Understanding the Rapid7 Vulnerability Integration

  • Release version: Australia
  • Updated March 12, 2026
  • 9 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Understanding the Rapid7 Vulnerability Integration

    The ServiceNow Rapid7 Vulnerability Integration imports vulnerability data from Rapid7 Nexpose and InsightVM platforms to enhance vulnerability management within ServiceNow Vulnerability Response. It consolidates scan data, maps vulnerabilities to configuration items (CIs) and services, and enriches vulnerability records for prioritized remediation. Scheduled jobs automate data synchronization, streamlining the vulnerability lifecycle and ensuring data freshness.

    Show full answer Show less

    This integration supports multiple Rapid7 deployments, consolidating asset and vulnerability data within a single ServiceNow instance, while preventing duplication. It also includes a mechanism to deduplicate data when migrating from the Rapid7 data warehouse to InsightVM.

    Key Features

    • Multiple Integration Types: Supports both Rapid7 data warehouse (on-premise) and InsightVM (cloud-based) data sources, with various integrations handling vulnerabilities, assets, categories, exploits, malware kits, references, solutions, and sites.
    • Scheduled Jobs: Automate vulnerability data import and processing, running in a specified order with manual execution options.
    • Role-Based Access: Provides granular roles (admin, user, read) specific to the Rapid7 integration for controlled access to vulnerability data and tasks.
    • CI Lookup Rules: Automate mapping of vulnerabilities to Configuration Items, improving asset and vulnerability correlation.
    • Discovered Items Module: Lists imported configuration items and assets, with filters to identify unmatched or unscanned assets based on 'Last Scan' date.
    • Host Tags: Imported from InsightVM to support filtering in assignment and remediation rules, with case-insensitive storage and usage guidelines.
    • Site Management: Imports and manages scan sites, enabling filtering and categorization of assets based on scan targets.
    • Vulnerable Item Lifecycle Management: Supports automatic reopening of resolved vulnerable items if they reappear in scans after a configurable period.
    • Identification and Reconciliation Engine (IRE): Automatically creates new CIs for unmatched hosts during import, enhancing CMDB accuracy.
    • Rescan Initiation: Allows triggering rescans within the Rapid7 platform to confirm remediation status between scheduled scans.
    • Solution Management: Integrates Rapid7 solutions into Vulnerability Solution Management plugin tables for recommended fixes; otherwise, solutions are stored separately without the plugin.
    • Service Graph Connector: Available separately to integrate Rapid7 data with the ServiceNow CMDB for enhanced service mapping.

    Practical Considerations for ServiceNow Customers

    • Data Source Selection: Use either Rapid7 data warehouse or InsightVM as the primary data source to avoid duplicate vulnerability records.
    • Multiple Deployments: You can configure integrations for multiple InsightVM deployments; the system consolidates overlapping scan data intelligently.
    • Role Assignments: Assign the appropriate Rapid7-specific roles to control user permissions within Vulnerability Response.
    • Host Tags Usage: Import host tags before creating assignment and remediation rules to ensure accurate filtering; avoid using host tags as group keys.
    • Site Filtering: Use site filters during configuration to manage asset imports effectively by scan site.
    • Data Maintenance: When migrating from data warehouse to InsightVM, use deduplication features to clean existing records.
    • Integration Management: Template integrations cannot be deleted but can be disabled to control active data flows.
    • Monitoring Vulnerable Items: Enable auto-closing of stale vulnerable items and configure reopening of resolved items to maintain accurate vulnerability status.

    Expected Outcomes

    By implementing the Rapid7 Vulnerability Integration, ServiceNow customers can expect a streamlined and automated vulnerability data import process, improved correlation between assets and vulnerabilities, prioritized remediation workflows, and enhanced visibility into asset security posture. The integration supports multiple data sources and deployments while maintaining data integrity and avoiding duplication. Additionally, customers gain flexibility in managing vulnerability lifecycle states and can leverage enriched solution data for effective remediation guidance.

    The ServiceNow® Rapid7 Vulnerability Integration uses data imported from the Rapid7 data warehouse or the Rapid7 InsightVM products to help you determine the impact and priority of potentially malicious threats.

