in the base system.

表 : 1. Rapid7 data warehouse integrations
Integration	Description
Rapid7 Vulnerability Integration	Retrieves vulnerability data from Rapid7 Nexpose and processes it in your instance.
Rapid7 Asset List Integration	Retrieves scan data once a week from Rapid7 Nexpose data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
Rapid7 Category Integration	Retrieves category information from Rapid7 Nexpose. Categories provide high-level classification for vulnerabilities.
Rapid7 Exploit Integration	Retrieves exploit information from Rapid7 Nexpose.
Rapid7 Malware Kit Integration	Retrieves malware kit information from Rapid7 Nexpose.
Rapid7 Reference Integration	Retrieves references to external authority documents such as CVEs or vendor-specific vulnerability references.
Rapid7 Solution Integration	Retrieves solution data from Rapid7 Nexpose, which provides recommended solutions to specific vulnerabilities.
Rapid7 Superceding Solution Integration	Retrieves information about which solutions are superseded by other solutions.
Rapid7 Prerequisite Solution Integration	Retrieves information about the solutions that are prerequisites for other solutions. When this integration executes, it fetches the mapping of solutions and prerequisite solutions from the Rapid7 data warehouse. 注: This integration works only if the Vulnerability Solution Management plugin is activated.
Rapid7 Vulnerability Solution Map Integration	Retrieves the mapping to associate solutions with vulnerabilities.
Rapid7 Vulnerable Item Integration	Retrieves vulnerable item data from Rapid7 Nexpose and processes it in your instance. The outputs of this integration are vulnerable items.
Rapid7 Vulnerable Item Resolution Integration	Retrieves information about which vulnerable items are marked closed in Rapid7 Nexpose and closes the corresponding vulnerable items in Vulnerability Response.
Rapid7 Site Integration	Retrieves Site data from Rapid7 Nexpose. A site is a collection of assets that are targeted for a scan.
Rapid7 Asset List Integration	Retrieves host tags and scan data once a week from the Rapid7 data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response
Rapid7 Comprehensive Vulnerable Item Integration	Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.

表 : 2. Rapid7 InsightVM integrations
Integration	Description
Rapid7 Vulnerable Item Integration — API	Retrieves vulnerable item data from Rapid7 InsightVM and processes it in your instance.
Rapid7 Vulnerability Integration — API	Retrieves reference, category, exploit, malware kit, and vulnerability data from Rapid7 InsightVM and processes it in your instance.
Rapid7 Asset List Integration - API	Retrieves host tags and scan data once a week from Rapid7 InsightVM and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
Rapid7 Comprehensive Vulnerable Item Integration - API	Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.
Rapid7 Site Integration	Retrieves Site data from the Rapid7 InsightVM product. This integration is set to run weekly at 00:00:00.

During import, CVE records not already present are created as NVD records and referenced in third-party entries for Rapid7 by default. The template integration for Rapid7 cannot be deleted. Disable it instead.

The Service Graph Connector for Rapid7

Beginning with version 2.0, the Service Graph Connector for Rapid7 is available from the ServiceNow® Store. See Service Graph Connector for Rapid7 for more information.

CI Lookup Rules

CI Lookup Rules determine how to fill in the Configuration item field in a vulnerable item record.

For more information on how CI lookup rules work, see Configuring lookup rules.

To create or edit lookup rules, see Create a Vulnerability Response CI lookup rule.

注:

Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

Discovered Items

This module lists configuration items detected during import from the Rapid7 Vulnerable Item Integrations (data warehouse or InsightVM API) and the Rapid7 Asset List Integration - API. The Rapid7 Asset List Integration - API imports all Rapid7 assets scanned for vulnerabilities since the last integration run. The Rapid7 data warehouse Asset List Integration is included.

注:

The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.

See Discovered Items in Vulnerability Response for more information on the Discovered Items module.

Host tags

Host tags are imported as part of the Rapid7 Asset List Integration - API integration for Rapid7 InsightVM. They are used primarily for filtering in Vulnerability Response Assignment and Remediation Task Rules in Rapid7 InsightVM. They are displayed in the Discovered Item form.

Host tags

注:

The Rapid7 Asset List integration - API integration should be run prior to creating Assignment or Remediation Task Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.

Tag storage is not case-sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
Using host tags as a Group Key in a Remediation Task Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

Sites

A site is a collection of assets targeted for a scan. A site consists of target assets, a scan template, one or more Scan Engines, and other scan-related settings such as schedules or alerts. Sites are managed by Rapid7 applications.

Rapid7 Vulnerability Integration site filtering during configuration allows you to categorize and request assets by site during import. See Filtering by Rapid7 sites for more information on filtering imports.

The Rapid7 data warehouse and Rapid7 InsightVM Sites integrations import sites as a weekly scheduled job.

To view the imported sites in a list, navigate to Rapid7 > Sites.

Reopen resolved vulnerable items not closed by scans

Vulnerable items set to 'Resolved' in your ServiceNow AI Platform instance but not transitioned to 'Closed/Fixed' by the subsequent integration runs are reopened if they are detected during rescans.

For Rapid7 detections, an option is now available on the Rapid7 configuration page in your instance to reopen resolved VIs by age. If enabled, VIs set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans transition back to 'Open' after the number of days you enter.

Create CIs using the Identification and Reconciliation Engine (IRE)

You can use the Identification and Reconciliation Engine to create new CIs when an existing CI cannot be matched with a host imported from a third-party scanner. Enable the CMDB CI Class Models plugin to create CIs using the new classes, otherwise unmatched CIs are created in the Unmatched CI classes. For more information, see . For more information on how to configure the categorization of unmatched cloud resources into your preferred CI class, see .

Rescan vulnerable items

Initiate rescans in the Rapid7 platform to verify that your vulnerable items have been remediated between scheduled scanning cycles. See Initiate rescan for the Rapid7 Vulnerability Integration.

Request apps on the Store

Visit the ServiceNow Store to view all the available apps, and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

Rapid7 solution management

If you have activated the Vulnerability Solution Management plugin, then the Rapid7 solutions for both Rapid7 data warehouse and Rapid7 InsightVM get populated in the Vulnerability Solutions [sn_vul_solution] table. However, if you have not activated the Vulnerability Solution Management plugin, then Rapid7 Vulnerability Integration works as is and imports the solutions in the custom [sn_vul_r7_solution] table. For more information, see Rapid7 solution management.