Understanding the Rapid7 Vulnerability Integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 9 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Understanding the Rapid7 Vulnerability Integration

    The ServiceNow Rapid7 Vulnerability Integration imports and synchronizes vulnerability data from Rapid7 Nexpose (on-premise) or Rapid7 InsightVM (cloud-based) products into ServiceNow Vulnerability Response. This integration helps you assess the impact and priority of vulnerabilities by mapping them to Configuration Items (CIs) and services within your CMDB. Scheduled jobs automate data import and processing, ensuring your vulnerability data stays current and aligned with your vulnerability management workflows.

    Show full answer Show less

    The integration supports multiple deployments and consolidates asset and vulnerability data across them without duplication. It also provides options to deduplicate data when migrating between integration types.

    Key Features

    • Scheduled Jobs: Automated and manual execution of data imports and processing tasks that keep vulnerability data synchronized.
    • Multiple Integrations: Various base integrations cover vulnerability details, asset lists, categories, exploits, malware kits, references, solutions, vulnerable items, and site data from both Rapid7 data warehouse and InsightVM API sources.
    • Role-Based Access: Granular roles (admin, user, read) control permissions for managing Rapid7 vulnerability data within ServiceNow.
    • CI Lookup Rules: Customize how vulnerabilities are linked to CIs for accurate asset identification and remediation targeting.
    • Discovered Items Module: Lists assets detected during imports, highlighting unmatched items and their last scan dates to support asset management and scanning prioritization.
    • Host Tags: Imported tags from InsightVM enable refined filtering and assignment in Vulnerability Response but require running asset list imports before creating assignment or remediation rules.
    • Site Management and Filtering: Import site data to categorize and filter assets during vulnerability data imports, supporting targeted vulnerability management across asset groups.
    • Reopen Resolved Vulnerabilities: Optionally reopen vulnerabilities marked ‘Resolved’ but not closed by scans after a configurable number of days to ensure issues are not overlooked.
    • Identification and Reconciliation Engine (IRE): Automatically create new CIs for unmatched hosts using IRE, enhancing CMDB completeness.
    • Rescan Support: Initiate rescans in Rapid7 to verify remediation progress between scheduled scans.
    • Solution Management Integration: When Vulnerability Solution Management plugin is active, Rapid7 solutions are stored in the standard Vulnerability Solutions table, improving solution tracking and recommendations.
    • Service Graph Connector: Available for enhanced integration with CMDB and service maps.

    Practical Considerations for ServiceNow Customers

    • Choose either Rapid7 data warehouse or InsightVM as your data source to avoid duplicate vulnerabilities; deduplication tools exist when migrating between types.
    • Manage user access with provided roles to maintain data security and appropriate permissions.
    • Configure CI Lookup Rules carefully to ensure vulnerabilities accurately map to your configuration items, enabling effective remediation.
    • Use the Discovered Items list to monitor which assets are scanned and identify stale or unmatched items for follow-up.
    • Leverage host tags from InsightVM for precise filtering and assignment but be aware of case-insensitivity and best practices to avoid unexpected results.
    • Enable reopening of resolved vulnerabilities if your remediation process requires verification beyond initial resolution.
    • Activate the Vulnerability Solution Management plugin to benefit from standardized solution data and improved vulnerability resolution workflows.
    • Use the Identification and Reconciliation Engine to enhance CMDB mapping for assets detected by Rapid7 but not yet represented in your CMDB.
    • Integrate with the Service Graph Connector for Rapid7 to improve service impact analysis and visualization.

    Expected Outcomes

    By implementing the Rapid7 Vulnerability Integration, ServiceNow customers gain a unified, automated view of their vulnerability landscape enriched with comprehensive data from Rapid7 scanning tools. This enables prioritized vulnerability remediation aligned with asset management, improved accuracy in CI mapping, and enhanced operational efficiency through scheduled data synchronization. Additionally, customers can manage multiple Rapid7 deployments seamlessly, track remediation progress with rescans, and leverage solution data for proactive vulnerability resolution.