    Rapid7 Nexpose sensors collect data and automatically send it to the Rapid7 data warehouse (on-premise) or Rapid7 InsightVM (cloud-based) products, which continuously analyze and correlate the information. It easily integrates with ServiceNow® Vulnerability Response to map vulnerabilities to CIs and services. The Rapid7 Vulnerability Integration enriches the vulnerability data on your instance.

    Rapid7 integrations are entry points interacting with the Rapid7 data warehouse or Rapid7 InsightVM products, invoked as scheduled jobs. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems. The scheduled jobs are run automatically and in the order specified. You can also execute individual scheduled jobs manually.
    Note:
    If you use both Rapid7 data warehouse and Rapid7 InsightVM as sources for your data, you run the risk of duplicate vulnerability records.
    Note:
    When migrating from the Data Warehouse integration type to the InsightVM type, you can deduplicate your existing data warehouse records. See Deduplicate Rapid7 Vulnerability Integration data warehouse records for more information.
    If you have multiple deployments of the Rapid7 InsightVM vulnerability integration, you can add an integration for each deployment. Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response.
    Note:
    You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Available versions

    Release version for Australia Release Notes

    Rapid7 Vulnerability Integration v13.6, 13.7

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

    Roles

    Rapid7 vulnerability integration tasks involve the following roles.
    • sn_vul_r7.admin: Can read, write, and delete records.
    • sn_vul_r7.user: Can read and write records.
    • sn_vul_r7.read: Can read records.

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Rapid7 Vulnerability Integration integrations

    To view the Rapid7 Vulnerability Integration, navigate to Rapid7 > Administration > Integrations.

    The following integrations are included in the base system.

    Table 1. Rapid7 data warehouse integrations
    Integration Description
    Rapid7 Vulnerability Integration Retrieves vulnerability data from Rapid7 Nexpose and processes it in your instance.
    Rapid7 Asset List Integration Retrieves scan data once a week from Rapid7 Nexpose data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
    Rapid7 Category Integration Retrieves category information from Rapid7 Nexpose. Categories provide high-level classification for vulnerabilities.
    Rapid7 Exploit Integration Retrieves exploit information from Rapid7 Nexpose.
    Rapid7 Malware Kit Integration Retrieves malware kit information from Rapid7 Nexpose.
    Rapid7 Reference Integration Retrieves references to external authority documents such as CVEs or vendor-specific vulnerability references.
    Rapid7 Solution Integration Retrieves solution data from Rapid7 Nexpose, which provides recommended solutions to specific vulnerabilities.
    Rapid7 Superceding Solution Integration Retrieves information about which solutions are superseded by other solutions.
    Rapid7 Prerequisite Solution Integration Retrieves information about the solutions that are prerequisites for other solutions. When this integration executes, it fetches the mapping of solutions and prerequisite solutions from the Rapid7 data warehouse.
    Note:
    This integration works only if the Vulnerability Solution Management plugin is activated.
    Rapid7 Vulnerability Solution Map Integration Retrieves the mapping to associate solutions with vulnerabilities.
    Rapid7 Vulnerable Item Integration Retrieves vulnerable item data from Rapid7 Nexpose and processes it in your instance.

    The outputs of this integration are vulnerable items.
    Rapid7 Vulnerable Item Resolution Integration

    Retrieves information about which vulnerable items are marked closed in Rapid7 Nexpose and closes the corresponding vulnerable items in Vulnerability Response.
    Rapid7 Site Integration Retrieves Site data from Rapid7 Nexpose. A site is a collection of assets that are targeted for a scan.
    Rapid7 Asset List Integration Retrieves host tags and scan data once a week from the Rapid7 data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response
    Rapid7 Comprehensive Vulnerable Item Integration Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.
    Table 2. Rapid7 InsightVM integrations
    Integration Description
    Rapid7 Vulnerable Item Integration — API Retrieves vulnerable item data from Rapid7 InsightVM and processes it in your instance.
    Rapid7 Vulnerability Integration — API Retrieves reference, category, exploit, malware kit, and vulnerability data from Rapid7 InsightVM and processes it in your instance.
    Rapid7 Asset List Integration - API Retrieves host tags and scan data once a week from Rapid7 InsightVM and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
    Rapid7 Comprehensive Vulnerable Item Integration - API Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.
    Rapid7 Site Integration Retrieves Site data from the Rapid7 InsightVM product. This integration is set to run weekly at 00:00:00.

