Initiate rescan for the Rapid7 Vulnerability Integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 6 minutes to read
  • Initiate rescans in the Rapid7 platform to verify that your vulnerable items have been remediated between scheduled scanning cycles.

    Before you begin

    Note:
    Rescans for Rapid7 data warehouse vulnerable items are not supported.

    You can initiate rescans from the Vulnerability Response workspaces. For more information, see Rescan records and remediation tasks in the Vulnerability Manager Workspace and Rescan vulnerable items and remediation tasks in the IT Remediation Workspace.

    Roles required: sn_vul.write_all or sn_vul.write_assigned

    About this task

    For rescans in the classic environment, see the following sections.

    Rescans are supported: you can initiate an on-demand rescan for vulnerable items imported through the Rapid7 InsightVM integration from your ServiceNow AI Platform® instance.
    Note:
    The Rapid7 scanner is deactivated by default in the Vulnerability Response application. While the scanner is deactivated, the Rescan button is not shown on vulnerable items or remediation tasks that have the Rapid7 application as their source.

    To help reduce the overhead and volume involved with scheduled, full scans, remediation owners, IT specialists, vulnerability analysts, or vulnerability managers can initiate targeted rescans on-demand for specific vulnerabilities on assets (configuration items) in their environments. You can initiate rescans from vulnerable item (VI), remediation task (RT), third-party entry (TPE), or discovered item records from your ServiceNow AI Platform® instance.

    Rescans permit you to verify that your remediation activities, patches, and other actions have successfully fixed specific vulnerabilities on your configuration items (CIs).

    As an example, your entire environment is scanned once every three weeks. The most recent full scan was completed a week ago, but you applied a patch yesterday to fix a critical vulnerability. Due to the nature of this vulnerability, you cannot wait two weeks for the next scheduled scan to verify that it has been remediated. To verify that your patch successfully fixed a critical vulnerability discovered during an earlier scan, you can initiate a targeted rescan from your ServiceNow AI Platform for Rapid7 vulnerable items. You can view updated results on your vulnerable items with the next scheduled import of Rapid7 InsightVM Vulnerability and Vulnerable Item Integrations.

    Procedure

    1. Navigate to All > Vulnerability Response > Vulnerable items.
    2. Locate the vulnerable item record that you want to trigger a rescan from and open it.
      Note:
      Initiate rescans only for VIs with Rapid7 as the source. Verify that Rapid7 is displayed in the Source column on the VI list view, or in the Source field on the individual record. You can use the condition builder to group VIs by Source. If the Source column is not displayed on the VI list view, click the gear icon in the upper left of the list and move Source from Available to Selected.

      When you initiate rescans, avoid triggering scans for the same source ID from more than one record at the same time; the later scan request errors out.

      For example, if you initiate a rescan for a VI from the VI record and also request a rescan from a remediation task record that contains that same VI, the second request is likely to fail.

      Source field highlighted on VI
    3. Alternatively, navigate to Vulnerability Response > Remediation Tasks or Vulnerability Response > Libraries > third party for the remediation task or third-party entry records, respectively, that you want to use for the rescan.

      Depending on your choice, the Rescan button is available on the following records:

      • On a single VI record, the VI must be from the Rapid7 product and in any state other than Closed. For multiple VI records, all the VIs you select from the list view must be from the Rapid7 product and in any state other than Closed.
      • On a remediation task record, the remediation task can be in any state other than Closed, and all the associated VIs must be from the Rapid7 product.
      • On a third-party entry (TPE) record, the record must have at least one associated VI record from the Rapid7 product in any state other than Closed.
      • On a discovered item record, the VI must be from the Rapid7 product and in any state other than Closed.
    4. In the upper right of the record, click Rescan.
      For list views, select the VIs from the list that you want to rescan, and, from the Action on selected rows list, select Rescan.
    5. In the pop-up that is displayed, confirm the rescan.
      A message is displayed that indicates your scan is being processed (Queued). In the message, click the View details link to check the status of the rescan (child scan) and to view any other rescans launched from the record. The status of all rescans is available at any time under the Scans related list at the bottom of the VI, remediation task, TPE, and discovered item records from which you launch rescans.

      When the scan is in process, the State field changes to Scanning, and the Status message field displays Scan is in progress.

      Note:
      Each child scan covers at most 500 assets. If your request contains more than 500 assets, it is split into additional child scans.

      Your ServiceNow AI Platform® instance tracks the rescan status until it successfully completes, or, until the set tracking period times out, whichever happens first.

      Figure 1. Rescan in process
      State and Status message fields highlighted

      The time-out does not stop the scan. It marks the point at which the ServiceNow AI Platform® stops tracking the rescan status, not the point at which the rescan itself stops. All VIs that have transitioned, or will transition, to Closed/Fixed are imported with the next scheduled import of the Rapid7 integrations.

      Figure 2. Rescan complete
      Completed scan information highlighted

      Alternatively, you can initiate a rescan on-demand for a specific vulnerability on a specific asset. You can view the results from these scans once the scan has completed on the refreshed VI, remediation task, TPE, and discovered item records you launched the scan from.

      The value of the State field on Vulnerability Scan records is imported from Rapid7. When the scan is successfully finished, the state is set to Complete. If the scan does not successfully complete, an error value is displayed.

      Auto Scans and Scheduled Scans

      As a vulnerability manager or analyst, you can specify and schedule when rescans are initiated for VIs and RTs. You can also enable auto scans for VIs and remediation tasks that are set to Resolved.

    6. To modify the integration parameters on the integration instance, navigate to Rapid7 Vulnerability Integration > Administration > Configuration.
    7. On the Rapid7 Configuration record, if not selected, from the Integration Type list, select Rapid7 InsightVM.
    8. To the right of the Integration instance field, click the information icon, followed by Open Record.
    9. On the Integration Instance Rapid7 InsightVM record, locate the parameters for scheduling scans and edit as needed.
      scan parameters

      scan_on_resolved
      Indicates whether a rescan is initiated when a vulnerability is resolved. The default value is false (disabled).

      If this parameter is set to true, whenever a VI or RT is set to Resolved, the workflow that rescans that VI or remediation task is triggered automatically.

      scan_start_time
      Set the scan start time in HH:mm (24-hour format), in the UTC time zone, for the start of the window during which rescans can launch.

      The default value is 00:00.

      scan_end_time
      Set the scan end time in HH:mm (24-hour format), in the UTC time zone, for the end of the window during which rescans can launch.

      The default value is 23:59.

      If a scan is initiated within the configured time window, it launches immediately. If the scan is initiated outside of the window, it is queued until the next time the window opens.

      For example, if you enter a scan_start_time of 00:00 and a scan_end_time of 10:00, scans that are scheduled or manually launched outside of the 00:00 to 10:00 UTC window are queued and launched at 00:00 UTC the following day, when the window next opens.

      In the same example, if you manually initiate a rescan at 11:00 UTC, the rescan is not launched immediately, because that time lies outside the configured scan window. The scan request remains queued until the start of the following day's window, in this example 00:00 UTC.