    The ServiceNow® Rapid7 Vulnerability Integration uses data imported from the Rapid7 data warehouse or the Rapid7 InsightVM products to help you determine the impact and priority of potentially malicious threats.

    Rapid7 Nexpose sensors collect data and automatically send it to the Rapid7 data warehouse (on-premise) or Rapid7 InsightVM (cloud-based) products, which continuously analyze and correlate the information. It easily integrates with ServiceNow® Vulnerability Response to map vulnerabilities to CIs and services. The Rapid7 Vulnerability Integration enriches the vulnerability data on your instance.

    Rapid7 integrations are entry points interacting with the Rapid7 data warehouse or Rapid7 InsightVM products, invoked as scheduled jobs. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems. The scheduled jobs are run automatically and in the order specified. You can also execute individual scheduled jobs manually.
    Note:
    If you use both Rapid7 data warehouse and Rapid7 InsightVM as sources for your data, you run the risk of duplicate vulnerability records.
    Note:
    When migrating from the Data Warehouse integration type to the InsightVM type, you can deduplicate your existing data warehouse records. See Deduplicate Rapid7 Vulnerability Integration data warehouse records for more information.
    If you have multiple deployments of the Rapid7 InsightVM vulnerability integration, you can add an integration for each deployment. Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response.
    Note:
    You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Available versions

    Release version for Xanadu Release Notes

    Rapid7 Vulnerability Integration v13.6, 13.7

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

    Roles

    Rapid7 vulnerability integration tasks involve the following roles.
    • sn_vul_r7.admin: Can read, write, and delete records.
    • sn_vul_r7.user: Can read and write records.
    • sn_vul_r7.read: Can read records.

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Rapid7 Vulnerability Integration integrations

    To view the Rapid7 Vulnerability Integration, navigate to Rapid7 > Administration > Integrations.

    The following integrations are included in the base system.

    Table 1. Rapid7 data warehouse integrations
    Integration Description
    Rapid7 Vulnerability Integration Retrieves vulnerability data from Rapid7 Nexpose and processes it in your instance.
    Rapid7 Asset List Integration Retrieves scan data once a week from Rapid7 Nexpose data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
    Rapid7 Category Integration Retrieves category information from Rapid7 Nexpose. Categories provide high-level classification for vulnerabilities.
    Rapid7 Exploit Integration Retrieves exploit information from Rapid7 Nexpose.
    Rapid7 Malware Kit Integration Retrieves malware kit information from Rapid7 Nexpose.
    Rapid7 Reference Integration Retrieves references to external authority documents such as CVEs or vendor-specific vulnerability references.
    Rapid7 Solution Integration Retrieves solution data from Rapid7 Nexpose, which provides recommended solutions to specific vulnerabilities.
    Rapid7 Superceding Solution Integration Retrieves information about which solutions are superseded by other solutions.
    Rapid7 Prerequisite Solution Integration Retrieves information about the solutions that are prerequisites for other solutions. When this integration executes, it fetches the mapping of solutions and prerequisite solutions from the Rapid7 data warehouse.
    Note:
    This integration works only if the Vulnerability Solution Management plugin is activated.
    Rapid7 Vulnerability Solution Map Integration Retrieves the mapping to associate solutions with vulnerabilities.
    Rapid7 Vulnerable Item Integration Retrieves vulnerable item data from Rapid7 Nexpose and processes it in your instance.

    The outputs of this integration are vulnerable items.
    Rapid7 Vulnerable Item Resolution Integration

    Retrieves information about which vulnerable items are marked closed in Rapid7 Nexpose and closes the corresponding vulnerable items in Vulnerability Response.
    Rapid7 Site Integration Retrieves Site data from Rapid7 Nexpose. A site is a collection of assets that are targeted for a scan.
    Rapid7 Asset List Integration Retrieves host tags and scan data once a week from the Rapid7 data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response
    Rapid7 Comprehensive Vulnerable Item Integration Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.
    Table 2. Rapid7 InsightVM integrations
    Integration Description
    Rapid7 Vulnerable Item Integration — API Retrieves vulnerable item data from Rapid7 InsightVM and processes it in your instance.
    Rapid7 Vulnerability Integration — API Retrieves reference, category, exploit, malware kit, and vulnerability data from Rapid7 InsightVM and processes it in your instance.
    Rapid7 Asset List Integration - API Retrieves host tags and scan data once a week from Rapid7 InsightVM and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
    Rapid7 Comprehensive Vulnerable Item Integration - API Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.
    Rapid7 Site Integration Retrieves Site data from the Rapid7 InsightVM product. This integration is set to run weekly at 00:00:00.