    During import, CVE records not already present are created as NVD records and referenced in third-party entries for Rapid7 by default. The template integration for Rapid7 cannot be deleted. Disable it instead.

    The Service Graph Connector for Rapid7

    Beginning with version 2.0, the Service Graph Connector for Rapid7 is available from the ServiceNow® Store. See Service Graph Connector for Rapid7 for more information.

    CI Lookup Rules

    CI Lookup Rules determine how to fill in the Configuration item field in a vulnerable item record.

    For more information on how CI lookup rules work, see Configuring lookup rules.

    To create or edit lookup rules, see Create a Vulnerability Response CI lookup rule.
    Note:
    Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

    Discovered Items

    This module lists configuration items detected during import from the Rapid7 Vulnerable Item Integrations (data warehouse or InsightVM API) and the Rapid7 Asset List Integration - API. The Rapid7 Asset List Integration - API imports all Rapid7 assets scanned for vulnerabilities since the last integration run. The Rapid7 data warehouse Asset List Integration is included.
    Note:
    The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.

    See Discovered Items in Vulnerability Response for more information on the Discovered Items module.

    Host tags

    Host tags are imported as part of the Rapid7 Asset List Integration - API integration for Rapid7 InsightVM. They are used primarily for filtering in Vulnerability Response Assignment and Remediation Task Rules in Rapid7 InsightVM. They are displayed in the Discovered Item form.

    Host tags
    Note:
    The Rapid7 Asset List integration - API integration should be run prior to creating Assignment or Remediation Task Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.
    • Tag storage is not case-sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
    • Using host tags as a Group Key in a Remediation Task Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
    • Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

    Sites

    A site is a collection of assets targeted for a scan. A site consists of target assets, a scan template, one or more Scan Engines, and other scan-related settings such as schedules or alerts. Sites are managed by Rapid7 applications.

    Rapid7 Vulnerability Integration site filtering during configuration allows you to categorize and request assets by site during import. See Filtering by Rapid7 sites for more information on filtering imports.

    The Rapid7 data warehouse and Rapid7 InsightVM Sites integrations import sites as a weekly scheduled job.

    To view the imported sites in a list, navigate to Rapid7 > Sites.

    Reopen resolved vulnerable items not closed by scans

    Vulnerable items set to 'Resolved' in your ServiceNow AI Platform instance but not transitioned to 'Closed/Fixed' by the subsequent integration runs are reopened if they are detected during rescans.

    For Rapid7 detections, an option is now available on the Rapid7 configuration page in your instance to reopen resolved VIs by age. If enabled, VIs set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans transition back to 'Open' after the number of days you enter.

    Create CIs using the Identification and Reconciliation Engine (IRE)

    You can use the Identification and Reconciliation Engine to create new CIs when an existing CI cannot be matched with a host imported from a third-party scanner. Enable the CMDB CI Class Models plugin to create CIs using the new classes, otherwise unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs using the Identification and Reconciliation engine. For more information on how to configure the categorization of unmatched cloud resources into your preferred CI class, see Updating CI class for unmatched cloud assets.

    Rescan vulnerable items

    Initiate rescans in the Rapid7 platform to verify that your vulnerable items have been remediated between scheduled scanning cycles. See Initiate rescan for the Rapid7 Vulnerability Integration.

    Request apps on the Store

    Visit the ServiceNow Store to view all the available apps, and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Rapid7 solution management

    If you have activated the Vulnerability Solution Management plugin, then the Rapid7 solutions for both Rapid7 data warehouse and Rapid7 InsightVM get populated in the Vulnerability Solutions [sn_vul_solution] table. However, if you have not activated the Vulnerability Solution Management plugin, then Rapid7 Vulnerability Integration works as is and imports the solutions in the custom [sn_vul_r7_solution] table. For more information, see Rapid7 solution management.