Rapid7 solution management

  • Release version: Xanadu
  • Updated August 1, 2024
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Rapid7 Solution Management

    Rapid7 solution management integrates known remediations into ServiceNow’s Vulnerability Response from either the Rapid7 data warehouse or Rapid7 InsightVM. Starting with version 21.0 of Vulnerability Response, Rapid7 InsightVM creates solutions based on a solutionid from the scanner, ensuring solutions are created even if some fields are empty. Solutions can be viewed in ServiceNow under Rapid7 > Solutions or Vulnerability Solutions, depending on plugin activation.

    Show full answer Show less

    Key Features

    • Vulnerability Solution Management Plugin: When activated, Rapid7 solutions for both data warehouse and InsightVM populate the standard Vulnerability Solutions [snvulsolution] table. Without the plugin, solutions reside in a custom table.
    • Rapid7 Prerequisite Solution Management Integration: Introduces a new integration fetching prerequisite solutions from the data warehouse and runs in a defined sequence with other Rapid7 integrations to maintain data consistency.
    • Related Lists on Third-Party Entries (TPE): With the plugin, the dedicated Rapid7 solutions related list on TPEs is hidden; instead, all solutions from various vendors appear in a unified Solutions list. Without the plugin, the older related lists remain visible.
    • Preferred Solution Handling: For Rapid7 data warehouse, the highest supersedence Rapid7 solution is set as preferred on TPEs. For Rapid7 InsightVM, preferred solutions roll up from detections to vulnerable items (VIs) based on defined rules about solution uniformity and recency.
    • Direct Preferred Solution Population: From version 19.0, Rapid7 data warehouse preferred solutions are populated directly onto vulnerable items, bypassing Vulnerability Solution Management to reduce uncertainty. This is enabled by a new integration, table, transform map, and script adjustments.
    • Performance Optimization: Starting version 22.0, solution updates related to remediation status metrics are optimized by using an Update status flag to reduce unnecessary queued processing, improving scheduled job performance.
    • Solution Supersedence Chain: Users can view superseding and preceding solutions on vulnerability solutions. To manage graph rendering performance, the depth of supersedence chains is limited by a configurable system property (default 500).
    • Upgrade Considerations: Upgrading the Rapid7 Vulnerability Integration plugin without activating Vulnerability Solution Management maintains existing functionality. Activation before or after upgrade results in the Import since field resetting and solution data migrating to the standard vulnerability solution table on subsequent runs.

    Practical Implications for ServiceNow Customers

    By enabling Rapid7 solution management, customers can:

    • Leverage automated import and management of remediation solutions from Rapid7 data sources directly within Vulnerability Response.
    • Benefit from improved accuracy and preference for Rapid7 solutions when determining remediation actions on vulnerabilities and third-party entries.
    • Streamline solution visibility by consolidating vendor solutions into a single list when using the Vulnerability Solution Management plugin.
    • Optimize performance of solution updates and remediation status calculations through built-in enhancements.
    • Configure and control the depth of solution supersedence chains to maintain system performance during solution processing.
    • Understand the integration sequence and upgrade behaviors to ensure smooth transitions and accurate data mapping during Rapid7 plugin updates.

    This management approach helps customers maintain accurate, up-to-date remediation data, enhancing vulnerability prioritization and response workflows within ServiceNow.

    Solutions are known remediations that are imported into your Rapid7 Vulnerability Integration from either the Rapid7 data warehouse or Rapid7 InsightVM. Rapid7 data warehouse imports both solutions and superseding solutions. With Rapid7 InsightVM, you get solutions as part of the Rapid7 Vulnerable Item Integration - API.

    Starting from version 21.0 of Vulnerability Response, there’s a change in how solutions are created by Rapid7 InsightVM. Instead of relying on solution_summary, solution_fix, or solution_type fields, Rapid7 InsightVM now creates solutions using the solution_id provided by the scanner. This means that even if these fields are empty, a solution is created as long as a solution id is available.

    To view imported solutions as a list, navigate to Rapid7 > Solutions.