    During import, CVE records not already present are created as NVD records and referenced in third-party entries for Rapid7 by default. The template integration for Rapid7 cannot be deleted. Disable it instead.

    The Service Graph Connector for Rapid7

    Beginning with version 2.0, the Service Graph Connector for Rapid7 is available from the ServiceNow® Store. See Service Graph Connector for Rapid7 for more information.

    CI Lookup Rules

    CI Lookup Rules determine how to fill in the Configuration item field in a vulnerable item record.

    For more information on how CI lookup rules work, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations.

    To create or edit lookup rules, see Create a Vulnerability Response CI lookup rule.
    Note:
    Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

    Discovered Items

    This module lists configuration items detected during import from the Rapid7 Vulnerable Item Integrations (data warehouse or InsightVM API) and the Rapid7 Asset List Integration - API. The Rapid7 Asset List Integration - API imports all Rapid7 assets scanned for vulnerabilities since the last integration run. The Rapid7 data warehouse Asset List Integration is included.
    Note:
    The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.

    See Discovered Items in Vulnerability Response for more information on the Discovered Items module.

    Host tags

    Host tags are imported as part of the Rapid7 Asset List Integration - API integration for Rapid7 InsightVM. They are used primarily for filtering in Vulnerability Response Assignment and Remediation Task Rules in Rapid7 InsightVM. They are displayed in the Discovered Item form.

    Host tags
    Note:
    The Rapid7 Asset List integration - API integration should be run prior to creating Assignment or Remediation Task Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.
    • Tag storage is not case-sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
    • Using host tags as a Group Key in a Remediation Task Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
    • Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

    Sites

    A site is a collection of assets targeted for a scan. A site consists of target assets, a scan template, one or more Scan Engines, and other scan-related settings such as schedules or alerts. Sites are managed by Rapid7 applications.

    Rapid7 Vulnerability Integration site filtering during configuration allows you to categorize and request assets by site during import. See Filtering by Rapid7 sites for more information on filtering imports.

    The Rapid7 data warehouse and Rapid7 InsightVM Sites integrations import sites as a weekly scheduled job.

    To view the imported sites in a list, navigate to Rapid7 > Sites.

    Reopen resolved vulnerable items not closed by scans

    Vulnerable items set to 'Resolved' in your ServiceNow AI Platform instance but not transitioned to 'Closed/Fixed' by the subsequent integration runs are reopened if they are detected during rescans.

    For Rapid7 detections, an option is now available on the Rapid7 configuration page in your instance to reopen resolved VIs by age. If enabled, VIs set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans transition back to 'Open' after the number of days you enter.

    Create CIs using the Identification and Reconciliation Engine (IRE)

    You can use the Identification and Reconciliation Engine to create new CIs when an existing CI cannot be matched with a host imported from a third-party scanner. Enable the CMDB CI Class Models plugin to create CIs using the new classes, otherwise unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine. For more information on how to configure the categorization of unmatched cloud resources into your preferred CI class, see Updating CI class for unmatched cloud assets.

    Rescan vulnerable items

    Initiate rescans in the Rapid7 platform to verify that your vulnerable items have been remediated between scheduled scanning cycles. See Initiate rescan for the Rapid7 Vulnerability Integration.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Rapid7 solution management

    If you have activated the Vulnerability Solution Management plugin, then the Rapid7 solutions for both Rapid7 data warehouse and Rapid7 InsightVM get populated in the Vulnerability Solutions [sn_vul_solution] table. However, if you have not activated the Vulnerability Solution Management plugin, then Rapid7 Vulnerability Integration works as is and imports the solutions in the custom [sn_vul_r7_solution] table. For more information, see Rapid7 solution management.