Understanding the Rapid7 Vulnerability Integration

  • Release version: Zurich
  • Updated September 5, 2025

    The ServiceNow® Rapid7 Vulnerability Integration uses data imported from the Rapid7 data warehouse or the Rapid7 InsightVM products to help you determine the impact and priority of potentially malicious threats.

    Rapid7 Nexpose sensors collect data and automatically send it to the Rapid7 data warehouse (on-premise) or Rapid7 InsightVM (cloud-based) products, which continuously analyze and correlate the information. It easily integrates with ServiceNow® Vulnerability Response to map vulnerabilities to CIs and services. The Rapid7 Vulnerability Integration enriches the vulnerability data on your instance.

    Rapid7 integrations are entry points interacting with the Rapid7 data warehouse or Rapid7 InsightVM products, invoked as scheduled jobs. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems. The scheduled jobs are run automatically and in the order specified. You can also execute individual scheduled jobs manually.
    Note:
    If you use both Rapid7 data warehouse and Rapid7 InsightVM as sources for your data, you run the risk of duplicate vulnerability records.
    Note:
    When migrating from the Data Warehouse integration type to the InsightVM type, you can deduplicate your existing data warehouse records. See Deduplicate Rapid7 Vulnerability Integration data warehouse records for more information.
    If you have multiple deployments of the Rapid7 InsightVM vulnerability integration, you can add an integration for each deployment. Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response.
    Note:
    You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Available versions

    Release version for Zurich Release Notes

    Rapid7 Vulnerability Integration v13.6, 13.7

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

    Roles

    Rapid7 vulnerability integration tasks involve the following roles.
    • sn_vul_r7.admin: Can read, write, and delete records.
    • sn_vul_r7.user: Can read and write records.
    • sn_vul_r7.read: Can read records.

    Rapid7 Vulnerability Integration integrations

    To view the Rapid7 Vulnerability Integration, navigate to Rapid7 > Administration > Integrations.

    The following integrations are included in the base system.

    Table 1. Rapid7 data warehouse integrations
    • Rapid7 Vulnerability Integration: Retrieves vulnerability data from Rapid7 Nexpose and processes it in your instance.
    • Rapid7 Asset List Integration: Retrieves scan data once a week from Rapid7 Nexpose data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
    • Rapid7 Category Integration: Retrieves category information from Rapid7 Nexpose. Categories provide high-level classification for vulnerabilities.
    • Rapid7 Exploit Integration: Retrieves exploit information from Rapid7 Nexpose.
    • Rapid7 Malware Kit Integration: Retrieves malware kit information from Rapid7 Nexpose.
    • Rapid7 Reference Integration: Retrieves references to external authority documents such as CVEs or vendor-specific vulnerability references.
    • Rapid7 Solution Integration: Retrieves solution data from Rapid7 Nexpose, which provides recommended solutions to specific vulnerabilities.
    • Rapid7 Superceding Solution Integration: Retrieves information about which solutions are superseded by other solutions.
    • Rapid7 Prerequisite Solution Integration: Retrieves information about the solutions that are prerequisites for other solutions. When this integration executes, it fetches the mapping of solutions and prerequisite solutions from the Rapid7 data warehouse. Note: This integration works only if the Vulnerability Solution Management plugin is activated.
    • Rapid7 Vulnerability Solution Map Integration: Retrieves the mapping to associate solutions with vulnerabilities.
    • Rapid7 Vulnerable Item Integration: Retrieves vulnerable item data from Rapid7 Nexpose and processes it in your instance. The outputs of this integration are vulnerable items.
    • Rapid7 Vulnerable Item Resolution Integration: Retrieves information about which vulnerable items are marked closed in Rapid7 Nexpose and closes the corresponding vulnerable items in Vulnerability Response.
    • Rapid7 Site Integration: Retrieves Site data from Rapid7 Nexpose. A site is a collection of assets that are targeted for a scan.
    • Rapid7 Asset List Integration: Retrieves host tags and scan data once a week from the Rapid7 data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
    • Rapid7 Comprehensive Vulnerable Item Integration: Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.

    Table 2. Rapid7 InsightVM integrations
    • Rapid7 Vulnerable Item Integration - API: Retrieves vulnerable item data from Rapid7 InsightVM and processes it in your instance.
    • Rapid7 Vulnerability Integration - API: Retrieves reference, category, exploit, malware kit, and vulnerability data from Rapid7 InsightVM and processes it in your instance.
    • Rapid7 Asset List Integration - API: Retrieves host tags and scan data once a week from Rapid7 InsightVM and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
    • Rapid7 Comprehensive Vulnerable Item Integration - API: Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.
    • Rapid7 Site Integration: Retrieves Site data from the Rapid7 InsightVM product. This integration is set to run weekly at 00:00:00.

    During import, CVE records not already present are created as NVD records and referenced in third-party entries for Rapid7 by default. The template integration for Rapid7 cannot be deleted. Disable it instead.

    The Service Graph Connector for Rapid7

    Beginning with version 2.0, the Service Graph Connector for Rapid7 is available from the ServiceNow® Store. See Service Graph Connector for Rapid7 for more information.

    CI Lookup Rules

    CI Lookup Rules determine how to fill in the Configuration item field in a vulnerable item record.

    For more information on how CI lookup rules work, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations.

    To create or edit lookup rules, see Create a Vulnerability Response CI lookup rule.
    Note:
    Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

    Discovered Items

    This module lists configuration items detected during import from the Rapid7 Vulnerable Item Integrations (data warehouse or InsightVM API) and the Rapid7 Asset List Integration - API. The Rapid7 Asset List Integration - API imports all Rapid7 assets scanned for vulnerabilities since the last integration run. The Rapid7 data warehouse Asset List Integration is included.
    Note:
    The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.

    See Discovered Items in Vulnerability Response for more information on the Discovered Items module.

    Host tags

    Host tags are imported as part of the Rapid7 Asset List Integration - API integration for Rapid7 InsightVM. They are used primarily for filtering in Vulnerability Response Assignment and Remediation Task Rules in Rapid7 InsightVM. They are displayed in the Discovered Item form.

    Note:
    Run the Rapid7 Asset List Integration - API before you create Assignment or Remediation Task Rules in Vulnerability Response, and before vulnerable items are imported and grouped, so that all tags are present for use in the rules.
    • Tag storage is not case-sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
    • Using host tags as a Group Key in a Remediation Task Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
    • Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.
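
    The storage behavior described in the bullets above can be checked before rules are written. The following is an added example, not ServiceNow or Rapid7 code: it models case-insensitive, first-import-wins tag storage over constructed sample rows and classifies the tags a rule condition plans to use. The deployment names, asset names, and function names are hypothetical.

```python
# Constructed sample rows in import order: (deployment, asset, host tag).
IMPORT_ORDER = [
    ("insightvm-us", "web-01", "San Diego"),
    ("insightvm-us", "db-01", "PCI"),
    ("insightvm-eu", "web-07", "SAN DIEGO"),
    ("insightvm-eu", "app-03", "pci"),
    ("insightvm-eu", "app-04", "Frankfurt"),
]

def store_host_tags(rows):
    """Model case-insensitive storage where the first imported spelling wins.

    Returns (stored, shadowed): stored maps the case-folded key to the
    spelling kept; shadowed lists later spellings that were not stored.
    """
    stored, shadowed = {}, []
    for deployment, asset, tag in rows:
        tag = tag.strip()
        key = tag.casefold()
        if key not in stored:
            stored[key] = tag
        elif stored[key] != tag:
            shadowed.append((deployment, asset, tag, stored[key]))
    return stored, shadowed

def check_rule_tags(planned, stored):
    """Classify tags a rule condition plans to use against the stored set.

    'missing' tags have not been imported yet (run the asset list import
    first); 'respelled' tags exist, but under a different spelling.
    """
    report = {"ok": [], "respelled": [], "missing": []}
    for tag in planned:
        kept = stored.get(tag.strip().casefold())
        if kept is None:
            report["missing"].append(tag)
        elif kept != tag.strip():
            report["respelled"].append((tag, kept))
        else:
            report["ok"].append(tag)
    return report

if __name__ == "__main__":
    stored, shadowed = store_host_tags(IMPORT_ORDER)
    print(sorted(stored.values()))
    print(shadowed)
    print(check_rule_tags(["SAN DIEGO", "PCI", "London"], stored))
```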

    Sites

    A site is a collection of assets targeted for a scan. A site consists of target assets, a scan template, one or more Scan Engines, and other scan-related settings such as schedules or alerts. Sites are managed by Rapid7 applications.

    Rapid7 Vulnerability Integration site filtering during configuration allows you to categorize and request assets by site during import. See Filtering by Rapid7 sites for more information on filtering imports.

    The Rapid7 data warehouse and Rapid7 InsightVM Sites integrations import sites as a weekly scheduled job.

    To view the imported sites in a list, navigate to Rapid7 > Sites.

    Reopen resolved vulnerable items not closed by scans

    Vulnerable items set to 'Resolved' in your ServiceNow AI Platform instance but not transitioned to 'Closed/Fixed' by the subsequent integration runs are reopened if they are detected during rescans.

    For Rapid7 detections, an option is now available on the Rapid7 configuration page in your instance to reopen resolved VIs by age. If enabled, VIs set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans transition back to 'Open' after the number of days you enter.
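
    The two reopen rules in this section can be modeled as one state transition per integration run. This is an added example, not ServiceNow code: the record keys, the scan_result values, the sample ids and dates, and the inclusive day boundary are assumptions made for illustration.

```python
from datetime import date

def next_state(vi, today, reopen_by_age, reopen_after_days):
    """State of one vulnerable item (VI) after an integration run.

    vi keys (hypothetical): state, resolved_on (date or None), and
    scan_result: 'fixed', 'detected', or None when the run has no data.
    """
    if vi["state"] != "Resolved":
        return vi["state"]          # only Resolved VIs are affected here
    if vi["scan_result"] == "fixed":
        return "Closed/Fixed"       # the run confirmed remediation
    if vi["scan_result"] == "detected":
        return "Open"               # a rescan still finds the item
    age_days = (today - vi["resolved_on"]).days
    # Assumption: the configured number of days is an inclusive threshold.
    if reopen_by_age and age_days >= reopen_after_days:
        return "Open"               # resolved but never verified by a scan
    return "Resolved"

def simulate(vis, today, reopen_by_age, reopen_after_days):
    """Map each VI id to its state after the run."""
    return {vi["id"]: next_state(vi, today, reopen_by_age, reopen_after_days)
            for vi in vis}

# Constructed sample data; ids and dates are illustrative only.
TODAY = date(2025, 9, 5)
SAMPLE = [
    {"id": "VIT-1", "state": "Resolved", "resolved_on": date(2025, 9, 1),
     "scan_result": "fixed"},
    {"id": "VIT-2", "state": "Resolved", "resolved_on": date(2025, 9, 1),
     "scan_result": "detected"},
    {"id": "VIT-3", "state": "Resolved", "resolved_on": date(2025, 7, 1),
     "scan_result": None},
    {"id": "VIT-4", "state": "Resolved", "resolved_on": date(2025, 8, 30),
     "scan_result": None},
    {"id": "VIT-5", "state": "Open", "resolved_on": None,
     "scan_result": "detected"},
]

if __name__ == "__main__":
    for vi_id, state in simulate(SAMPLE, TODAY, True, 30).items():
        print(vi_id, state)
```

    Running the simulation with the option disabled shows which resolved items would otherwise stay in 'Resolved' indefinitely without scan confirmation.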

    Create CIs using the Identification and Reconciliation Engine (IRE)

    You can use the Identification and Reconciliation Engine to create new CIs when an existing CI cannot be matched with a host imported from a third-party scanner. Enable the CMDB CI Class Models plugin to create CIs using the new classes; otherwise, unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine. For more information on how to configure the categorization of unmatched cloud resources into your preferred CI class, see Updating CI class for unmatched cloud assets.

    Rescan vulnerable items

    Initiate rescans in the Rapid7 platform to verify that your vulnerable items have been remediated between scheduled scanning cycles. See Initiate rescan for the Rapid7 Vulnerability Integration.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Rapid7 solution management

    If you have activated the Vulnerability Solution Management plugin, then the Rapid7 solutions for both Rapid7 data warehouse and Rapid7 InsightVM get populated in the Vulnerability Solutions [sn_vul_solution] table. However, if you have not activated the Vulnerability Solution Management plugin, then Rapid7 Vulnerability Integration works as is and imports the solutions in the custom [sn_vul_r7_solution] table. For more information, see Rapid7 solution management.