    If the Vulnerability Solution Management plugin is activated, then the latest version of Rapid7 Vulnerability Integration provides the following key features concerning solutions:
    • The Rapid7 solution management is moved to vulnerability solution management.
    • A new integration Rapid7 Prerequisite Solution Management for the data warehouse is introduced. The integration fetches the prerequisite solution from the Rapid7 data warehouse.
    • The related list of Rapid7 (solution) on third-party entries (TPE) is hidden.
    • The previously imported data can be viewed in the new data model. Rapid7 Solutions, Solution Supersedence, and Vulnerability Solution map are reimported and the Import since field is set to empty. The field is populated in Solution management.
    • The detections are updated to populate the solution field. Detections show the solutions as they’re part of Vulnerability Solution Management.
    • Rapid7 gets higher preference over other solutions while setting the preferred solution on TPE for Rapid7 data warehouse.
    • The solutions roll up to vulnerable items (VI) from detections for Rapid7 InsightVM.
      Note:
      If you have not activated the Vulnerability Solution Management plugin, then the application works as is.

    Vulnerability Solution Management

    If you have activated the Vulnerability Solution Management plugin, then the Rapid7 solutions for both Rapid7 data warehouse and Rapid7 InsightVM get populated in the Vulnerability Solutions [sn_vul_solution] table. However, if you have not activated the Vulnerability Solution Management plugin, then Rapid7 Vulnerability Integration works as is and imports the solutions in the custom [sn_vul_r7_solution] table.

    To view the vulnerability solutions table, navigate to All > Vulnerability Response > Vulnerability Solutions where you can view and compare the solutions from different vendors. To view imported solutions in the custom table, navigate to All > Rapid7 Vulnerability Integration > Solutions.
    Note:
    Group by Source to view solutions based on vendors.

    Rapid7 Prerequisite Solution Management integration

    If you have activated the Vulnerability Solution Management plugin, a fix script gets executed and changes the order of integrations. The new Rapid7 Prerequisite Solution Integration for Rapid7 data warehouse maps the solutions with the prerequisite solutions. The integrations run in the following sequence:
    1. Rapid7 Solution Integration 
    2. Rapid7 Prerequisite Solution
    3. Rapid7 Superseding Solution Integration 
    4. Rapid7 Vulnerability Solution Map Integration
    5. Rapid7 VI Solution Integration (From v19.0 of Vulnerability Response)
    Note:
    If you run the integrations manually, start with the Rapid7 Solution Integration . Do not alter the Next Integration chain in the Rapid7 Integration. The sequence is defined in the Next Integration column.

    Rapid7 (Solutions) related list on TPE

    If you have activated the Vulnerability Solution Management plugin, then you can do the following:
    • You can view the TPEs by navigating to All > Vulnerability Response > Third-Party.
    • You cannot see the Solutions (Rapid7) related list, which was available in the older releases.
    • You can see the Rapid7 related solutions in the Solutions related list along with the solutions from other sources, such as RedHat, Microsoft (MSRC), and so on.

    If you have not activated the Vulnerability Solution Management plugin, then the following occurs:

    • The related lists functionality remains the same.
    • You can see the Solutions (Rapid7) related list.
    • The Solutions related list is hidden.

    Preferred solution on TPE and VIs

    Rapid7 gets the solution from the data warehouse at the third-party entry (TPE) level and for Rapid7 InsightVM at the detection level.

    For a Rapid7 data warehouse, the solution is managed in the following manner:
    • The preferred solution is set on the TPE based on vulnerability and solution mapping. 
    • If the vulnerability from Rapid7 has a single highest supersedence solution from Rapid7, then it’s set as the preferred solution irrespective of other solutions from vendors attached to that vulnerability. 
    • In all other cases, the flow of the preferred solution stays the same.  For more information on the default behavior of preferred solutions, see Vulnerability Solution Management.
    For Rapid7 InsightVM, the solution is managed in the following manner:
    • The preferred solution is rolled up from detections to  VIs.  
    • If there’s a single detection and solution from Rapid7, then the solution is rolled up  to VI.
    • If there are multiple detections and all have the same solution from Rapid7, then the solution is rolled up to VI. 
    • If multiple detections have multiple solutions from Rapid7, then the latest solution is rolled up to the VI. 

    Starting from v19.0 of Vulnerability Response, the preferred solution, generated by Rapid7 Data Warehouse, is directly populated onto vulnerable items by Rapid7 bypassing the need for Vulnerability Solution Management. This change ensures that any uncertainty regarding potential solutions for these vulnerable items is eliminated.

    To achieve this direct population through Rapid7, the following steps are taken:

    • A new integration, Rapid7 VI Solution Integration, is established and integrated into the existing Rapid7 Vulnerability Integration workflow.
    • A new table [sn_vul_r7_rapid7_vi_solution_import] is created.
    • A new transform map Rapid7 VI Solution Transform is created.
    • The script include Rapid7AssetsImportProcessor is modified to exclude the processing of solutions generated by Rapid7 within Vulnerability Solution Management.
    Upon execution of the Rapid7 VI Solution Integration, the unprocessed data obtained from Rapid7 is stored in the newly created table. Subsequently, the Rapid7 VI Solution Transform is triggered, processing this data and populating the preferred solution directly onto the Vulnerable Item table.
    Note:
    The Rapid7 VI Solution Integration fills in the preferred solution exclusively when the Vulnerability Solution Management plugin has been installed.
    Starting from v22.0 of Vulnerability Response, the solutions from Rapid7 are no longer queued up on running the scheduled job Process Vulnerability Solutions Metrics Queue. This scheduled job involves rolling up solutions from NVD entries to third-party entries, population of preferred solutions on vulnerabilities and updating the remediation status metrics on the solutions. In the following scenarios, only the remediation status metrics must be updated:
    • When the preferred solution changes on the vulnerabilities
    • When the VITs are created or deleted
    • When a VIT import is completed
    Though the solutions are queued up to update only the remediation status metrics, they still attempt to roll up solutions from NVD entries to third-party entries and populate the preferred solutions. To optimize this process, in the Vulnerability Solution table, the column Update status is introduced. When the remediation status metrics on solutions must be updated without requiring the roll-up of solutions from NVD entries to third-party entries or the population of preferred solutions, they’re no longer queued. Instead, the Update status column is directly updated as true. This approach enables handling cases where only the remediation status metrics must be updated, resulting in time and resource savings. In the scheduled job, once the processing of the queued solutions is completed, solutions that are marked with an Update status as true are identified. Then, they’re iterated through these solutions, calculating the counts and updating the remediation status metrics accordingly. This step plays a significant role in improving the performance of the scheduled job, as the number of solutions that must be queued is reduced.

    Solution supersedence chain imported from Rapid7 data warehouse for a vulnerability

    You can view the superseding solutions for a solution by selecting a vulnerability solution and selecting the Superseding Solutions related list. You can view the preceding solutions by selecting the Preceding Solutions related list. When you attach any solution to the TPE, then the superseding solution of that solution gets attached to that TPE.

    Change the maximum depth of solution supersedence chain in a graph by system property 

    The solution supersedence chain received in the Rapid7 data model is too long to create the graph during the population of the preferred solution. So, to restrict the depth of the chain, a system property named sn_vul.max_recursion_depth with a value 500 is created. If the chain depth is more than 500, then the rest of the chain is ignored. To change the maximum depth of the chain, navigate to the [sys_properties] table and change the value of the property.

    Upgrading the Rapid7 application

    If you upgrade the Rapid7 Vulnerability Integration plugin, and haven’t yet activated the Vulnerability Solution Management plugin, then the application works as is.

    Whether you activate the Vulnerability Solution Management plugin before or after upgrading the Rapid7 application, the Import since field remains empty for the following integrations:
    • Rapid7  Superseding Solution Integration 
    • Rapid7 Vulnerability Solution Map Integration 
    • Rapid7 Solution Integration 
      Note:
      From the next integration run, the data is populated to the vulnerability solution table.

    For Rapid7 InsightVM, the data is received at the detection level. When the Rapid7 InsightVM integration runs, the solutions are imported in the vulnerability solution table.